You have done the math your board asked for. Three vendors run pieces of your environment today, and the spreadsheet that maps who owns what has a column nobody can fill in cleanly. The MSP says identity belongs to the security firm. The security firm says identity is a Microsoft 365 admin task, so it belongs to the MSP. The cloud consultant has not been on a call in six weeks. When you ask who would own a breach at 2am, the honest answer is that you would, because you are the only person whose name appears on all three contracts.
So you start looking at putting it under one roof, and the first objection comes from inside your own head, in your board's voice: is that not concentration risk? One vendor, one point of failure, all the eggs in one basket. It sounds responsible to worry about. It is the kind of line that gets nodded at in a meeting.
Here is the question worth sitting with before you accept the worry as fact. Is a single owner the risk, or is the absence of one the thing that has been quietly costing you all along?
Concentration risk is a real thing, and this is not usually it
The phrase has a real meaning, and it is worth keeping honest. In its original setting, concentration risk describes the danger of having too much exposure to a single counterparty, so that one failure takes down a disproportionate share of the whole, per the Office of the Comptroller of the Currency's discussion of concentration risk in bank portfolios. That logic maps cleanly onto a vendor when the vendor is a single component: one cloud region, one data store, one provider with no failover.
A security operator is a different kind of dependency. The operator does not hold your data hostage; your identity lives in Microsoft Entra, your workloads run in AWS, your guardrails sit in AWS Control Tower. Those are yours. A good operator runs them and hands you the keys on request. The thing you are consolidating is not your infrastructure. It is the answer to "who owns this," and spreading that answer across three firms did not buy you resilience. It bought you a gap at every seam.
The seams are where accountability goes to hide
Walk the boundaries in your current setup and you can see where ownership evaporates:
- Conditional Access is an identity change and a security control at once, so the MSP and the security firm each assume the other watches it.
- GuardDuty findings land in an inbox the cloud consultant checks when they are engaged, which is not most weeks.
- Joiner and leaver access gets provisioned by IT and reviewed by security, and the review happens when someone remembers.
None of these is a vendor being bad at their job. Each is a vendor doing exactly its job, with the failure living in the inch of space between two contracts. That inch is where audit findings come from, and where incidents start. One accountable owner does not magically do more work. It removes the inch.
What turns one owner into accountability, not a single point of failure
A single owner without guardrails is just a single point of failure with better marketing, so the guardrails are the actual feature. Three of them carry most of the weight:
- The audit stays independent. The firm that runs your environment and gets you ready cannot also be the firm that signs your SOC 2 report, because an auditor reviewing its own work has an independence problem that can void the report, per AICPA independence guidance for SOC engagements, as audit firms summarize it.
- Deep specialists stay named and separate. When an engagement needs more Azure or AWS depth than a generalist should claim, a real partner brings in a specialist by name and does not bluff past it.
- The keys stay yours. Your tenant, your accounts, your data, owned by you and operated by them, so a contract ending is a transition and not a hostage negotiation.
With those three in place, the one owner is the team that answers when something breaks, and the structure around it keeps that team honest. That is not concentration. That is a single throat to choke, redesigned into a single name that answers.
The questions that tell accountability from convenience
You do not need to take any of this on faith. You need answers a vendor cannot hand-wave. Put these to anyone offering to be your single security vendor:
- If we leave in 18 months, what do we walk away owning, and how long does the handoff take?
- Who signs our SOC 2 report, and are they independent of the team that runs our environment?
- When a control gap shows up at the seam between identity and cloud, which role owns the fix?
A real owner answers each in a sentence, with a name and a number. A firm selling consolidation as a convenience starts qualifying, because the honest answer would expose that the seams just moved inside one logo.
So which risk are you managing
Go back to the spreadsheet with the column nobody could fill in. The worry that started this was concentration: too much riding on one vendor. The risk you have been living with is the opposite, accountability spread so thin that no single person could say who owns the gap at 2am except you. Those are not the same fear, and only one of them has been showing up in your audit findings.
A single owner with the keys left in your hands, an independent audit, and named specialists is not a basket holding all your eggs. It is the first time anyone but you has a name on the whole thing. So when the concentration objection comes up in the next board meeting, the question to ask back is simple: are we worried about one owner, or are we worried about no owner at all?