The risk an MSP carries that a law firm doesn't
Picture a 75-person managed service provider on a Tuesday afternoon. A tier-2 tech is closing forty tickets across eleven clients, and someone proposes wiring an AI assistant into the PSA to draft ticket summaries and pull from the knowledge base. Reasonable. Until you realize the same model is reading resolution notes from a manufacturer's firewall config and a dental group's VPN setup in the same session. The day an AI-drafted summary references the wrong client's environment, you haven't created a typo. You've breached the one thing every MSP actually sells: that Client A's network is invisible to Client B.
That is why a generic AI readiness checklist undersells you. The RSM middle-market AI survey shows adoption climbing fast across the middle market, and the OECD report on AI adoption by small and medium-sized enterprises is blunt that data quality, process ownership, and governance have to land before tools become value. For an MSP that guidance has a sharper edge: your "data" is dozens of clients' infrastructure secrets, and your governance failure mode is cross-tenant contamination, not a bad answer.
So before you score workflow value or adoption friction, score the one dimension that is existential here: can the AI touch ticket and knowledge data without ever crossing a client boundary? The SMB AI readiness assessment gives you the eight-dimension scorecard. For an MSP, tenant isolation is the gate that sits in front of all of them.
The first workflow that survives a security questionnaire
Pick the workflow that is high-volume, text-heavy, and low blast-radius if it goes sideways. For a 75-person MSP that usually means: drafting ticket resolution summaries from a single client's own ticket history, surfacing relevant runbook articles to a tech mid-ticket, or composing a first-pass client status update from this month's closed tickets. What it does not mean, on day one, is anything that takes action in a client environment or reasons across multiple tenants at once.
Run each candidate through one filter your clients will eventually run on you anyway. The NIST AI Risk Management Framework gives the rhythm — govern the context, map the workflow, measure the risk, manage the loop after launch. Then layer the security reality of your business: CISA's AI data security best practices and the NIST Cybersecurity Framework 2.0 should dictate how the model authenticates into the PSA, what it's scoped to read, and whether every retrieval is logged per-client. If you can't answer "which client's data did the model see, and who approved that scope" from a log, the workflow isn't ready — it's a future incident report.
A worked version: say a 40-person MSP's techs want ticket summaries. Before launch you nail down a named service-desk owner, read-only access scoped to one client tenant per session, a reviewer who eyeballs summaries on tickets touching credentials or security, an exception path when the model retrieves from outside the active tenant, and one number to watch — summary edit rate. If techs rewrite 60% of drafts, you've automated frustration, not work. If they ship 80% untouched, you have a real before/after to put in front of the next client QBR.
Prove one tenant-safe workflow before you let AI touch the RMM
The honest readiness question for a 75-person MSP is narrow on purpose: can exactly one support workflow move from a tech's side experiment into a governed, logged, tenant-isolated operating rhythm — without weakening the access controls your SOC 2 or client contracts depend on? The Deloitte State of AI report tracks how the gap between piloting and operating is where most value leaks out. Your assessment should produce one of three verdicts: approve a single governed support workflow, require access and isolation remediation first, or reject the use case when ownership and value aren't clear. "We'll figure out logging later" is a reject.
The pull will be to skip ahead — let the AI close tickets, trigger RMM scripts, push changes. Resist it. The Gartner agentic AI forecast projects that more than 40% of agentic AI projects get cancelled, largely because teams scaled autonomy ahead of proven control. An MSP that lets a model take action in client environments before it has earned trust on read-only drafting isn't being ambitious. It's writing the breach disclosure in advance.
What you can do Monday: list your top three text-heavy support workflows, mark which ones can be scoped to a single client tenant, and pick the one with the cleanest access boundary as your pilot. Then use the 90-day implementation plan to turn that pick into a named owner, a security review, per-tenant logging, and a service metric you can defend to a client.
