Accountability sits with the service provider and the identity owner together, because the provider is executing privileged work on behalf of the client. Without recordings, approvals, and logs, the provider cannot demonstrate what happened during elevation. That creates a governance gap that is especially difficult to resolve in shared-service environments.
Why This Matters for Security Teams
In an MSP model, missing privileged session recording is not a minor audit defect. It means no reliable evidence of who performed elevated actions, when the elevation occurred, or whether the work stayed within approved scope. That makes incident triage, client assurance, and dispute resolution much harder, especially when the provider is acting across multiple tenants and administrative boundaries. The governance gap is amplified because privileged access is often shared, time-bound, and operationally urgent.
NHIMG research shows only 5.7% of organisations have full visibility into their service accounts, which helps explain why MSP oversight often fails at the exact moment it is needed most. The risk is not just technical loss of telemetry, but accountability failure across two parties with different obligations. The Ultimate Guide to NHIs – Key Challenges and Risks frames this as a visibility and control problem, while the OWASP Non-Human Identity Top 10 highlights how weak governance around machine access turns ordinary operations into security exposure.
In practice, many security teams discover missing session records only after a client asks for proof of what happened during an elevated change.
How It Works in Practice
Accountability in an MSP setup is usually shared, but not equally. The service provider is accountable for operating privileged sessions under the agreed controls, while the identity owner, usually the client, remains accountable for setting the access policy, approval model, and evidence requirements. When session recording is missing, the provider cannot demonstrate execution integrity, and the client cannot prove that the privilege was used appropriately. That is why recordings, logs, approvals, and ticket references need to be treated as a single control set, not separate administrative chores.
Current guidance suggests pairing privileged access management with identity-bound session logging, so each elevation request is tied to an approved work item, a named operator, and a recorded session artifact. That can include:
- time-bound elevation with explicit start and end timestamps
- recorded console or remote sessions for privileged actions
- immutable log storage with tenant separation
- approved change or incident references linked to the session
- review and attestation by both provider and client after completion
This is also where Zero Trust expectations matter. The Ultimate Guide to NHIs – Key Challenges and Risks emphasises that visibility and rotation are baseline controls, not optional extras. For modern MSP operations, that baseline increasingly aligns with runtime verification and least privilege rather than standing access. The OWASP Non-Human Identity Top 10 also reinforces that machine and delegated access must be monitored as first-class identities, not hidden behind shared admin tooling.
These controls tend to break down when the MSP uses generic jump hosts, shared admin accounts, or tools that do not preserve per-session evidence across client tenants.
Common Variations and Edge Cases
Tighter session recording often increases operational friction, requiring organisations to balance forensic certainty against admin speed and privacy constraints. That tradeoff becomes most visible in emergency support, where teams may need break-glass access before a recorder is fully attached. Current guidance suggests defining those exceptions up front, with compensating controls such as immediate incident declaration, post-event review, and mandatory retrospective logging.
There is no universal standard for every MSP workflow yet, but the direction is consistent: if privileged work can affect client systems, then evidence of that work must be attributable. For shared-service platforms, the best practice is evolving toward client-specific recording, separate evidence retention, and explicit responsibility mapping in the contract and operating procedure. The identity owner should be able to request records; the provider should be able to produce them without ambiguity.
Where this guidance becomes difficult is in multi-region support centres, outsourced subcontractors, or remote access chains that cross several tools before reaching the target system. In those environments, missing one recording layer can make the entire chain unverifiable, even if some logs still exist.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-08 | Missing session evidence is a non-human identity governance failure. |
| NIST CSF 2.0 | PR.AC-4 | Privileged access oversight depends on recorded, reviewable access control. |
| CSA MAESTRO | GOV-03 | MSP accountability hinges on governance for delegated agent or operator actions. |
Assign ownership for delegated privileged actions and verify evidence before closing access.