Google has quietly updated Merchant Centre for Agencies with new security controls around user access. Specifically, these changes affect how admin and standard roles are managed across agency-linked accounts. According to Google Ads Liaison Ginny Marvin, the intent is to streamline workflows and improve security. It is a relatively low-profile announcement, but for agencies managing Shopping feeds and Performance Max campaigns at scale, the implications are worth thinking through carefully.
Why Access Control Matters More Than You Might Think
Merchant Centre sits at the foundation of any Shopping or Performance Max campaign. The product feed - and everything linked to it - determines what ads serve, to whom, and at what price. If the wrong person has the wrong level of access, the consequences are not abstract. A mistaken feed suppression, a bulk price edit, or a shipping settings change can kill campaign performance overnight without triggering any obvious alert in Google Ads.
Most agencies have sensible controls inside Google Ads Manager Accounts. But Merchant Centre has historically been treated as a secondary concern from a permissions standpoint. The result is often a sprawl of legacy user access - former employees, old freelancers, staff who moved teams - sitting on accounts with broader permissions than anyone remembers granting. That is a genuine security risk, and it is also an operational one. If something goes wrong with a feed, you need to know exactly who can touch it.
Admin vs Standard Roles: The Distinction That Matters
The new controls centre on the distinction between admin and standard roles in Merchant Centre for Agencies. Admins have full account control - they can manage users, edit all settings, and modify the feed itself. Standard users have a more restricted scope. The updated security controls give agencies tighter tools to define and enforce that boundary, which in practice means less risk of a standard user inadvertently (or deliberately) making changes that should require senior sign-off.
For larger agencies with multiple account managers working across dozens of client feeds simultaneously, this kind of role clarity is operationally important. It is not just about preventing mistakes - it is about audit trails. When a client asks why their feed had an issue on a given day, being able to show clearly who had access, and what level of access they held, is part of a professional service standard. Google tightening these controls is a push in the right direction.
The Performance Max Connection
The reason Merchant Centre governance deserves more strategic attention now than it did three years ago is Performance Max. Shopping campaigns have always relied on the Merchant Centre feed, but PMax has deepened that dependency. PMax pulls product data, supplemental feeds, custom labels, and product groups to make autonomous decisions about which inventory to show and where. The quality and integrity of the feed is not just a data hygiene issue - it is a direct input into how the AI allocates budget.
If someone with inappropriate access makes a change to feed rules, shipping settings, or product exclusions inside Merchant Centre, PMax will adapt to that change without any obvious signal to the campaign manager. You might see a drop in conversion value, a shift in which product groups are spending, or a sudden increase in disapproved products - but the root cause sits outside Google Ads entirely. Tighter access controls reduce the surface area for this kind of silent disruption.
What Agencies Should Do Now
Google's update is a useful prompt to run a proper access audit across your Merchant Centre accounts. Start with a simple question: who currently has admin access, and do they actually need it? In most agency setups, admin access should be limited to senior account leads and a small number of operations staff. Everyone else - account managers, junior execs, analytics team members - should be operating at standard level or below.
Beyond the internal team, check which third-party integrations and feed management tools have access. Feed platforms, comparison shopping services, and supplemental feed tools sometimes request admin-level permissions when standard access would do the job. Tighten those where you can, and document what remains. Then set a recurring review cadence - quarterly is sensible for most agencies. Access reviews are not a one-time task; they need to be part of account hygiene in the same way budget pacing checks or conversion tracking audits are.
The Broader Point About Account Governance
There is a tendency in PPC to treat account structure and access governance as admin work - something to sort out at onboarding and not revisit. But as campaigns become more automated and more dependent on data inputs from connected systems, the governance layer becomes increasingly critical to performance. A well-structured Merchant Centre with clean access controls and a reliable feed is not just good housekeeping. It is infrastructure for the campaign to function as intended.
Google's move to strengthen security controls for agency accounts reflects a maturation of the platform. The expectation is clearly that agencies operating at scale should be running these accounts with the same rigour they apply to client data in other contexts. If your Merchant Centre access list looks like it has not been reviewed since the account was set up, that is a gap worth closing - not because Google is watching, but because feed integrity is quietly one of the biggest levers on Shopping and PMax performance.