Co-Managed IT: The Hybrid Approach
This article is for educational purposes only and does not constitute professional compliance advice or legal counsel. Your specific situation may vary, and you should consult with IT professionals regarding whether co-management is appropriate for your organization.
You have an internal IT person who knows your business, understands your history, and gets what matters to your organization. But that person is stretched thin. They're reactive, constantly fighting fires, and they don't have time to think strategically about where IT should be going. Someone suggested bringing in an MSP to handle the operational baseline and let your internal person focus on strategy. This hybrid approach is called co-managed IT. It sounds like the perfect middle ground. In reality, it only works if you understand what you're actually doing and if both teams are mature and professional about it.
Co-managed IT means keeping your internal IT team while hiring an MSP to provide additional support, expertise, or specialized services. The internal team and the MSP work in parallel—not instead of each other, but alongside each other. Ideally, each handles what they do best. Your internal team brings business knowledge and strategic thinking. The MSP brings operational scale and specialized expertise. In practice, this requires very clear role definition or it devolves into confusion about who's responsible for what.
What Co-Management Actually Looks Like
The appeal of co-managed IT is obvious and real. You keep the people who understand your business, your culture, your history, the way you do things. You lose none of that institutional knowledge. You add vendor expertise and additional hands without losing that internal foundation. A company with a good two-person IT team might add an MSP for security monitoring, infrastructure management, and overflow support. The internal team stays strategic and focused on what matters to your business. The MSP handles the operational baseline.
The model only works if role definition is crystal clear. Fuzzy boundaries create conflict, duplicate work, and finger-pointing when problems happen. When a system fails and both teams think the other is responsible, you lose time in the critical moment when you need speed. You might have the internal team investigating a problem thinking the MSP is aware of it, while the MSP is waiting for the internal team to reach out. Meanwhile, users are offline and revenue is being lost.
The most successful co-managed relationships have invested significant time in defining roles, documenting communication procedures, and establishing clear escalation paths. The worst ones are the ones where both teams are vague about who does what and they find out at crisis time that they have different understandings.
The Strategic vs Operational Division
The best co-managed relationships have the internal team focused on strategy and the MSP focused on operations. Your internal IT person works on questions like "we need to migrate to a new backup system," "our firewall is end-of-life and needs replacement," "we need to implement MFA across the organization." The MSP works on questions like "the daily backup tests are failing and we need to troubleshoot," "the network monitoring detected unusual traffic patterns," "there's a security patch waiting to be deployed."
This division makes sense because strategy requires knowledge of your business. Strategy involves understanding what matters most to your revenue, what your growth plans are, what compliance obligations you have, what your culture values. Operations requires systems expertise and bench strength. Operations involves troubleshooting, testing, monitoring, documenting, communicating with vendors. You probably have one internal person who understands both, but there isn't enough time in the week for that person to do both at world-class level.
The problem is that organizational reality is messier than this division. Operational issues come up that have strategic implications. A critical backup failure isn't just an operational problem—it's a strategic problem if it reveals that your backup strategy is insufficient. Infrastructure decisions have immediate operational impact. A decision to move to cloud storage affects how the MSP backs up your systems. The teams need to communicate constantly and trust each other's judgment.
In the healthiest co-managed relationships, there's a clear rule: the MSP operates within boundaries but has authority to make decisions within those boundaries. The MSP doesn't have to call the internal team every time something goes wrong. The MSP escalates when something exceeds the defined scope or when the decision has strategic implications. The internal team reviews MSP work and gets briefed regularly, but they're not in the critical path for every decision.
The MSP Role in Co-Management
In a co-managed relationship, the MSP typically handles the baseline operations: monitoring and alerting, backup and disaster recovery verification, patch management, helpdesk tier-one and tier-two support, infrastructure maintenance, and basic security monitoring. The internal team handles escalations, makes decisions about what to do when the MSP flags a problem, and owns strategic work that requires business knowledge.
The MSP becomes the operational lift for the internal team's decisions. When the internal team decides "we need to implement MFA," the MSP does the deployment and testing and initial user support. The internal team owns the decision about how aggressive to be and what exceptions to allow. When the MSP detects suspicious network activity, they escalate to the internal team who evaluates whether it's a real threat or a false positive and decides on action.
Specialized services often come from the MSP. Security monitoring, compliance work, vendor management for certain systems. The internal team doesn't have the depth to do this work. The MSP provides it and reports findings back to the internal team, who then translates it to business language for leadership.
This structure requires the MSP to be collaborative rather than directive. Some MSPs are good at this. They understand they're supporting the internal team's vision and decisions. Other MSPs want to control everything. They see the internal team as getting in the way. Those MSPs create friction constantly.
Team Dynamics and the Critical Role of the Internal Leader
Co-managed IT requires more communication and coordination than a fully outsourced MSP relationship. The internal IT person becomes a manager of the external relationship. They need to be comfortable delegating, communicating expectations clearly, and trusting the MSP to execute. Many internal IT people struggle with this transition because they're used to being the person who does the work, not the person who coordinates work. They have a hard time letting go.
The MSP needs to understand that they're not running the show. They're supporting the internal team's vision and decisions. This requires the MSP to be collaborative and responsive. They need to proactively communicate what they're finding and what they're doing. They need to ask clarifying questions when scope is unclear. They need to flag potential problems before they become actual problems.
The person who makes or breaks a co-managed relationship is almost always the internal IT leader. If they're mature, communicative, and good at delegation, the model works beautifully. They set clear expectations, they receive regular updates from the MSP, they make good decisions about escalations, they manage their internal stakeholders' expectations about what IT can deliver. If they're defensive, territorial, or bad at communication, it creates disaster. They hoard information, they don't trust the MSP, they create conflict between teams.
The internal IT leader needs to understand that bringing in an MSP isn't a failure. It's a smart decision to add capacity and expertise. They need to be secure enough in their role to collaborate with external people. The MSP isn't replacing them. The MSP is freeing them up to do what they're good at.
Communication Structures That Make It Work
Communication should be frequent and structured. The best co-managed relationships have weekly or bi-weekly meetings covering alerts, escalations, upcoming maintenance work, and strategic items. Both teams should have access to a shared ticketing system so they can see what the other is doing. Clear escalation procedures mean when something urgent happens, both teams know what the other is doing and don't waste time in coordination.
Daily communication happens for critical issues. If a system goes down, both teams know immediately and they coordinate response. Weekly status communication happens for operational work. The MSP briefs the internal team on what they've done, what they found, what they're planning, and what decisions they need from the internal team. The internal team briefs the MSP on upcoming changes or business context the MSP needs to know about.
The worst co-managed relationships have no communication schedule and teams surprise each other with decisions. A decision made on one side gets undermined by something the other side doesn't know about. An MSP patches a system without consulting the internal team. The internal team makes a decision about backup without consulting the MSP. Communication infrastructure is what makes co-management work.
A shared ticketing system is critical. When a user reports an issue, is that ticket assigned to the internal team or the MSP? If the internal team closes a ticket, does the MSP see it? If the MSP does work, is the internal team kept in the loop? A system where both teams can see everything prevents the "I didn't know you were working on that" problem.
Defining Scope: The Most Common Point of Conflict
The contract should define exactly what each party is responsible for. This should cover not just service areas but also decision-making authority. The MSP handles backup and disaster recovery—but who decides when to upgrade the backup storage? Who decides whether to move backup to the cloud? Who decides on disaster recovery testing frequency?
Scope creep happens in co-managed relationships because the line between what's MSP work and what's internal team work is naturally fuzzy. This leads to the MSP doing extra work they don't get paid for, or the internal team feeling they're not getting the support they paid for. If the contract says the MSP handles "infrastructure maintenance," does that include purchasing new hardware? Does it include evaluating whether hardware is still under warranty? Does it include managing the relationship with the vendor?
Clear scope in the contract prevents this friction. When something comes up that's outside the defined scope, both teams know to flag it. The internal team and MSP can discuss whether to add it to the MSP's responsibilities or handle it differently. At least the conversation happens instead of resentment building.
The scope should also address what happens when decisions are controversial. If the internal team wants to do something the MSP thinks is risky, who decides? If the MSP wants to implement a security control the internal team thinks is too restrictive, who decides? These are the hard questions that need to be answered upfront in the relationship.
Cost and Efficiency in the Hybrid Model
Co-managed IT is usually more expensive than full outsourcing to an MSP, but less expensive than hiring equivalent internal staff. You're paying for the MSP's expertise without paying for a whole team. You're not paying for a full IT director equivalent, just for the part-time guidance and support.
The efficiency comes from having the right person for each task. Your internal person spends time on decisions, on business-critical infrastructure, on things that matter strategically. The MSP spends time on operational baseline, on troubleshooting, on the work that doesn't require deep business knowledge. Each works at their highest level of value. That efficiency offset makes co-management economical even though both teams are working.
The cost model typically has a smaller MSP contract than full outsourcing. You might pay 30-50% of what a fully managed relationship would cost because the internal team is handling part of the load. The savings come from not needing a full MSP to do everything—you're using the MSP for specific areas where you need additional capacity or expertise.
When Co-Managed Makes Sense
Co-managed works best when you have competent internal IT staff who are overextended, not underqualified. If your internal person is good but outnumbered, adding an MSP adds capacity. If your internal person is mediocre, adding an MSP doesn't fix the underlying problem. You end up with two mediocre parties managing the environment, and the communication overhead makes things worse.
Co-managed works when you have clear organizational boundaries and good internal IT leadership. It works when your business context and IT decisions matter enough that you want an internal person involved. It doesn't work when both parties are unclear on scope, when there's friction between teams, or when leadership is sending mixed signals about authority.
It also doesn't work if you're trying to manage compliance or security without the MSP having clear authority. You can't have a compliance requirement, the MSP responsible for implementing it, and the internal team responsible for verifying it, with unclear authority about who decides how to implement it. Someone has to own it. Usually that's the internal team with the MSP in a support role.
The Transition into Co-Management
If you're moving from fully internal IT to co-managed, the transition takes time and intentional management. You need to invest in defining roles and communication procedures before you start. Have the initial conversation about what the MSP will own, what the internal team will own, how escalation works, and what the decision-making authority is.
Start with a trial period where both teams are learning to work together. Expect friction initially. There will be moments where the internal team thinks the MSP is overstepping or where the MSP thinks the internal team isn't appreciating their work. This is normal. The question is whether both teams have the maturity to work through it.
If you're moving from fully outsourced MSP to co-managed, you're bringing IT back in-house for strategy and decision-making. This is often prompted by the realization that having all your IT decisions made by an external party isn't sustainable long-term. You want more control and more business alignment. The MSP might feel like they're losing authority. They need to understand the new role.
Making Co-Management Work
The key to making co-managed IT work is recognizing it as a relationship that requires management. It's not a setup and forget arrangement. You need ongoing attention to communication, role definition, and scope. You need regular reviews of whether the division of labor is actually working. You need both teams committed to making it work.
Co-managed IT is increasingly common and it works well when role definition is clear and both parties communicate actively. The key is having strong internal IT leadership and an MSP that understands they're supporting the internal team's vision, not implementing their own agenda. If you have both, you get the benefit of internal knowledge plus external expertise. If either party is weak or if either party is territorial, you'll waste time on coordination and conflict instead of getting actual value from the hybrid model.
Fully Compliance provides educational content about IT service models and managed IT services. This article reflects general guidance about co-managed IT relationships. Individual organizations have different maturity levels, leadership structures, and IT needs—evaluate co-management based on your specific organizational context and capabilities.