Identity and Access Management: What to Ask an IT Firm Before You Hand Over the Keys
Who has access to what, under what conditions, and what happens when that access should end — this discipline is one of the most auditable signals of how a prospective IT firm actually runs security. It is not glamorous. There are no flashy dashboards to demo. But it is exactly the discipline that separates firms treating security as a process from those treating it as a checkbox. If you are about to give an IT company administrator-level access to your entire environment, these are the questions worth asking before you sign.
- Why Access Management Is the Right Lens for Vendor Evaluation
- What Good Access Control Looks Like in Practice
- The Questions That Reveal Process vs. Afterthought
- Red Flags You Should Not Ignore
- How to Use This Information to Make a Decision
- What This Means for Your Business
Why Access Management Is the Right Lens for Vendor Evaluation
Most business owners evaluating IT firms focus on response times, pricing, and service catalogs. Those things matter — but they are easy to polish for a sales conversation. Access management is harder to fake. It requires documented processes, consistent execution, and a culture that treats security hygiene as non-negotiable, not something the sales team mentions once and moves past.
When you give an IT firm access to your environment, their technicians hold privileged credentials to your servers, cloud platforms, email systems, and potentially your financial and client data. If that firm does not manage its own access practices rigorously, your exposure does not come only from outside attackers — it comes from inside their organization.
According to CISA’s guidance on insider threats, a significant share of damaging security incidents involve authorized users — people who had legitimate access that was never properly scoped, reviewed, or revoked. That dynamic applies to your IT vendor’s own staff just as much as it applies to your employees.
This is why access management is the right lens for vendor evaluation. It is a discipline you can probe with specific, concrete questions. The answers will tell you more about a firm’s operational maturity than any presentation will.
What Good Access Control Looks Like in Practice

Before you can evaluate a vendor, you need a clear picture of what you are actually looking for. Mature access control is not a single tool or setting — it is a set of interlocking practices that work together.
A firm operating at a high level will demonstrate most or all of the following:
- Least privilege by default. Every technician and account has access only to what their role requires — nothing broader. Access is granted deliberately, not by convenience.
- Multi-factor authentication on all privileged accounts. No administrator-level access happens on a password alone. This applies to their own internal systems and to the tools they use to access your environment.
- Formal onboarding and offboarding procedures. When a technician joins, access is provisioned through a defined process. When they leave — for any reason — access is revoked immediately and that revocation is documented.
- Periodic access reviews. On a regular schedule (typically quarterly), someone audits who has access to what and confirms those permissions are still appropriate. Accounts that have not been used are flagged or deactivated.
- Separation of duties. The person who approves access changes is not the same person who makes them. This limits the damage any single compromised account can cause.
- Documented policies — not just stated intentions. The above practices exist in writing, are reviewed regularly, and can be shown to a client or auditor on request.
None of these are exotic. They align with widely recognized frameworks like the NIST Cybersecurity Framework and the CIS Critical Security Controls. A firm that cannot describe all of them in plain language is not operating at a mature level.
The Questions That Reveal Process vs. Afterthought
These are not trick questions. They are reasonable, professional questions that any well-run IT firm should answer without hesitation. Pay attention to how quickly and specifically they respond — not just what they say.
On access provisioning
- “Walk me through what happens when a new technician joins your team and needs access to a client environment. Who approves that request, and what does the documentation look like?”
- “What access does a technician have to my environment outside of an active support ticket?”
A mature firm will describe a formal approval process, role-based permissions, and scoped or just-in-time access. A firm operating on instinct will say something like “we give them what they need to do their job” — which is not an answer, it is a vague intention.
On offboarding
- “What is your process when a technician leaves the company? How quickly is their access to client environments terminated?”
- “Do you have a documented checklist for that? Has it ever been tested?”
The right answer involves immediate revocation — same-day or within hours — and a documented offboarding checklist. If the answer is “we handle it” or “our HR takes care of it,” that is a gap worth pressing.
On ongoing access hygiene
- “How often do you review which of your team members have access to my environment? What triggers a review outside the scheduled cycle?”
- “What happens to accounts that have not been used in 30, 60, or 90 days?”
Dormant accounts are one of the most common vectors in real-world breaches. A firm without a clear answer to that question has a meaningful gap in their access governance program.
On privileged access to your specific environment
- “Which members of your team will have administrator-level access to my systems, and what controls are on those accounts?”
- “Do your administrators use the same account for day-to-day tasks and privileged actions, or are those separated?”
Best practice is to separate standard user accounts from privileged administrator accounts — even for the IT firm’s own staff. If a technician uses one account to read email and reset domain passwords, that is an unnecessary risk with no good justification.
On their own internal security posture
- “Do you require multi-factor authentication for your own internal systems and for access to client environments?”
- “When did you last have an independent third party assess your own security controls?”
This last question is where many firms stumble. Plenty of IT companies will audit their clients but have never subjected themselves to the same scrutiny. A firm that has undergone a genuine third-party assessment of its own controls — and can describe the process or show you the results — is operating at a different level than one that has not.
Red Flags You Should Not Ignore
Beyond incomplete answers, there are specific patterns that should give you pause — regardless of how polished the rest of the conversation feels.
- Irritation at the questions. A firm that treats your due diligence as an obstacle is showing you something important about how they handle accountability when things go wrong.
- Vague answers dressed as specifics. “We use industry best practices” is not an answer. “We provision access through our ticketing system, require manager approval for admin rights, and run quarterly access reviews documented in our internal wiki” is an answer.
- No separation between internal accounts and client access. If their technicians use shared credentials, or there is no clear boundary between personal access and privileged client access, the exposure is yours to absorb.
- No record of a third-party security assessment. A firm that manages other companies’ security but has never been independently reviewed is asking you to take their word for everything. That is a meaningful asymmetry of trust.
- Offboarding that depends on one person’s memory. If access revocation hinges on whether a manager remembers to make the call, that is not a process — it is a hope.
- No documented policies. Policies do not need to be long or complex, but they need to exist in writing. If the firm cannot point to documentation, the discipline lives only in someone’s head — and heads change jobs.
How to Use This Information to Make a Decision
You are not looking for perfection — you are looking for evidence of intentionality. No firm will describe a flawless program in every area, and the ones that claim otherwise should be trusted less, not more.
What you are looking for is a firm that treats access governance as a living process: documented, reviewed, and improved over time. The questions above are not a scorecard — they are a conversation. Watch for depth, specificity, and a willingness to acknowledge where they are still improving.
The best IT firms are candid. They will tell you their current review cycle, where they are investing in improvement, and what they would want to see in your own environment before they make recommendations. That transparency is itself a signal worth noting.
It is also worth asking whether the firm has undergone an independent audit of their own security controls — not just certifications they help clients pursue, but an honest assessment of their own posture. The answer tells you whether they hold themselves to the same standard they sell.
If you want a concrete reference point for what a mature access control program looks like at the vendor level, look at how a firm describes its own cybersecurity posture publicly. The specifics they cite — and whether they can back any of it up with third-party validation — will tell you a great deal before the first conversation. You can also review our managed IT services to understand the baseline standards we hold ourselves to before we ever ask you to hold us accountable.
What This Means for Your Business
Secure access control sits at the intersection of security, trust, and operational discipline. When it works, you never notice it. When it fails — a former employee whose access was never revoked, a shared admin credential that reached the wrong hands, an account that sat dormant for six months before anyone noticed — the consequences are not subtle.
Asking these questions before you sign is not adversarial. It is the same due diligence you would apply to any vendor who holds keys to your building. The firms worth working with will not just tolerate this conversation — they will welcome it. The ones that push back, deflect, or give answers that dissolve under follow-up are showing you exactly what the relationship will feel like when something actually goes wrong.
How a firm manages privileged access to your environment is one of the most direct indicators of how they think about security overall. It is auditable, it is specific, and it is worth the conversation. Rigorous identity and access management is not an advanced capability reserved for large enterprises — it is a baseline expectation you should hold every prospective IT vendor to, regardless of your company’s size.
Want a Walkthrough of Your Own Setup?
Twenty minutes on the phone with our team gets you specific recommendations you can use immediately — whether you hire us or not. No pitch, no pressure, just an honest read on where your business stands.