I agree, this whole area is weaker than it should be in CB. A similar thing happened to me when appointing an accountant. It turns out that they had been added as admin and the account owner. I was subsequently unable to remove their access when I changed accountants last year. I dont think it is too strong a position to take to say they effectively gave my account to somone else. I was at risk of having to go through a process where I had to send in ID to prove who I was. Now, I understand that process and it is reasonable for them to ask that but it shouldn't have happened in the first place. As it happened the accountant wrote to them and asked to have herself removed.
These sections in the Access Conditions Terms do not seem to be entirely accurate...
2.2 the Subscriber determines who is an Invited User and what level of user role access to the relevant organisation and Service that Invited User has;
2.3 the Subscriber is responsible for all Invited Users’ use of the Service;
2.4 the Subscriber controls each Invited User’s level of access to the relevant organisation and Service at all times and can revoke or change an Invited User’s access, or level of access, at any time and for any reason, in which case that person or entity will cease to be an Invited User or shall have that different level of access, as the case may be;
2.5 if there is any dispute between a Subscriber and an Invited User regarding access to any organisation or Service, the Subscriber shall decide what access or level of access to the relevant Data or Service that Invited User shall have, if any.