News, Trends, and Insights for IT & Managed Services Providers

Shadow AI Surge

The next operational problem is becoming visible across software teams, enterprise users, vendors, and the MSP channel—and it centers on who governs agentic AI once it starts acting inside business systems.

Start with what’s happening inside software teams. The New Stack ran a piece with a blunt line in the headline: “There is no accountability.” The reporting focuses on AI coding agents—tools like Claude Code, GitHub Copilot, and Cursor—pulling in dependencies and installing packages automatically. And the measurable risk is already showing up in upstream research: the article cites a Snyk audit of 4,000 AI-agent “skills” where more than a third contained at least one security flaw. That’s not a hypothetical future problem—those are packages and components being pulled into real environments, at machine speed, with human ownership getting fuzzy.

Then zoom out from developers to the broader workforce. The Register, citing Verizon’s latest Data Breach Investigations Report, says “shadow AI” use—employees accessing generative AI tools through unauthorized personal accounts—has surged fourfold in the last year. The same coverage points to adoption numbers that matter: 45 percent of professionals are using AI regularly, and 67 percent of those users are doing it through personal, non-approved accounts. Verizon’s dataset also flags that 28 percent of data-loss-prevention violations involved code or other proprietary material being submitted to AI platforms. Again—this is observable behavior, happening now, inside companies that believe they’re “managing” AI.

And if you’re wondering whether organizations are handling it well, Gartner’s answer is “no.” The Register reports Gartner’s prediction that 40 percent of organizations will demote or decommission AI agents because they can’t implement effective governance. Gartner’s framing is that companies keep treating agent governance as all-or-nothing—either fully locked down or fully trusted—and that’s producing operational and compliance failures at scale.

And in the managed services channel, vendors are now productizing the visibility problem. A release carried by Yahoo Finance says ScalePad is extending its Lifecycle Manager platform beyond traditional RMM into SaaS management—including discovery of SaaS, shadow IT, and AI usage—explicitly pitching it as something MSPs can operationalize across client environments.

Context Is Infrastructure

The mechanism is that AI only looks “agentic” on the surface. Underneath, it is forcing organizations to make their information, permissions, and workflows legible to machines—and most business environments were built for humans to improvise around the gaps.

That is why the data layer matters first. Dun & Bradstreet’s rebuild of its Commercial Graph is not just a database modernization story. It is a signal that agentic systems need cleaner context than human users do. A person can recognize a messy customer record, ask a colleague, check another system, and make a judgment call. An agent cannot reliably do that. If the entity is wrong, the next action is wrong. And because agents operate at software speed, the mistake scales before anyone notices.

So the first mechanism is context normalization: turning fragmented business information into something a machine can resolve, verify, and act on.

The second mechanism is context movement. That is where Zoom’s Model Context Protocol expansion fits. The point is not simply that meeting transcripts and summaries exist. The point is that those artifacts now need to move into Salesforce, ServiceNow, Workday, developer tools, and other systems with permissions intact. The agent does not just need information. It needs authorized information in the place where work is happening.

The third mechanism is controlled execution. Anthropic’s self-hosted sandboxes and MCP tunnels are not glamour features. They are operating controls. They let organizations keep execution inside a managed environment, connect to private tools through a governed path, and preserve the convenience of a managed agent loop without giving the agent uncontrolled reach across the business.

Put those together and the pattern becomes clear: agentic AI is not really a prompt problem. It is a coordination problem. The system needs trusted data, portable context, permission boundaries, execution controls, and repeatable workflows.

That is why the next move is packaging. Anthropic’s “Claude for Small Business” is pre-built workflows and connectors into tools like QuickBooks, PayPal, HubSpot, Google Workspace, and Microsoft 365 because small businesses are not buying architecture. They are buying a usable motion: take this messy cross-app task and make it repeatable.

That is the mechanism underneath the market shift: vendors are not just selling AI capability anymore. They are selling coherence. They are taking the messy parts of business work—identity, context, permissions, execution, and workflow—and packaging them so automation can run without constant human translation.

Agent Control Plane

And once vendors package coherence, the channel question becomes who governs it for the client. For MSPs, the consequence is that automation is becoming the work—and whoever governs it owns the margin.

Look at the security side first. The Next Web reports that Anthropic unintentionally exposed the full source code of Claude Code on a public npm registry—roughly 512,000 lines of TypeScript across 1,906 files. The story isn’t embarrassment; it’s that the leak included permission-enforcement logic, sandboxing architecture, and feature flags. In other words, it’s a blueprint for how the guardrails work. A security veteran quoted in the piece, Tim Burke of Quest Technology Management, warns that when attackers understand the permission model, they can craft commands that look legitimate and slide past security tooling tuned for human patterns. That’s the point: once automation becomes the actor, “normal behavior” is no longer a human baseline. MSPs can’t defend clients with yesterday’s assumptions about what activity looks like.

Now pair that with what the channel is being sold as the fix. TechPartner News says WatchGuard is rolling out an MSP-focused “agentic digital workforce” called Rai—positioned as always-on detection, investigation, and response, with an initial Analyst role live and Auditor and Admin roles coming. The pitch is that partners get dashboards, daily briefs, and a model that scales without adding headcount. You can hear the subtext: the expectation is no longer “your engineers will do the work,” it’s “your platform will do the work, and your engineers will supervise exceptions.”

Put those together and the consequence resolves into one hard operational reality: MSP value is shifting from doing tasks to controlling the automated system that does them—setting the permissions, defining what the agent can touch, enforcing policy, logging decisions, and knowing when to stop the machine.

The MSP either becomes the provider that simplifies and governs the automation layer—turning it into a packaged, priced control plane—or the MSP becomes the cleanup crew for everyone else’s automation, absorbing the weird tickets, the edge cases, and the security fallout without ever getting paid for the complexity.

Why Do We Care?

The counterargument is that SMB clients are not asking for agent governance. They are asking for productivity. They want AI to summarize, automate, route, recommend, and execute. They do not want to buy permission maps, policy reviews, audit trails, or responsibility boundaries.

And that is true.

But it is also the trap.

Clients rarely ask for the control layer before something breaks. They ask for speed first and accountability later. Once an agent is connected to business systems, the question changes. It is no longer, “Can this tool save time?” It becomes, “Who approved the action, who could see it, who limited it, and who pays if it was wrong?”

That is the bad MSP decision: selling AI enablement without pricing agent governance. The MSP helps the client automate work, but does not define the operating boundary around that automation. It earns the project, but inherits the ambiguity.

So we care because the market will not announce this as a new managed service category. It will show up as support tickets, bad workflows, confused permissions, shadow AI spend, and disputes over who was responsible for an automated action.

The MSP that sees the shift can package governance as the value. The MSP that misses it will treat governance as overhead and then absorb the cost when the automation fails.

What to Consider

Start by separating AI enablement from agent operations. Enabling a tool is a project. Governing what that tool is allowed to do is a managed service.

That means defining four things before the agent goes into production.

First, permission boundaries. What systems can the agent access? What data can it read? What actions can it take without approval?

Second, approval rules. Which actions require a human in the loop—financial changes, security remediation, customer communications, ticket closures, or data movement?

Third, evidence. Can the MSP and client see what the agent did, what data it used, which workflow it triggered, and who approved the action?

Fourth, responsibility. Does the contract say who owns an automated mistake, who pays to unwind it, and what falls outside the MSP’s scope?

Package those controls. Price them. Review them quarterly.

The opportunity is not just helping clients adopt AI. It is helping them operate AI without turning every automated action into an unmanaged support and liability event.

If this trend continues, MSPs will stop selling “AI enablement” as a standalone project and start selling agent operations retainers that include approved workflows, permission maps, execution logs, spend controls, incident review, and quarterly policy tuning. The dividing line will be simple: MSPs that can prove what an agent was allowed to do, what it actually did, and who approved the action will own the managed service category. MSPs that cannot will inherit the ambiguity every time automation creates a business problem.
