What MSPs Can — and Cannot — Be Responsible For

Managed Service Providers (MSPs) play a critical role in keeping business technology running securely and reliably. However, there’s a common misconception that hiring an MSP means all responsibility for IT and security transfers to the provider.

In reality, effective IT and security operate under a shared responsibility model. This post explains what MSPs can responsibly manage — and what remains with the client — so expectations are clear before issues arise.

What MSPs can be responsible for

When properly contracted and authorized, MSPs can take ownership of technical implementation, management, and monitoring within an agreed scope.

Technical systems and tools (in scope)

An MSP can:

  • Manage servers, workstations, and networks under contract

  • Deploy and maintain security tools (EDR, antivirus, monitoring)

  • Apply patches and updates to managed systems

  • Monitor systems and alert on issues

  • Maintain backups and assist with recovery

This responsibility applies only to systems explicitly included in the service agreement.

Access enforcement (not access decisions)

An MSP can:

  • Enforce MFA

  • Implement least-privilege access

  • Remove access when instructed

  • Maintain logs and audit trails

However, the MSP does not decide who should have access — only how access is enforced.

Incident response (within scope)

An MSP can:

  • Detect and respond to technical incidents

  • Contain threats on managed systems

  • Assist with recovery efforts

  • Provide documentation and reporting

An MSP cannot respond to incidents involving systems or vendors outside the agreed scope without authorization.

Documentation and operational visibility

An MSP can:

  • Maintain system documentation

  • Track managed assets

  • Record changes and actions

  • Provide audit-ready records

This documentation supports compliance but does not replace internal governance.

What MSPs cannot be responsible for

Some responsibilities cannot be outsourced, regardless of how comprehensive the IT services are.

Business and HR decisions

An MSP cannot:

  • Decide who to hire or terminate

  • Know when employees leave unless notified

  • Initiate HR actions independently

  • Approve HR-related changes without direction

Timely onboarding and offboarding require client communication.

Data ownership and classification

An MSP cannot:

  • Decide what data is sensitive or regulated

  • Determine business data retention requirements

  • Know where all business data exists without disclosure

Clients own their data — including classification, retention, and legal responsibility.

Physical security

An MSP cannot:

  • Control office access

  • Prevent unauthorized physical entry

  • Secure unattended devices

  • Enforce visitor policies

Physical access almost always overrides technical controls.

User behavior

An MSP cannot:

  • Stop users from sharing passwords

  • Prevent users from approving MFA prompts triggered by phishing

  • Control what users click

  • Guarantee users follow policy

Technology reduces risk — it does not eliminate the risk created by human behavior.

Third-party vendors and unmanaged systems

An MSP cannot be responsible for:

  • Vendors chosen independently by the client

  • Applications not disclosed or supported

  • Personal devices outside management

  • Shadow IT systems unknown to the MSP

Responsibility requires visibility and authority.

Business risk decisions

An MSP can advise, but cannot decide:

  • What risks the business is willing to accept

  • Budget vs. security tradeoffs

  • Compliance scope definitions

  • Operational priorities

Those decisions remain with leadership.

Why this distinction matters

Unclear responsibility leads to:

  • Security gaps

  • Missed expectations

  • Audit findings

  • Delayed incident response

  • Disputes during critical events

Clear responsibility ensures:

  • Faster response

  • Better protection

  • Stronger compliance

  • Predictable outcomes

This shared responsibility model aligns with expectations under HIPAA, CMMC/NIST, PCI-DSS, and modern governance standards.

What “fully managed” really means

“Fully managed” does not mean:

  • Unlimited authority

  • Replacement of executive decision-making

  • Assumption of legal or business liability

  • Control over people, policies, or facilities

It means:

  • Full responsibility for defined technical scope

  • Proactive management within agreed boundaries

  • Partnership with — not replacement of — internal ownership

Our recommendation

We recommend clients:

  • Clearly define what systems are in scope

  • Identify internal owners for HR, data, and facilities

  • Communicate changes promptly

  • Treat IT security as a partnership

Strong IT outcomes happen when technology management and business ownership work together.

If you ever have questions about what falls inside or outside MSP responsibility, we’re happy to clarify — before issues arise.

Al Davis