Why Unmanaged Access Is Increasing MSP Liability: Access Governance Gaps with Kyle Bove

Why Unmanaged Access Is Increasing MSP Liability: Access Governance Gaps with Kyle Bove

The dominant structural mechanism explored in this episode centers on governance gaps in access management and the resulting liability transfer to MSPs. The discussion highlights how fragmented identity stacks, unmanaged access, and reliance on manual tracking expose MSPs to growing contractual, operational, and legal risk. Companies and technologies referenced include Microsoft 365, Google Workspace, Okta, ConnectWise, and specific access governance solutions targeting the channel. The ConnectWise 2026 Threat Report identifies credential abuse as a core attack vector, underscoring how unaddressed authorization and access drift remain a structural exposure area.

The episode cites multiple indicators and supporting data. According to the ConnectWise 2026 Threat Report, credential abuse is now the primary attack vector, with attackers commonly exploiting active and orphaned accounts left unmanaged in client environments. Fragmented identity stacks complicate the onboarding and offboarding process, with onboarding often requiring 45 minutes per client as technicians navigate numerous access portals. The prevalence of shadow IT, orphaned accounts, and missed deprovisioning windows was discussed as persistent drivers of both operational overhead and increased incident risk.

Supporting developments include community-documented scenarios where multi-factor authentication (MFA) was present but insufficient to prevent breaches, particularly when privilege escalation or temporary exclusions remain unaddressed. Examples such as the Reddit phishing event and Microsoft’s handling of MFA via VOIP demonstrate how authentication is distinct from governance, and that temporary access or exceptions frequently become permanent, heightening exposure. Regulatory environments—including healthcare, finance, and government—were cited as adding further requirements for explicit governance controls and auditable access policies, while manual spreadsheet tracking often fails to meet these demands.

The operational implications for MSPs include the need to move beyond basic practice such as MFA and endpoint protection, toward purpose-built tools and processes that provide continual visibility, auditable controls, and policy enforcement for client access. Without this, MSPs face increased administrative burden, billing discrepancies, contractual liability, and reputational risk. As regulatory audits become more demanding and clients demand clearer evidence of governance, service providers must reconcile the tradeoffs between increased process complexity and the need for automated, enforceable identity governance. This shift challenges existing pricing models, requiring MSPs to justify and potentially repackage their service offerings in the context of risk management and operational maturity.

 

💼 All Our Sponsors

Support the vendors who support the show:

👉 https://businessof.tech/sponsors/

 

🚀 Join Business of Tech Plus

Get exclusive access to investigative reports, vendor analysis, leadership briefings, and more.

👉 https://businessof.tech/plus

 

🎧 Subscribe to the Business of Tech

Want the show on your favorite podcast app or prefer the written versions of each story?

📲 https://www.businessof.tech/subscribe

 

📰 Story Links & Sources

Looking for the links from today’s stories?

Every episode script — with full source links — is posted at:

🌐 https://www.businessof.tech

 

🎙 Want to Be a Guest?

Pitch your story or appear on Business of Tech: Daily 10-Minute IT Services Insights:

💬 https://www.podmatch.com/hostdetailpreview/businessoftech

 

🔗 Follow Business of Tech

 

LinkedIn: https://www.linkedin.com/company/28908079

YouTube: https://youtube.com/mspradio

Bluesky: https://bsky.app/profile/businessof.tech

Instagram: https://www.instagram.com/mspradio

TikTok: https://www.tiktok.com/@businessoftech

Facebook: https://www.facebook.com/mspradionews


Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.