What do security teams get wrong about managed service providers?

Why This Matters for Security Teams

managed service provider are often approved as if they were a delivery channel, but operationally they behave like a concentrated identity plane with persistent access, privileged tooling, and delegated trust. That distinction matters because attackers rarely need to compromise the whole provider. They only need one weak credential, one overbroad service account, or one automation path that was never reviewed as a high-risk identity.

The blind spot is amplified by third-party connectivity and shared administration patterns. NHIMG research shows that 92% of organisations expose NHIs to third parties, and 80% of identity breaches involved compromised non-human identities such as service accounts and API keys in the Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs. That is why MSP access cannot be managed only through vendor management or procurement controls. It needs identity governance, credential lifecycle discipline, and auditability aligned to frameworks such as the NIST Cybersecurity Framework 2.0.

Security teams also underestimate how much privilege accumulates behind the scenes. Provider consoles, remote management tools, backup agents, endpoint automation, and delegated admin roles can all become durable access paths long after the original business justification has changed. In practice, many security teams discover provider overreach only after an incident review exposes it, rather than through intentional identity governance.

How It Works in Practice

The practical mistake is treating MSP access as a single contract-level approval instead of a set of identities that must each be inventoried, classified, and continuously reviewed. Every provider staff account, service account, API token, remote session broker, and automation credential should be mapped to a business owner, a purpose, a scope, and a revocation path. The identity question is not just who the provider is, but what exact access is being used, by which identity, for which task, and under what conditions.

Best practice is to apply the same control logic used for internal privileged access. That includes least privilege, time-bound access, strong authentication, session logging, and prompt offboarding. It also means forcing the provider to distinguish between human operator access and machine access. Human technicians should use named, attributable accounts; automation should use distinct workload identities and short-lived secrets. Where possible, prefer just-in-time elevation over standing access, and require reauthorization for sensitive actions.

• Inventory every MSP identity, including service accounts and automation tokens.
• Separate human support access from machine-to-machine access.
• Rotate secrets and revoke stale access as part of the provider offboarding process.
• Log privileged sessions and tie actions back to a named operator or workload.
• Review provider access with the same cadence used for other high-risk identities.

This aligns with the NHI lifecycle and offboarding guidance in NHI Lifecycle Management Guide and with NIST guidance that emphasises governance, visibility, and continuous risk management in the NIST Cybersecurity Framework 2.0. Current guidance suggests that provider access reviews should be evidence-driven, not certificate-driven, because a vendor attestation does not prove that stale credentials or shadow automation have been removed.

These controls tend to break down in environments where multiple MSPs share the same administrative tooling because attribution and revocation become ambiguous.

Common Variations and Edge Cases

Tighter control of MSP access often increases operational overhead, requiring organisations to balance response speed against assurance. That tradeoff is real, especially in 24/7 support models where emergency access, shared break-glass accounts, and cross-border operations are part of the service contract.

There is no universal standard for this yet, but current guidance is moving toward stronger identity separation and time-limited access rather than broad standing trust. The biggest edge case is emergency support: a provider may need immediate access during an outage, but that does not justify permanent privilege. The safer pattern is pre-authorised JIT access with tight TTLs, immutable logging, and post-event review. Another edge case is outsourced automation. Scripts that patch, monitor, or back up systems can outlive the staff who created them, so they need the same lifecycle controls as human accounts. NHIMG has highlighted how weak credential rotation and over-privileged accounts repeatedly appear in real-world NHI failures, including the broader patterns described in Top 10 NHI Issues.

Security teams also get tripped up by shared responsibility language. A provider may manage the tool, but the customer still owns the risk of what that tool can reach. If the environment includes privileged integrations, production consoles, or secrets stores, the access model should be treated as a high-impact identity dependency, not a procurement detail. In practice, this fails most often when contract language is clearer than the actual revocation workflow.

Related resources from NHI Mgmt Group

• What do security teams get wrong about self-service app requests?
• What do security teams get wrong about ITSM and access governance?
• What do security teams get wrong about role explosion?
• What do security teams get wrong about asset management and access governance?