How to Secure a YouTube Channel After Removing an Agency
When an agency relationship ends, a handful of deliberate steps close every door they had — and leave your channel in a cleaner, safer state than before they arrived.
Ending an agency relationship is not as simple as removing one person from Studio Permissions. Agencies typically accumulate access across several layers — Studio roles for individual team members, Brand Account ownership if they insisted on it, third-party tools connected to the channel, and sometimes ad accounts or linked services. Closing out cleanly means working through each layer in order, not just clicking Remove on one name.
If your situation is actually …
- You want to check who still has access before revoking anything → Audit who has access to your channel →
- You need to revoke tools and third-party apps the agency connected → How to revoke agency tools from YouTube →
The principle: close every door, not just the obvious one
Three rules for a clean agency departure that leaves no residual access.
- Principle 1
Work in layers, not one pass
Studio Permissions, Brand Account owners, and connected apps are separate systems. Removing someone from Studio does not touch the Brand Account, and revoking a tool requires visiting Google account security — not YouTube Studio. Each layer needs its own explicit check.
- Principle 2
Revoke before you close communication
Remove access before the final handover conversation. Once the relationship is officially over, the agency has no reason to accept a revocation gracefully — and in adversarial departures, they may act on remaining access if they still have it.
- Principle 3
Harden what remains
After revoking, change the channel's recovery contacts and review 2FA settings on the owning Google Account. If the agency knew the backup email or phone number, those are live recovery paths they could still use.
Review cadence: Run this process immediately when any agency relationship ends, then audit again 30 days later to confirm nothing was missed.
Remove agency access — layer by layer
Work through these in order. Each step is independent — do not skip one because the agency seems cooperative.
Remove all agency team members from Studio Permissions
Open Permissions and remove every individual who was added as part of the agency engagement — managers, editors, and viewers alike. If you are unsure which accounts belong to them, cross-reference any invite emails you sent or received.
Where: studio.youtube.com → Settings → Permissions
Confirm: The user list no longer shows any agency-associated accounts.
Check Brand Account ownership
If the agency holds Owner or Primary Owner status on the Brand Account, that is a higher-stakes grant than a Studio role. Remove them from the owners list. If they are the Primary Owner, you will need to transfer that role to your own account first — a newly added Primary Owner waits approximately 7 days before the transfer completes.
Where: myaccount.google.com/brandaccounts
Confirm: Only accounts you control appear in the owners list.
If this fails: Why ownership transfer is not working
Revoke connected tools and third-party apps
Agencies commonly connect scheduling tools, analytics platforms, and ad management software to the channel using OAuth. These connections survive Studio role removal. Visit Google account permissions and revoke any app you do not recognise or no longer need.
Where: myaccount.google.com/permissions
Confirm: No unfamiliar apps appear in the connected-applications list.
Update recovery contacts on the owning Google Account
If the agency ever had access to your recovery email address or backup phone number, update both now. Recovery contacts are entry points to the account — not just conveniences.
Where: myaccount.google.com/security
Confirm: Recovery email and phone are ones you control and recognise.
Review and re-enable 2-Step Verification
Confirm that 2-Step Verification is active on the owning Google Account and that the backup codes are refreshed. If the agency ever handled 2FA on your behalf, generate new backup codes so old ones are invalidated.
Where: myaccount.google.com/security
Confirm: 2-Step Verification is on; backup codes refreshed.
Invite a trusted backup owner
If the agency departure has left you as the only person with any access, add a trusted personal account as a second Brand Account owner. A single point of ownership is a single point of failure.
Where: myaccount.google.com/brandaccounts
Confirm nothing was missed
- All agency team members removed from Studio → Permissions
- Agency accounts removed from Brand Account owners list
- No agency account holds Primary Owner status
- Connected apps and tools reviewed — unfamiliar ones revoked
- Recovery email and phone updated to contacts you control
- 2FA confirmed active; backup codes refreshed
- At least one personal backup owner added to Brand Account
- 30-day follow-up audit scheduled
What agencies often hold that creators don't expect
Most creators know to remove the main agency contact from Studio. What catches people out is everything else. Agencies working at scale routinely request Brand Account ownership rather than just Manager access — because ownership lets them manage permissions independently without coming back to the creator for every invite. If that happened, a Studio-only removal leaves them with a more powerful grant intact.
Tools are the other surprise. A scheduling tool, an analytics dashboard, or a video optimisation platform connected during the engagement continues to have OAuth access to the channel after the relationship ends. That access does not expire automatically. Visiting myaccount.google.com/permissions is the only way to see and revoke it.
Recovery contacts are the least obvious risk. If someone from the agency ever helped set up or reset 2FA, they may have used an email address they control as a backup. That gives them a legitimate recovery path to the Google Account even after all other access has been removed.
Why this keeps happening
Access spreads because there's no record of where it went
When an agency onboards gradually — one tool here, one owner grant there — it leaves traces across systems that are hard to reassemble at departure time. Keeping a running record of every grant, who approved it, and when it was revoked makes the offboarding process a quick confirmation rather than a full investigation.