The episode identifies a structural shift from AI as a discrete feature to AI as an ongoing operational system, emphasizing the growing burden of governance, accountability, and consumption oversight for managed service providers. Companies such as Microsoft, Cisco, and Google are redirecting strategy toward building control planes and governance infrastructure to address operational friction in deploying AI agents, as operational complexity—rather than access to tools—emerges as the bottleneck. This shift is substantiated by reports from GTIA, Cisco, and insights into vendor incentives and partner programs.
Evidence highlights a clear disconnect between widespread AI adoption and the maturity required to operationalize these systems. According to the Global Technology Industry Association (GTIA), 97% of IT service providers use some form of AI, but only 28% consider themselves AI-driven. Cisco reports that while 85% of enterprises are piloting AI agents, just 5% have moved them into production, pointing to persistent trust and operational gaps. Axios adds that in AI-intensive teams, compute expenditures are surpassing employee costs, with large organizations like Nvidia and Uber experiencing rapid escalation in AI-driven utility bills.
Further developments reinforce these themes. Microsoft is aligning partner incentives around new SKUs such as Microsoft 365 E7, explicitly targeting AI as a delivery motion rather than a feature. Consumption-based pricing—exemplified by the move to token-based billing for GitHub Copilot—exposes clients to “death by a thousand cuts” if usage is not closely monitored. Reports from Cobalt indicate significant security risk, with one in five organizations experiencing an incident involving large language models and a low remediation rate for identified vulnerabilities. Vendors such as Google and OpenAI are responding with new management platforms and reliance on consultancies to address integration and governance challenges.
For MSPs and IT leaders, the practical implications are clear: AI’s operational realities dictate a need to explicitly define governance, permission structures, and consumption management as part of service delivery. Unscoped or bundled AI services risk unbilled labor, unclear liability, and unmanaged exposure to security and cost overruns. The operational pivot involves inventorying AI features, establishing ownership, applying identity and access controls, tracking spend, and updating contracts to clarify accountability. Without formalizing these boundaries, MSPs may be left absorbing risk and cost by default.
00:00 AI Reality Check
04:43 Operator Burden
07:11 Meter the Risk
10:35 Why Do We Care?
Supported by:
Acronis
ScalePad
Zero Networks
Upcoming event:
The Pivotal Point of IT: Building Services for the AI-First Era
Date: May 13 at 1p.m. EDT
Register: https://go.acronis.com/davesobelaiera
💼 All Our Sponsors
Support the vendors who support the show:
👉 https://businessof.tech/sponsors/
🚀 Join Business of Tech Plus
Get exclusive access to investigative reports, vendor analysis, leadership briefings, and more.
👉 https://businessof.tech/plus
🎧 Subscribe to the Business of Tech
Want the show on your favorite podcast app or prefer the written versions of each story?
📲 https://www.businessof.tech/subscribe
📰 Story Links & Sources
Looking for the links from today’s stories?
Every episode script — with full source links — is posted at:
🎙 Want to Be a Guest?
Pitch your story or appear on Business of Tech: Daily 10-Minute IT Services Insights:
💬 https://www.podmatch.com/hostdetailpreview/businessoftech
🔗 Follow Business of Tech
LinkedIn: https://www.linkedin.com/company/28908079
YouTube: https://youtube.com/mspradio
Bluesky: https://bsky.app/profile/businessof.tech
Instagram: https://www.instagram.com/mspradio
TikTok: https://www.tiktok.com/@businessoftech
Facebook: https://www.facebook.com/mspradionews
Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.
[00:00:02] AI is not a feature you roll out. It's a system you operate across identity, access, integrations, tickets, endpoints, finance with a meter running. Vendors are building agent control planes and moving pricing toward consumption. If MSPs don't sell governance as a product, they'll deliver it for free under the name support. This is the Business of Tech. I'm Dave Soule.
[00:00:30] AI is moving from interesting capability to operational reality, and the proof is showing up in adoption, gaps, and dollars. Start with the channel's own scoreboard. The Global Technology Industry Association, GTIA, says 97% of IT service providers are using some form of AI, but only 28% describe themselves as AI-driven. That's the key spread. Usage is common, operational maturity is not.
[00:00:59] GTIA also ties maturity to execution discipline, and says 77% of North American providers expect AI and cybersecurity services to be their top growth areas over the next two years. Translation? The market thinks this work is arriving fast, and it's going to be operational, not experimental.
[00:01:19] Now look at AI agents specifically. Cisco, in reporting around RSA conversations, says 85% of enterprises are piloting AI agents, but only 5% have put them into production. Cisco frames that as a trust gap. For this section, the key signal is simpler. Pilots are widespread, production is rare. That gap tells you the market has moved past curiosity and into operational friction.
[00:01:46] These numbers are directionally useful more than precise. The definitions of AI-driven, pilot, and production vary, but the spread is still the signal. Then there's the money. Axios reports that in some AI-heavy teams, compute spend is outpacing employee costs. NVIDIA's Brian Castardo says compute costs for his team are already beyond employee costs.
[00:02:14] And Axios cites reporting that Uber's CTO burned through a full-year AI budget on token usage. Even if your clients aren't NVIDIA or Uber, the takeaway matters. Token-based usage turns AI into a utility bill. Lots of small overages that add up fast if no one is watching the meter. And for smaller clients, the risk isn't a million-dollar surprise. It's death-by-a-thousand-cut usage.
[00:02:40] And that drifts across assistants, agents, and embedded AI features. Gartner, meanwhile, projects worldwide IT spending will hit $6.31 trillion in 2026, up 13.5%, driven heavily by AI infrastructure, software, and cloud services. The dollars are moving. And platform vendors are mobilizing partners around it. Channel Insider reports Microsoft is expanding partner benefits and tooling.
[00:03:06] Positioning's releases like Microsoft 365 E7 and Microsoft Agent 365 as part of a partner-led AI motion. When Microsoft is designing incentives for partners, that's a signal this is becoming a delivery motion, not a feature conversation. If you're listening to this and you haven't hit follow yet, on Apple Podcasts, search The Business of Tech. Takes five seconds, and you'll get tomorrow's show automatically.
[00:03:34] This episode is brought to you by Control Map. Growing MSPs are using Control Map to build recurring revenue by expanding their GRC services. Starting now, Control Map is offering a free plan for MSPs looking to get started with providing compliance as a service. Create a free account and run an assessment. Track key items like policies, risks, and evidence in one place. It's a practical way to prove value to a client before deciding to expand your compliance offering.
[00:04:02] Try Control Map for free today. Visit scalepad.com slash Dave to get started. That's scalepad.com slash Dave. A quick heads up, Acronis is hosting a live event on May 13th called The Pivotal Point of IT, building services for the AI-first era. Their CEO will be laying out Acronis' vision for AI-first service delivery for MSPs,
[00:04:28] including a new partner program and what they're calling a major platform announcement. If you want to hear directly from Acronis on where they're taking all of this, registration link is at go.acronis.com slash Dave Sobel AI era. No spaces. The through line is simple. AI isn't hard to demo anymore. It's hard to operate in the messy reality of modern organizations. Work doesn't live in one system or one clean workflow.
[00:04:57] It lives across identity, tickets, finance, endpoints, cloud consoles, and whatever tools someone adopted last week. And the moment you introduce automation into that environment, you hit the real requirement. Consistency. AI can't be smart if the environment is incoherent. Cisco calls it a trust gap. Operationally, that usually means something more concrete. Identity and access controls, workflow integration, testing discipline, and clear ownership when an agent misbehaves.
[00:05:27] Not an adoption problem. That's an operating model problem. That's why vendors are racing to build control surfaces for agent operations. The register covers Google Gemini's enterprise agent platform as an attempt to manage agent sprawl as a first-class problem, give agents identities, govern access, and observe behavior. The important signal is not the feature checklist. It's that vendors now see governance infrastructure as part of the product category.
[00:05:55] At the same time, when organizations can't stitch this together internally, they bring in outside operators. TechPartner.News reports OpenAI leaning on global consultancies and embedding specialists directly in customer environments. It's an acknowledgment that adoption isn't bottlenecked on access to the tool. It's bottlenecked on integration into real workflows, with real systems and real constraints. In the mid-market especially, internal IT, security, and app owners
[00:06:23] rarely have the time or cross-system authority to sustain that coordination month after month. And MSPs need to name a boundary clearly. When AI is embedded inside Microsoft, Google, or a SaaS app, the vendor may operate the model, but the customer still owns the data, the permissions, and the outcomes. That pushes the MSP role towards governance, configuration, identity, data access logging, and incident response boundaries. Control planes reduce sprawl,
[00:06:53] but they do not fix bad permissions, bad data, or unclear accountability. That's where the operator burden lands. If a service account is over-permissioned, or an agent can close tickets or trigger approvals it shouldn't, better visibility does not remove the underlying exposure. And once governance is unclear, the two things that start drifting immediately are risk and cost. On the risk side, Cobalt's 2026 State of Pentest testing report
[00:07:23] says one in five organizations experienced a security incident involving a large language model in the last year. Cobalt also found 32% of AI and LLM vulnerabilities were rated high risk, nearly three times the overall high risk rate. And even when teams find these issues, only 38% of high-risk AI findings are fixed. That's the toxic combo. High-risk findings, low remediation rates, and continued rollout.
[00:07:51] Someone has to continuously test, validate controls, and keep the business moving anyway. And in many organizations, that someone becomes the service provider. On the cost side, the pricing model itself is shifting in a way that forces governance. Microsoft is reportedly moving GitHub Copilot toward token-based billing as soon as June, based on internal documents cited by Where's Your Ed At? The new structure is explicit. Copilot Business at $19 per user per month
[00:08:20] includes $30 of pooled AI credits, and Copilot Enterprise at $39 per user per month including $70 of pooled credits. Whether the exact timing shifts or not, the direction is the point. AI pricing is trending toward a pooled, trackable consumption. That's not AI as a flat tool, that's AI as a metered utility. Which means organizations need someone to manage consumption, set guardrails, and keep usage aligned to outcomes.
[00:08:51] Clients will need someone to continuously control two volatile variables, AI risk and AI consumption. The opportunity is not just deployment, it's ongoing governance, accountability, and cost control. The MSP either becomes the provider that simplifies and governs this automation layer, with policies, testing, usage controls, and accountability wrapped into a service, or the MSP becomes the place where the client's AI complexity lands, incident by incident,
[00:09:20] and overage by overage, without ever getting paid for owning it. This episode is supported by Zero Networks. Cyber resilience is no longer a security team problem. It's a board-level business imperative. When an attacker gets inside a network, the real questions become, how far can they move? Can they get to the crown jewels? And how much of the business can they impact? And for how long? That's where Zero Networks comes in. Zero Networks helps organizations
[00:09:50] prevent attacks, minimize blast radius, and maintain business continuity. Even when attackers get inside. Their micro-segmentation platform automatically builds segmentation policies based on how legitimate users and systems actually communicate, making every access and connection verified and intentional. The result for a threat actor is lateral movement is blocked and threats are contained before they can cause damage. Because it's not the breach, it's the damage.
[00:10:20] Contain the breach before it spreads. The question isn't if attackers gets in, it's whether your business stays running when they do. Zero Networks was built for exactly that. Visit them at zeronetworks.com So why do we care? The bad decision is treating AI adoption like a tooling decision instead of a service design decision. If an MSP adds AI capabilities without defining governance, pricing, accountability,
[00:10:49] and contract boundaries, it turns client experimentation into unscoped labor, unclear liability, and margin leakage. The practical mistake is bundling AI support into general service delivery without separately scoping who owns configuration, permissions, acceptable use, data overage, data exposure, and incident response. And this won't be driven only by security teams. Insurance, compliance, and audit demands
[00:11:18] will force the same questions. Who approved this? What did it access? And where are the logs? If that operating boundary is not explicit, every AI failure defaults into the MSP's queue, and usually under the MSP's balance sheet. So what to consider? If AI governance is not explicitly scoped, scheduled, and priced, it'll be delivered informally and billed at zero. Start by defining AI governance as a service with named deliverables.
[00:11:48] That means maintaining an inventory of every AI feature and agent in the client environment, documenting ownership, setting identity and permission boundaries, defining approved data sources and retention rules, and putting testing and change control around prompts, integrations, and automations. Consumption controls belong in that same package. Budgets, alerts, and usage reporting. Then put that work on an operating cadence. At minimum, review it monthly. What new agents appeared?
[00:12:18] What permissions changed? What spend drifted? What incidents occurred? And what high-risk findings remain unresolved? If remediation is expected, price it. If it's out of scope, document that in writing. Finally, align the commercial model to the operational reality. Standardize on one primary control plane where you can, enforce a cross-platform minimum baseline everywhere else, and update contracts so ownership is explicit for overages, data exposure,
[00:12:48] configuration boundaries, incident response, and accountability. If those terms are not defined up front, the MSP will end up absorbing the work by default. If this trend continues, MSP agreements will add a formal AI operations schedule, agent inventories, approval boundaries, testing requirements, token budgets, and incident ownership because clients will want explicit accountability for both AI behavior and AI spend.
[00:13:19] This is the Business of Tech. Want more from the Business of Tech? Join Business of Tech Plus for ad-free episodes, early interviews, extended cuts, subscriber-only shows, and exclusive member perks and analysis. Sign up at businessof.tech slash plus. And follow this show on your podcast app, and if you're on YouTube, hit subscribe and the bell so you never miss a story. Reviews and comments help spread the word too.
[00:13:49] Interested in advertising? Head to mspradio.com slash engage. The Business of Tech is written and produced by me, Dave Sobel, under ethics guidelines posted at businessof.tech. Thanks for listening. I'll see you on the next episode. Part of the MSP Radio Network.