
How can MSPs move from commodity support to higher-margin identity services?

MSPs should build recurring services around access governance, SSO administration, MFA policy, and privileged access oversight. Those are harder for clients to standardise internally and easier to justify commercially than break-fix support. The key is to sell measurable identity outcomes, not vague technical labour.

Why This Matters for Security Teams

For MSPs, identity services are one of the clearest ways to move from hourly support to recurring, higher-margin work. Clients do not just need help resetting passwords or onboarding users. They need ongoing control over who can access what, when MFA policies change, and how privileged accounts are monitored. That is especially true as identity sprawl shifts beyond employees into service accounts, API keys, and automation. NHI Mgmt Group notes in the Ultimate Guide to NHIs that only 5.7% of organisations have full visibility into their service accounts.

This matters commercially because identity work is harder for clients to standardise internally than basic break-fix support, which makes it easier for an MSP to package, measure, and renew. It also matters operationally because identity failures are rarely isolated. The NIST Cybersecurity Framework 2.0 frames identity and access as a core governance function, not a one-time configuration task, which aligns well with managed service delivery. In practice, many MSPs only engage with identity-driven incidents after a client has already suffered an access review failure, an overprivileged account, or a secrets exposure, rather than through deliberate service design.

How It Works in Practice

The strongest MSP identity offers are built as recurring operational controls, not project-only implementations. Instead of selling “SSO setup” once, the MSP should sell ongoing administration of identity posture: joiner-mover-leaver workflows, MFA enforcement, privileged access oversight, access recertification, and exception handling. This is where service revenue becomes defensible, because identity policies change continuously as applications, vendors, and users change.

A practical service stack often includes:

  • SSO administration and application onboarding with standard templates
  • MFA policy design, rollout, and exception governance
  • Role-based access reviews and privileged access monitoring
  • Service account hygiene, including inventory and ownership tracking
  • Secret rotation support for credentials embedded in apps, pipelines, or admin tools

To make this marketable, tie each service to outcomes the client can audit: fewer standing privileges, faster deprovisioning, tighter MFA coverage, and lower identity risk. The Top 10 NHI Issues research is useful here because it reinforces a broader point: identity problems are often hidden in service accounts and long-lived credentials, not just in human logins. MSPs can use that framing to expand their scope from help desk labour into identity governance.

The commercial model usually works best when packaged as tiered recurring services with clear service-level objectives, regular reporting, and monthly access health reviews. Current guidance suggests caution about productising everything too aggressively. If the client environment is highly bespoke, identity operations may need more advisory time than a fixed template allows. These controls tend to break down when the MSP inherits fragmented directories, undocumented application ownership, and no reliable source of truth for account lifecycle.
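The monthly access health review described above can be reduced to a small, repeatable check over the client's account inventory. The following is an added example, not code from the original article: it turns a constructed inventory of human and service accounts into the auditable outcomes the text names (MFA coverage, standing privileges, deprovisioning lag, service-account ownership and secret rotation age) and flags where they miss assumed service-level objectives. The field names and SLO thresholds are assumptions.

```python
"""Monthly access health review for an MSP identity service (added example)."""
from datetime import date

TODAY = date(2025, 6, 30)  # constructed review date
# Constructed inventory, as an MSP might export it from a directory or cloud IAM.
# Field names are assumptions; no real client data is represented.
ACCOUNTS = [
    {"id": "alice", "kind": "human", "mfa": True, "privileged": True, "owner": "alice",
     "left_on": None, "cred_age_days": 12},
    {"id": "bob", "kind": "human", "mfa": False, "privileged": False, "owner": "bob",
     "left_on": date(2025, 6, 20), "cred_age_days": 40},      # leaver, still enabled
    {"id": "svc-backup", "kind": "service", "mfa": False, "privileged": True, "owner": None,
     "left_on": None, "cred_age_days": 400},                   # unowned, secret never rotated
    {"id": "ci-deploy", "kind": "service", "mfa": False, "privileged": False,
     "owner": "platform", "left_on": None, "cred_age_days": 30},
]
# Service-level objectives the MSP reports against (assumed values).
SLO = {"mfa_coverage": 1.0, "max_deprov_lag_days": 1, "max_secret_age_days": 90}

def review(accounts, today=TODAY, slo=SLO):
    """Return (metrics, findings) for one access health review."""
    humans = [a for a in accounts if a["kind"] == "human"]
    services = [a for a in accounts if a["kind"] == "service"]
    leavers = [a for a in humans if a["left_on"]]
    metrics = {
        # MFA coverage is measured over human logins; service accounts use secrets.
        "mfa_coverage": sum(a["mfa"] for a in humans) / len(humans) if humans else 1.0,
        "standing_privileged": sorted(a["id"] for a in accounts if a["privileged"]),
        # Days a leaver has remained enabled after their leaving date.
        "deprov_lag_days": {a["id"]: (today - a["left_on"]).days for a in leavers},
        "unowned_service_accounts": sorted(a["id"] for a in services if not a["owner"]),
        "rotation_overdue": sorted(a["id"] for a in services
                                   if a["cred_age_days"] > slo["max_secret_age_days"]),
    }
    findings = []
    if metrics["mfa_coverage"] < slo["mfa_coverage"]:
        findings.append(f"MFA coverage {metrics['mfa_coverage']:.0%} below SLO")
    for acct, lag in metrics["deprov_lag_days"].items():
        if lag > slo["max_deprov_lag_days"]:
            findings.append(f"{acct}: still enabled {lag} days after leaving")
    findings += [f"{s}: no recorded owner" for s in metrics["unowned_service_accounts"]]
    findings += [f"{s}: secret older than {slo['max_secret_age_days']} days"
                 for s in metrics["rotation_overdue"]]
    return metrics, findings

if __name__ == "__main__":
    for line in review(ACCOUNTS)[1]:
        print("FINDING:", line)
```

Each finding maps to one of the service lines in the stack above, so the same report doubles as the client-facing evidence that the control ran.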

Common Variations and Edge Cases

Tighter identity oversight often increases delivery overhead, requiring MSPs to balance standardisation against client-specific complexity. That tradeoff is real, especially when clients span multiple directories, legacy applications, and regulated environments. The best practice is evolving, but most mature MSP offers separate the repeatable core from the exceptions: standard MFA policy, standard access review cadence, and standard offboarding checks, with bespoke handling only where business-critical systems demand it.

One useful differentiator is whether the client is buying administration or governance. Administration covers routine changes. Governance covers decision support, audit evidence, and control validation. That second layer is where margins improve, because the service becomes harder to replace with commodity labour. It is also where identity work connects to board-level risk, especially as analyses such as the 52 NHI Breaches Analysis show how weak identity hygiene can compound into larger compromise paths.

For some clients, the right entry point is not a full identity program but a narrow managed control such as privileged access oversight or service account governance. That is often the easiest way to prove value before expanding into broader identity operations. For MSPs serving cloud-heavy or automation-heavy customers, identity services should increasingly include non-human identity oversight, because machine accounts and API keys are now part of the same commercial risk surface as employee access.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Identity proofing and access control underpin recurring MSP identity services. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Secret rotation and lifecycle management are central to higher-margin identity services. |
| NIST AI RMF | AI RMF | Governance is relevant where MSPs manage identity for agentic systems and automation. |

Standardise access governance work around PR.AC-1 and report access changes as a managed control outcome.