By NHI Mgmt Group Editorial Team
Published 2025-07-17
Domain: Best Practices
Source: JumpCloud

TL;DR: High-growth MSPs are not avoiding complexity but operationalising it, with 22% growing revenue by more than 20%, 70% supporting devices beyond Windows, and 75% managing more SaaS applications, according to JumpCloud’s webinar-based post. The underlying signal is that scale now depends on policy, automation, and governance across mixed estates, not stack simplification.


At a glance

What this is: A webinar-based analysis of why high-growth MSPs are leaning into complexity, with evidence that growth is now tied to managing diverse devices, SaaS sprawl, and repeatable policy enforcement.

Why it matters: It matters because MSP operating models increasingly intersect with identity governance across human users, machine access, and emerging AI agents, which raises the bar for access control and lifecycle discipline.

By the numbers (from JumpCloud's webinar-based post):

  • 22% growing revenue by more than 20%
  • 70% supporting devices beyond Windows
  • 75% managing more SaaS applications

👉 Read JumpCloud's analysis of high-growth MSP operations and complexity


Context

High-growth MSPs are demonstrating that complexity is not the enemy of scale when policy, automation, and governance are strong enough to absorb it. In practice, that means supporting hybrid device estates, more SaaS, and broader client requirements without losing operational control.

For identity and access teams, the MSP model is a useful proxy for broader enterprise reality: more environments, more identities, and more exceptions. The primary question is no longer whether complexity exists, but whether access governance can keep pace with it across human, non-human, and emerging agentic identities.


Key questions

Q: How should MSPs govern access across mixed device environments?

A: MSPs should define a common policy baseline for every supported device class, then layer exceptions only where business need is explicit. The goal is not identical configuration everywhere, but consistent enforcement, visibility, and auditability across Windows, macOS, Linux, and mobile estates. That reduces drift and makes onboarding and offboarding materially easier.

Q: Why do SaaS sprawl and shadow IT create identity risk for MSPs?

A: Because each unsanctioned application creates its own authentication path, access entitlement set, and lifecycle burden. If those apps are not tied back to ownership and review processes, access can outlive business need and bypass normal oversight. The result is a governance gap, not just a software inventory problem.

Q: What do high-growth MSPs get right about automation?

A: They use automation to make policy execution repeatable, not to replace governance. That includes patching, configuration enforcement, compliance checks, and other recurring controls that become unreliable when handled manually at scale. Automation works best when it shortens the time between drift and remediation.

Q: How should organisations treat AI agents in identity governance?

A: They should treat AI agents as identities with ownership, access limits, monitoring, and revocation requirements. If an agent can act on systems or data, its access should be lifecycle-managed like any other non-human identity. The key is to prevent privileges from persisting after the task or service need has ended.


Technical breakdown

Policy standardisation across mixed device estates

Policy standardisation is the control pattern that lets MSPs manage Windows, macOS, Linux, and mobile devices without treating every client like a bespoke case. The mechanism is not uniform hardware, but uniform governance rules that define what must be enforced, monitored, and remediated regardless of endpoint type. That matters because device diversity increases configuration drift, support variance, and audit friction. When policies are consistently applied, the MSP can scale onboarding and reduce exception handling while preserving client-specific flexibility where it is truly required.

Practical implication: standardise access and security policy baselines before adding more device classes.

Automation as the control plane for operational scale

Automation in MSP operations is less about convenience than control density. Patch management, policy enforcement, and compliance tracking all become more reliable when they are executed by repeatable workflows instead of manual tickets. The technical value is that automation compresses the time between drift detection and remediation, which reduces the window in which misconfiguration becomes an incident. It also makes service delivery more consistent across a larger estate, which is why high-growth MSPs can expand without adding headcount at the same rate.

Practical implication: automate the controls that create repeatability first, then expand service scope.
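
The two patterns above (one baseline rule set for every platform, with exceptions that are explicit and dated, and automated drift detection that feeds remediation) can be shown in a few dozen lines. The following is an added example written for this post, not JumpCloud's or NHI Mgmt Group's code; the device reports, tenants, controls and exception register are constructed sample data, and the assumption is that a per-platform agent or MDM has already normalised posture into the `DeviceReport` shape.

```python
"""Uniform policy baseline with explicit, expiring exceptions and drift detection.

Added illustration for this post; not JumpCloud's or NHI Mgmt Group's code.
All device reports, tenants and exceptions below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Optional, Tuple

TODAY = date(2025, 7, 17)  # fixed reference date so the run is deterministic


@dataclass(frozen=True)
class DeviceReport:
    """Normalised posture report; a per-platform agent or MDM fills this in (assumed)."""
    device_id: str
    tenant: str
    platform: str                    # windows | macos | linux | ios | android
    disk_encrypted: bool             # BitLocker, FileVault, LUKS or platform default
    screen_lock_seconds: Optional[int]
    last_patch: date
    mdm_enrolled: bool


@dataclass(frozen=True)
class PolicyException:
    """An exception is narrow, owned and dated: one tenant, one control, an approver, an expiry."""
    tenant: str
    control: str
    approver: str
    expires: date
    platforms: Tuple[str, ...] = ()  # empty means every platform in the tenant


# One baseline for every platform. Each control is a predicate on the normalised
# report, so the rule is identical even where the OS-level setting is not.
BASELINE: Dict[str, Callable[[DeviceReport], bool]] = {
    "disk_encryption": lambda d: d.disk_encrypted,
    "screen_lock_10min": lambda d: (d.screen_lock_seconds is not None
                                    and d.screen_lock_seconds <= 600),
    "patched_within_30d": lambda d: (TODAY - d.last_patch).days <= 30,
    "mdm_enrolled": lambda d: d.mdm_enrolled,
}


def exception_applies(exc: PolicyException, device: DeviceReport, control: str) -> bool:
    """True only when the exception is in scope for this device and control and has not expired."""
    if exc.tenant != device.tenant or exc.control != control:
        return False
    if exc.platforms and device.platform not in exc.platforms:
        return False
    return exc.expires >= TODAY


def evaluate(devices: List[DeviceReport],
             exceptions: List[PolicyException]) -> Dict[str, List[str]]:
    """Drift findings per device id; devices with no findings are omitted.

    A failing control covered by an in-date exception is not drift. A failing control
    whose exception has lapsed is reported as such, because a silently expired
    exception is exactly the kind of gap that widens over time.
    """
    findings: Dict[str, List[str]] = {}
    for device in devices:
        for control, check in BASELINE.items():
            if check(device):
                continue
            if any(exception_applies(e, device, control) for e in exceptions):
                continue
            lapsed = any(e.tenant == device.tenant and e.control == control
                         and e.expires < TODAY for e in exceptions)
            findings.setdefault(device.device_id, []).append(
                f"{control} (expired exception)" if lapsed else control)
    return findings


# Constructed sample estate: two tenants, four platforms, one in-date and one lapsed exception.
DEVICES = [
    DeviceReport("win-01", "acme", "windows", True, 300, date(2025, 7, 1), True),
    DeviceReport("mac-02", "acme", "macos", True, 900, date(2025, 7, 10), True),
    DeviceReport("lin-03", "acme", "linux", False, 300, date(2025, 5, 1), False),
    DeviceReport("ios-04", "globex", "ios", True, 120, date(2025, 7, 15), False),
]
EXCEPTIONS = [
    PolicyException("acme", "mdm_enrolled", "alice@acme.example", date(2025, 12, 31), ("linux",)),
    PolicyException("globex", "mdm_enrolled", "bob@globex.example", date(2025, 6, 30)),
]

if __name__ == "__main__":
    # The findings map doubles as the remediation queue an automation workflow would consume.
    for device_id, drift in evaluate(DEVICES, EXCEPTIONS).items():
        print(f"{device_id}: {', '.join(drift)}")
```

The design point is that the exception register, not the baseline, is where client-specific flexibility lives: it is small, scoped to one control, has an approver, and expires, so a lapsed exception surfaces as drift instead of quietly becoming permanent.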

SaaS sprawl and shadow IT governance

SaaS sprawl creates an identity problem before it becomes an application problem. Every unsanctioned app introduces another access path, another credential set, and another place where lifecycle ownership can disappear. Shadow IT governance therefore depends on discovery, access visibility, and policy enforcement around who can connect what to the managed environment. In MSP settings, that governance has to extend to AI-enabled platforms as well, because unmanaged integrations behave like any other uncontrolled access surface even when the interface looks harmless.

Practical implication: inventory unmanaged apps and bind them to access review and offboarding processes.


NHI Mgmt Group analysis

Complexity is now the operating condition, not the exception. The webinar’s core finding is that high-growth MSPs are succeeding by building governance around diversity instead of trying to eliminate it. That matters because hybrid devices, broader SaaS usage, and client-specific requirements are the baseline environment now, not temporary noise. The practitioner conclusion is that scale comes from control design, not from architectural nostalgia.

Shadow IT is an identity governance problem before it is a tooling problem. When unmanaged SaaS becomes normal, the real failure is loss of entitlement visibility and lifecycle ownership. Access review processes that only cover sanctioned systems miss the majority of practical risk in a sprawling MSP estate. The implication is that governance must follow the access path, not just the approved application catalog.

Automation is the only way to keep policy consistent as service breadth expands. Manual handling of patching, compliance, and enforcement does not survive cross-platform growth at MSP scale. This is not a productivity preference; it is a control-limit issue. The practitioner conclusion is that repeatable policy execution becomes the margin-preserving layer of the operating model.

Planning for AI agents as identities is the right next-step move. The article’s guidance to treat digital workers like other identities is directionally correct because the governance question is access, monitoring, and revocation. That places AI agents inside the same entitlement lifecycle logic as service accounts and other non-human identities, even if their runtime behaviour will later require tighter controls. The implication is that MSPs should extend identity discipline now rather than wait for agent sprawl to create blind spots.

Identity blast radius: the size of unmanaged access is becoming the real growth constraint. As MSPs support more devices and more SaaS, the consequential risk is not just sprawl but the reach of any single uncontrolled identity or policy gap. That is a governance concept worth naming because it links endpoint diversity, SaaS visibility, and lifecycle discipline into one operating measure. The practitioner conclusion is to shrink blast radius through tighter policy scopes and cleaner offboarding.

From our research:

  • 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to the 2026 Infrastructure Identity Survey.
  • Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
  • For a broader governance lens, NIST Cybersecurity Framework 2.0 helps teams anchor identity controls in identify, protect, detect, respond, and recover functions.

What this signals

Identity control for MSPs is converging with enterprise AI governance faster than many teams expect. As client estates expand into more SaaS and more digital workers, MSPs will need entitlement models that cover humans, service accounts, and AI agents in the same operating view. With only 44% of organisations reporting any policies for AI agents, according to the 2026 Infrastructure Identity Survey, policy maturity is already becoming a service differentiator.

The practical signal is that audit readiness will depend less on the number of tools in the stack and more on whether every active access path has an owner, a purpose, and an offboarding trigger. MSPs that can prove that discipline will be better positioned to support complex client environments without turning governance into manual overhead.


For practitioners

  • Standardise policy baselines across all managed endpoints: Define a single control baseline for Windows, macOS, Linux, iOS, and Android, then document where exceptions are allowed and who approves them. Keep the baseline small enough to enforce consistently across every client tenant.
  • Automate the controls that fail under ticket-based handling: Prioritise workflows for patching, configuration enforcement, compliance checks, and recurring access tasks so the same policy executes the same way every time. Use automation to reduce drift between client environments and internal teams.
  • Bind shadow IT discovery to identity lifecycle processes: Map unmanaged SaaS and AI-enabled apps to owners, access paths, and offboarding steps so discovery is followed by entitlement cleanup. Treat any app with active authentication as part of the access review scope, not as an isolated software issue.
  • Treat AI agents as governed identities from day one: Assign ownership, monitor activity, and revoke privileges when tasks end, using the same lifecycle discipline you apply to other non-human identities. Do not allow agent access to persist simply because the workflow still exists.
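
The last two practitioner items, and the earlier test that every active access path has an owner, a purpose, and an offboarding trigger, reduce to a register review that works the same way for humans, service accounts, discovered SaaS integrations and AI agents. The following is an added example written for this post, not JumpCloud's or NHI Mgmt Group's code. The register entries, review intervals, dormancy threshold, system names and action vocabulary are all constructed for illustration; it also puts one possible number on the post's "identity blast radius" by counting the systems reachable through paths that still have open findings.

```python
"""Access-path register review: owner, purpose, offboarding trigger, review cadence, dormancy.

Added illustration for this post; not JumpCloud's or NHI Mgmt Group's code. The
register entries, review intervals and system names are constructed sample data;
the action names are this example's own vocabulary.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

TODAY = date(2025, 7, 17)  # fixed reference date so the run is deterministic

# Review cadence per identity kind (days). AI agents are reviewed most often because
# their task scope changes fastest. Values chosen for the example, not a standard.
REVIEW_INTERVAL_DAYS = {"human": 180, "service_account": 90,
                        "saas_integration": 90, "ai_agent": 30}
DORMANCY_DAYS = 60


@dataclass(frozen=True)
class AccessPath:
    """One active authentication path, whatever kind of identity sits behind it."""
    id: str
    kind: str                           # human | service_account | saas_integration | ai_agent
    tenant: str
    owner: Optional[str]
    purpose: Optional[str]
    offboarding_trigger: Optional[str]  # e.g. hr_leaver, contract_end, task_complete
    last_reviewed: Optional[date]
    last_used: Optional[date]
    task_active: bool = True            # is the work that justified the access still running?
    sanctioned: bool = True             # False: found by shadow-IT discovery, not onboarding
    systems: Tuple[str, ...] = ()       # systems reachable through this path


def review(path: AccessPath) -> List[str]:
    """Return the governance actions this path needs; an empty list means it is clean."""
    actions: List[str] = []
    if path.owner is None:
        actions.append("assign_owner")
    if path.purpose is None:
        actions.append("document_purpose")
    if path.offboarding_trigger is None:
        actions.append("define_offboarding_trigger")
    if not path.sanctioned:
        actions.append("bring_into_review_scope")
    interval = REVIEW_INTERVAL_DAYS[path.kind]
    if path.last_reviewed is None or (TODAY - path.last_reviewed).days > interval:
        actions.append("access_review_overdue")
    if path.last_used is None or (TODAY - path.last_used).days > DORMANCY_DAYS:
        actions.append("dormant_disable")
    # Non-human identities lose access when the task ends, not when someone remembers.
    if path.kind in ("service_account", "ai_agent") and not path.task_active:
        actions.append("revoke_task_ended")
    return actions


def triage(paths: List[AccessPath]) -> Dict[str, List[str]]:
    """Map of path id -> actions, for every path with at least one finding."""
    result: Dict[str, List[str]] = {}
    for path in paths:
        actions = review(path)
        if actions:
            result[path.id] = actions
    return result


def ungoverned_blast_radius(paths: List[AccessPath]) -> List[str]:
    """Distinct systems reachable through paths that still have open findings.

    One way to put a number on 'identity blast radius': the reach of every
    access path that is not yet fully owned, reviewed and revocable.
    """
    reach = set()
    for path in paths:
        if review(path):
            reach.update(path.systems)
    return sorted(reach)


# Constructed register: one clean human, one overdue service account, one shadow SaaS
# integration with no owner at all, and an AI agent whose pilot task has ended.
REGISTER = [
    AccessPath("alice", "human", "acme", "hr@acme.example", "helpdesk engineer", "hr_leaver",
               date(2025, 6, 1), date(2025, 7, 16), systems=("ticketing",)),
    AccessPath("svc-backup", "service_account", "acme", "ops@acme.example", "nightly backup",
               "contract_end", date(2025, 3, 1), date(2025, 7, 16), systems=("backup-vault",)),
    AccessPath("crm-sync-app", "saas_integration", "acme", None, None, None, None,
               date(2025, 7, 1), sanctioned=False, systems=("crm", "erp")),
    AccessPath("agent-ticket-triage", "ai_agent", "globex", "it@globex.example",
               "pilot: triage inbound tickets", "task_complete", date(2025, 7, 10),
               date(2025, 4, 1), task_active=False, systems=("ticketing", "crm")),
]

if __name__ == "__main__":
    for path_id, actions in triage(REGISTER).items():
        print(f"{path_id}: {', '.join(actions)}")
    print("ungoverned reach:", ungoverned_blast_radius(REGISTER))
```

Note that the discovered integration fails on every governance field at once, which is the point of binding discovery to lifecycle: the same review that catches an overdue service account also tells you what the shadow app is missing before it can be treated as in scope.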

Key takeaways

  • The article’s real message is that growth now rewards MSPs that can govern complexity instead of resisting it.
  • High-performing providers are combining policy standardisation, automation, and shadow IT visibility to scale across more diverse client environments.
  • The same identity discipline will increasingly need to cover AI agents and other non-human access paths, not just endpoints and SaaS apps.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
NIST CSF 2.0                     | PR.AC-4             | Access permissions must stay aligned as MSP estates span more devices and SaaS apps.
OWASP Non-Human Identity Top 10  | NHI-03              | Lifecycle governance is central where MSPs manage SaaS, service accounts, and AI agents.
NIST Zero Trust (SP 800-207)     | PR.AC-1             | Diverse devices and applications need continuously verified access rather than trust by default.

Map managed access to PR.AC-4 and keep privilege scopes consistent across every client environment.


Key terms

  • Shadow IT: Software or cloud services used without formal approval or governance. In MSP environments, it often appears as unmanaged SaaS connected by users or clients outside the standard control plane, creating hidden authentication paths, unclear ownership, and offboarding gaps that increase identity risk.
  • Policy Standardisation: A control approach that applies the same security and access rules across different devices, platforms, or client environments. The aim is consistency of enforcement, not identical technical configuration, so teams can scale operations while keeping exceptions visible and manageable.
  • Identity Blast Radius: The amount of access, systems, or data affected when a single identity, policy, or entitlement goes wrong. It is a useful way to think about how far mis-scoped access can travel in a complex environment, especially when unmanaged SaaS, digital workers, and delegated access are involved.
  • Lifecycle Management: The governance process that controls identity creation, changes, review, rotation, and removal. For MSPs, it needs to cover human users, service accounts, SaaS connections, and AI agents so access does not persist beyond business need or ownership.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.

This post draws on content published by JumpCloud: High-growth MSPs are thriving in complexity. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-07-17.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org