Fireside Chat | The MSP's Guide to Becoming an AI Strategic Partner

[00:00:10] Welcome everyone to the latest installment of MSP Business School. I'm Brian Doyle and I'm here with you today to do a little fireside chat. We like to do these from time to time to talk about things that, you know, I'm hearing daily from different customers as I do my, what I'll call my regular day job over at VCIO Toolbox.

[00:00:31] Now, there's a lot of buzz around AI, right? We know those two letters will probably be uttered more by everybody globally before the end of the year than almost any others, right? And, you know, everybody's got their take on what AI is doing, good, bad, or indifferent, right? But one of the things that I know is it's one of the top priorities sitting on the MSP minds.

[00:00:54] And one of the questions that comes up often is not so much, will AI be beneficial or how do we get out there? But how do we get that into the conversation with the customer? Believe it or not, a number of the MSPs that I've worked with have not, you know, yet been able to get to that point where they're having the business conversations with the customers. And they're seeing these AI projects go to consultants that are focusing on nothing except AI, right? They're not being brought to the table.

[00:01:22] And one of the things that we want to do is kind of work on a, call it a playbook. That's going to help you really understand how you can engage your customer and get involved with those AI projects as an MSP. So really, we're going to talk a little bit today about everything from AI readiness to driving recurring revenue post-project with the AI in your MSP. But we're going to kick things off by talking a little bit about the opportunity itself.

[00:01:49] The customers are already buying AI and they're already utilizing AI within their businesses. But the question is, are they engaging you in this conversation? There are some studies out there that are showing that many of the businesses are not looking at the IT people as the people they need to work with from AI, but they're looking out to application providers and consultants and others that are working out there.

[00:02:13] So you really need to work early to showcase that you've got AI strategy capabilities and really take on that advisor role before any competitors come in in front of you. And the opportunities are not insignificant. In talking to my customers that are really starting to build out good AI programs, I'm hearing the average project assessment in GoLive can average between $3,000 and $15,000.

[00:02:42] And today, as I share with you a little bit, we're going to talk a little bit about what a readiness assessment really is, because there's kind of a readiness assessment that a lot of you were using as kind of a sales focus tool. And certainly it's a good first level to really understand, does the customer have budget? Do they have a strategy? Do they have resources that are identified that are going to help support this? But it doesn't. It's really when you get to the project assessment where now we're starting to look at the data much more deeper and some of the other elements that we need to consider in building out this program,

[00:03:11] that things really start to shine and really, you know, this is where the project commences and starts beginning before you deliver. And once you convert those projects, there's a long tail as well. MSPs have been brought up on as a service, right? And the good news here is in the world of AI, governance as a service should be a reality. As we've all experienced already, I know myself here at VCIO Toolbox,

[00:03:37] our developers are changing our methodologies and getting ready to roll out new features, totally based on how AI has advanced over the course of the last three, four months, right? So we're all seeing how quick it moves, but there's a counterbalance to that. Once it moves quickly, it also opens up security considerations, functionality considerations, you know, are we getting the information real that we're looking for at this point in time?

[00:04:08] So there's a lot more we can do. And this is also a great way if you're stuck in that commodity bucket to start differentiating yourselves. So if that cyber conversation isn't winning and these days the cyber conversation is like going to the dentist for many customers. They know they got to do it, but they don't really want to talk about it. You know, if that's not getting you to that more trusted advisor level, this conversation certainly would. So, you know, there's a huge opportunity out there.

[00:04:37] Folks are seeing up to $30,000 per customer in recurring revenue for that governance and kind of ongoing maintenance of the AI projects that they deliver. And they're definitely seeing that the relationships are growing much faster versus traditional break fix. So when you're conducting a readiness assessment and think a little bit more post that, you know, that sales readiness assessment. Actually, let's take a moment on the sales readiness assessment.

[00:05:04] Every MSP should have a way to at least engage and kind of do a pre-project discovery with a customer, really to see what their appetite is for AI. Questions around, you know, do you have a strategy for AI today? Are tools being utilized by your employees? Do you know what tools are out there? That's a critical one because shadow AI is a huge problem that's starting to creep in. And this is where a lot of the data breaches originate, too,

[00:05:33] because if you don't have a handle on who's using AI and if you're not providing the tools with some guardrails for that AI, those AI agents to be utilized in your organization, you're opening the door for potential security problems down the road. We've already heard stories about users putting customer data into public, you know, or AI harnesses that are still that are contributing to the LLM's learning.

[00:05:59] And these kind of things are shadowing those breaches out in the marketplace. So we want to make sure that you're not doing that, of course, as an MSP. So there's really five dimensions of once you've established a customer wants to do AI, you've done this kind of sales readiness assessment that at least tells you that they have an appetite for AI. And now we're going to go in and work with the customer. And those five pillars are very simple. It's data readiness, infrastructure and security, process readiness,

[00:06:27] people and culture and governance and policy. And we're going to break each one of those down. Data readiness is really the understanding of the availability and accessibility of the customer's data. What data do they want to use as part of this process? What are the processes that they're trying to, you know, automate? Right. And in doing that, we can start looking a little bit deeper. Do we have access to that? Are there APIs or MCP capabilities that can support them?

[00:06:57] If not, how are we going to build an RPA process that might be able to bring that data into reality with the AI? But the real reality is if we don't have access to that data and more importantly, it's not governed. Always think about that concept of garbage in yields garbage out. Right. And if we don't have good, clean data to input, you're going to end up with bad outcomes. So data readiness is a key component of one of the things you need to evaluate with your customer as you're kicking this process off.

[00:07:27] The second one is infrastructure and security. Where's this AI going to run? Is it going to be a cloud-based MCP server that you're engaging in? What data is it going to touch and where is that data found? You know, do we have identity controls, endpoint controls? What are the compliance risks? All of this has to be assessed. And obviously, this is right in the sweet spot of the MSP. It's looking at an overall architecture and really understanding where the risk lives. And that's something that all of you do natively every day.

[00:07:57] Then we really need to look at process readiness. You've got to map the existing workflows to understand where the highest leverage AI opportunities exist within the customer. They're going to want to see ROI. They're going to want to see some sort of measurable outcome. So we have to understand these business processes. And for a lot of MSPs, that's a new conversation.

[00:08:18] They might not be involved with the line of business managers and really understand what's happening on the shop floor or how the supply chain is working, right? You know, these different considerations depending on the vertical that you're working with. And now we really have to get into those conversations and understand what the process and the workflow looks like. And then we can determine, can this be translated into something that AI can provide to the customer?

[00:08:42] But more importantly, with a better outcome than they're getting today manually and with some sort of return on investment, whether that's, you know, increased productivity, more efficiency or, you know, hardcore dollars. Those are things that need to be understood at this stage. People and culture need to be looked at, too. You know, is there executive buy-in? If the executives are not believers that AI can help their business move forward, they're not going to help push those initiatives through.

[00:09:09] The second thing is you've really got to understand the AI literacy of a business. If you're working with a business that is very, you know, very simple in their technology usage and their users are not really looking at technology as a big part of their business, you've got to assess that as well before saying AI is going to be the panacea that's going to change their world.

[00:09:31] There's a lot of businesses that rely on technology for simple tasks, CRM, transactions, but their users are not super technology savvy. So we've got to understand what the people and the culture looks like and are they ready to really adopt AI? You could build the greatest tool that's going to give them the biggest impact, but as any software vendor will tell you, if you can't get adoption onto that platform, none of it matters.

[00:09:57] So, you know, this is a great example of where you really got to get in there and really analyze the environment and say, not only can they benefit from it, but will it be adopted? Will it be leveraged? Will it be embedded into their working culture? And if not, it may not be the right place for it to be done as well. And then finally, governance and policy. Obviously, as you're putting these projects together, we have to have acceptable use policies for AI.

[00:10:22] AI end users have to know what they can and could and shouldn't put into the platform, as an example. Understand how they're going to meet regulatory compliance. The EU AI compliance standards are already in place here in the States. There's various frameworks coming in, and I'm sure we're going to see more and more around regulation as time goes by as well.

[00:10:45] And the nice part about this is when we start looking at compliance and we look at policy and we look at the long term, this is setting the tone for what we all love, that recurring revenue opportunity. What you're going to find when you meet with your customers is when you look at these five dimensions. Again, that was data readiness, information and security, process readiness, people and culture and governance and policy. You're going to see a lot of your clients are going to score really high on one or two pillars and then really low on the other ones.

[00:11:14] And when we understand where that imbalance lives, that's our roadmap to really bringing projects forward to the customer. Now, when we're running the assessment, think of it in a four phase framework. The first one is kind of the discovery call, right? This is even pre-project, pre-sales. This is where we're going to do that kind of sales readiness conversation. And really what we're trying to find is understand is, you know, what is their appetite for using AI? Do people use it within the organization today? Do they have awareness of where it's being used?

[00:11:44] Do they pay for those subscriptions? Are they potentially being used rogue? You know, do they share AI awareness information with their customers? We have a number of questions. And again, inside BCIO Toolbox, we have a 30-minute readiness assessment that can be used to help you in this discovery process. Again, not looking to put a commercial here. You can find those almost anywhere. But when you have that, it's going to guide you through this discovery conversation.

[00:12:10] Once you understand that there's use cases that can be investigated, now it's time to work with the customer, get into that paid engagement, and really start looking at data collection. And this is where we go back to what I was saying earlier, looking at all those data sources, understanding if they're ready to be AI enabled, meeting with the IT ops, finance teams, the department heads, anybody that's going to be potentially impacted in the workflow that you might bring to life through AI now needs to be engaged as well.

[00:12:40] Beyond that, we now need to do analysis and scoring. We don't want to put out 12 different AI opportunities in front of the customer. We want to prioritize them, see where the biggest gains can be made, and then bring two or three to the customer. And we do this through kind of scoring the different opportunities that we hear and seeing where the biggest, you know, again, some general criteria that will allow us to determine where the best focus of time and resource should be for that customer.

[00:13:07] And then you're going to deliver that report. All of this takes about four weeks, and now you're going to work with the customer to get in there. Things to watch out for, though. AI has, just like all IT projects, the opportunity for easy scope creep. Once they start seeing the benefit, they might want to bring more under that umbrella, and you've got to make sure.

[00:13:29] The other thing is really be sure before you embark on a project that you've done another readiness assessment to really make sure you're not going to fall into any technical black holes as you move things through. And then finally, you know, selling tools before strategy is not going to be the answer. So don't focus on the tools that you're going to be delivering themselves and the technologies that might be supporting it. Make sure they're understanding what the outcome is going to be of getting these projects done. And that's really where you're going to secure the win as the MSP.

[00:13:58] Now, the beautiful thing about this is when you go through it, now you're really going to start, you know, getting the customers buy-in. But we've got to turn readiness into this paid project, right? So you've really got to prioritize things ruthlessly. I said this earlier. You don't want to have 12 opportunities for the customer because they will never pick one. You've got to really get in there and say these are the top three opportunities where we see the highest gains.

[00:14:24] And again, those gains can be efficiency, productivity, you know, workflow streamlining, communication improvements, or ROI, right? But we want to make sure that we're prioritizing ruthlessly and we're giving the customer limited options. We want to make sure that they understand the business outcomes. We don't want to tell them, hey, we're going to implement Copilot and it's going to be wonderful.

[00:14:45] We want to make sure they understand how they're going to reduce their document processing time by 40% or how they're going to be able to take products to market 60% faster as their marketing teams can create artifacts at scale much quicker than they could traditionally. Those are the kind of things that they're going to want to understand before they say yes or no. And then anchor in the findings.

[00:15:07] You know, really make sure that as you, you know, you were uncovering these challenge points that really can drive an AI project that you're reinforcing with the customer what you discovered, where the bottlenecks and workflow live, where the financial losses might be creeping out of their work stream and really help them see that. And then break things into 90-day phases, right? Make sure there's some data cleanup put out there.

[00:15:32] Then have a phase where there's a pilot where you get selected users starting to utilize that tool and validate that the workflow is, in fact, what they need to be. So tweaking is done before you bring it out to the masses, right? And then you're going to start building in phase three the governance process. And at each one of those steps, it really provides you with the opportunity to talk about as a service as you move through it as well. Finally, you're going to want to introduce governance early.

[00:15:59] As you're talking about the projects, you've got to talk about the long game, too. Hey, this is not a project in the world of AI that you're going to set up and it's going to be done forever. AI continues to evolve. Your workflow might change and there's going to be changes that need to happen. Each time the AI evolves, we may be introducing new issues in your LLM. Security considerations, ethical considerations, bias considerations.

[00:16:28] And we need to continually look at this. So a strong AI governance program needs to be rolled into any AI project that you're looking at. So let's kind of shift gears into what governance really looks like. And, you know, we also have to get into why governance can't be optional. A lot of MSPs are delivering the projects but are not comfortable yet kind of taking on the next tail. But the problem is things will break over time.

[00:16:55] Things will not work like they did on day one because AI and their language models continue to change, right? So when that happens, if we're not in a governance process, we're going to start getting pushback that the project didn't work, right? So we want to make sure we stay in front of those potential risks that we can face as well. AI, as I've said many times, just doesn't stay put.

[00:17:18] And really what we need to do, you know, need to do is make sure that the changes that happen in AI are not affecting real-time decisions for the customer. Security isn't a project, right? We all know this. It's a program we implement with our customers. And AI governance needs to be treated the exact same way. Ongoing monitoring, ongoing policy management, ongoing response capabilities.

[00:17:42] Those are things that we need to build into our AI governance programs that exist, you know, within the traditional security programs that we do today for our customers. The other thing is, you know, and we kind of touched upon it, is regulatory pressure is real. The EU AI Act is live. U.S. frameworks are published. U.S. sector-specific guidance is starting to grow in healthcare, finance, and education.

[00:18:09] Regulated or not, though, just like traditional networks that we manage, we're only one incident away from the client having a big issue that they have to face, right? So, you know, we need to stay on top of that, and the customer needs to understand this is no different than any other tool they use in their environment. There needs to be a long-term security plan. So what are the things that we're looking for in a governance plan? Well, we're looking for accuracy drift.

[00:18:37] I've talked about, you know, the models changing and evolving. You know, every time I open up Claude, there's an update that needs to be applied, and then all of a sudden there's a new language model that goes into it as well. And that can degrade output quality over time if you don't stay out in front of it, right? Compliance gaps. We've talked about it. As these regulations become a little bit hardened, we've got to see where our actual use is maybe opening up a gap against what the compliance and the controls we need to adhere to exist.

[00:19:05] I spoke earlier about shadow AI, but this one is very real. It's people, you know, adopting unapproved tools within the environment. And there's many vendors that are coming on the scene now that are starting to offer shadow AI tools to really understand where that's being used. You know, similar to the way we were worried about shadow IT with the SaaS apps before.

[00:19:30] So now we're really able to identify where that shadow AI is occurring and make sure that we can get out in front of any unapproved tools before they cause real harm. And then finally, we need to work on incident exposure. We need to have an incident response plan for AI-based events. We need to understand how we can contain an event if it's happened before. You know, what are the steps that we can take if data is potentially getting out or getting used?

[00:19:58] And there's a lot of steps that we can take to do that, but we got to really map them out, understand them, and of course, test them as part of the process as well. Other considerations that you need to think about is there's really six core components in an AI governance program. First one is simply AI policy development, right? We have to have written policies that really help the customer understand and their end users understand what's acceptable use.

[00:20:27] What are prohibited use cases? How should data be handled? What's the employee's responsibility? What's the company's responsibility for the employee? And we can own that whole policy lifecycle as an MSP community. Just like traditional security programs, we've got to have an AI inventory. We've got to know what AI tools are being used out there. We all know AI is not a one-tool-fits-all.

[00:20:52] Different models fit different use cases, so marketing might need something different than data research, depending on the organization. And then we've got to make sure that we've got least privilege rights on that as well, that the right people have access to the tools that they're supposed to use, and we've got approvals in process before anything can go forward. So just like anything, we want to have a risk register for AI or incorporate AI risk into our risk register, but maybe tag it or define it a little bit more clearly and really understand that.

[00:21:21] The other thing is we need to look at vendor and tool assessment a little bit more deeply. We've got to understand how the vendor's utilizing AI within their applications. What models are they using and how is your data being treated within those modules? What is the security posture of those organizations? What contractual protections do you have? You really have to become the filter on this because it's also new for the vendor community, right?

[00:21:45] Not everybody necessarily has every component of an AI program yet developed within their application, but they're moving fast to bring those convenience tools, agents within their apps, MCP servers you can connect to. Those kind of things to give you better ease of use and certainly a better user experience, but they may not have totally fleshed out exactly the policies that they need to support that as well. Again, everything is moving so quickly.

[00:22:15] There's a little bit of influx that we're all facing as that. Employee training is also critical. We talk about it from a security awareness and phishing simulation standpoint, but there really needs to be AI training as well. We've got to reduce that human factor. We talked about it earlier.

[00:22:35] The data that has escaped on AI is simply because people were putting data that was private by nature into models that were training the LLM. And your end users have to understand the dangers of that. You've got to convey that messaging. So training is really critical. And then as we talked about a few moments ago as well, incident response is really critical here. It's going to potentially be a different level of incident response.

[00:23:02] It might be a little bit more public than some of the other things that you need to do are. So you really have to work with your provider to build a great plan for incident response. So when the if becomes the when, you're ready for it. And then finally, you've got to have executive governance reviews. You know, this is kind of the QBR equivalent for AI. You know, regular reviews of risk posture, compliance status, you know, program health needs to be conducted.

[00:23:31] And you guys can be the conductors. And you've got a lot of the tools that are going to work with it, right? Your Microsoft tools, your anthropic tools, all those kind of things. You're going to be able to gauge that security risk and be able to get the details for them. So you really need to be that steward running it. And if you haven't gotten the theme throughout this entire conversation I'm having with you, this is all true strategy discussion with a customer. This is all business process that's being managed here.

[00:23:59] It's not about fixing my PC's issue. It's about how do we drive a business forward? And you've got to be prepared to have those conversations. You know, so there's a number of ways you can shape this. You know, if you do visit BCIO Toolbox's website, you'll see that we have a downloadable governance document there or playbook there that you can look at. And we break down how you can potentially price these services when you're building recurring revenue as well and what goes into each one.

[00:24:28] But really don't sell governance as a compliance application. It's competitive infrastructure for your organization. It could be the edge that puts them ahead of their competitors. And clients who govern AI will be able to move much faster because you're not going to fall into a bit of having to re-architect things. You're continually watching how the AI is performing, monitoring for degradation of information coming in, and making those changes along the way.

[00:24:57] So you don't run into a situation that's six months in. The app that you built or the workflow that you built is not giving you the same level of benefit as you did before. And you've got to go back to start, you know, square one in order to re-architect it. So that's a little bit about, you know, your opportunity.

[00:25:15] You know, I've said for years, it's never been a better time for MSPs to raise their game, whether it's a cyber conversation, an AI conversation, us being thought leaders in the community, getting more strategic with our customers and helping drive business outcomes. The opportunity is endless and continues to grow. And if you're not starting to do these things, you may get left behind as well. So it's time to adapt. It's time to learn. It's time to buckle down and say, where do I fit into this pendulum as well?

[00:25:44] And then find your approach model that you're going to deliver. So again, I want to thank you all for joining me today. We'll be back to regular guests next week. So please get them. If you are watching this on YouTube, please subscribe so you can get brought up to date when new features, new clips and other things are out there besides our episodes. And certainly if you're listening, you can download this anywhere you get your podcast today. I want to thank everybody for joining me. I wish you the best.

[00:26:12] You know, the industry is changing quickly. Things are moving fast. But it's an exciting time to be an MSP and get strategic, my friends. You really have an opportunity to embed yourself in your customer's life if you do it right more than ever before. We'll see you again next week.