Hi Ian,
I think "On creation or update" is the best option. You just have to specify VSM fields you need to be updated from AD (when you specify the resource mappings). If you wish to manage some fields information manually in the system, just don't place them in the mapping table.
In addition, for each mapped field you can specify when it should be updated ("Always","On Initial Population Only", "Only When Blank", etc.)
Besides you may find it useful to combine several mappings. In example "On creation only" with more AD attributes mapped and "On Create and Update" with just a few fields mapped to be sure that all the other fields are left unchanged.
Sorry if I didn't get your question right.
Regs
Gytis