It's Friday at 4 PM. Your senior account manager, Sarah, just told you she's leaving. Two weeks' notice. She's going to a competitor.
You say the right things. You wish her well. You start thinking about who takes over her accounts.
What you don't think about is this: right now, at this exact moment, Sarah has admin access to the Meta Business Manager accounts of 14 of your clients. She's a manager on 9 Google Ads accounts. She has editor access to 6 client websites. She can log into the HubSpot portals of 3 enterprise clients. She has the shared passwords for 11 client Instagram accounts saved in her browser.
In two weeks, Sarah walks out the door. How many of those accesses get revoked on her last day?
If your agency is like most, the honest answer is: maybe half. The rest will sit there for weeks. Some for months. A few might never get revoked at all.
This isn't a hypothetical. BetterCloud's research found that 63% of companies have former employees who still have access to corporate systems. Intermedia puts it even higher: 89% of ex-employees retain access to at least one former employer application after leaving.
At a normal company, that's bad. At an agency, it's a disaster waiting to happen.
A departing employee at a SaaS company might still have access to Jira and Slack. Annoying, but contained. It's your own internal stuff.
A departing employee at an agency has access to your clients' stuff. That's a completely different situation.
Think about what a mid-level account manager or strategist touches in a typical week:
Advertising platforms. Google Ads, Meta Ads Manager, LinkedIn Campaign Manager, TikTok Ads, The Trade Desk. Not sandbox accounts. Live accounts with real budgets. Your clients' money.
Social media. Client Instagram, Facebook, LinkedIn, Twitter/X, TikTok profiles. Sometimes through a tool like Sprout Social or Hootsuite. Sometimes through shared credentials that 4 people know.
Analytics. Google Analytics, Google Tag Manager, Mixpanel, SEMrush, Ahrefs. The data your clients pay you to analyze and protect.
Content management. WordPress admin panels, Webflow dashboards, Shopify backends. The ability to edit, publish, or delete content on live client websites.
Internal systems. Your CRM with every client's contract details, billing history, and contact information. Your project management tool with strategy documents, timelines, and deliverables.
One person. Dozens of client accounts across dozens of platforms.
And here's the part that keeps agency owners up at night: you probably don't have a list of all these accesses. Nobody does. It lives in Sarah's head, in scattered permission screens across 30 different platforms, and maybe in a Google Sheet that someone started updating in 2024 and abandoned three months later.
This isn't about theory. These things happen. Regularly.
The accidental post. An ex-employee still has access to a client's social media scheduler. Weeks after leaving, they log into what they think is their personal account and accidentally publish a draft post to a client's Instagram. The client calls you on a Saturday morning asking why their brand just posted a photo of someone's dog.
The angry departure. Someone leaves on bad terms. They still have admin access to a client's Meta Business Manager. They pause all active campaigns. Or worse, they change the ad spend. Or they download the custom audiences your client spent months building. Keeper Security has documented multiple cases of ex-employees causing damage through retained social media access.
The competitor intelligence. Your former strategist joins a rival agency. They still have view access to three clients' Google Analytics and SEMrush projects. They can see traffic data, keyword rankings, conversion rates, top-performing content. That's your clients' competitive intelligence, now in the hands of a competitor. And you'll never know it happened.
The slow-motion breach. An ex-employee's personal laptop gets compromised six months after they left your agency. Their saved passwords include logins to your client's WordPress admin and Google Ads account. Now a hacker has a backdoor into your client's systems, through a person who doesn't even work for you anymore.
The compliance nightmare. A major client sends their annual vendor security audit. One of the questions: "Describe your offboarding process and how you ensure access to our systems is revoked within 24 hours of termination." You don't have a process. You don't have documentation. You fail the audit. According to Agency Management Institute, 40% of agencies now receive these questionnaires from clients, up from 15% in 2019.
Here's a straightforward way to think about it. When someone leaves, there are three time windows that matter:
The first 24 hours. The absolute essentials. Disable their email. Revoke access to anything with a shared password (social media accounts, ad platforms with shared logins). Change any passwords they knew. This is damage control.
24 to 72 hours. Remove them from every client platform where they had individual access. Google Ads, Meta Business Manager, Analytics, CMS, CRM. This requires going platform by platform, client by client. For someone who managed 10 to 15 clients, this can take hours of manual work.
72 hours to 30 days. Catch the things you missed. The Canva team account. The Zapier integrations tied to their email. The staging environment credentials. The Figma files. The API keys. The random tools they signed up for using their work email.
Kaspersky's research found that 30% of organizations take more than 3 days to revoke access. 20% take a month or longer. For agencies managing access across dozens of platforms for dozens of clients, these numbers make sense. Not because people are careless. Because it's genuinely hard to do manually.
The most painful part of agency offboarding is that every platform handles access differently. There's no single button. Here's what you're dealing with:
Meta Business Manager. You need to remove the person from every Business Manager they were added to, for every client. If they were the primary admin on any account (it happens more than you'd think), you need to transfer ownership first. If you lose access to a Meta Business Manager, the recovery process can take weeks or months.
Google Ads. Individual access removal per account. If they created campaigns using their personal Google account linked to the agency, you have a problem. You might need the client to revoke access from their end.
Google Analytics / GA4. Separate permissions from Google Ads. A different interface, a different removal process. Easy to forget when you're focused on the ad accounts.
Social media (shared credentials). Instagram, Twitter/X, and others that use shared logins. You need to change the password, which means updating it for everyone else who needs it. Hope you know who those people are.
CMS platforms. WordPress, Webflow, Shopify, Squarespace. Each client, each platform, each set of credentials.
Project management and communication. Asana, Monday.com, Slack, Teams. Remove from all channels, especially client-facing ones.
Design and collaboration. Figma, Adobe CC, Canva, Google Drive, Dropbox. Shared folders with client assets, strategy documents, unreleased campaign materials.
For one departing employee who managed 10 clients, you're looking at 40 to 70 individual access revocations across different platforms. Each one requires logging in, finding the right settings page, and confirming the removal.
No wonder things fall through the cracks.
You don't need a 50-page security policy. You need three things:
1. An access inventory. A living document (or better, an automated system) that tracks who has access to what. Every employee, every freelancer, every platform, every client. If you can't answer "what does this person have access to?" in under 60 seconds, you don't have an inventory.
2. A revocation checklist by role. Account managers touch different systems than designers. Build a checklist for each role type, not a generic one-size-fits-all list. Update it every time you add a new tool or client.
3. A same-day trigger. The moment someone gives notice (or is let go), the offboarding process starts. Not on their last day. Not when someone remembers. Immediately. Ideally, automated.
The gap between "we should revoke access" and "access is actually revoked" is where incidents happen. Every day that gap stays open is a day your client data is exposed through someone who no longer has any reason to protect it.
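The inventory, the notice-day trigger and the three time windows can be combined into one small script that turns a departure into a dated task list. This is an added example, not code from this article or from any product it mentions; the `Grant` fields, the `kind` and `role` labels, and the sample people and clients are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Grant:
    person: str
    client: str
    platform: str
    kind: str             # "email", "shared_password", "individual", "long_tail"
    role: str = "member"  # "admin" / "primary_admin" pull the deadline forward

# The three windows, counted from the notice date (same-day trigger).
DAY1, DAY3, DAY30 = timedelta(hours=24), timedelta(hours=72), timedelta(days=30)
WINDOW = {"email": DAY1, "shared_password": DAY1, "individual": DAY3, "long_tail": DAY30}

def revocation_plan(inventory, person, notice_at):
    """Build sorted (due, client, platform, action) tasks for one departing person."""
    tasks = []
    for g in (g for g in inventory if g.person == person):
        due, action = notice_at + WINDOW[g.kind], "remove user"
        if g.kind == "email":
            action = "disable account"
        elif g.kind == "shared_password":
            # Rotation locks out everyone on the login: list who needs the new one.
            others = sorted({o.person for o in inventory if o.person != person
                             and (o.client, o.platform, o.kind) == (g.client, g.platform, g.kind)})
            action = "rotate password; reissue to " + (", ".join(others) or "nobody")
        elif g.role in ("admin", "primary_admin"):
            due = notice_at + DAY1  # admin privileges belong in the first 24 hours
            if g.role == "primary_admin":
                action = "transfer ownership, then remove user"
        tasks.append((due, g.client, g.platform, action))
    return sorted(tasks)

def overdue(tasks, done, now):
    """Tasks past their deadline and not confirmed revoked: the open gap."""
    return [t for t in tasks if t[0] < now and (t[1], t[2]) not in done]

# Constructed sample inventory (people and clients are illustrative).
INVENTORY = [
    Grant("sarah", "agency", "Email", "email"),
    Grant("sarah", "acme", "Instagram", "shared_password"),
    Grant("dev", "acme", "Instagram", "shared_password"),
    Grant("lee", "acme", "Instagram", "shared_password"),
    Grant("sarah", "acme", "Meta Business Manager", "individual", "primary_admin"),
    Grant("sarah", "acme", "Google Ads", "individual"),
    Grant("sarah", "agency", "Canva", "long_tail"),
]
NOTICE = datetime(2025, 1, 10, 16, 0)  # constructed: a Friday at 4 PM
PLAN = revocation_plan(INVENTORY, "sarah", NOTICE)
```

Running `overdue(PLAN, done, now)` daily against the set of confirmed revocations shows exactly which accesses are still open past their window.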
Manual offboarding across 40-70 platforms per person doesn't scale. Not at 30% annual turnover, which is the industry average for agencies. A 40-person agency doing 12 offboardings a year is looking at 480 to 840 individual access revocations, all done manually, all with zero margin for error.
Automated IT platforms can cut this to a single action. Mark someone as departing, and every connected account gets revoked simultaneously. Email, ad platforms, social media tools, CMS access, design tools, project management. All at once. No checklists, no "did we forget Figma?"
That's what Nsix Digital does, among other things. We're biased, obviously. But the math is simple: if one missed revocation can cost you a client worth $100,000 in lifetime revenue, the cost of automation pays for itself the first time it prevents that from happening.
According to Kaspersky, 30% of organizations take more than 3 days to fully revoke a departing employee's access, and 20% take a month or longer. Intermedia research found that 89% of ex-employees retain access to at least one former employer application. At agencies, where access spans dozens of client platforms, full revocation often takes weeks.
Yes, if their access wasn't explicitly revoked. Shared-password platforms (Instagram, Twitter/X) are especially vulnerable because changing the password requires coordination across everyone who uses it. Platforms with individual access (Meta Business Manager, LinkedIn) require manual removal per account. Documented incidents include ex-employees posting unauthorized content on client profiles.
A mid-level account manager or strategist at a marketing agency typically has access to 40 to 70 individual accounts across client ad platforms, social media profiles, analytics tools, CMS dashboards, CRMs, project management tools, and internal systems. For someone managing 10 to 15 clients, each client represents 4 to 6 separate platform accesses.
Within the first 24 hours: disable their email account, change all shared passwords they had access to (especially social media logins), and revoke access to any platform where they have admin privileges. Within 72 hours: systematically remove their access from every client platform, tool, and system. Document everything as you go.
The most effective approach is maintaining a real-time access inventory that tracks every employee's permissions across all platforms and clients. Combined with automated revocation (tools that disable all accesses simultaneously when triggered), this eliminates the manual, error-prone process that causes most security gaps. Without automation, agencies need detailed role-based checklists and a policy of starting revocation on notice day, not the last day.