I have searched long and hard and come up with nothing so I am throwing this out there.
What do MSPs do for tech accounts on client installations? A single account shared by all techs or individual accounts?
A single account has a few drawbacks. When a staffing change happens, we have to change the password everywhere. If someone tied it to a service, then it will fail after the change. When a change is made, in some cases, you don't know which tech did the work. I am sure this single account policy would not be HIPPA, PCI, etc compliant.
Multiple accounts are more difficult to manage, but offer some solutions to the problem above.
AuthAnvil 2FA with the password server. One service account and one support account with the passwords synchronized to the password server. As an MSP, you run reports based on your user access through the VSA to maintain compliance.
At previous organizations we ran dual accounts (service and support) with the service account passwords being 20 character and stored in a limited access share. The support account was managed in the Audit > Credential management area. That was still a pain to change with employee turnover.