Tom Harrison, VP Cyber Risk | SPECTRA
MSPs are redefining their service boundaries
Over the last couple of years, MSPs have been put in a really exciting position: they have the opportunity to guide their clients in adopting game-changing AI solutions, whilst simultaneously revolutionizing their own internal processes. But which of the many stakeholders (including insurers) will be on the hook when it fails?
Traditionally, an MSP wouldn’t ever advise a business on back-office processes like accounting or HR, let alone revenue-impacting decision making. However, MSPs today are the natural “go-to” trusted partner to consult on and support the deployment of agents, which can impact a business's operations and performance in profound ways.
Where should an MSP draw the line, and what protections or frameworks should they adopt to safely guide their activities? Many we speak to are comfortable supporting a client with relevant security protocols to reduce AI risk: data leakage prevention, zero trust principles and user training. It is a great start, but it leaves opportunities for wider risk management conversations on the table.
Firstly, let’s explore the evolving threat landscape. Internal AI deployment introduces entirely new attack vectors:
Clients also should be thinking about the impact AI is having on the threat actor’s toolset. Traditional endpoint protection has limits when you're dealing with the speed and orchestration of AI managed attacks, and the bar to entry for targeted phishing and social engineering is lowering every day.
That's why we're seeing focus shift beyond endpoint protection toward network-level behavioral detection and response services, as well as a rethinking of identity management for autonomous systems: What data can the system access? What can it do with that data? Can it influence downstream decisions? All of that needs proper risk assessment and, frankly, you want humans in the loop for anything beyond very low-risk activity.
Tech Asbestos
What happens when an AI you've deployed makes a terrible business decision? Not because it was compromised or hacked, but because it was working exactly as it was trained to work, to explore boundaries and create novel solutions?
As more MSPs rush to deploy AI solutions for clients, we're creating a whole new category of risk that might not be covered by traditional insurance policies. Much like the impact of asbestos on property and health insurance providers (which almost crippled the world's largest insurance marketplace decades after asbestos was used in construction materials), we might see a significant “silent AI” risk sitting within existing insurance policies and a correction on the horizon – both from a technological and risk pricing perspective.
Raising the bar
There's an argument that insurance could be what saves us from AI going really off the rails. Seatbelts and airbags weren't invented by the insurance industry, but it was insurance companies that forced car manufacturers to install them. We could see the same dynamic play out with AI.
Right now, insurers are adding AI-related risks to cyber policies, treating AI-related incidents as business interruption events. But if an AI has been properly installed, there has been no attack and no network compromise, and it simply makes a bad business decision, is that actually a cyber event?
I think there's a school of thought that pushes this more toward errors and omissions coverage. The business authorized an AI to make a decision, it was made incorrectly, but it's not really a cyber issue, is it? It's like hiring someone new who didn't know the processes and inadvertently made a mistake.
That's where it gets interesting, because it comes down to standards. What would you expect of a doctor, surgeon, or architect? Proper training, periodic testing, knowledge checks, and completion of a certain number of practical hours every year. It's quite easy to see an analogy for AI: certain standards that the insurance industry might require, defining the bare minimum that AI needs to be doing to stay current, get tested for bias, and avoid drifting from its original intended purpose.
Insurers won't necessarily have all the answers as to what those standards need to be, but that's where you bring in experts. Airbags weren't invented by insurers, but insurers made them mandatory. It's hard to see this kind of control coming from anywhere else. Governments are in an arms race. The private sector has very little incentive to slow down. Some regulators, notably the EU, took steps to regulate AI and set standards early in the 2020s, but it feels like the pendulum is swinging. Who knows, maybe insurers will be the ones to save the day?
The growing opportunity for MSPs
If you're taking on cybersecurity, data management, and helping clients safely deploy AI, what else could you be doing? If you're managing the AI that runs in that company, you're in a great place to start taking on the back office as well.
If you have control and oversight of the AIs running in that organization, why not look at other things you could be doing around business processes, operations, and HR? I think that's something for larger MSPs to think about as they evolve into “Managed Everything Providers”.
What This Means for You
The MSPs that will do well here are the ones who recognize that AI security isn't just about preventing breaches; it's about responsible deployment. That means having proper conversations with clients about authority levels, decision-making boundaries, and the difference between AI-assisted and AI-autonomous operations, as well as raising the question of insurance and risk transfer.
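As an added illustration (not code from the article or from SPECTRA), here is a small Python authorization gate that turns the identity questions raised earlier (what data can the agent access, what can it do with it, can it influence downstream decisions) and the AI-assisted versus AI-autonomous distinction above into an enforceable policy with an audit trail. The agent name, datasets, action names and risk tiers are constructed for the example; any real deployment would map these to its own data stores and tool calls.

```python
"""Added example: a risk-tiered authorization gate for an AI agent's actions.

Every action is checked against the agent's identity scope (data and operations),
then placed in one of three outcomes: allow (autonomous), needs_human (assisted),
or deny. Every decision is written to an append-only audit log for oversight.
All names and values below are constructed for illustration."""

from dataclasses import dataclass, field
from enum import Enum
from typing import FrozenSet, List


class Risk(Enum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class AgentIdentity:
    """Identity record for an autonomous system: a scope, not just a login."""
    name: str
    allowed_datasets: FrozenSet[str]   # what data can it access?
    allowed_actions: FrozenSet[str]    # what can it do with that data?
    autonomy_ceiling: Risk             # highest tier it may execute unattended


@dataclass(frozen=True)
class Action:
    name: str
    dataset: str
    risk: Risk
    downstream: bool = False  # can the result influence another decision or system?


@dataclass(frozen=True)
class Decision:
    outcome: str   # "allow" (autonomous), "needs_human" (assisted), or "deny"
    reason: str


@dataclass
class AuditLog:
    """Append-only record of every gate decision, for later review."""
    entries: List[str] = field(default_factory=list)

    def record(self, agent: AgentIdentity, action: Action, decision: Decision) -> None:
        self.entries.append(
            f"{agent.name} {action.name} on {action.dataset}: "
            f"{decision.outcome} ({decision.reason})"
        )


def authorize(agent: AgentIdentity, action: Action, log: AuditLog) -> Decision:
    """Decide whether the agent may act alone, must involve a human, or is refused."""
    if action.dataset not in agent.allowed_datasets:
        decision = Decision("deny", f"{action.dataset} is outside the agent's data scope")
    elif action.name not in agent.allowed_actions:
        decision = Decision("deny", f"{action.name} is outside the agent's action scope")
    else:
        # An output that feeds downstream decisions is never treated as merely
        # low risk, because its blast radius extends past the action itself.
        effective = action.risk
        if action.downstream and effective is Risk.LOW:
            effective = Risk.MEDIUM
        if effective.value > agent.autonomy_ceiling.value:
            decision = Decision(
                "needs_human",
                f"{effective.name} risk exceeds autonomy ceiling {agent.autonomy_ceiling.name}",
            )
        else:
            decision = Decision("allow", f"{effective.name} risk within autonomy ceiling")
    log.record(agent, action, decision)
    return decision


# Constructed sample identity: a finance assistant that may read invoices and is
# authorized to approve payments, but only with a human in the loop.
FINANCE_ASSISTANT = AgentIdentity(
    name="invoice-assistant",
    allowed_datasets=frozenset({"invoices"}),
    allowed_actions=frozenset({"summarize_invoices", "approve_payment"}),
    autonomy_ceiling=Risk.LOW,
)


def run_demo() -> List[str]:
    """Run four constructed actions through the gate and return the audit entries."""
    log = AuditLog()
    for action in (
        Action("summarize_invoices", "invoices", Risk.LOW),                   # allow
        Action("approve_payment", "invoices", Risk.HIGH),                     # needs_human
        Action("summarize_invoices", "invoices", Risk.LOW, downstream=True),  # needs_human
        Action("summarize_invoices", "hr_records", Risk.LOW),                 # deny
    ):
        authorize(FINANCE_ASSISTANT, action, log)
    return log.entries


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The point of the design is that "authorized" and "autonomous" are separate decisions: the assistant is permitted to approve payments, but its autonomy ceiling keeps that action assisted rather than unattended, and the audit log is the documentation an insurer or auditor would ask for when a decision goes wrong.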
Your professional liability in this space is evolving too. There are plenty of signposts as to what the AI standards of the future will look like (see the NIST AI RMF and the OWASP LLM Top 10; certifications like ISO 42001 are available for specific deployments). Getting ahead of them means being deliberate about implementation, documentation, and oversight.
Start thinking about AI not as a feature to bolt onto existing services, but as a fundamental shift in what you and your client are responsible for managing. Leverage insurance and the standards out there – don’t be the car manufacturer who resisted installing seatbelts.
SPECTRA provides MSP certification and cyber insurance facilitation services.