Shared Responsibility: What We Handle vs. What Clients Are Responsible For

One of the most common misunderstandings in managed IT services is the assumption that the MSP is responsible for everything related to security, compliance, and technology.

In reality, effective IT and security require a shared responsibility model — where some responsibilities belong to Atlantic Office Technologies (AOT), and others remain with the client.

This post explains how that shared responsibility works, why it matters, and what each side is accountable for.

Why a shared responsibility model exists

As your managed service provider, AOT delivers IT and security services within the scope defined by your contract. However, no MSP can fully replace internal business ownership, HR authority, or physical control of your organization.

The shared responsibility model exists to:

  • Set clear boundaries

  • Prevent assumptions and gaps

  • Support security and compliance frameworks

  • Ensure accountability on both sides

This approach is standard across modern security frameworks such as CMMC/NIST, HIPAA, and PCI-DSS.

What AOT is responsible for

Within the scope of managed services, AOT is responsible for implementing, managing, and monitoring technical controls on systems we manage.

Examples include:

Access control

  • Enforcing MFA

  • Managing privileged accounts

  • Logging authentication activity
    Clients approve who should have access.

Asset management

  • Maintaining records (CMDB) for AOT-managed devices
    Clients track assets not managed by AOT.

Logging, monitoring, and alerting

  • Collecting and monitoring logs for managed systems

  • Forwarding logs to centralized monitoring (SIEM)
    Clients retain responsibility for logging on systems outside AOT’s scope.

Backups and recovery

  • Managing and testing backups for in-scope systems
    Clients ensure backups exist for systems not covered by contract.

Patch management

  • Applying OS and application updates to managed systems
    Client-owned or unmanaged systems must be patched by the client.

Security tooling

  • Deploying and managing antivirus / EDR on managed devices
    Unmanaged devices must be protected by the client.

Incident response (within scope)

  • Detecting, triaging, and assisting with containment and recovery
    Clients must notify AOT of incidents involving client-managed systems.

What clients are responsible for

Some responsibilities cannot be outsourced — even with fully managed IT.

Clients retain responsibility for areas such as:

HR and personnel actions

  • Hiring and termination decisions

  • Notifying AOT of onboarding and offboarding

  • Ensuring timely access removal

AOT cannot terminate or modify access without client direction.

Data ownership and classification

  • Identifying and classifying sensitive data (including CUI)

  • Deciding where data is stored

  • Ensuring appropriate handling of regulated data

AOT avoids storing CUI and enforces rules for incidental exposure, but classification remains a client responsibility.

Physical security

  • Securing offices and facilities

  • Controlling physical access to devices

  • Escorting visitors

  • Managing physical safeguards

Client-only systems and vendors

  • Systems not covered under the AOT contract

  • Third-party vendors selected by the client

  • Client-owned applications and services

Enterprise-level risk decisions

  • Business risk acceptance

  • Non-IT operational risks

  • Compliance decisions beyond technical enforcement

Why this matters for security and compliance

Security frameworks explicitly require clear assignment of responsibilities.

For example:

  • CMMC / NIST 800-171 requires defined roles and ownership

  • Auditors expect clarity on “who owns what”

  • Incidents often escalate when responsibilities are assumed instead of defined

This matrix prevents:

  • Gaps in coverage

  • Disputes during incidents

  • Delays in response

  • Compliance findings caused by ambiguity

What happens if responsibilities aren’t followed

When responsibilities fall outside AOT’s defined scope:

  • AOT cannot be held accountable for gaps

  • Service limitations may apply

  • Audit findings or contractual issues may occur

This is not punitive — it’s about ensuring everyone understands their role before issues arise.

How this is reviewed and enforced

The responsibility matrix is:

  • Reviewed annually with client leadership

  • Updated when services or contracts change

  • Used as a reference during incidents, audits, and reviews

  • Acknowledged by clients as part of ongoing service governance

Our recommendation

We recommend clients:

  • Review this responsibility model with leadership

  • Ensure internal owners are identified for HR, data, and physical security

  • Communicate changes promptly (hires, terminations, new systems)

  • Ask questions when scope or ownership is unclear

Strong security is not just about tools — it’s about clear ownership and cooperation.

If you’d like to review your responsibility matrix or clarify what is in or out of scope for your environment, we’re happy to walk through it together.

Al Davis