Andrei Fomitchev You already have an IT person, maybe a small team. They keep the lights on, but they are buried: patching servers after hours, fielding password resets, and somehow also expected to plan next year’s cloud migration. The question is not whether you need outside help. It is how much.
This guide breaks down co-managed IT versus fully managed IT: what each model actually covers, and how to tell which one fits a business that already has internal IT.
Co-managed IT is a shared model where an external provider works alongside your in-house IT team, taking on specific functions (after-hours monitoring, cybersecurity, project work) while your staff keep day-to-day control. Fully managed IT hands the entire IT function to an external provider that owns strategy, support, and operations end to end. The difference comes down to who owns what: co-managed splits responsibility, fully managed transfers it.
If you have a capable internal IT team that is stretched thin, co-managed IT fills the gaps without replacing anyone. If you have no internal IT, or you want technology off your plate entirely, fully managed IT is the cleaner fit. Most of the decision is about how much control you want to keep, not about cost alone.
Co-Managed IT
Co-managed IT is a partnership model where an external managed service provider (MSP) shares responsibility for your technology with your internal IT staff. The provider covers agreed areas, such as monitoring, security, helpdesk overflow, or specialized projects, while your team retains ownership of the systems and decisions they handle best.
What is co-managed IT?
Co-managed IT splits the workload between your internal team and an external provider. Your staff keep the institutional knowledge and the relationships; the MSP adds capacity, tooling, and specialist skills your team does not have in-house. A common split: your internal team owns user support and business-specific applications, while the provider owns 24/7 monitoring, cybersecurity, patching, and backup.
In our work with GTA mid-market firms, the trigger for co-managed IT is almost never a broken IT team. It is a competent two-person team that cannot be on call at 2am and also deliver a Microsoft 365 migration on schedule. Co-managed IT support buys back that capacity without forcing you to hire a third or fourth full-time person for coverage you only need part of the time.
What is fully managed IT?
Fully managed IT means the provider owns your entire IT function. There is no internal IT staff to coordinate with; the MSP is your IT department, handling strategy, procurement, helpdesk, cybersecurity, and infrastructure. You get a single accountable partner and a predictable monthly cost, in exchange for handing over the operational driver’s seat.
This model suits businesses that have no internal IT, or whose leadership wants technology fully off their plate. It is also common when a generalist “IT person” has quietly become a single point of failure, and the business needs depth across security, cloud, and support that one hire cannot cover.
How are co-managed and fully managed IT different?
The core difference is ownership. Co-managed IT shares responsibility with your team and is designed to augment what you already have. Fully managed IT transfers responsibility entirely and replaces the need for internal IT. Here is how the two compare across the dimensions that matter most when you are choosing.
| Dimension | Co-Managed IT | Fully Managed IT |
|---|---|---|
| Who runs IT | Shared: your team plus the provider | Provider owns it end to end |
| Best for | Businesses with stretched in-house IT | Businesses with little or no IT staff |
| Your internal team | Stays, refocuses on strategic work | Not required |
| Typical scope | Gaps: security, after-hours, projects | Everything: support through strategy |
| Decision control | You keep the final say | Provider drives, you approve direction |
| Ramp-up | Faster: augments your existing setup | Full onboarding and transition |
When does co-managed IT make sense?
Co-managed IT makes sense when you have internal IT that is good but outnumbered by the work. You are not trying to replace your team; you are trying to extend its reach into hours, skills, or projects it cannot cover alone. The clearest signals:
- You have one to three internal IT staff who are constantly reactive and never get to strategic work
- You are missing a specific skill, usually cybersecurity or cloud architecture
- You need 24/7 monitoring and after-hours coverage your team cannot sustain
- A major project (migration, office move, security overhaul) is competing with daily support
- Compliance frameworks (PIPEDA, PHIPA, SOC 2) demand expertise you do not have on staff
The most common co-managed failure we see is undefined boundaries. When “who handles after-hours alerts” is left vague, tickets fall through the gap between your team and the provider. A clear responsibility matrix, written down before day one, is what separates a co-managed partnership that works from one that finger-points.
When is fully managed IT the better fit?
Fully managed IT is the better fit when there is no internal team to build around, or when leadership wants one partner accountable for everything. Hiring your way out of the problem is harder than it looks: the talent gap is real, and specialized security staff in particular are expensive and scarce in the GTA market. The signals that point to fully managed:
- You have no internal IT, or one overwhelmed generalist doing everything
- Leadership wants a single accountable partner, not a team to manage
- You are scaling faster than you can hire and onboard IT staff
- Technology issues keep pulling non-IT employees away from their actual jobs
4.8M
The global cybersecurity workforce gap in 2024, per the (ISC)2 Cybersecurity Workforce Study. Staffing security in-house is hard precisely because the talent is scarce, which is a major reason mid-market firms outsource it.
How do you choose between co-managed and fully managed IT?
Choosing comes down to an honest read of your current team and how much control you want to keep. Run these four steps before you talk to any provider, and the right model usually becomes obvious.
Audit your team’s real capacity: Not the org chart, the reality. How many hours a week does your IT staff spend firefighting versus planning? If the answer is “all of them,” you have a capacity problem co-managed IT solves directly.
List the gaps: Write down the skills, hours, and projects nobody currently owns. After-hours coverage, security monitoring, a cloud migration. These gaps define the scope of any provider relationship.
Decide what you want to keep control of: If retaining decision-making and institutional knowledge matters, lean co-managed. If you want to hand off the whole function and just approve direction, lean fully managed.
Match the model to the gap: Gaps in capacity and specialist skills point to co-managed. The absence of an internal function altogether points to fully managed. The size of the gap, not the size of your company, drives the choice.
The two models are not permanent. Several of our clients started fully managed while they were small, then shifted to co-managed once they hired an internal IT lead worth building a team around. Pick the model that fits where you are now, and treat it as something you revisit yearly, not a decision locked in for a decade.
Co-managed IT extends an existing team; fully managed IT replaces the need for one. Audit your capacity, name your gaps, and decide how much control you want to keep. The model follows from those answers, and you can change it as your business grows.
Not sure which side of the line your business falls on? That is the conversation we have with GTA companies every week. Our co-managed IT services are built to slot in alongside your existing team and cover exactly the gaps you name, nothing you do not need. If you are weighing the move, it helps to read how to evaluate an MSP before you sign and the signs your business is ready for managed IT.
Sources
- 2024 Cybersecurity Workforce Study, (ISC)2, 2024
Adrian Carmichael 
