TL;DR: MSP identity governance needs repeatable controls, not one-off configuration effort. 1Password is adding Policy Templates, Seat Limits, and Granular Vault Permissions to its MSP edition to reduce repetitive client setup, align usage with contracts, and tighten least-privilege access across managed companies.
NHIMG editorial — what this means for NHI practitioners
Questions worth separating out
Q: How should MSPs standardise identity controls across multiple client environments?
A: MSPs should define reusable policy baselines, apply them consistently across managed companies, and track any client-specific override as an exception.
Q: Why do granular vault permissions matter in delegated support models?
A: They matter because delegated support often expands faster than teams notice.
Q: When should organisations use seat limits in access governance?
A: Organisations should use seat limits when usage growth can affect cost, contract compliance, or approval discipline.
Practitioner guidance
- Standardise client baselines through policy templates: Define reusable policy sets for common managed-company patterns, then document which settings are centrally enforced and which can be overridden by the client.
- Set seat limits against contracted service boundaries: Map licensing caps to expected client growth, approval thresholds, and renewal triggers.
- Restrict shared vault access by role and task: Remove default technician access where possible and assign vault permissions only to the support roles that need them.
What's in the full announcement
1Password's full article covers the operational detail this post intentionally leaves for the source:
- Reusable policy template setup across managed companies and the specific controls MSP administrators can centralise
- Seat limit enforcement details for users and guests, including how overages are constrained in managed companies
- Granular vault permission options for role-based and user-based support access
- How MSPs can apply these controls through the MSP console in existing customer environments
MSP policy templates and vault permissions: what changes for IAM teams?
Explore further
MSP identity governance fails first at standardisation, not at enforcement. Repeating policy setup across client environments creates drift before any technical control is even evaluated. That drift matters because access decisions become inconsistent across companies that should be governed by the same baseline. The practitioner conclusion is that onboarding consistency is a control objective, not an administrative preference.
A few things that frame the scale:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
A question worth separating out:
Q: What should teams review before rolling out shared policy templates?
A: Teams should review which settings the template enforces, which settings clients can override, and how exceptions are tracked. A template is only safe when the baseline is correct, the change path is controlled, and client deviations are visible in governance reviews.