Co-Managed IT Playbook: How Internal IT and an MSP Can Work Without Friction
A practical operating model for co-managed IT that clarifies ownership, escalations, tooling boundaries, and reporting expectations.
Co-managed IT works best when everyone understands who owns what. Ambiguity creates delays, duplicated effort, and frustration on both sides. When it's structured well, your internal team stays in control of strategy while gaining the depth, coverage, and specialized skills that a managed IT provider brings.
Here's a practical playbook for making the partnership work from day one.
What Co-Managed IT Is (And Isn't)
Your internal IT team keeps strategic and day-to-day control while an MSP extends capacity, specialized expertise, and after-hours coverage. This is not outsourcing. Your IT director or manager remains the decision-maker. The MSP is an extension of their team, filling gaps, not replacing people.
Co-managed IT is most common in organizations with 50-200 employees that have a small internal IT team (1-3 people) that can't cover every specialization. Your internal person knows the business and the people. The MSP brings cybersecurity depth, infrastructure expertise, and 24/7 monitoring that a one- or two-person team simply can't provide.
Define Ownership by Function
The most important step is creating a clear RACI matrix (Responsible, Accountable, Consulted, Informed) for every IT function. Without this, you'll get finger-pointing when something falls through the cracks.
End-User Support Tiers
Define which team handles what:
- Tier 1 (password resets, basic troubleshooting): Often shared or handled by the MSP's help desk to free up the internal team
- Tier 2 (application issues, escalated problems): Typically the internal team, since they know the line-of-business apps best
- Tier 3 (infrastructure, security incidents, complex networking): Usually the MSP, since this requires specialized tools and expertise
Security Tooling and Response
This is where co-managed partnerships add the most value. Your internal IT person probably isn't a cybersecurity specialist, and they shouldn't have to be. The MSP manages EDR, email security, vulnerability scanning, and incident response. Your internal team handles user education and policy enforcement.
Patch and Vulnerability Management
Decide who patches what. A common split: the MSP handles OS and third-party patching for all endpoints and servers; the internal team handles line-of-business application updates since they understand the testing requirements.
Vendor Management
Clarify who manages which vendor relationships. The MSP typically manages security vendors, backup solutions, and cloud platforms. The internal team manages LOB application vendors, ISP contracts, and office equipment.
Project Execution
For larger projects (office moves, network upgrades, cloud migrations), define who leads and who supports. The MSP often provides project management and technical execution while the internal team handles user communication and business-side coordination.
Escalation Design Matters
Vague escalation paths are the #1 reason co-managed relationships fail. When a server goes down at 7 PM, who gets called? What if the internal IT person is on vacation? What if it's a security incident?
Set response paths for three scenarios:
Critical Outages
- MSP monitors 24/7 and initiates response immediately
- Internal IT is notified within 15 minutes via text and email
- If internal IT is unavailable within 30 minutes, MSP proceeds with documented remediation authority
- Business owner is notified if estimated downtime exceeds 2 hours
Security Incidents
- MSP's security team leads containment and investigation
- Internal IT supports with business context and user communication
- Both teams follow the documented incident response runbook
- Legal and insurance contacts are pre-documented, so there is no scrambling during an incident
Executive-Impact Issues
- The CEO can't access email or the CFO's laptop dies before a board meeting: these need a fast lane
- Define VIP users and their direct escalation path
- Response time for VIP issues: 15 minutes, not the standard SLA
Document contacts, SLAs, and communication templates in advance. Don't figure this out during a crisis.
Shared Visibility
Both teams need to see the same data. If the MSP has a dashboard the internal team can't access, or the internal team keeps a separate ticket system, you'll have blind spots.
Agree on shared visibility for:
- Ticket trends by category: are the same issues recurring? Is ticket volume trending up or down?
- Security alerts and closure metrics: how many alerts were generated, investigated, and resolved?
- Patch compliance coverage: what percentage of devices are current on patches?
- Monthly priorities and blockers: what was planned, what was completed, and what got stuck?
- Asset inventory: both teams should work from the same hardware and software inventory
A monthly operations meeting (30-60 minutes) between the internal IT lead and the MSP account manager keeps both sides aligned. Quarterly, include business leadership to review the IT roadmap and adjust priorities.
Tool Overlap: Pick One System of Record
One of the most common friction points is tool overlap. The internal team uses one ticketing system, the MSP uses another. The internal team has one monitoring tool, the MSP has a different one.
Pick a system of record for each function:
- Ticketing: Use one platform. If the MSP's PSA tool is more capable, give the internal team access to it.
- Monitoring: The MSP's RMM should be the single monitoring platform. Duplicate monitoring creates alert confusion.
- Documentation: Use one documentation platform (IT Glue, Hudu, or similar) that both teams can access and update.
- Password management: One shared vault for infrastructure credentials, with role-based access.
90-Day Launch Plan
Days 1–30: Discovery and Role Mapping
- Complete infrastructure audit and documentation
- Define the RACI matrix for every IT function
- Align on tools and shared access
- Set up shared ticketing and monitoring
- Document escalation paths and emergency contacts
- Introduce both teams and establish communication norms
Days 31–60: Operational Handoffs and Testing
- MSP assumes responsibility for agreed functions
- Run a simulated critical outage to test escalation
- Run a simulated security incident to test response coordination
- Internal team provides feedback on MSP responsiveness and quality
- Adjust SLAs and processes based on real-world experience
Days 61–90: KPI Tuning and Strategic Cadence
- Review first 60 days of ticket data and security metrics
- Fine-tune the support split based on actual volume and complexity
- Establish the quarterly business review cadence with leadership
- Build the 12-month IT roadmap jointly
- Document lessons learned and process improvements
Signs the Partnership Is Working
- Internal IT spends more time on strategic projects, less on firefighting
- After-hours incidents are handled without the internal team losing sleep
- Security posture measurably improves (patch compliance, EDR coverage, MFA adoption)
- Business leadership feels informed through regular reporting
- Both teams can answer "who owns this?" for any IT function instantly
Signs It's Not Working
- Tickets bounce between teams with no resolution
- The internal team feels bypassed or undermined
- The MSP treats the engagement as another fully-managed client
- There's no shared documentation or metric visibility
- Neither team knows what the other is working on
If you see these signs, address them immediately. Most co-managed failures come from unclear ownership, not incompetence on either side.
Bottom Line
Co-managed IT succeeds when roles are explicit, communication is disciplined, and both teams operate from shared metrics. The goal is one IT operation with two contributing teams, not two separate IT departments bumping into each other.
If your internal team needs depth without adding full-time headcount, let's map a co-managed model that fits your organization. We work with internal IT teams across San Bernardino County to extend their capabilities without creating friction.
