The durable AI money for an MSP is not in reselling AI tools. It is in governing how your clients use them. Selling licenses to Copilot, Gemini, or the model of the month is a resold SKU that every competitor can also resell, so it prices like a commodity and churns like one. Writing the policy, controlling the access, monitoring the usage, vetting the vendors, and training the staff is a recurring advisory service only you sit close enough to deliver. One is a product you pass through at thin margin. The other is a service line that compounds. This piece is the argument for building the second one, and the finance reason it matters more than most of the AI content aimed at MSP owners admits.
I write this from the operator seat, not the vendor seat. I spent a decade in investment banking and private equity working on over 7bn dollars of transactions, including a board seat through a 300m dollar-plus PE exit, and I now run growth inside a US MSP. So I see both halves: the operating reality of what clients actually need from an MSP right now, and the finance math that decides whether a new service line adds to the multiple or quietly subtracts from it. Governance passes both tests. Tool reselling passes neither.
The tool listicle is a trap
Search "AI for MSPs" and you get listicles. Which AI tools should you resell, which automation platform to standardize on, which copilot to bundle. The whole genre trains you to think of AI as another product line in the stack, one more SKU to mark up. It is vendor content wearing an operator hat, and the vendors writing it have an obvious interest in you buying and reselling their thing.
The problem is the same one that governs security bolt-ons. The moment a capability is available off a distributor to every MSP, it stops being a differentiator and becomes table stakes. Reselling an AI license is a one-time revenue bump and a pass-through margin, not a durable moat, for exactly the reason cross-selling a resold security product is now table stakes rather than a premium driver. Every buyer, and every competitor, can see it is a resold product. If your AI strategy is a list of tools you resell, you have a cross-sell, not a service line.
Governance is the opposite shape. It is not a product you pass through. It is judgment, process, and accountability applied to a client's specific risk, delivered on a recurring basis, and it gets stickier the longer you do it. That is the shape of revenue that holds up, both in the market and in a diligence room.
The gap your clients actually have
The reason governance is a real service and not a marketing frame is that the gap it fills is measurable and large. Per ISACA's 2026 AI Pulse Poll of over 3,400 digital-trust professionals, published in May 2026, 90 percent believe employees in their organization are using AI, but only 38 percent of organizations have a formal, comprehensive AI policy. Almost everyone is using it. Most have no rules for it. That gap is the exposure, and it is exactly the kind of thing a client cannot see and an MSP is positioned to close.
The exposure has a name the community already uses: shadow AI, the unauthorized use of public AI tools by employees, often free versions, with company data going into them. It is the current version of shadow IT, and it is the live anxiety across MSP peer communities right now. I cover the numbers a governance conversation should lead with in a companion piece on shadow AI in SMBs. The short version for this argument: your clients' staff are already pasting sensitive data into tools nobody sanctioned, and neither the client nor the client's insurer has priced that risk yet.
That is the whole opening. An MSP does not need to invent AI capability to sell governance. It needs to walk a client through a risk they already carry and cannot see, then get paid to manage it down. That is a services conversation, not a product pitch.
What a governance service line actually is
Governance sounds abstract until you break it into the deliverables a client will actually pay a monthly fee for. Here is the service line as concrete components, each of which is billable work an MSP is already structurally positioned to do.
| Component | What the MSP actually does |
|---|---|
| Acceptable-use policy | Write and maintain the client's AI policy: which tools are sanctioned, what data may go into them, what is prohibited. Update it as tools and data policies change. |
| Access control | Enforce who can use which AI tools, on which devices, with which permissions. Conditional access, identity integration, blocking unsanctioned tools at the network layer. |
| Monitoring | Track AI usage across the estate, surface shadow-AI activity, apply risk scoring, and report on it. The client cannot self-audit this; the MSP already holds the visibility. |
| Vendor assessment | Vet each AI tool's data-handling, retention, and training-opt-out settings before it is sanctioned. Keep a maintained list of approved and prohibited tools. |
| Staff training | Teach the client's employees what safe AI use looks like, because policy without awareness is paper. Recurring, because the workforce and the tools both turn over. |
Notice what none of these are: reselling a model. The MSP does not need to build or own any AI capability to deliver a single line in that table. The work is policy, control, visibility, diligence, and education, applied to whatever tools the client ends up using. That is why it is durable. The tools underneath will change every quarter. The need for someone accountable to govern them does not.
This is also why the MSP is the natural owner. You already hold the identity infrastructure, the device management, the network visibility, and the client trust. A standalone AI-governance vendor has to acquire all of that from scratch. You are sitting on it. Governance is the highest-margin thing you can do with visibility you already have.
The AI-spend valuation trap
Here is where the finance lens changes the decision, and where a lot of AI-for-MSPs advice will quietly cost owners money. There is a loud genre of content telling MSP owners to AI-ify the business to boost the multiple, to spend on models and automation as if the spend itself is an asset a buyer pays for. It runs the wrong way. Buyers do not pay for AI spend. They pay for EBITDA. AI investment that destroys EBITDA destroys the price.
The cautionary tale is exact, and it comes from someone who runs MSP sell-side processes for a living. Abraham Garver of FOCUS Investment Banking, speaking on the Business of Tech in January 2026, describes a roughly 50m dollar-revenue MSP in the security and financial-services vertical that had been spending about 7m dollars a year on AI investment before ChatGPT, and had zero EBITDA left to show for it when the PE sponsor wanted to exit. His rule is blunt: an AI capability, like a patent, is worth only what it demonstrably contributes to EBITDA. If it does not prove in the financials, it is worth nothing to a buyer. Unproven automation spend is a liability at the table, not an asset.
Read that against the two AI strategies. Building your own AI capability is a capex bet that only pays if it lands in margin, and Garver's own honest counsel to sub-3m dollar-EBITDA owners is that they usually cannot out-invest the 100m dollar-plus platforms on AI, so trying is often the losing move. A governance service line is the opposite kind of spending. It is a services business with a labor cost and a recurring fee against it, and it shows up as margin the month you sell it. One strategy is a story you hope proves in the financials years later. The other is EBITDA now. For how buyers weigh AI in a real valuation, and why proven margin beats promised capability, see what moves an MSP's multiple and the method in how to value an MSP.
The commercial shape: how to price it
A service line only helps the business if it is structured as recurring, high-margin revenue rather than one-off project work. Governance is naturally that shape, if you build it that way. The setup, writing the first policy, running the first assessment, standing up monitoring, is a project. The value is the retainer that follows: an ongoing monthly fee to keep the policy current, enforce the access, watch the usage, re-vet the tools, and retrain the staff. It sits alongside the managed-services agreement as a per-seat or per-client recurring line, priced for the advisory work it represents, not the tooling underneath.
The trap to avoid is pricing it like a product, on the cost of the tools. Our own analysis of published MSP pricing, drawn from roughly 2,000 US MSPs' own pricing pages, shows how tightly the market clusters at the entry seat tier, and the loudest point from the pricing community is that a raw per-seat number means little without the offering and the margin behind it. Governance is where that offering-and-margin argument is most true. You are not billing for a license. You are billing for judgment and accountability on a risk the client cannot manage themselves, which is exactly the kind of differentiated, high-margin service that lets an MSP price off value rather than cost. The mechanics of that choice, per-seat, per-device, or value-based, and which one buyers of MSPs prefer, are covered in MSP pricing models in 2026.
Structured this way, a governance line does more than add revenue. It adds the right kind of revenue. It is recurring, so it reads as an annuity. It is high-margin, because the cost is labor and process, not passed-through product. It is sticky, because once you hold a client's AI policy and controls, switching cost is high. Recurring, high-margin, sticky revenue is the exact profile buyers pay up for, which is the connective tissue between this service line and your eventual multiple. Building that revenue quality is the same groundwork that carries an owner through exit readiness.
Why governance is durable and tools are not
Step back and the whole argument is one contrast. Tools commoditize; governance compounds. The specific AI product a client uses this year will be replaced, repriced, or absorbed into a suite within a couple of years. If your AI service is tied to a tool, your service has the shelf life of that tool. If your AI service is the governance layer, it survives every tool change underneath it, because the client's need for policy, control, monitoring, and accountability does not expire when the model does.
That durability is why governance reads as a real service line and not a trend to ride. It is the same reason a genuine security practice beats a resold security SKU: the thing that pays is the capability a buyer, or a client, cannot easily replicate, delivered on a relationship that deepens over time. For an MSP, the AI version of that capability is not the model. It is being the accountable party who governs how the model gets used. That is defensible, it is recurring, and it is the AI opportunity worth building.
FAQ
Governance. Reselling AI tools is a pass-through SKU any competitor can also resell, so it prices like a commodity and churns like one. Governance, writing the policy, controlling access, monitoring usage, vetting vendors, and training staff, is a recurring advisory service that gets stickier over time and that the MSP is uniquely positioned to deliver, because it already holds the identity, device, and network visibility a standalone vendor would have to acquire from scratch.
Five components: an acceptable-use policy that defines sanctioned tools and permitted data, access control that enforces who can use which tools on which devices, monitoring that surfaces shadow-AI activity across the estate, vendor assessment that vets each tool's data handling before it is approved, and recurring staff training. None of these require the MSP to build or own AI capability. The work is policy, control, visibility, diligence, and education applied to whatever tools the client uses.
Only if it shows up in EBITDA. Buyers pay for profit, not for AI spend. Abraham Garver of FOCUS Investment Banking cites a roughly 50m dollar-revenue MSP that spent about 7m dollars a year on AI and had zero EBITDA to show for it at exit, which was worth nothing to a buyer. A governance service line is the safer bet, because it is a recurring-fee services business that lands in margin the month you sell it, rather than a capex bet you hope proves in the financials years later.
As a recurring retainer, not a product markup. Treat the first policy, assessment, and monitoring setup as a project, then bill an ongoing monthly per-seat or per-client fee to keep the policy current, enforce access, watch usage, re-vet tools, and retrain staff. Price it for the judgment and accountability it represents, not the cost of the underlying tools. That produces recurring, high-margin, sticky revenue, the profile that also lifts the business's eventual multiple.
Because tools commoditize and governance compounds. The specific AI product a client uses this year will be replaced or repriced within a couple of years, so a service tied to a tool has the shelf life of that tool. A governance service survives every tool change underneath it, because the client's need for policy, control, monitoring, and accountability does not expire when the model does. It is the same logic that makes a real security practice worth more than a resold security SKU.
Getting exit-ready
If you own a business and expect to sell to private equity one day, the groundwork for a strong exit starts years before the process, including building the recurring, high-margin service lines that lift the multiple. I work with owners on exit readiness. Get in touch.