Skip to main content

Clients Ignore Security Pitches. They Ask About AI. Use the Second to Fix the First.

Nick Ross4 min read

TL;DR

  • AI readiness is the strongest wedge MSPs have had in years to reopen security conversations clients previously dismissed.
  • Executives who resisted MFA and DLP for years will fund both the moment those controls become prerequisites for the AI project they want.
  • A quick security posture scan before any AI build surfaces the over-permissioned data and shadow AI that make the business case for you.
  • The AI enablement ladder runs four levels: hygiene and security, fixed-scope projects, recurring governance revenue, and strategic advisory.
  • You do not need to be an AI expert to win this work; you need to be the guide who aligns security, productivity, and governance with business goals.

For years the security conversation has gone one way: the MSP raises it, the client defers it, and nothing moves until a breach forces the issue. Productivity pitches drown in tool fatigue. Continuous improvement never finds a line item. The MSP stays boxed in as a cost center.

AI just flipped that table. As of September 2025, if there is one lever MSPs should be pulling, it is this one: AI is the fast track to relevance in the C-suite and to specialization in your services.

Why the door is suddenly open again

Illustration of AI adoption reopening executive conversations for MSPs

AI stopped being a novelty and started being a necessity. But clients are past asking whether to use AI. They are asking how to use it safely, strategically, and competitively, and that question is yours to answer.

You do not need to be an AI expert. You need to be their AI guide: the person who aligns security, productivity, and governance with their business goals. If you have been waiting for the moment to move the relationship from "fix my IT" to "help us grow," this is it.

A fintech wanted an agent. The scan found the real project.

A mid-sized fintech company came to us with a request:

"Can you built an agent that can process our loan applications against underwriting criteria and create approvals or rejections?"

The ask bundled three pieces:

  • A customer-facing chatbot to handle loan FAQs.
  • An internal Copilot to assist loan officers with underwriting questions.
  • An AI assistant to triage loan requests by analyzing SharePoint documents.

The business case was real. They spent one hour per loan application and handled around 20 a week, so the project promised lower call center load, faster processing, and a customer experience edge.

Before building anything, we ran a quick security posture scan. It uncovered:

  • Over-permissioned SharePoint libraries with underwriting data mixed into customer FAQ content.
  • Unmanaged personal laptops accessing sensitive SharePoint data.
  • No MFA, stale guest accounts, and no DLP in place.
  • Five unsanctioned AI tools already in use by employees, unsupervised.

They were about to hand sensitive company data to AI systems with no guardrails. When the executive team saw the findings, they understood immediately. No scare tactics, no technical rabbit holes. Just a clear, business-aligned picture of exposure.

Sell the roadmap, not the tool

What followed was not a product sale. It was a phased engagement rooted in specialization:

Phase 1: Quick win, 14 days. Built an AI chatbot in Copilot Studio using isolated, clean FAQ content.

Phase 2: 90-day project roadmap. Cleaned up the SharePoint environment, implemented MFA, labeled sensitive data, removed stale accounts, created AI use policies and controls, and built a secure environment where internal Copilots access only curated content.

Phase 3: Ongoing optimization. Rolled out DLP, lifecycle governance, and sensitivity labels. Introduced data access policies and regular audits. Positioned ourselves as their AI security partner.

The client got their agent. The MSP got a security overhaul the client had never agreed to fund before, plus a recurring engagement.

What makes AI the wedge that finally works?

Two forces converge here.

AI creates new risk surfaces. Data leaks into tools like ChatGPT. Shadow IT is back as shadow AI. AI-written phishing and business email compromise now read human and slip past trained eyes.

The C-suite finally cares. AI is treated as strategic, not optional, and security is the price of admission to adoption. Executives are asking, unprompted: "Is our data protected?" "Can we control what Copilot sees?" "How do we stop people from pasting sensitive data into Gemini?"

Notice what clients are not asking for: technical jargon. Their actual questions sound like this:

  • "Where do we even start?"
  • "How can AI reduce our workload?"
  • "How do we stay ahead of the competition?"
  • "What if someone pastes client data into ChatGPT?"
  • "How do we prevent reputational damage from AI gone wrong?"

Your job is to bridge that curiosity into action.

The four-level AI enablement ladder

The AI enablement ladder showing four levels of MSP opportunity

We break the opportunity into four levels:

Level 1: Hygiene and security

Use AI as the reason clients finally adopt the controls they resisted for years: MFA, DLP, device management. Show how basic hygiene protects AI systems and the data feeding them.

Level 2: Projects

Package short-term, fixed-scope work like SharePoint cleanup or Copilot access controls. Fast, visible wins build momentum.

Level 3: Recurring revenue

Offer ongoing AI posture reviews, data governance, and monitoring. This productizes continuous improvement, the thing most MSPs never figured out how to monetize.

Level 4: Strategic advisory

Become the vCIO or vCISO for AI. Guide AI strategy, security, and innovation as part of your core offer, and update your agreement model to match: base package, advisory retainer, projects.

Agreement model diagram pairing a base package with advisory retainer and projects

Where to start this month

No ocean-boiling required:

  1. Pick your entry point. Security-first: an "AI Readiness Scan." Productivity-first: an "AI Goals + Guardrails" workshop.
  2. Build your starter offer. A quick one-hour session or a simple assessment template that identifies risks or workflow automation wins.
  3. Package your first project. A 2 to 4 week fixed-scope "AI Enablement" engagement: acceptable use policy, Copilot configuration, SharePoint and OneDrive cleanup.
  4. Use the results to upsell. Every finding becomes the path to a new project or a recurring service.

A ready-made starting kit

The AI Readiness Accelerator Kit for MSPs

If you want to accelerate your go-to-market, the free AI Readiness Accelerator Kit (opens in new tab) packages the materials for every step above:

  • AI Readiness Assessment sales sheet
  • AI Readiness discovery talk track built on the CLOSER framework
  • AI Readiness executive summary template
  • AI Readiness technical checklist
  • AI Readiness website lead magnet
  • AI Readiness baseline checks
  • Copilot AI usage policy
  • Monetization tracks for AI readiness

The MSPs that move now get to have the growth conversation. The ones that wait will be back to pitching security to people who stopped listening years ago.

Frequently asked questions

Do MSPs need deep AI expertise to sell AI readiness?

No. Clients are not asking for model architectures. They are asking where to start, how to reduce workload, and how to stop employees from pasting client data into ChatGPT. The MSP's job is bridging that curiosity into a secure, structured plan.

What should an AI readiness starter offer look like?

Keep it small: a one-hour session or a simple assessment that identifies risks or workflow automation wins. Follow it with a 2 to 4 week fixed-scope project covering an acceptable use policy, Copilot configuration, and SharePoint or OneDrive cleanup.

Walk into the AI conversation holding evidence

The fintech story below started with a posture scan. CloudCapsule runs that scan across 250+ Microsoft 365 controls in about 60 seconds per tenant, with executive-ready reporting your clients can actually read.

Run a free scan
Nick Ross

Written by

Nick Ross

CEO · Microsoft MVP · Founder, T-Minus 365

Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.

Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.

Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.

Keep reading