Accountability should sit with the MSP as the access operator and with the customer as the environment owner, but both need evidence. Session recording, tamper-resistant logs, and clear approval trails make it possible to prove what happened and which control failed.
Why This Matters for Security Teams
MSP session misuse is not just an access problem; it is an accountability problem. When a third party operates inside a customer environment, the question is rarely whether access existed. The real issue is whether the session was approved, monitored, and attributable after the fact. That is why NIST Cybersecurity Framework 2.0 places strong emphasis on governance, logging, and control verification, not just initial access decisions.
For NHIs, the audit trail matters because service accounts, API keys, and remote admin pathways often outlive the people who created them. NHI Management Group has noted that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, which is why evidence quality becomes central to both incident response and post-incident dispute resolution. The audit record must show who approved the session, what scope was granted, what actions were taken, and whether the MSP stayed inside policy. See Ultimate Guide to NHIs — Regulatory and Audit Perspectives and Top 10 NHI Issues for the governance implications.
In practice, many security teams discover gaps only after a disputed session has already been used to change systems, exfiltrate data, or weaken controls.
How It Works in Practice
Accountability should be split, but not diluted. The MSP is accountable as the access operator because it initiates and uses the session. The customer is accountable as the environment owner because it defines the policy, approves the scope, and retains the evidence needed to investigate misuse. That division only works when the session is engineered for reviewability from the start.
Good practice is to combine session approval, scoped privilege, and tamper-resistant recording. The approval trail should show who requested access, who authorised it, the business reason, the time window, and the assets in scope. The recording should capture command execution, privilege elevation, and administrative actions, while logs should be written to an immutable or otherwise protected location. Current guidance suggests aligning this with NIST Cybersecurity Framework 2.0 functions for govern, protect, detect, and respond.
- Use unique operator identity for each MSP technician instead of shared accounts.
- Require just-in-time access and automatic expiry for every privileged session.
- Record session activity and preserve the evidence in a system the MSP cannot edit.
- Link approvals to ticketing or change records so the business reason is auditable.
- Review alerts for privilege escalation, command drift, and out-of-scope target access.
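As an added example (not code from the original article or from NHI Mgmt Group), the Python below models the controls listed above: an approval record with a named requester, approver, ticket, time window and asset scope; a hash-chained session recording in which altering any entry invalidates every later hash; and a review pass that flags operator mismatch, actions outside the window, out-of-scope targets and privilege elevation. The ticket id, operator names, hostnames and recorded commands are all constructed.

```python
import hashlib, json
from datetime import datetime

# Constructed approval record (hypothetical ticket id, operator and asset names).
APPROVAL = {
    "ticket": "CHG-0001", "approver": "customer-app-owner",
    "requester": "msp-tech-alice",  # one named operator, never a shared account
    "window": ("2024-05-01T10:00:00+00:00", "2024-05-01T12:00:00+00:00"),
    "scope": {"web-01", "web-02"},
}
GENESIS = "0" * 64
FIELDS = ("operator", "ts", "target", "command")
def _hash(prev, event):
    body = json.dumps({k: event[k] for k in FIELDS}, sort_keys=True)
    return hashlib.sha256((prev + body).encode()).hexdigest()
def append_event(log, operator, ts, target, command):
    """Record one action; its hash covers the previous hash, so editing or dropping an
    earlier entry breaks later hashes (tamper-evident only: store it where the MSP cannot write)."""
    event = dict(zip(FIELDS, (operator, ts, target, command)))
    event["hash"] = _hash(log[-1]["hash"] if log else GENESIS, event)
    log.append(event)
def verify_chain(log):
    """Recompute every hash; False means the record was altered after writing."""
    prev = GENESIS
    for e in log:
        if _hash(prev, e) != e["hash"]:
            return False
        prev = e["hash"]
    return True
def review(log, approval):
    """Compare each recorded action with the approval and return alert strings."""
    start, end = (datetime.fromisoformat(t) for t in approval["window"])
    alerts = []
    for i, e in enumerate(log):
        if e["operator"] != approval["requester"]:
            alerts.append(f"{i}: operator {e['operator']} is not the approved requester")
        if not start <= datetime.fromisoformat(e["ts"]) <= end:
            alerts.append(f"{i}: action outside the approved time window")
        if e["target"] not in approval["scope"]:
            alerts.append(f"{i}: out-of-scope target {e['target']}")
        if e["command"].startswith("sudo "):
            alerts.append(f"{i}: privilege elevation: {e['command']}")
    return alerts
def sample_session():
    """Constructed recording: two in-scope actions, then drift to an out-of-scope host."""
    log = []
    append_event(log, "msp-tech-alice", "2024-05-01T10:05:00+00:00", "web-01", "apt-get upgrade -y")
    append_event(log, "msp-tech-alice", "2024-05-01T10:20:00+00:00", "web-02", "sudo systemctl restart nginx")
    append_event(log, "msp-tech-alice", "2024-05-01T12:30:00+00:00", "db-01", "systemctl status postgresql")
    return log
```

Running `review(sample_session(), APPROVAL)` yields three alerts (one elevation, one out-of-window action, one out-of-scope target), and rewriting any recorded command afterwards makes `verify_chain` return False.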
For NHI-heavy estates, this is also a lifecycle problem. The NHI Lifecycle Management Guide and Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs both reinforce that access without revocation, logging, and ownership transfer becomes unauditable over time. These controls tend to break down when MSPs use shared jump hosts, customer logging is disabled, or privileged actions occur through opaque automation that cannot be tied to a named operator.
Common Variations and Edge Cases
Tighter session control often increases operational friction, requiring organisations to balance faster support resolution against stronger evidence and oversight. That tradeoff is especially visible in 24/7 managed services, emergency break-glass access, and multi-tenant MSP tooling, where speed can compete with reviewability.
There is no universal standard for this yet, but current guidance is clear on one point: accountability cannot rest on verbal assurances. If the MSP uses delegated admin tooling, the customer still needs proof of what was done inside its own environment. If the customer allows contractor access through federated identity, the operator identity still needs to be preserved in logs rather than collapsed into a generic provider role. Where regulated data is involved, audit requirements usually demand stronger retention, tamper resistance, and segregation of duties.
The hardest cases are shared service desks, outsourced incident response, and “follow-the-sun” operations where multiple technicians may touch the same environment in one day. In those environments, session recording alone is not enough unless it is paired with approval lineage, scoped permissions, and incident-scoped retention. The lesson is consistent: after-the-fact accountability depends on evidence that survives handoffs, not on who claims they were in the session.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OC-01 | Defines ownership and accountability for managed access activities. |
| OWASP Non-Human Identity Top 10 | NHI-07 | Covers logging and monitoring of non-human access paths used by MSPs. |
| CSA MAESTRO | GOV-03 | Requires governance and traceability across third-party agentic access operations. |
Record privileged MSP activity in tamper-resistant logs and review for out-of-scope actions.