MSPs need to consider data and legal implications of AI

News
7 Apr 2025 · 8 mins

Scott Frew says AI is not magic enough to solve underlying infrastructure problems.

Credit: Scott Frew (iasset.com)

Before managed service providers (MSPs) take on artificial intelligence (AI) for their customers in the SME space, proper data infrastructure and security measures need to be put in place.

When it comes to AI, the missing piece that seems to be forgotten in the conversation is the challenge many in the channel have – customer data lives in disparate silos, said iasset.com CEO Scott Frew in response to Microsoft’s desire to help partners build AI-powered applications and agents for their customers.

It wasn’t just Microsoft pushing channel partners into AI development, but also Amazon Web Services (AWS), which launched Amazon Q Business in Australia last week.

AWS partners director for Asia Pacific and Japan (APJ) Chris Casey said at the cloud giant’s Partner Summit event in Sydney on 2 April that the vendor has “39 unique partners operating in Australia and New Zealand over the past 12 months who hold this competency”.

“These partners include both traditional technology partners as well as consulting or channel partners who are working closely with customers to understand the business opportunities they’re trying to solve,” said Casey.

However, Frew told ARN that many partners face the challenges of missing channel or customer data, data living in disparate silos, or being completely dependent on others to create opportunities.

For example, AI agents need accurate information to complete any sort of business process, just like employees.

“My view is even large corporations’ data has been siloed – even the ones that have got data lakes that are trying to solve the problem,” said Frew. “They’ve still got these data silos sitting around the business – it might be the ERP [enterprise resource planning] systems or ITSM [IT service management] systems.

“If you think about iasset going into these very large and very small customers – we’ve got little two-user customers as well – they don’t understand when we walk in the door how bad their data situation is.”

Looking at this from a small- to medium-sized enterprise (SME) point of view, they have never collected data for anything other than the need to get a bill out the door, explained Frew.

“They’ve not thought about what impact that has on their own business,” he said. “Jumping ahead with AI is not going to solve these problems.

“It’s not magic … I mean, it is magic … but it’s not magic enough to fix the underlying infrastructure that it relies on to make decisions because AI will answer confidently even if it’s wrong.”

Frew noted that while it was great that big corporations were “trying to flog AI”, with everyone using it, unless the data underneath is absolutely perfect, it won’t produce consistent, accurate results.

“That’s what I’ve been trying to tell the channel for a couple of years now,” said Frew.

Agents of AI

Both Frew and iasset.com chief strategy officer Nick Verykios are proponents of AI, having launched an as-a-service brokering offer on the iasset.com services platform earlier this year that will help vendors and their distributors gain significant data-driven momentum in the market.

Verykios said the concept has been tested with three vendors and one distributor for the past 12 months, and the company aims to make it available in April.

“It was eye opening for all of us as to how much dormant business there is that isn’t being managed,” he said.

For Verykios, agentic AI is “redefining the role of artificial intelligence in business, moving beyond support functions to autonomously anticipate, act and optimise the entire customer journey”.

Additionally, he said the shift from customer success to agentic success is more than a technological upgrade, it’s a redefinition of how success is measured in the IT channel.

“It’s about creating ecosystems where AI performs at a level that goes beyond human capabilities, delivering outcomes with greater speed, intelligence and efficiency,” Verykios said.

Frew believes the first step of an agentic AI story is to make sure to do an analysis.

“Everyone is familiar with generative AI but agentic AI is where we specialise; that’s going to fragment even further,” he said. “In our world, we’ve got a customer with a ton of data that we’re now collecting and it’s all linked together.”

For example, the data is around its install base, providing an opportunity to upsell a product, service or add-on.

“Our early tests have shown that the AI not only finds those opportunities, but it also even suggests a marketing story to go out to those customers,” Frew explained. “That was an unexpected result for us.”

This covers the analysis. The second step is taking action, which is “the scary part”, Frew said. However, as a business, he added that iasset.com is “not rushing into that”, because the answer has to be 100 per cent accurate, “every time”.

Complex legalities when it comes to AI

One thing that people are realising now is the cyber attack profile of AI is completely different and malicious actors have already proved that they can attack an AI. If they throw enough rubbish at it, it can give out personal information.

“Now, if a company like us gives out personal information in the European Union, we are screwed in every direction you could possibly imagine,” explained Frew. “We need to work out how to make sure the AI doesn’t spit out PII [personally identifiable information] to anyone that isn’t authorised to get it.”

Ryan Solomons, dispute resolution partner for law firm RedeMont, who specialises in trade practices and intellectual property law, also warns that businesses often assume major software providers handle data responsibly.

“AI-driven tools may store and process information in ways that conflict with privacy laws and confidentiality obligations,” he said. “Companies must scrutinise their agreements and software settings to avoid legal exposure.”

Solomons notes the key question is whether liability falls on the software provider or the business using these tools. In most cases, businesses bear the greater risk.

“Large tech companies often include indemnity clauses protecting themselves, exposing firms to potential privacy law violations and lawsuits,” he said. “Courts will assess whether businesses took reasonable steps to protect confidential data and what was agreed regarding use. Simply relying on a software provider’s assurances without understanding how the technology works is insufficient.”

According to the legal expert, AI also complicates protecting sensitive information under non-disclosure agreements (NDAs).

“Traditionally, NDAs safeguard data shared between parties,” he said. “Still, if AI tools or smart features transmit confidential information to third-party servers, businesses may be in breach, even if no human intentionally disclosed the data.

“This is particularly concerning for healthcare, law and finance industries, where confidentiality is paramount. Legal professionals, for instance, must ensure AI does not process case-related data.”

Mitigating cyber risk

As the market evolves, a critical part of it will be cyber insurance, especially as a lot of “organisations or channel partners still realise how vulnerable they are — and how vulnerable their customers are”, explained Frew.

“It’s like any growing business when they’re too small – they don’t worry about all the compliance bits because they’re too small and they don’t get there,” he notes. “As they grow, they need to add these compliance bits on which weighs heavily on them; some of them try and short-circuit it and some of them fall by the wayside.”

Frew explained when he owned Distribution Central, it had provisions for security, networks, voice, video and data.

“The reason I did that is because I know the resellers don’t have the capability, so we would have the engineers that they can pull down and use as their resource,” he said. “Now, the way the market talks today – and obviously I’m not in the distribution game anymore – is co-selling and joining a cyber reseller with a storage reseller.”

Any MSP who sells cyber services today should have all the appropriate cyber certifications in place.

“I think it’s critical for companies like us to carry cyber insurance because think about the billions of transactions we’re running across the planet,” he said.

If Deloitte and the US government’s National Security Agency (NSA) and Central Intelligence Agency (CIA) can get hacked, Frew notes iasset.com has no chance of not being targeted.

“We’re sitting out in the cloud and we do have encryption everywhere,” he said. “We are absolutely at the top of our game for an ISV [independent software vendor] but that doesn’t make us uncrackable.”

Given the importance of data, Frew added he would caution all MSPs, as “the data that is flowing through the organisation is precious and valuable to them as a business”.