One Size Fits All Doesn’t Survive the Age of AI

For twenty years, the managed service provider model was built on a straightforward value proposition: let specialists manage your technology so your organization can focus on its mission. MSPs patched servers, operated help desks, managed infrastructure, and provided access to expertise that many organizations could not afford to maintain internally. For countless organizations, this arrangement delivered real value. IT was genuinely complicated, and MSPs emerged to provide the knowledge, scale, and operational discipline that most organizations couldn’t build on their own. AI just broke that model.

A challenge for many organizations evaluating AI services today is distinguishing between genuine innovation and the packaging of existing technologies. In some cases, what is marketed as an “AI strategy” or “AI integration” engagement is primarily focused on selecting, deploying, and managing third-party platforms such as Copilot, Glean, or other emerging AI tools. There can be real value in that work—particularly around governance, security, adoption, and change management—but the underlying technology is often developed by others.

The Moat Is Disappearing

To be fair: the best MSPs in the market aren’t doing this. Top-tier providers are embedding agentic AI into their operations — autonomously detecting threats, adjusting security policies, cutting ticket resolution times by 40 to 70 percent. That’s real work. But it’s also not what most organizations are being sold. The gap between what the best MSPs deliver and what the average one bills for has never been wider.

The problem runs deeper than pricing, though. The old MSP model relied on complexity as a moat. If clients believe AI is too complicated to manage themselves, they’ll pay someone else premium rates to manage it — even when that someone else is just forwarding the bill with a markup attached.

That moat is gone. AI tools aren’t network switches or Exchange servers. You don’t need a NOC and a 24/7 helpdesk to run a chatbot or a document summarizer. A small, sharp technical team can scope, configure, and govern AI tools for an organization in days, not months — without the bloat of an enterprise services contract.

Why One-Size-Fits-All No Longer Works

This is exactly why one-size-fits-all doesn’t work anymore. Big MSPs scale by standardizing. They build a playbook, apply it to every client regardless of size, mission, or actual need, and bill accordingly. That’s fine for routine infrastructure. It does not work for AI, where the right approach for a twelve-person nonprofit on a tight budget looks nothing like the right approach for a five-hundred-person enterprise with a compliance department. Force-fitting a generic rollout onto an organization that needed something narrower and cheaper isn’t service. It’s waste, paid for at a premium — typically $100 to $300 per user per month for full-service contracts.

None of this means MSPs sell nothing. An MSP isn’t just selling labor — it’s selling expertise, monitoring tools, security systems, backup systems, documentation, and the experience of having seen hundreds of problems before you ever hit one. Pretending that value doesn’t exist is how organizations end up learning expensive lessons.

So the honest question isn’t whether that value is real. It’s how much of it a disciplined small organization can capture on its own, and at what cost. For organizations willing to be disciplined, the answer is 80 to 90 percent of the benefit, at a fraction of the price.

Where DIY Usually Fails

That other 10 to 20 percent is concentrated in a few specific areas, and it’s worth naming them before going any further:

• Cybersecurity
• Backups and disaster recovery
• Microsoft 365 administration
• Employee departures and offboarding
• Compliance requirements

Many organizations feel like they’re saving money on these — right up until a ransomware attack, a business email compromise, or an accidental deletion wipes out the savings in a single afternoon. This isn’t hypothetical: cybersecurity is the fastest-growing MSP segment precisely because cyber insurers now demand continuous monitoring and threat hunting that internal SMB teams can’t practically sustain. Turning on Microsoft Defender is not the same as having someone actively watching for threats at 2 a.m.

Outside of those five areas, though, there is a lot a disciplined organization can do without paying anyone a monthly retainer.

What They Can Do Themselves

1. Standardize everything:

• Buy the same laptops for everyone.
• Run the same software stack.
• Avoid custom configurations.
• Fewer variations mean fewer support tickets.

2. Move completely to the cloud:

• Use Microsoft 365 or Google Workspace.
• Eliminate on-premises servers wherever possible.
• Replace file servers with SharePoint, OneDrive, or Google Drive.

3. Use the security that’s already built in:

• Enable MFA for everyone, no exceptions.
• Turn on device encryption.
• Turn on Microsoft Defender.
• Leave automatic updates on.

4. Appoint a technology champion:

• One staff member spends a few hours a week handling routine issues.
• They don’t need to be an IT professional — just organized and willing to learn.
• One caveat: AI is a powerful first-line tool, but it can hallucinate. A technology champion needs enough basic context to sanity-check what it tells them before acting on it.

5. Use AI for first-line support:

• Most password, Outlook, Teams, and printer questions can be solved in minutes with ChatGPT or Copilot.
• AI is surprisingly good at the boring, common stuff that used to require a ticket.

6. Bring in specialists, not a contract:

• Skip the monthly MSP retainer and hire experts only when the work demands it.
• A security assessment once a year.
• A Microsoft 365 migration once every few years.
• A network redesign when it’s actually necessary.

A Practical Hybrid Model

Put the two halves together — what you can own and what you can’t — and a pattern emerges. For organizations with 10 to 30 employees, the sweet spot usually looks like this:

• Handle day-to-day issues internally.
• Purchase Microsoft 365 Business Premium for built-in security and management.
• Use AI for routine support.
• Bring in an outside expert quarterly for a health check and security review.
• Keep an emergency consultant on call for when something actually breaks.

Done well, this costs 25 to 50 percent of a traditional full-service MSP contract, while delivering most of the same capability. Organizations that have tried to go further — full DIY, no outside help at all — tend to hit a wall around multi-cloud integration and compliance documentation. That’s where the complexity is real, and where outside expertise still earns its keep.

What’s Changing — and What Isn’t

For nonprofits and foundations — the organizations we work with most — the most successful version of this isn’t “no MSP.” It’s a very lean MSP relationship: focused on security, Microsoft 365 administration, and strategic guidance, while routine user support stays in-house. That combination tends to deliver the best balance of cost, security, and reliability.

What’s actually dead is the idea that every organization, regardless of size or risk profile, needs to buy IT in one all-inclusive monthly bundle. The expertise an MSP brings to cybersecurity, backups, and compliance hasn’t gotten less valuable — if anything, AI has made it more valuable, because it’s exactly the kind of judgment a chatbot can’t replace. What’s gone is the excuse for charging enterprise rates for everything in between.

So What Do We Call This New Model?

Call it what you want — we’ve started using the term Specialized Service Provider, or SSP. The idea is simple: a lean version of the MSP model, stripped of the all-inclusive bundle and focused on the areas where outside expertise still genuinely earns its keep. Security. Compliance. Microsoft 365 administration. Strategic guidance. Everything else — routine support, basic troubleshooting, first-line AI assistance — stays in-house, handled by a capable internal champion with good tools and occasional backup. That’s not a gap in coverage. For most small nonprofits and foundations, it’s the right coverage.

For forty-three years, CGNET has provided state-of-the-art IT services to organizations of all sizes, across the globe. We’ve done it all, from IT and cybersecurity assessments to cloud services management to generative AI user training. Want to learn more about who we are and how we might be able to help you? If so, check out our website or send us a message!