By NHI Mgmt Group Editorial Team | Published 2026-05-20 | Domain: Governance & Risk | Source: JumpCloud

TL;DR: Fragmented MSP toolchains force technicians to bounce between identity, ticketing, monitoring, and security systems, creating a “swivel-chair tax” that drains focus, slows response, and increases error rates, according to JumpCloud. The underlying issue is not IT complexity alone, but identity and access workflows that assume humans can safely absorb repeated context switching.


At a glance

What this is: An MSP productivity analysis showing that disconnected identity, access, and security tools create a hidden operational drag called the swivel-chair tax.

Why it matters: For IAM practitioners, fragmented workflows increase friction across human access administration, NHI oversight, and any future autonomous operations that depend on consistent, low-latency governance.



Context

In MSP operations, the core problem is not only workload volume but identity and access work spread across disconnected tools. When technicians must move between monitoring, directory, ticketing, and security dashboards to complete one task, the governance model starts to depend on manual memory and repeated context switching instead of controlled workflows.

For IAM teams, this is a human identity problem first, but it also exposes an NHI-style governance pattern: fragmented control planes create inconsistent enforcement, poor traceability, and more opportunities for error. The article frames that operational drag as the swivel-chair tax, and that is a useful shorthand for any identity programme where the process itself becomes the bottleneck.

That starting position is typical for many service organisations that grew by layering tools rather than designing a unified access workflow.


Key questions

Q: How should MSPs reduce identity workflow friction across multiple client tools?

A: MSPs should reduce identity workflow friction by mapping every technician handoff, then removing duplicate steps and duplicate data entry between consoles. The goal is not just faster work, but fewer opportunities for inconsistent access changes and weaker audit evidence. A single operational source of truth for identity and access reduces the swivel-chair tax and makes governance repeatable across clients.

Q: Why do disconnected identity tools create more risk for service teams?

A: Disconnected identity tools create more risk because each system can hold a different view of access, device posture, or policy state. That makes it easier for changes to be missed, delayed, or applied inconsistently. For service teams, the result is not just slower execution. It is a higher chance of errors that affect revocation, compliance, and incident response.

Q: What breaks when MSPs rely on scripts and connectors to join their systems?

A: What breaks is consistency. Scripts and connectors can move data, but they also create hidden dependencies that fail when an API changes or a field mapping shifts. In practice, that can stall onboarding, leave devices out of date, or create stale permissions that no one notices until a client asks for proof or a security issue surfaces.

Q: How can teams tell if tool consolidation is actually improving governance?

A: Teams can tell by measuring whether routine access, device, and security changes require fewer handoffs, fewer duplicate logins, and less manual evidence gathering. If technicians still need to cross-check the same state in multiple systems, consolidation has not yet improved governance. The right signal is faster, more consistent enforcement with cleaner audit trails.


Technical breakdown

Swivel-chair tax and identity workflow fragmentation

The swivel-chair tax is the accumulated productivity loss caused by having to switch among separate systems to finish a single operational task. In identity-heavy environments, that usually means moving between a directory, a ticketing platform, an MDM console, a security dashboard, and maybe a reporting tool. Each transition carries a reorientation cost, which increases the chance of missed steps and inconsistent decisions. The issue is not just fatigue. Fragmented identity workflows reduce the reliability of access operations because state is split across tools, not governed in one place.

Practical implication: map the handoffs in your access workflow and remove any step that forces technicians to re-enter the same identity state in another console.

Brittle connectors, scripts, and sync tools

When MSPs try to glue disconnected systems together, they often rely on custom scripts, brittle API calls, or sync utilities. These can move data temporarily, but they create hidden coupling between systems that were never designed to share a lifecycle. If one platform changes an endpoint, a field, or a permission model, the whole chain can stall. In identity operations, that means onboarding, device posture updates, or access changes can fail silently or partially. The technical risk is not only breakage, but uncontrolled divergence between systems of record.

Practical implication: treat every connector as an identity dependency that needs version control, testing, and failure monitoring.

Why centralised identity and access management reduces control drift

A unified identity and access layer reduces drift by making identity state, device state, and access state visible in one operational model. That matters because the more places a technician must touch to complete a routine change, the more likely policy will be applied unevenly. Centralisation does not remove governance requirements, but it makes them enforceable with fewer manual reconciliations. For MSPs, the value is less about convenience than about reducing operational variance across clients and making compliance evidence easier to assemble.

Practical implication: consolidate the systems that govern identity state before you try to optimise reporting or audit readiness.




NHI Mgmt Group analysis

Fragmented identity operations create governance debt, not just productivity loss. When access administration, device control, and security monitoring sit in separate systems, the programme becomes dependent on human memory and repeat execution. That increases the probability of inconsistent access changes, missed revocations, and weak audit trails. The practitioner conclusion is simple: operational fragmentation is itself an identity control problem.

Swivel-chair tax is a named control friction that belongs in identity risk discussions. The concept captures a measurable failure mode where time, attention, and accuracy are spent moving between tools instead of enforcing policy. That matters because every extra console increases the surface for mistakes and delayed response. Teams should treat this as a governance design flaw, not an inconvenience.

Unified management improves assurance because it collapses the distance between decision and enforcement. When the same operational layer handles identity, access, and device state, policy exceptions are easier to spot and harder to bury in tool silos. That aligns more closely with NIST Cybersecurity Framework 2.0 and zero trust thinking, where visibility and control need to move together. Practitioners should optimise for fewer identity control planes, not more dashboards.

MSP scale amplifies access inconsistency across clients. What looks manageable in one environment becomes error-prone when repeated across many tenants, especially when technicians rely on different toolchains for each customer. The governance implication is that multi-client operations need standardised identity workflows, otherwise recertification, access review, and incident response become uneven by design. The conclusion is to design for repeatability across tenants, not local efficiency inside one console.

From our research:

  • A single failed login might trigger a warning in three separate tools, according to the 2026 Infrastructure Identity Survey.
  • Fragmented identity operations can also lengthen response work because the average interruption can cost more than 20 minutes of lost work.
  • This pattern connects directly to the Codefinger AWS S3 ransomware attack, where compromised credentials turned identity gaps into operational impact.

What this signals

Swivel-chair tax is the practical face of identity fragmentation. MSPs are not only losing time, they are losing consistency, which is the basis of trustworthy governance. When the same access event generates noise in multiple tools, teams need to rethink whether their control plane is serving the workflow or fragmenting it. That shift matters for any programme that must scale human administration without multiplying error paths.

With 75% of organisations expressing strong confidence in their secrets management capabilities while the average time to remediate a leaked secret is 27 days, per the State of Secrets in AppSec, confidence and control quality are clearly diverging. The same gap shows up in MSP operations when policy looks centralised but execution remains split across consoles.

Control drift grows fastest where evidence is hardest to gather. If audit proof still requires technicians to assemble records from several systems, the programme is already paying a hidden tax in assurance. The next phase for many service organisations is not more tooling, but more disciplined consolidation around a smaller number of identity control points.


For practitioners

  • Inventory the handoffs in technician workflows: List every point where a technician moves from one console to another to complete identity, access, device, or security work. Flag steps that require re-entry of the same data or duplicate verification, then remove the most repetitive transitions first.
  • Collapse duplicate policy enforcement points: Identify where MFA, encryption, approvals, and access checks are being enforced in more than one system. Consolidate those decisions into a single source of truth so changes are applied once and audited once.
  • Test connector failure as an identity risk: Treat scripts, sync jobs, and API links as governed dependencies. Build alerts for partial sync, stale permissions, and failed updates so a broken connection does not silently create inconsistent access state.
  • Standardise evidence collection for audits: Define one reporting path for access, device, and control evidence across clients. If audit proof still requires manual merging from multiple systems, the workflow is not yet centralised enough to scale.
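
One way to build the connector alerts described above and in the brittle-connectors breakdown, as an added example that is not from JumpCloud or NHI Mgmt Group. It reconciles a downstream console against the directory and flags drift even when the sync job reports success; the data, field names, finding kinds and 24-hour threshold are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data. The directory is the system of record; DOWNSTREAM
# is a hypothetical console that a sync connector is supposed to keep aligned.
NOW = datetime(2026, 5, 20, 12, 0, tzinfo=timezone.utc)
DIRECTORY = {
    "alice": {"active": True, "groups": {"helpdesk", "vpn"}},
    "bob": {"active": False, "groups": {"vpn", "admin"}},  # offboarded
    "carol": {"active": True, "groups": {"vpn"}},
}
DOWNSTREAM = {
    "alice": {"helpdesk"},        # "vpn" never arrived
    "bob": {"vpn", "admin"},      # revocation never arrived
    "old-contractor": {"vpn"},    # no longer in the directory at all
}
LAST_SYNC = {"status": "ok", "finished": NOW - timedelta(hours=30)}
RANK = {"high": 0, "medium": 1}


def reconcile(directory, downstream, last_sync, now, max_age=timedelta(hours=24)):
    """Compare downstream access with the system of record.

    Returns (severity, kind, subject, detail) tuples, most severe first.
    """
    findings = []
    age = now - last_sync["finished"]
    if last_sync["status"] != "ok":
        findings.append(("high", "failed_sync", "connector", last_sync["status"]))
    elif age > max_age:
        hours = int(age.total_seconds() // 3600)
        findings.append(("medium", "stale_sync", "connector", f"{hours}h old"))
    for user, rec in directory.items():
        want = rec["groups"] if rec["active"] else set()
        have = downstream.get(user, set())
        if have - want:  # access the directory no longer grants
            findings.append(("high", "stale_permission", user, ",".join(sorted(have - want))))
        if want - have:  # access the connector failed to deliver
            findings.append(("medium", "partial_sync", user, ",".join(sorted(want - have))))
    for user in downstream.keys() - directory.keys():
        findings.append(("high", "orphan_account", user, ",".join(sorted(downstream[user]))))
    return sorted(findings, key=lambda f: (RANK[f[0]], f[1], f[2]))


if __name__ == "__main__":
    for finding in reconcile(DIRECTORY, DOWNSTREAM, LAST_SYNC, NOW):
        print(*finding, sep="\t")
```

Run on a schedule independent of the connector itself, so a stalled sync job cannot also suppress the check that would report it.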

Key takeaways

  • Fragmented MSP workflows turn identity administration into a recurring productivity and governance problem, not just an inconvenience.
  • Disconnected consoles, brittle connectors, and duplicate policy enforcement increase the chance of stale permissions, missed changes, and poor audit evidence.
  • Centralising identity, access, and device governance reduces drift by making enforcement and reporting happen in one operational model.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-4 | Repeated access tasks and inconsistent enforcement map to identity governance drift.
NIST Zero Trust (SP 800-207) | | Tool fragmentation undermines continuous verification across access workflows.
OWASP Non-Human Identity Top 10 | NHI-03 | Duplicated secret and access handling mirrors NHI lifecycle weakness in service operations.

Reduce handoffs and enforce access decisions from one governed identity control point.


Key terms

  • Swivel-chair tax: The swivel-chair tax is the hidden productivity loss created when staff must move repeatedly between unrelated tools to complete one identity or access task. In practice, it increases fatigue, slows response, and makes governance less reliable because decision and enforcement are split across systems.
  • Identity workflow fragmentation: Identity workflow fragmentation is the state where authentication, access administration, device management, and reporting live in separate tools with weak coordination. It creates inconsistent records, duplicate work, and more opportunities for errors in access changes, audits, and incident handling.
  • Control drift: Control drift is the gradual mismatch between policy and what actually happens operationally when tasks are enforced in multiple places. In identity programmes, it shows up as inconsistent access state, stale permissions, and audit evidence that does not cleanly match the live environment.
  • Brittle connector: A brittle connector is a script, API integration, or sync mechanism that works only as long as all linked systems remain unchanged. In identity operations, brittle connectors create hidden dependencies that can break onboarding, updates, or access changes when one platform changes its behaviour.


This post draws on content published by JumpCloud: the swivel-chair tax and fragmented toolchains in MSP operations. Read the original.
