TL;DR: MSPs are operating across Windows, Google Workspace, mobile, SaaS, and near-universal AI adoption, and JumpCloud says high-growth firms are responding with standardised policies, automation, and strict shadow IT enforcement. The security lesson is that sprawl is now the operating baseline, so governance must scale across devices, apps, and AI access together.
At a glance
What this is: This is a JumpCloud analysis of how MSPs are managing multi-platform device, SaaS, and AI sprawl, with the key finding that top performers standardise policies, automate controls, and govern shadow IT more aggressively.
Why it matters: It matters because MSP operating models increasingly intersect with NHI, human IAM, and emerging AI access governance, so the same sprawl that drives scale also expands identity risk and control drift.
By the numbers:
- 70% of MSPs are managing more than just Windows environments.
- 64% of organizations are running both Microsoft and Google Workspace.
- 95% of all MSPs are concerned about shadow IT.
👉 Read JumpCloud's analysis of MSP governance for device, SaaS, and AI sprawl
Context
MSP environments are no longer defined by a single desktop stack. They now span mixed operating systems, multiple collaboration suites, mobile devices, SaaS applications, and AI tools, which makes identity governance and control consistency harder to maintain across every client estate.
The practical problem is not complexity itself, but unmanaged variation. When access policy, device control, and application oversight differ from one client or platform to the next, the result is control drift, shadow IT, and higher operational overhead for teams that already manage many identities and entitlements at once.
Key questions
Q: How should MSPs standardise governance across different client environments?
A: MSPs should set one minimum control baseline for device posture, approved applications, and access enforcement, then allow only documented exceptions. That approach reduces tenant-by-tenant inconsistency and makes it easier to audit policy compliance across mixed platforms. Standardisation works best when the baseline is simple enough to enforce repeatedly, but strict enough to stop local workarounds from becoming the default operating model.
Q: Why do shadow IT and SaaS sprawl create access risk for MSPs?
A: Shadow IT creates access risk because unmanaged tools sit outside normal review, approval, and revocation processes. Once an app is in use without governance, teams lose visibility into who has access, what data it can reach, and whether it should remain connected. In MSP environments, that hidden surface grows quickly because each client can add tools faster than a central team can classify them.
Q: How do automation and policy enforcement work together in MSP operations?
A: Automation should carry out an already-defined policy, not replace policy judgment. In MSP operations, that means using workflow controls to apply updates, push device settings, and check entitlement drift consistently across tenants. If the underlying policy is inconsistent, automation only scales the inconsistency. The goal is repeatable enforcement, faster remediation, and fewer manual exceptions.
Q: What should MSPs prioritise first when AI tools, SaaS, and devices are all expanding at once?
A: MSPs should prioritise visibility and policy consistency before they expand automation depth. If teams cannot inventory what is in use, they cannot decide what to govern, approve, or restrict. The most effective sequence is discovery, baseline policy, then automation. That order prevents the organisation from automating blind spots and makes later scaling more reliable.
Technical breakdown
Why policy standardisation matters across MSP estates
Standardisation means applying the same control baseline across different client environments, even when the underlying stacks differ. In MSP operations, that baseline usually includes device posture rules, access expectations, application approval boundaries, and exception handling. Without a common policy layer, every client becomes a one-off governance exercise, which increases inconsistency and makes audits harder. Standardisation does not remove tenant differences, but it reduces the number of decisions technicians have to make manually. That matters because identity and device controls only work reliably when they can be repeated at scale across varied environments.
Practical implication: define a minimum control baseline for every client and enforce it before allowing environment-specific exceptions.
Automation for device and identity management
Automation in MSP operations is the use of repeatable workflows to apply updates, enforce policy, and remediate drift without constant human intervention. It is most valuable where the same task must be performed across many devices, accounts, or client tenants. In identity terms, automation reduces the time between policy change and enforcement, which is critical when access rules, patching, or compliance checks need to be consistent. It also lowers the chance that technicians will rely on ad hoc fixes that are hard to reproduce later. The technical risk is not too much automation, but automation that is not tied to approved governance logic.
Practical implication: move repetitive device and access tasks into governed workflows that can be audited and rolled back.
Shadow IT and SaaS sprawl in MSP environments
Shadow IT is any application, service, or access path that is used outside approved governance. In MSP settings, that sprawl grows quickly because clients adopt SaaS tools and AI services faster than central controls can catalog them. The technical challenge is visibility, not just enforcement. If you cannot discover what is in use, you cannot review access, classify risk, or decide whether a tool should be blocked, approved, or monitored. This is where identity governance overlaps with application discovery and entitlement management, because unmanaged applications become unmanaged access pathways.
Practical implication: inventory client-facing apps and AI tools continuously, then tie approval status to access enforcement.
NHI Mgmt Group analysis
MSP sprawl is now an identity governance problem, not just an operations problem. When clients run multiple operating systems, multiple collaboration suites, and AI-enabled tools at the same time, access control becomes fragmented across platforms and tenants. That fragmentation increases the chance that policy intent and actual enforcement diverge. The practitioner conclusion is clear: MSPs need a governance model that treats device, SaaS, and AI access as one control surface.
Standardisation is the only realistic response to multi-tenant variance. The article’s own data shows that most MSPs are already managing beyond Windows, which means bespoke handling for every client does not scale. A common policy baseline is what keeps privilege, device posture, and app access from becoming client-specific guesswork. The practitioner conclusion is that consistency must be designed in before service expansion creates unmanageable drift.
Automation is the control amplifier, not the control objective. Automating patching and security tasks matters because it shortens the distance between governance decision and enforcement across many endpoints and tenants. But automation only improves security when the underlying rule set is already sound. The practitioner conclusion is to automate repeatable governance actions, not to automate inconsistency.
Shadow IT exposes the identity boundary where governance stops and unmanaged access begins. The article’s concern about SaaS sprawl is really about lost visibility into who can access what, through which tools, and under which approval model. This is identity sprawl: the growing mismatch between the number of apps, devices, and access paths in use and the controls that actually govern them. The practitioner conclusion is that discovery and approval status must be managed as one lifecycle.
AI adoption widens the MSP governance surface even when AI is not the primary subject. Once AI tools are embedded in client workflows, they become part of the same access and policy problem as SaaS and devices. That means MSPs cannot treat AI as a separate innovation track with separate exceptions. The practitioner conclusion is to bring AI usage into the same governance model that already covers devices, applications, and accounts.
From our research:
- 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, according to the 2026 Infrastructure Identity Survey.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
- For a broader governance lens, the Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs, helps teams align lifecycle controls with sprawl and exception management.
What this signals
MSPs should expect identity scope to keep widening as client estates mix endpoints, collaboration suites, and AI-enabled services. With 70% of organisations already granting AI systems more access than they would give a human employee performing the exact same job, per the 2026 Infrastructure Identity Survey, governance needs to cover entitlement decisions across every access path, not just traditional users.
Identity sprawl sets the practical limit: the question is no longer how many tools a client adopts, but how much unmanaged variation the MSP can still govern. That means discovery, exception handling, and approval status need to be treated as one operating system for identity and access.
Teams that already manage mixed device and SaaS estates should also align their controls to NIST Cybersecurity Framework 2.0 functions so that protect, detect, and respond remain connected as sprawl grows.
For practitioners
- Define a minimum policy baseline for every client: set a standard control package for device posture, approved applications, and access enforcement, then require exceptions to be documented and time-bound.
- Automate repeatable governance workflows: move patching, policy enforcement, and routine access checks into governed workflows so technicians are not making the same manual decisions across every tenant.
- Continuously inventory SaaS and AI usage: maintain an up-to-date list of client applications and AI tools, then link discovery to approval status so shadow IT can be blocked or brought under control.
- Align device controls with identity controls: treat endpoint posture, application access, and account governance as one operational chain so that a device that fails policy cannot still reach sensitive services.
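As an added example (not code from JumpCloud or from the NHIMG post), the following Python sketch implements the baseline-plus-exceptions check described under "Technical breakdown" and in the first and fourth practitioner items: one minimum control baseline evaluated across two constructed client tenants, documented exceptions that expire rather than persist, and discovered apps compared against an approved catalogue so that failing devices are denied access and unapproved apps are surfaced as shadow IT. Tenant names, control names, app names and dates are all constructed for illustration.

```python
from datetime import date

# Hypothetical minimum control baseline every client tenant must meet.
BASELINE = {"disk_encrypted": True, "screen_lock": True, "os_patched": True}
# Hypothetical approved-application catalogue; anything outside it is shadow IT.
APPROVED_APPS = {"microsoft-365", "google-workspace", "slack"}

TODAY = date(2025, 8, 20)  # evaluation date for the constructed data below
# Constructed, documented exceptions; each is scoped to one tenant and one control and expires.
EXCEPTIONS = [
    {"tenant": "acme", "control": "screen_lock", "expires": date(2025, 12, 31)},
    {"tenant": "globex", "control": "os_patched", "expires": date(2025, 6, 30)},  # already expired
]
# Constructed discovery output: per-tenant device posture and apps seen in use.
INVENTORY = {
    "acme": {"devices": [{"id": "acme-lt-01", "posture": {"disk_encrypted": True, "screen_lock": False, "os_patched": True}}],
             "apps": ["microsoft-365", "chatgpt"]},
    "globex": {"devices": [{"id": "globex-mb-07", "posture": {"disk_encrypted": True, "screen_lock": True, "os_patched": False}}],
               "apps": ["google-workspace", "slack"]},
}

def exception_active(exceptions, tenant, control, today):
    """An exception excuses a control only if it names this tenant and control and has not expired."""
    return any(e["tenant"] == tenant and e["control"] == control and e["expires"] >= today
               for e in exceptions)

def evaluate_device(tenant, device, exceptions, today):
    """Return the baseline controls this device fails after applying still-valid exceptions."""
    return [control for control, required in BASELINE.items()
            if device["posture"].get(control) != required
            and not exception_active(exceptions, tenant, control, today)]

def evaluate_tenant(tenant, inventory, exceptions, today):
    """Deny service access to devices failing the baseline; flag apps outside the approved catalogue."""
    report = {"deny_access": [], "shadow_it": []}
    for device in inventory["devices"]:
        failures = evaluate_device(tenant, device, exceptions, today)
        if failures:  # a device that fails policy must not still reach sensitive services
            report["deny_access"].append((device["id"], failures))
    report["shadow_it"] = [app for app in inventory["apps"] if app not in APPROVED_APPS]
    return report

def evaluate_all(inventory=INVENTORY, exceptions=EXCEPTIONS, today=TODAY):
    """Run the same baseline over every tenant so drift is reported consistently, not per client."""
    return {tenant: evaluate_tenant(tenant, data, exceptions, today) for tenant, data in inventory.items()}

if __name__ == "__main__":
    for tenant, report in evaluate_all().items():
        print(tenant, report)
```

Running it shows acme's screen-lock failure excused by its live exception but its unapproved AI tool flagged, while globex's patching failure is no longer excused because that exception expired.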
Key takeaways
- MSPs are now governing a broader identity surface that includes devices, SaaS, and AI tools, so isolated controls no longer hold up.
- JumpCloud’s data shows that high-growth MSPs win by standardising policy, automating repeatable actions, and tightening shadow IT enforcement.
- The practical response is to treat discovery, policy, and enforcement as one lifecycle, not as separate operational tasks.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST Zero Trust Architecture (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Consistent access control is central to mixed-device MSP governance. |
| NIST Zero Trust (SP 800-207) | Zero Trust Architecture | Zero Trust fits MSPs managing diverse devices and SaaS access. |
| NIST CSF 2.0 | ID.AM-2 | Asset and software inventory is essential to controlling shadow IT sprawl. |
Continuously inventory devices, apps, and AI tools so unmanaged access paths can be classified and controlled.
Key terms
- Shadow IT: Software, services, or access paths used outside approved governance. In MSP environments, shadow IT is a control problem because unmanaged applications and AI tools create blind spots for review, approval, and revocation across client estates.
- Policy Standardisation: The practice of applying a consistent control baseline across multiple environments. For MSPs, it reduces variance in device posture, application access, and enforcement logic so technicians can govern mixed estates without rebuilding the policy model for every client.
- Identity Sprawl: The expansion of identities, apps, devices, and access paths faster than the controls that govern them. Identity sprawl matters because visibility, review, and enforcement all become harder when the actual operating environment grows beyond the reach of the intended governance model.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by JumpCloud: MSP governance for device, SaaS, and AI sprawl. Read the original.
Published by the NHIMG editorial team on 2025-08-20.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org