The structural shift highlighted in this episode is a move from simple AI enablement to a managed service model centered on agent governance, enforcement, and workflow automation within IT environments. The episode identifies unmanaged AI agents as a source of escalating risk, citing vendors like ScalePad shifting from remote monitoring to SaaS and AI usage discovery, and referencing research and audits from Snyk and Verizon that identify tangible security flaws and unapproved AI activity within organizations. Managed service providers are increasingly positioned as the operational layer that defines and enforces governance over automation systems, rather than simply deploying AI tools.
The primary evidence for this shift is found in audit findings and market reports. Snyk's audit of 4,000 AI agent skills showed over a third had at least one security flaw, while Verizon’s data cited by The Register noted a fourfold increase in employees using unauthorized generative AI, with 28% of data loss prevention violations involving code or proprietary data submitted to AI platforms. Gartner, as reported by The Register, predicts 40% of organizations will demote or remove AI agents due to failed governance efforts, attributing the problem to all-or-nothing approaches that lead to operational and compliance failures.
Secondary developments reinforce the move toward operationalized governance. ScalePad and WatchGuard are bringing AI and SaaS governance capabilities to the MSP channel, with product releases focused on real-time discovery, policy enforcement, and automation control. Incidents like Anthropic’s leak of its full source code for Claude Code, exposing permission and sandboxing details, illustrate how transparency in AI agent operations can also create attack vectors, emphasizing the need for robust operational controls and ongoing auditability. The market is shifting to sell "coherence" (packaging identity, permissions, and workflow automation) rather than just technological capability.
Operationally, the consequences for MSPs include increased responsibility for defining and enforcing permission boundaries, approval rules, and evidence collection. Failure to address agent governance will expose providers to operational ambiguity, unpriced liability, and recurring support burdens. The guidance is to move beyond AI enablement projects and toward agent operation retainers that include clear workflows, permission maps, execution logs, and contractual clarity on responsibility and incident management. MSPs that cannot prove and control agent behavior risk inheriting the complexity and fallout from system failures or misuse.
00:00 Shadow AI Surge
05:01 Context Is Infrastructure
07:46 Agent Control Plane
11:16 Why Do We Care?
[00:00:02] The valuable AI offer for MSPs is not another chatbot SKU. The winning MSP AI offer is an agent operations layer, policy plus enforcement wrapped around workflow automation. Because ungoverned agents turn routine work, like package installs, data pulls, and SaaS actions, into unmanaged spend and unmanaged risk.
[00:00:25] The market is already moving there. Vendors are building context pipes, execution sandboxes, small business workflows, and agentic security labor. The MSP that packages governance around those systems owns the margin. This is the Business of Tech. I'm Dave Sobel. The next operational problem is becoming visible across software teams, enterprise users, vendors, and the MSP channel.
[00:00:55] And it centers on who governs agentic AI once it starts acting inside business systems. Start with what's happening inside software teams. The New Stack ran a piece with a blunt line in the headline: "There is no accountability." The reporting focuses on AI coding agents, tools like Claude Code, GitHub Copilot, and Cursor, pulling in dependencies and installing packages automatically.
[00:01:21] And the measurable risk is already showing up in upstream research. The article cites a Snyk audit of 4,000 AI agent skills, where more than a third contained at least one security flaw. That's not a hypothetical future problem. Those are packages and components being pulled into real environments, at machine speed, with human ownership getting fuzzy. Then zoom out from developers to the broader workforce.
[00:01:48] The Register, citing Verizon's latest Data Breach Investigations Report, says shadow AI use, that's employees accessing generative AI tools through unauthorized personal accounts, has surged fourfold in the last year. The same coverage points to adoption numbers that matter. 45% of professionals are using AI regularly, and 67% of those users are doing it through personal, non-approved accounts.
[00:02:15] Verizon's dataset also flags that 28% of data loss prevention violations involved code or other proprietary material being submitted to AI platforms. Again, this is observable behavior happening now inside companies that believe they're managing AI. And if you're wondering whether organizations are handling it well, Gartner's answer is no.
[00:02:39] The Register reports Gartner's prediction that 40% of organizations will demote or decommission AI agents because they can't implement effective governance. Gartner's framing is that companies keep treating agent governance as all or nothing, either fully locked down or fully trusted. And that's producing operational and compliance failures at scale. And in the managed services channel, vendors are now productizing the visibility problem.
[00:03:06] A release carried by Yahoo Finance says ScalePad is extending its Lifecycle Manager platform beyond traditional RMM into SaaS management, including discovery of SaaS, shadow IT and AI usage, explicitly pitching it as something MSPs can operationalize across client environments. If you're listening to this and haven't hit follow yet on Apple Podcasts, search Business of Tech. It takes five seconds and you'll get the next episode automatically.
[00:03:38] Today's episode is supported by JumpCloud for MSPs. Imagine delivering intelligent, secure IT for every client from one unified platform. JumpCloud eliminates tool sprawl by bringing identity, device and access management under one roof. Easily manage multiple clients via a multi-tenant portal, intelligently automate onboarding and push patches across Mac, Windows and Linux, all from a single pane of glass.
[00:04:03] The result? Tighter proactive security, fewer mistakes and faster service delivery. To explore JumpCloud for MSPs, visit jumpcloud.com slash MSP radio. Are you and your clients tired of the time-consuming ticket tennis of coordinating meetings and help desk calls? Wouldn't it be better to automate this process with a tool that connects directly to ConnectWise Manage or Autotask?
[00:04:31] TimeZest offers scheduling automation that gives you complete control of your schedule and eliminates the hassle of calendar ping pong. As the only service designed specifically for MSPs, it integrates into your workflow and makes scheduling appointments easy on you and your clients. Plus, you can try TimeZest for free.
[00:04:52] Visit timezest.com slash MSP radio and use the code MSP radio to get 10% off your first year of TimeZest. The mechanism is that AI only looks agentic on the surface. Underneath, it's forcing organizations to make their information, permissions and workflows legible to machines. And most business environments were built for humans to improvise around the gaps. That's why the data layer matters first.
[00:05:22] Dun & Bradstreet's rebuild of its commercial graph is not just a database modernization story. It's a signal that agentic systems need cleaner context than human users do. A person can recognize a messy customer record, ask a colleague, check another system and make a judgment call. An agent cannot reliably do that. If the entity is wrong, the next action is wrong.
[00:05:46] And because agents operate at software speed, the mistakes scale before anyone notices. So the first mechanism is context normalization. Turning fragmented business information into something a machine can resolve, verify and act on. The second mechanism is context movement. This is where Zoom's Model Context Protocol expansion fits. The point is not simply that meeting transcripts and summaries exist.
[00:06:12] The point is that those artifacts now need to move into Salesforce, ServiceNow, Workday, developer tools and other systems with permissions intact. The agent does not just need information. It needs authorized information in the place where work is happening. The third mechanism is controlled execution. Anthropic's self-hosted sandboxes and MCP tunnels are not glamour features. They're operating controls.
[00:06:39] They let organizations keep execution inside a managed environment, connect to private tools through a governed path, and preserve the convenience of a managed agent loop without giving the agent uncontrolled reach across the business. Put those together and the pattern becomes clear. Agentic AI is not really a prompt problem. It's a coordination problem. The system needs trusted data, provable context, permission boundaries, execution controls, and repeatable workflows.
[00:07:09] That's why the next move is packaging. Anthropic's Claude for Small Business is pre-built workflows and connectors into tools like QuickBooks, PayPal, HubSpot, Google Workspace, and Microsoft 365 because small businesses are not buying architecture. They're buying a usable motion. Take this messy cross-app task and make it repeatable. That's the mechanism underneath the market shift. Vendors are not selling AI capability. They're selling coherence.
[00:07:37] They are taking the messy parts of business work, identity, context, permissions, execution, and workflow, and packaging them so automation can run without constant human translation. And once vendors package coherence, the channel question becomes who governs it for the client? For MSPs, the consequence is that automation is becoming the work, and whoever governs it owns the margin. Look at the security side first.
[00:08:04] The Next Web reports that Anthropic unintentionally exposed the full source code of Claude Code on a public npm registry. Roughly half a million lines of TypeScript across nearly 2,000 files. The story is an embarrassment. It's the leak included permission enforcement logic, sandboxing architecture, and feature flags. It's a blueprint for how the guardrails work.
[00:08:27] A security veteran quoted in the piece, Tim Burke of Quest Technology Management, warns that when attackers understand the permission model, they can craft commands that look legitimate and slide past security tooling tuned for human patterns. That's the point. Once automation becomes the actor, normal behavior is no longer a human baseline. MSPs can't defend clients with yesterday's assumptions about what activity looks like. Now pair that with what the channel is being sold as the fix.
[00:08:55] Tech partner news says WatchGuard is rolling out an MSP-focused agentic digital workforce called RAI, R-A-I, positioned as always on detection, investigation, and response, with an initial analyst role live and auditor and admin roles coming. The pitch is that partners get dashboards, daily briefs, and a model that scales without any headcount. You can hear the subtext. The expectation is no longer your engineers will do the work.
[00:09:23] It's your platform will do the work and your engineers will supervise exceptions. Put it all together and the consequence resolves into one hard operational reality. MSP value is shifting from doing tasks to controlling the automated system that does them. That's setting permissions, defining what the agent can touch, enforcing policy, logging decisions, and knowing when to stop the machine. The MSP either becomes the provider that simplifies and governs the automation layer,
[00:09:52] making it a packaged, priced control plane, or the MSP becomes the cleanup crew for everyone else's automation, absorbing weird tickets, edge cases, and the security fallout without ever getting paid for the complexity. I want to make sure you know about something that's coming up this June. The SMB online conference is back June 23rd, 24th, and 25th, and this one is built for operators like you.
[00:10:19] The theme is, profitable is enough, which runs counter to a lot of what you hear in this industry. This isn't about hyper growth or exit multiples. It's about running a business that works on your terms. Three days, online, noon to 3.30 Eastern. Twelve sessions across pricing, service delivery, AI, M&A, private equity, people, and culture. All practitioner speakers. No vendor keynotes.
[00:10:49] It closes with a session unlike anything you've seen at a conference. I'm going to read anonymous submissions from attendees. What keeps you up at night about your business? And respond live. No script. Real answers. Small Biz Thoughts community members get in free. Go claim your ticket. Everyone else, registration is $399. SMBOnlineConference.com That's SMBOnlineConference.com
[00:11:17] Why do we care? The counterargument is that SMB clients are not asking for agent governance. They're asking for productivity. They want AI to summarize, automate, route, recommend, and execute. They don't want to buy permission maps, policy reviews, audit trails, or responsibility boundaries. And that is true. But it's also the trap. Clients rarely ask for the control layer before something breaks.
[00:11:45] They ask for speed first and accountability later. Once an agent is connected to business systems, the question changes. It's not, can this tool save time? It becomes, who approved the action? Who could see it? Who limited it? And who pays if it's wrong? That's the bad MSP decision. Selling AI enablement without pricing agent governance. The MSP helps the client automate work, but does not define the operating boundary around that automation.
[00:12:14] It earns the project, but inherits the ambiguity. So we care because the market will not announce this as a new managed service category. It will show up as support tickets, bad workflows, confused permissions, shadow AI spend, and disputes over who was responsible for an automated action. The MSP that sees the shift can package governance as the value. The MSP that misses it will treat governance as overhead and then absorb the cost when the automation fails.
[00:12:44] So what to consider? Start by separating AI enablement from agent operations. Enabling a tool is a project. Governing what that tool is allowed to do is a managed service. That means defining four things before the agent goes into production. First, permission boundaries. What systems can the agent access? What data can it read? What actions can it take without approval? Second, approval rules. Which actions require a human in the loop?
[00:13:12] Financial changes, security remediation, customer communications, ticket closures, or data movement? Third, evidence. Can the MSP and client see what the agent did? What data it used? Which workflow it triggered? And who approved the action? Fourth, responsibility. Does the contract say who owns an automated mistake? Who pays to unwind it? And what falls outside the MSP scope? Package those controls. Price them.
[00:13:41] Review them quarterly. The opportunity is not just helping clients adopt AI. It's helping them operate AI without turning every automated action into an unmanaged support and liability event. If this trend continues, MSPs will stop selling AI enablement as a standalone project and start selling agent operation retainers that include approved workflows, permission maps, execution logs, spend controls, incident review, and quarterly policy tuning.
[00:14:10] The dividing line will be simple. MSPs that can prove what an agent was allowed to do when it actually did, and who approved the action will own the managed service category. MSPs that cannot will inherit the ambiguity every time automation creates a business problem. This is the Business of Tech. Want more from the Business of Tech?
[00:14:34] Join Business of Tech Plus for ad-free episodes, early interviews, extended cuts, subscriber-only shows, and exclusive member perks and analysis. Sign up at businessof.tech slash plus. And follow this show on your podcast app, and if you're on YouTube, hit subscribe and the bell so you never miss a story. Reviews and comments help spread the word, too. Interested in advertising? Head to mspradio.com slash engage.
[00:15:03] The Business of Tech is written and produced by me, Dave Sobel, under ethics guidelines posted at businessof.tech. Thanks for listening. I'll see you on the next episode. Part of the MSP Radio Network.

