There’s a moment in the life of almost every growing organisation where the way IT has been run quietly stops working. Nothing dramatic happens. No single breach, no headline incident. It’s subtler than that, a slow realisation that nobody is quite sure what’s installed on which laptop, where the important data actually lives, or who has access to what. The estate has simply grown up without anyone deciding how it should behave.
We’d call this an unmanaged estate, and if it sounds familiar, you’re in good company. It’s where most businesses start and we’ve helped plenty of them move on from it.
What “unmanaged” really looks like
An unmanaged estate isn’t a failure. More often it’s the natural result of moving fast. People needed tools, so they installed them. They needed to share a file, so they used whatever was to hand. Work got done — and that’s the point.
But underneath the productivity, we usually find a few things to be true:
- Users install what they want. Helpful in the moment, but it means software no one has reviewed, licences no one is tracking, and updates no one is applying.
- Data lives wherever it lands. A bit on the laptop, a bit in a personal cloud drive, a bit in an email thread. When someone leaves, some of it leaves with them.
- There’s no agreed baseline. Two laptops doing the same job can be configured in completely different ways, with completely different levels of exposure.
- Security is reactive. Without governance, you’re not preventing problems, you’re hoping to spot them after the fact.
None of this is reckless. It’s just unowned. And in our experience, the cost of that doesn’t show up until it does.
The shift: from hoping to knowing
When we move an organisation to a managed estate, what we’re really changing is the shift from hoping to knowing. Instead of trusting that everything is probably fine, we build a working model where you can actually see, set and prove the state of your environment.
In a Microsoft world, we usually build that journey on three pillars:
1. Centralised identity with Entra. Identity becomes the front door. Every person, every device, every sign-in is known and governed in one place. We grant access deliberately rather than letting it accumulate by accident – and just as importantly, we can remove it cleanly when someone moves on.
2. Device management with Intune. Rather than each device being its own little island, we use Intune to define how a device should be set up, what can run on it, and how it’s kept up to date – and then apply that consistently across the whole fleet. New starter? Their laptop arrives already knowing the rules.
3. A security baseline, aligned to CIS. This is the part that turns “managed” into “managed well.” We align to a recognised baseline – the CIS Benchmarks – so you have an independent, externally validated definition of “good.” You’re no longer guessing what secure looks like. We measure you against a standard the wider industry trusts, and we can show you exactly where you sit against it.
Put together, these don’t just lock things down. They give you a deliberate, repeatable, defensible way of working.
The bit organisations often miss
Here’s the honest part, and it’s the reason we wanted to write this.
The technology is rarely the hard bit. The hard bit is recognising that this is a genuine shift in operating model – not just a tooling upgrade.
In an unmanaged estate, the implicit deal is: do whatever you need to do. In a managed estate, you are, gently but unmistakably – prescribing a way of working. You’re saying: these are the approved tools, this is where data belongs, this is how devices are configured, and these are the guardrails we all work within.
We think that’s a reasonable and responsible thing to do. But if you roll it out as though you’re simply “tightening security,” without acknowledging that you’re changing how people work day to day, you’ll meet resistance – and you’ll deserve some of it. People don’t push back on being kept safe. They push back on change that arrives without explanation.
What we’d ask you to get right
A few principles tend to make the difference between a managed estate that people accept and one they quietly resent:
Be clear on your objectives – to yourself first. “Improve security” is too vague to steer by. Are you reducing data loss risk? Meeting a compliance or insurance requirement? Preparing for growth or due diligence? Protecting client data you’re contractually responsible for? Name the goal, because it shapes every decision that follows, and it gives you a straight answer when someone asks why are we doing this?
Communicate the “why,” not just the “what.” Your staff don’t need a CIS control reference. They need to understand that the organisation is taking responsibility for protecting their work, their colleagues and your customers, and that the changes they’ll notice are in service of that. A short, human explanation up front saves a hundred frustrated tickets later.
Frame it as a working model, not a clampdown. The story isn’t “we no longer trust you to install things.” It’s “we’re giving everyone a consistent, supported, secure environment so you can get on with your job without carrying risk you never signed up for.” Same change. Completely different feeling.
Bring people on the journey. Explain what’s changing, why, and what it means for them. Acknowledge that some things will feel different. Give them somewhere to raise concerns. The goal isn’t just a managed estate – it’s a workforce that understands why it’s managed and is comfortable working within it.
The destination
A managed estate isn’t about control for its own sake. It’s about removing the quiet, accumulating risk of an environment nobody fully owns, and replacing it with one that’s understood, governed and genuinely supportable.
The organisations we see make this transition well aren’t the ones with the best tools. They’re the ones who were honest that it was a shift, clear about why they were making it, and thoughtful about how they brought their people with them.
Get those three things right, and “managed IT” stops being something done to your staff – and becomes something that quietly works for them.
Let’s talk
If you recognise your own estate somewhere in this article – or you know the shift is coming and want to get it right first time, we’d love to help. At Integy, we guide organisations through exactly this journey: centralising identity on Entra, managing devices with Intune, and aligning to a CIS baseline, all without losing sight of the people who have to work within it.
Get in touch for a no-pressure conversation about where your estate is today and where it could be.