Company Profile
Meridian Digital is a full-service digital marketing agency based in Austin, Texas, with 38 employees managing paid media, analytics, CRM strategy, and email campaigns for 54 active clients. Their team includes 12 account managers, 8 paid media specialists, 6 analytics leads, and a rotating group of 4-6 interns each quarter.
Their clients span e-commerce, SaaS, and professional services — each with their own Stripe accounts, Salesforce orgs, Google Ads accounts, and Google Analytics properties.
The Problem
Meridian's AI agents connected to client tools through shared API keys. Every team member who needed to touch a client's data had the same level of access — full read and write permissions across every integration.
For two years, this worked well enough. The team was small, everyone knew the rules, and mistakes were rare.
Then three things happened in the same quarter.
Incident 1: The Deleted Contact List
A summer intern, working on a Salesforce report for a retail client, accidentally ran a bulk delete operation instead of a bulk export. The AI agent executed the request — it had full write access — and 2,300 contacts disappeared from the client's Salesforce org. It took the team 14 hours to restore the data from a backup, and the client nearly terminated their contract.
Incident 2: The Wrong Ad Account
A paid media specialist asked their AI agent to pause a set of underperforming campaigns. The agent paused campaigns in the wrong client's Google Ads account. By the time the error was caught 6 hours later, the client had missed an estimated $3,200 in revenue from a time-sensitive product launch.
Incident 3: The Audit Question
During a quarterly business review, a major client asked Meridian to provide a log of every action taken in their Stripe account over the past 90 days. Meridian could not answer the question. They had no way to distinguish which team member's AI agent had performed which action.
When every team member has identical access to every client account, a single mistake can cascade into a client relationship crisis. Shared API keys make it impossible to attribute actions to individuals.
What They Needed
After the contact list incident, Meridian's operations director outlined three requirements:
- Role-based access by default — New team members and interns should get read-only access. Write access should be granted only to assigned clients and only for specific actions.
- Client isolation — No team member's AI agent should be able to accidentally access the wrong client's data.
- Full attribution — Every tool call should be traceable to a specific person, for a specific client, at a specific time.
The Solution
Meridian migrated their AI agent infrastructure to Pipeworks in a phased rollout over three weeks.
Per-client workspaces with isolated credentials
Each of Meridian's 54 clients was set up with its own workspace. Client Stripe API keys, Salesforce credentials, Google Ads tokens, and Google Analytics properties were configured in isolated environments. Because credentials are scoped to a single workspace, an agent working in Client A's workspace cannot reach Client B's data.
Role-based defaults for every team member
Meridian established three permission tiers:
- Interns and junior analysts — Read-only access to Google Analytics and Google Ads. No Stripe or Salesforce access at all.
- Account managers — Read access to all four integrations. Write access to Salesforce (create and update contacts, log activities) and Google Ads (adjust bids, update ad copy) only for their assigned clients.
- Senior leads — Full access to all integrations for their assigned clients, including Stripe refunds and Salesforce bulk operations.
Every new team member starts with read-only defaults. Write access is granted per integration, per client, by an account director.
Named API keys with activity logging
Each team member received a named API key tied to their identity. Every tool call — whether reading a Google Analytics report or updating a Salesforce record — is logged with the person's name, the client workspace, the specific tool called, and a timestamp.
Meridian now generates monthly attribution reports for clients who request them.
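The three tiers, the per-client assignment and the per-call log described above can be expressed as a default-deny check. This is an added example, not Pipeworks' API or Meridian's configuration: the key names, tool names, action classes and the rule that every call (reads included) requires assignment to the workspace are assumptions made for illustration.

```python
from datetime import datetime, timezone

READ, WRITE, BULK = "read", "write", "bulk"  # assumed action classes
ALL_INTEGRATIONS = ("google_analytics", "google_ads", "salesforce", "stripe")

# Tier -> integration -> permitted action classes, mirroring the three tiers above.
# Anything not listed is denied.
TIERS = {
    "intern": {"google_analytics": {READ}, "google_ads": {READ}},
    "account_manager": {"google_analytics": {READ}, "stripe": {READ},
                        "salesforce": {READ, WRITE}, "google_ads": {READ, WRITE}},
    "senior_lead": {name: {READ, WRITE, BULK} for name in ALL_INTEGRATIONS},
}

# Constructed sample identities: named key -> person, tier, assigned workspaces.
KEYS = {
    "key-intern-01": {"person": "intern-01", "tier": "intern", "clients": {"client-a"}},
    "key-am-01": {"person": "am-01", "tier": "account_manager", "clients": {"client-a"}},
    "key-lead-01": {"person": "lead-01", "tier": "senior_lead", "clients": {"client-a"}},
}

AUDIT_LOG = []  # every decision is recorded, including denials


def authorize(api_key, workspace, integration, tool, action):
    """Return True only if the key's tier and client assignment both allow the call."""
    ident = KEYS.get(api_key)
    if ident is None:
        person, reason = "unknown", "unknown key"
    else:
        person = ident["person"]
        if workspace not in ident["clients"]:
            reason = "workspace not assigned"
        elif action not in TIERS[ident["tier"]].get(integration, set()):
            reason = "action not permitted for tier"
        else:
            reason = "ok"
    AUDIT_LOG.append({"time": datetime.now(timezone.utc).isoformat(),
                      "person": person, "workspace": workspace,
                      "integration": integration, "tool": tool,
                      "action": action, "allowed": reason == "ok", "reason": reason})
    return reason == "ok"


def attribution_report(workspace, integration):
    """Who did what in one client's integration: the question from Incident 3."""
    return [(e["time"], e["person"], e["tool"], e["allowed"])
            for e in AUDIT_LOG
            if e["workspace"] == workspace and e["integration"] == integration]
```

Logging denials alongside allowed calls means the report also shows attempts that the policy stopped, such as a bulk delete issued with an intern key.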
Results After 90 Days
Zero Accidental Data Loss
In the 90 days following the migration, Meridian recorded zero incidents of accidental data modification across all 54 client accounts. The intern who had previously deleted the contact list now had read-only Salesforce access — they could pull reports and analyze data, but their AI agent could not modify or delete records.
3x Faster Client Onboarding
Before Pipeworks, onboarding a new client took an average of 4.5 hours of technical setup — creating shared credentials, distributing API keys, configuring access for each team member.
After the migration, onboarding dropped to 1.4 hours. The operations team creates a workspace, connects the client's integrations once, and assigns team members with the appropriate role. Permissions propagate automatically.
| Metric | Before | After | Change |
|---|---|---|---|
| Client onboarding time | 4.5 hours | 1.4 hours | 69% reduction |
| Accidental data modifications | 3 per quarter | 0 | 100% reduction |
| Time to answer client audit questions | 2-3 days | Under 5 minutes | 99% faster |
| Team members with excess permissions | 100% | 0% | Full compliance |
Client Retention Improvement
The retail client who nearly left after the contact list incident renewed their contract after seeing Meridian's new access controls. Two other enterprise clients cited the audit trail capability as a factor in expanding their engagement.
Meridian's client retention rate improved from 82% to 91% in the two quarters following the migration. While multiple factors contributed, the operations director attributed a significant portion to the confidence clients gained from seeing granular access controls in action.
Intern Productivity Without Risk
Before Pipeworks, Meridian restricted intern access informally — senior team members would verbally tell interns which accounts they could touch and which they should avoid. This created anxiety, slowed down work, and still led to mistakes when instructions were forgotten or misunderstood.
After the migration, interns could work freely within their read-only permissions. They ran Google Analytics reports, pulled Google Ads performance data, and analyzed campaign metrics across any assigned client without risk of modifying anything. Their output increased measurably — the average intern completed 40% more analysis tasks per week because they spent less time second-guessing whether they were allowed to access a particular account.
The most valuable permission is the one you do not grant. Read-only defaults protect your clients and your reputation. Escalate to write access only when a team member's role specifically requires it.
The Economics
Meridian calculated the cost of their pre-Pipeworks incidents and compared it to the ongoing cost of proper access controls:
Direct incident costs:
- Contact list restoration: 14 hours of senior engineering time ($2,800) plus client relationship management ($1,200 in unbilled time)
- Wrong ad account: $3,200 in estimated lost client revenue plus 6 hours of team time ($900)
- Audit response failure: 3 days of research time ($4,500) plus reputational damage (unquantified)
Total incident costs in one quarter: approximately $12,600
Ongoing savings:
- Client onboarding: 3.1 hours saved per client at $150/hour blended rate = $465 per new client
- Incident prevention: $12,600+ per quarter in avoided costs
- Audit response: minutes instead of days, freeing senior staff for billable work
With 2-3 new clients per month, the onboarding savings alone covered the platform cost within the first quarter.
Key Takeaways
For agencies managing multiple client accounts:
- Shared API keys are a liability, not a convenience. The time saved by giving everyone the same access is wiped out by a single incident. Named keys with per-person attribution cost nothing extra and eliminate the "who did this?" problem entirely.
- Read-only defaults are the right starting point. Most agency work — reporting, analysis, monitoring — only requires read access. Write access should be an explicit grant, not a default.
- Client isolation is non-negotiable at scale. When you manage 10 clients, you can keep track of which account you are working in. At 50+, cross-account mistakes become statistically inevitable without technical controls.
- Audit trails sell. Enterprise clients increasingly ask about data governance during procurement. Being able to show exactly who accessed their systems and when is a competitive advantage.
What Meridian Says
"We went from hoping nobody made a mistake to knowing that mistakes are structurally prevented. Our interns can use AI agents confidently because the guardrails are built in — they do not have to remember which client's Salesforce they can and cannot edit. The system enforces it."
— Sarah Lindgren, Operations Director, Meridian Digital