Governance

How to Audit Who Has Access to Your Instagram

Review every person and partner who can reach your Instagram in Meta Business Suite, spot stale access, and remove anyone who no longer needs it — on a schedule, not after something breaks.

Access accumulates quietly. The freelancer from last year, the agency you stopped working with, the ex-employee whose role nobody removed — none of them show up unless you go looking. An access audit is the periodic look: walk every layer where someone can reach your Instagram and remove what should not be there.

Audit every layer of access

  1. Review portfolio people

    List every Admin and Employee on the Business Portfolio. Remove anyone whose work has ended and downgrade anyone over-permissioned.

    Where: business.facebook.com → Settings → People

  2. Review the Instagram asset assignments

    Check exactly who has which permissions on the Instagram account itself, and whether each still matches their job.

    Where: business.facebook.com → Accounts → Instagram accounts → Assigned people

  3. Review Partners

    List every other Business Portfolio (agencies, partners) with access. Remove any whose contract has ended.

    Where: business.facebook.com → Settings → Partners

  4. Review the Instagram login activity

    In the Instagram app, check active sessions and end any device or location you do not recognise.

    Where: Instagram app → Settings → Accounts Centre → Password and security → Where you're logged in

  5. Record the result

    Note who has what and a next-review date, so each audit is a quick diff rather than a fresh investigation.

Make the audit a habit

Audits work when they are scheduled and triggered, not improvised.

  1. Principle 1

    Scheduled cadence

    A quarterly calendar reminder beats an annual scramble after something goes wrong.

  2. Principle 2

    Event-triggered

    Always audit the moment a teammate leaves or an agency relationship ends — that is when stale access is most dangerous.

  3. Principle 3

    Cover all layers

    People, asset assignments, partners, and live sessions. Missing one layer is how "removed" access lingers.

Review cadence: Quarterly, plus on every departure.

What audits usually miss

  • Forgetting the Partners layer

    Removing a person but leaving the agency's whole Business Portfolio connected as a Partner means the agency still has access.

    Already happened: Offboard an agency

  • Auditing the portfolio but not the app sessions

    A logged-in session can outlive a removed role. End unknown sessions in the Instagram app as part of every audit.

Delvia

Access issues are easier to prevent when roles, owners, and responsibilities are recorded clearly

Most access problems trace back to the same gap — no clear record of who has access, what role they hold, and what should happen when that changes. Delvia helps you keep that record so problems are visible before they become incidents.

Delvia is free on iPhone and Android. Keep a clear record of who has access to your accounts — and what to do when that changes — wherever you are.