
I Hired an Agency. I Have No Idea If They Still Have Access to Our Accounts.


    Every time I join a new company, I do the same thing. I open up Meta Ads Manager, or LinkedIn Business Manager, or HubSpot, and I go to the users list.

    And there they are.

    Agencies from two years ago. Freelancers whose names nobody recognizes. A PR firm that got cut from the budget last reorg. A performance marketing agency that handled paid social for a campaign that ended 18 months ago.

    Still there. Still active. Still with access.

    Nobody Removed Them Because Nobody Thought To

    Here's what makes agency relationships different from employee offboarding: there rarely is a clear last day.

    With an employee, someone knows when they're gone. There's an offboarding checklist, an IT ticket, a final day. It still goes wrong constantly, but at least there's a process on paper.


    With an agency or contractor, it just fades. The campaign winds down. The SOW expires. The Slack channel goes quiet. The truth is, most of the time, nobody is even thinking of it as an ending. The work slowed down. Maybe it'll pick back up? You liked working with these people. You might want to bring them back for the next campaign, the next product launch, the next busy season. Revoking their access feels premature, maybe even rude. So you don't.

    And then you never do. Because the next campaign comes along and you're already onto the next thing, and that agency or contractor just sits in the users list indefinitely, holding access to accounts they haven't touched in a year, for a relationship that quietly became inactive without anyone deciding it was over.

    Most of the time the relationship was friendly, which makes the whole thing feel even less urgent. The idea that a former agency you had a good run with is a security risk feels almost paranoid. So nobody acts on it.

    Until the relationship isn't friendly. Or until someone like me joins a new company and opens the users list.

    Marketers Don't Think About Security. This Isn't an Insult.

    I've been in marketing for a long time. I can tell you exactly how a marketer thinks about tool access: we need to get something done, we need someone to have access to do it, we give them access. That's it. That's the whole thought process.

    We're not thinking about what happens when they leave. We're not auditing the users list on a quarterly basis. We're not policing seats, unless we hit the seat limit on our plan and need to add someone new. That's literally the only time most marketers ever open the users list: when we have to.

    This isn't a criticism. Security isn't a marketer's job. Our job is driving revenue, launching campaigns, managing agency relationships, hitting numbers. Identity hygiene is nowhere on that list. And it shouldn't have to be.

    But here's the problem: IT doesn't see most of these tools either. The entire marketing stack, from the ad platforms to the CMS to the automation tools, was acquired by marketing, paid for by marketing, and is managed by marketing. IT has little to no visibility into who has access or what they can do.

    So you have a situation where marketing isn't thinking about security, IT can't see the problem, and the agencies and contractors just sit there. Accessible. Forever.

    The New Person Problem

    One more wrinkle that makes this worse.

    Marketing teams turn over. Sometimes quickly. The person who hired the agency might be gone. The person who gave the contractor access might be gone. The new person who joins and opens the users list sees a bunch of names they don't recognize.

    And then what?

    They could spend time trying to figure out who everyone is, whether they still need access, who to contact to verify. But that's a significant amount of work for something that doesn't feel urgent and isn't in their job description. So they don't bother.

    The access stays. The risk stays. And the cycle repeats with every new campaign, every new agency relationship, every new hire who inherits the mess.

    What Can Actually Go Wrong

    I know what you're thinking: so what? It's just a former agency. They're not going to do anything malicious.

    Usually true. But consider a few scenarios.

    The agency parted ways badly. Maybe they lost the pitch to a competitor. Maybe there was a dispute over invoices. Maybe they were fired. The marketing relationship was friendly but the ending wasn't. And somebody at that agency still has admin access to your Meta Business Manager and can see every active ad campaign, every audience, every pixel, every budget.

    The agency has a staff turnover problem. The person who had access left the agency. Their credentials got passed around or stayed active. Now you have someone in your HubSpot instance who never had a direct relationship with your company at all.

    The agency gets breached. This one is the scariest and most likely to be outside everyone's control. Their systems get compromised, and suddenly the credentials they used to access your CMS or your ad accounts are in someone else's hands. You have no way of knowing. You have no way of revoking access quickly because you're not even sure what they have. It's not hypothetical either. MailChimp was breached twice in six months through social engineering attacks on its employees and contractors, exposing data across hundreds of customer accounts. The customers didn't get hacked. Their vendor did. And that was enough.

    None of these require anyone to have bad intentions. All they require is a relationship that ended and nobody thinking to close the door on the way out.

    The Numbers Behind the Gut Feeling

    This isn't just a nagging feeling. New research from the Ponemon Institute, based on a survey of 614 IT and security leaders, found that 68% of organizations can't reliably remove access when an employee leaves. For agencies and contractors, where there's no offboarding process at all, it's almost certainly worse.


    The same research found that 77% of organizations experienced at least one cybersecurity incident tied to disconnected apps in the past two years. Marketing tools, social platforms, and ad accounts are squarely in that category: they sit outside the identity stack, they don't support the protocols IT uses to manage access centrally (SSO and SCIM), and they're almost entirely invisible to the people whose job it is to catch these things.

    And 63% of organizations have failed an audit at least once because of gaps in securing these apps. An auditor asking "who currently has access to your LinkedIn Business Manager and when was each person's access last reviewed" is a question most marketing teams genuinely cannot answer.

    A Quick Audit You Can Do Right Now

    If you want to know where you stand, here's a five-minute exercise.

    Go open the users list in three of your most important marketing tools right now. Keep in mind that several of these platforms grant agencies access at the partner or business level, separately from individual user seats, so check that list as well as the people list. Then ask yourself three questions:

    1. Do I recognize every name on this list? Not just "I've heard of that agency" but: do I know who this specific person is, and do they have an active relationship with this company right now?
    2. Do I know whether each person should still have access? Not based on what they worked on 18 months ago, but right now, today?
    3. If someone needed to be removed right now, how would I do it? Is there a process, or would it involve tracking down the right admin, figuring out which tools they have access to (including any shared logins or API tokens they were given), and hoping you don't miss anything?

    If you can answer all three confidently for all three tools, you're in better shape than most marketing teams. If not, you've just found the gap, and you're definitely not alone.
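    The three questions above are, in practice, a reconciliation: every name on the users list either maps to an active relationship or it doesn't. The script below is an added example, not code from the original post or from Cerby; it runs that reconciliation over a constructed CSV export and a constructed vendor register. The column names, the company domain `example.com`, the agency domains, the 90-day idle threshold, and the severity labels are all assumptions for illustration. Real platform exports use their own column names, and partner-level agency access usually does not appear in a people export at all, so treat this as the logic, not the integration.

```python
"""Added example (not from the original post): reconcile a marketing tool's
users list against a vendor/contract register and flag access to revoke.

Assumptions (all hypothetical): the users list was exported as CSV with the
columns below, the company's own domain is example.com, the vendor register
is a dict keyed by the agency's email domain, and a seat idle for more than
STALE_DAYS is worth a review even when the contract is still active.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

COMPANY_DOMAIN = "example.com"   # assumed internal domain
STALE_DAYS = 90                  # assumed idle threshold
TODAY = date(2025, 3, 15)        # fixed "today" so the run is reproducible

# Constructed sample export; the column names are assumptions, not any
# platform's real export format.
USERS_CSV = """name,email,role,last_active
Dana Ortiz,dana@example.com,Admin,2025-03-01
Priya Nair,priya@brightloop-agency.com,Admin,2023-09-14
Sam Lee,sam@brightloop-agency.com,Editor,2025-02-20
Alex Chen,alex@northstar-pr.co,Editor,2024-01-30
ads-shared,paidsocial@growthpartners.io,Admin,2025-02-28
Jordan Kim,jordan@freelancemail.net,Editor,2024-06-05
"""

# Constructed vendor register: email domain -> (vendor name, contract end date
# or None while the SOW is still active).
VENDORS = {
    "brightloop-agency.com": ("BrightLoop", None),
    "northstar-pr.co": ("Northstar PR", date(2024, 6, 30)),
    "growthpartners.io": ("Growth Partners", None),
}

SEVERITY_RANK = {"remove": 0, "review": 1, "ok": 2}


@dataclass(frozen=True)
class Finding:
    email: str
    severity: str   # "remove", "review" or "ok"
    reason: str


def parse_users(csv_text):
    """Read the export and turn last_active into a date object."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        rows.append({**r, "last_active": date.fromisoformat(r["last_active"])})
    return rows


def review_access(users, vendors, today, stale_days=STALE_DAYS):
    """Classify every seat; 'remove' findings sort first, then 'review'."""
    findings = []
    stale_before = today - timedelta(days=stale_days)
    for u in users:
        email = u["email"]
        # rsplit with [-1] keeps a malformed address (no '@') from crashing
        # the run; it simply won't match any vendor and is flagged for removal.
        domain = email.rsplit("@", 1)[-1].lower()
        if domain == COMPANY_DOMAIN:
            findings.append(Finding(email, "ok", "internal user"))
            continue
        vendor = vendors.get(domain)
        if vendor is None:
            findings.append(Finding(email, "remove",
                                    "external account not in vendor register"))
            continue
        name, ended = vendor
        if ended is not None and ended < today:
            findings.append(Finding(email, "remove",
                                    f"{name} contract ended {ended.isoformat()}"))
            continue
        if u["last_active"] < stale_before:
            findings.append(Finding(email, "review",
                                    f"{name} is active but seat idle since "
                                    f"{u['last_active'].isoformat()}"))
            continue
        if u["role"].lower() == "admin":
            findings.append(Finding(email, "review",
                                    f"{name} holds admin; confirm it is still needed"))
            continue
        findings.append(Finding(email, "ok", f"{name} active, seat in use"))
    # sorted() is stable, so seats keep export order within each severity
    return sorted(findings, key=lambda f: SEVERITY_RANK[f.severity])


def run_review():
    """Run the reconciliation over the constructed data."""
    return review_access(parse_users(USERS_CSV), VENDORS, TODAY)


def emails_with_severity(findings, severity):
    return [f.email for f in findings if f.severity == severity]


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.severity:<7} {f.email:<36} {f.reason}")
```

Against the constructed data this flags the PR firm whose contract ended and the freelancer nobody in the register can vouch for as removals, and puts the dormant agency admin and the shared paid-social admin login up for review. The order of the checks matters: an account belonging to a vendor whose contract has ended is a removal even if it logged in yesterday, which is exactly the "friendly relationship that quietly ended" case the post describes.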

    What Good Actually Looks Like

    The version of this that doesn't create problems looks like this: every time an agency relationship ends, access is revoked automatically across every tool they touched, tied to the end of the contract rather than to someone remembering to do it manually, and any shared credentials or tokens the agency used are rotated at the same time. Every time a new person joins the marketing team, they inherit a clean users list, not a graveyard of former vendors.

    That requires connecting marketing tools to the same identity controls that govern the rest of the enterprise. Provisioning and deprovisioning should work the same way for an agency contact as they do for an employee, regardless of whether the tool natively supports SSO or SCIM.

    Most marketing tools don't support those standards, which is exactly why the problem persists. It's not that nobody cares. It's that the infrastructure to fix it hasn't reached these apps yet.

    That's the gap Cerby was built to close: automated access controls for the applications IT can't reach through traditional identity systems, including the entire marketing stack that's currently running on manual processes and good intentions.
