
Why does disconnected identity tooling reduce MSP margins?

Because every extra console, API bridge, and manual verification step consumes technician time that cannot be billed elsewhere. That overhead grows with client count, so as revenue rises the operational burden rises with it. Margin improves only when the stack reduces recurring coordination work.

Why This Matters for Security Teams

Disconnected identity tooling is not just an inconvenience for managed service providers. It fragments access control, hides risk across multiple consoles, and turns every routine change into a manual coordination task. That means more technician touch time, slower remediation, and less capacity for higher-value work. NHI Management Group has documented that only 5.7% of organisations have full visibility into service accounts in the Ultimate Guide to NHIs, which helps explain why identity operations become expensive at scale.

The margin problem is structural. As client count grows, the MSP does not just add revenue; it also adds more exceptions, more approvals, more secret rotations, and more reconciliation between tools that do not share a common identity model. This is where the discipline reflected in NIST Cybersecurity Framework 2.0 becomes operationally relevant: governance and repeatable control execution reduce friction. In practice, many security teams encounter identity sprawl only after a failed audit, a secrets leak, or a customer escalation has already forced a manual clean-up.

How It Works in Practice

MSPs lose margin when identity tasks are split across ticketing, vaults, endpoint tools, cloud consoles, and customer-specific admin portals. Each system may be usable on its own, but the workflow cost appears when technicians must compare records, verify ownership, rotate credentials, and document the change in several places. That overhead is especially painful for non-human identities, where the same service account or API key may exist in code, CI/CD, infrastructure, and a customer vault at the same time.

The operational answer is not simply “buy another tool.” Best practice is to reduce identity drift by centralising lifecycle controls and making them repeatable:

  • Use one source of truth for NHI inventory and ownership.
  • Automate discovery so service accounts and secrets are found before customers report them.
  • Standardise rotation and revocation so technicians are not building one-off fixes.
  • Apply policy-based access reviews instead of manual exception handling for every client.
  • Track work by outcome, not by console activity, so time spent on identity maintenance is visible.

The underlying risk is not theoretical. NHI Management Group reports in the Top 10 NHI Issues that 79% of organisations have experienced secrets leaks, and 71% of NHIs are not rotated within recommended time frames. Those conditions create recurring service work that erodes delivery margin because every exception becomes a manual intervention. The control goal is to make identity work deterministic enough that technicians spend less time reconciling systems and more time preventing repeat incidents.
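The reconciliation work the list and paragraph above describe (comparing records across systems, verifying ownership, and catching secrets that have drifted past their rotation window) can be made deterministic with a small inventory script. The following is an added example written for this page, not code from the article or from NHI Management Group. It assumes a vault is the MSP's source of truth, a 90-day rotation policy, and constructed sample exports from four systems; the system names, field layout and identity names are all illustrative.

```python
"""Reconcile non-human identity (NHI) records scattered across several
systems into one inventory, then flag the conditions called out above:
unknown or conflicting ownership, identities missing from the source of
truth, rotation dates that disagree between copies of the same secret,
and secrets not rotated within policy.

All inputs are constructed sample data. The system names, the field
layout, the source-of-truth choice and the 90-day policy are assumptions
made for illustration, not values from the page.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

ROTATION_MAX_AGE = timedelta(days=90)  # assumed policy, not from the page
SOURCE_OF_TRUTH = "vault"              # assumed authoritative system

# Constructed sample exports: (system, identity name, owner, last rotation).
# The same identity appears in several systems, as the article describes.
SAMPLE_RECORDS = [
    ("vault", "svc-billing-api",   "team-billing", "2024-01-10"),
    ("ci",    "svc-billing-api",   None,           "2024-01-10"),
    ("cloud", "svc-billing-api",   "team-billing", "2023-06-01"),
    ("vault", "svc-report-runner", "team-data",    "2024-02-01"),
    ("repo",  "svc-legacy-export", None,           None),
    ("cloud", "svc-legacy-export", None,           "2022-11-15"),
]


@dataclass
class Identity:
    """One NHI merged across every system it was found in."""
    name: str
    systems: set = field(default_factory=set)
    owners: set = field(default_factory=set)
    last_rotations: dict = field(default_factory=dict)  # system -> date


def build_inventory(records):
    """Merge per-system records into one inventory keyed by identity name."""
    inventory = {}
    for system, name, owner, rotated in records:
        ident = inventory.setdefault(name, Identity(name))
        ident.systems.add(system)
        if owner:
            ident.owners.add(owner)
        if rotated:
            ident.last_rotations[system] = date.fromisoformat(rotated)
    return inventory


def find_findings(inventory, today, max_age=ROTATION_MAX_AGE,
                  source_of_truth=SOURCE_OF_TRUTH):
    """Return a list of (identity name, finding text), sorted by identity."""
    findings = []
    for name, ident in sorted(inventory.items()):
        # Ownership: nobody recorded, or two systems disagree.
        if not ident.owners:
            findings.append((name, "no owner recorded in any system"))
        elif len(ident.owners) > 1:
            findings.append((name, "conflicting owners: "
                             + ", ".join(sorted(ident.owners))))
        # Drift: the identity lives somewhere but not in the source of truth.
        if source_of_truth not in ident.systems:
            findings.append((name, f"present in {sorted(ident.systems)} "
                                   f"but absent from {source_of_truth}"))
        # Copies rotated on different dates mean one copy still holds the
        # old secret value.
        if len(set(ident.last_rotations.values())) > 1:
            findings.append((name, "rotation dates disagree across systems"))
        # Staleness: any copy older than policy, or never rotated at all.
        for system in sorted(ident.systems):
            rotated = ident.last_rotations.get(system)
            if rotated is None:
                findings.append((name, f"{system}: no rotation date recorded"))
            elif today - rotated > max_age:
                findings.append((name, f"{system}: last rotated {rotated}, "
                                       f"older than {max_age.days} days"))
    return findings


def audit(records=SAMPLE_RECORDS, today_iso="2024-03-01"):
    """Convenience entry point: build the inventory and return its findings."""
    return find_findings(build_inventory(records), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for name, finding in audit():
        print(f"{name}: {finding}")
```

Run against the sample data, the script reports nothing for the identity that exists only in the vault with a current rotation, two findings for the API key whose cloud copy was never rotated alongside the vault copy, and four for the legacy export account that has no owner, no vault record, and a stale or missing rotation date in every system it was found in. The point is that each finding is produced by the same rule for every client, so a technician reads a list instead of comparing consoles by hand.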

These controls tend to break down when each customer demands a different identity stack, because the MSP ends up reimplementing the same governance process in incompatible tooling.

Common Variations and Edge Cases

Tighter identity standardisation often increases onboarding effort, so MSPs have to balance short-term implementation cost against long-term operating efficiency. That tradeoff is real, especially when legacy customers refuse to change vaults, directory structure, or authentication patterns.

Current guidance suggests a few edge cases need special handling. Highly regulated clients may require separate administrative boundaries, which limits full consolidation. Multi-tenant MSP environments can also create conflicts between shared automation and customer-specific exceptions. In those cases, the goal is not identical tooling everywhere, but consistent control logic everywhere.

Identity sprawl is most expensive when it intersects with secrets that should have been rotated or revoked but remain active. NHI Management Group notes in the 52 NHI Breaches Analysis that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys. That is why MSPs should treat tooling consolidation as a margin control, not just a security upgrade. The practical exception is a customer with tightly coupled legacy systems, where standardisation may need to happen in phases rather than all at once.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Disconnected tooling usually creates hidden NHI inventory and ownership gaps. |
| NIST CSF 2.0 | GV.OC, PR.AC, PR.DS | Tool sprawl drives governance, access, and data protection inefficiency. |
| CSA MAESTRO | IAM | Multi-client identity operations need consistent lifecycle automation across environments. |

Standardise identity lifecycle automation so each client does not require a separate manual process.