The AI-First MSP Playbook

A Practical Guide to Deploying AI Technicians in Your MSP — Without the 6-Month Setup Tax

By the team at rallied.ai · March 2026 · 45 min read

Introduction

Who This Playbook Is For

You run an MSP. You manage 200 to 1,500 endpoints across multiple clients. Your techs are good — too good to be resetting passwords at 2pm on a Tuesday.

You've probably looked at AI tools. Maybe you've tried one. Maybe it took months to set up, required a dedicated admin, and still couldn't do half of what the demo promised.

This playbook is for you.

It's not a primer on what AI is. You don't need a glossary or a diagram explaining machine learning. You need to know what works, what doesn't, and how to deploy AI in your service desk without wasting another quarter on a tool that underdelivers.

We wrote this because nobody else did. The guides out there are either vendor-agnostic fluff that tells you to "identify use cases and prioritize pilot projects," or they're 30-page brochures disguised as playbooks. ConnectWise published an "AI Playbook" that spends five pages on a glossary and never mentions a single ticket type by name. That's not a playbook. That's a pamphlet.

This one has real numbers from MetricNet, Gartner, Forrester, and CompTIA. Honest vendor evaluation criteria. Technical details on how AI agents actually resolve tickets. And a deployment framework you can execute in a week — not a quarter.

Chapter 1

The L1 Problem, Quantified

The Numbers Nobody Talks About

Before evaluating any tool, you need to know what L1 tickets actually cost you. Not in vague terms like "significant time savings." In dollars.

According to MetricNet's 2024 benchmarking data, the average cost of a Tier 1 help desk ticket is $22. Escalate that to Tier 3 and it's $104+. But those are averages. Your cost depends on your volume, your team, and your tech rates.

70% of all service desk tickets are L1 issues

40% of help desk calls are password resets alone

Sources: ManageEngine/ITBD; Gartner

That 40% number is from Gartner. Password resets. The single most common help desk task across every MSP, every IT department, everywhere. Forrester Research puts the cost of a single password reset at $70 when you factor in end-user downtime, tech time, and productivity loss. Adjusted for 2024: $87 per reset.

Large organizations spend an average of $5.2 million per year on password resets alone, according to Specops. You're not a large organization. But the math still hurts.

The Formula

Monthly L1 cost = (L1 tickets/month) × (avg resolution time in hours) × (loaded tech hourly rate)

For a typical MSP managing 500 endpoints:

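| Metric | Conservative | Typical | Heavy |
| --- | --- | --- | --- |
| L1 tickets/month | 150 | 300 | 500 |
| Avg resolution time | 12 min | 15 min | 20 min |
| Loaded tech rate | $35/hr | $42/hr | $50/hr |
| Monthly L1 cost | $1,050 | $3,150 | $8,333 |
| Annual L1 cost | $12,600 | $37,800 | $100,000 |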

The ticket-per-endpoint benchmarks back this up. Best-in-class MSPs see 0.5 tickets per endpoint per month. Average is 1.5. If you're above 2.0, something is structurally wrong. At 500 endpoints and 1.5 tickets/endpoint, that's 750 tickets/month, roughly 70% of which are L1. That's 525 L1 tickets.

Source: Evolved Management, TruMethods benchmarking

The Hidden Costs You're Not Counting

Direct labor is the obvious number. But there are four costs that don't show up in any PSA report:

1. Opportunity cost. L1 tech salary: $23-24/hour (ZipRecruiter average). Project work billed to clients: $150-250/hour. Every hour your techs spend on password resets is an hour they're not doing billable project work. The delta is enormous.

2. SLA risk. Average MSP customer churn is 12% annually, and SLA breaches are a leading driver. Industry standard for P1 tickets is 15-minute response. For P3 (most L1 tickets), it's 4 business hours. When L1 volume spikes and tickets queue up, response times slip. One bad month of SLA breaches can cost you a contract worth more than a year of AI tooling.

Source: Xurrent; Louisville Geek SLA benchmarks

3. Technician burnout and turnover. Help desk turnover rate: 40% per year. The average help desk agent stays 2.5 years before moving on. Each departure costs approximately $12,000 in direct replacement costs, plus 8-12 weeks to hire and 26 weeks before the replacement reaches full productivity. Technicians spend 39% of their time on manual tasks. 88% say those tasks prevent them from strategic work.

Sources: Sherweb; ManageEngine; SHRM

4. The after-hours gap. L1 tickets submitted at 11pm wait until 8am. Your client notices. The morning avalanche of 50+ overnight tickets creates a triage bottleneck that takes hours to clear. Context switching between tickets reduces technician productivity by up to 40%. Meanwhile, your SLA clock was ticking all night.

What Counts as L1?

Not every ticket is automatable. Here's a realistic breakdown of what an AI technician can handle today, based on actual resolution data:

High confidence (80%+ automation rate)

  • Password resets (AD, M365, Entra ID, Okta, Google Workspace) — 2-30 min manual, seconds with AI
  • Account unlocks — often caused by failed password attempts or smart lockout
  • MFA resets and re-enrollment — requires identity verification and Entra ID API calls
  • Distribution group / shared mailbox access grants — Graph API group management
  • License assignment (M365, Google Workspace) — API-driven, per-user
  • Basic permission grants — with configurable approval routing

Medium confidence (50-70% automation rate)

  • New user onboarding — currently takes 2+ hours manually per new employee to create identities in AD and provision access across M365, email, groups, and LOB apps. With automation: minutes.
  • User offboarding — access revocation, license removal, mailbox conversion
  • Software installation requests — via RMM remote script execution
  • Email forwarding setup — Exchange Online PowerShell or Graph API
  • VPN access provisioning

Source: NinjaOne (2+ hours for manual provisioning); Rewst case studies (1,400 hours/month saved on onboarding)

Low confidence (requires human judgment)

  • "Can't access files" — ambiguous. Needs cross-stack diagnosis: identity, permissions, device health, service status
  • Outlook sync issues — could be device, profile, or service-wide
  • Printer issues — often physical. AI can diagnose drivers/network but can't fix paper jams
  • Performance complaints — needs RMM data, recent changes, and human context

Do Your Own Math (5 Minutes)

Stop reading. Open your PSA. This is the most valuable 5 minutes you'll spend today:

  1. Pull your ticket volume from the last 3 months
  2. Filter for L1 categories — password, account, access, onboarding
  3. Check average time-to-resolution for those categories
  4. Multiply by your loaded tech rate: (salary + benefits + overhead) ÷ 2,080 hours

Your monthly L1 cost: $_______
Write this number down. You'll use it to score vendors in Chapter 6 and calculate ROI in Chapter 9. Every dollar above zero is recoverable.

Chapter 2

Why Most MSP AI Tools Fail

The Failure Rate Is Staggering

Let's start with the uncomfortable truth. According to MIT analysis, 95% of company-wide AI launches in 2025 failed to produce the desired result. S&P Global Market Intelligence found that 42% of businesses scrapped their AI projects entirely — up from 17% in 2024.

The MSP space is worse. Pia CEO Christian Pacheco estimates that only 1-2% of MSPs globally understand and effectively implement hyperautomation. Roughly 30-40% have attempted it and abandoned the effort.

This isn't because AI doesn't work. It's because most tools demand things MSPs can't give: dedicated headcount, developer skills, months of setup time, and ongoing maintenance that quietly eats the ROI.

53% of MSPs experienced 6+ month rollout delays

37% reported setup costs exceeding budgets by 40%

Source: Gitnux MSP AI Industry Statistics

The Implementation Tax

Here's the pattern we see repeated across the industry:

  1. MSP owner sees a demo. It looks great. "AI resolves tickets automatically."
  2. Signs up. Onboarding call scheduled for next week.
  3. First month: connecting tools, mapping workflows, documenting SOPs.
  4. Second month: building automations, testing edge cases, assigning a dedicated admin.
  5. Third month: "Why is this only handling 15% of what was promised?"
  6. Month four through six: the tool gets abandoned or becomes "that thing Sarah manages."

This isn't a technology problem. It's an architecture problem. Most MSP AI tools fall into one of three categories, and each has a structural limitation:

Category 1: Workflow Builders (Rewst, Bumblebee)

What they are: Platforms where you build automations — visual workflow builders, drag-and-drop logic, API connectors. Rewst is the most powerful example, with 80+ integrations, a Jinja-based template engine, and nearly 1,000 customers.

Why MSPs buy them: They're genuinely flexible. If you can build the workflow, it can automate almost anything.

The real implementation burden:

  • Rewst requires learning the Jinja templating language for anything beyond basic flows
  • Their own training program (Cluck University) has multiple multi-hour sessions just for foundations
  • Rewst recommends three internal roles for proper implementation: an Automation Champion, an Executive Champion, and an Automation Engineer
  • Data inconsistency in your PSA/RMM must be cleaned up first — "garbage in, garbage out"
  • Many MSPs "successfully implement basic workflows but fail to leverage advanced capabilities like state machines, custom API integrations, or AI modules"

Bumblebee (CRN "Stellar Startup of 2025" in AI) lives in Slack/Teams, but still requires you to document SOPs and build workflows before it does anything. It generates workflows from your SOPs — which means you need SOPs documented first. Most MSPs under 1,000 endpoints have SOPs in a tech's head, not in a wiki.

The honest assessment

Rewst is powerful. If you have a dedicated automation engineer ($98K-$145K/year on ZipRecruiter) and the patience to build out workflows over 6-12 months, it can automate a lot. But most MSPs under 1,000 endpoints can't justify that headcount. And the time-to-value is measured in quarters, not days.

Category 2: PSA-Native Tools (Pia, NeoAgent, Everest, zofiQ)

What they are: AI tools that live inside your PSA — your ticket system. They read tickets, triage them, and in some cases attempt resolution.

Why MSPs buy them: They're close to where tickets live. Integration feels natural.

The structural limitation: they can only see the PSA. When a ticket says "can't access files," a PSA-native tool can read the ticket and maybe check AD. But it can't simultaneously query your RMM for device health, check M365 service status, pull documentation from IT Glue, and correlate across all of them. It sees one slice of the picture.

Specific implementation data:

  • Pia: Restech's case study shows a 3-4 month onboarding timeline (July to October). One MSP on r/msp reported a "nearly full-time AI trainer on staff for 2+ years." Pia's own CEO acknowledges limits: "There are limits to how far automation can go even with help from AI — the system handles Level 1 chores today and is getting increasingly good at Level 2 tasks, but going beyond that will be difficult."
  • NeoAgent: Most transparent pricing ($1,300-$2,600/mo) and lightest setup. Claims autonomous L1 resolution. Narrower scope.
  • Everest (YC F25): Uses field engineers for high-touch implementation. More resources, but slower to deploy.
  • zofiQ: Was promising until ConnectWise acquired it in January 2026. Previously supported ConnectWise, Autotask, and HaloPSA. Now being positioned as a "horizontal agentic layer across the ConnectWise portfolio." If you're on HaloPSA or Autotask, you're out.

Category 3: Autonomous Agents (Rallied, Mizo)

What they are: AI agents that reason about tickets, decide what to do, and execute — without pre-built workflows. They connect to multiple tools and act across your stack.

Why they're different: Instead of following a script, they understand the ticket, gather context from your tools, decide the right action, and execute. A new ticket type doesn't need a new workflow. The agent figures it out.

What to watch for: This is the newest category. Claims are high. Ask for proof: live ticket resolution on your actual tickets, not a demo environment.

The Trust Gap

The MSP community is deeply cynical about AI, and for good reason. These are real quotes from r/msp:

"Trainwreck of fail... couldn't do 50% of what was claimed during sale." r/msp user
"Nearly full-time AI trainer/PIA Admin on staff — 2+ years." r/msp user on Pia implementation
"Workflow engines with an LLM tacked on." r/msp community consensus
"No one wants another 'AI platform' to manage." r/msp user

Additional failure data from Gitnux: 56% of MSPs experience data quality issues that undermine AI effectiveness. 60% face legacy system compatibility problems. 49% are deterred by vendor lock-in concerns. 48% face change management resistance from their teams.

ConnectWise CEO Manny Rivelo admitted the core problem: "Most MSPs haven't yet really embraced automation because there are challenges when you have to build solutions or hire teams to manage things like RPAs." He noted that 70-80% of MSP costs come from labor — suggesting they're leaving the real opportunity untapped.

This cynicism is earned. Any tool you evaluate should be held to a higher standard because of it.

Chapter 3

Workflow Engines vs. Autonomous Agents

The Distinction That Changes Everything

"AI for MSPs" gets thrown around like it means one thing. It doesn't. There are drag-and-drop workflow builders that call themselves AI. There are autonomous agents that actually reason about tickets. They work completely differently, and picking the wrong type is the most expensive mistake you can make.

Even the vendors admit this. Pia's own blog puts it bluntly: "Many platforms marketed as AI simply execute predefined actions... Automation follows clear instructions. Decision-making AI analyzes context, identifies intent, evaluates uncertainty." And: "Platforms requiring teams to manually build flows, map conditions, and define every possible scenario aren't truly intelligent — they're just executing user-created logic."

How They Differ

| Dimension | Workflow / RPA Tools | Autonomous AI Agents |
| --- | --- | --- |
| Architecture | Deterministic, predefined paths | LLM reasoning with planning loops |
| Decision-making | If/then rules, decision branches | Contextual inference from natural language |
| Data handling | Structured data only | Structured and unstructured (ticket text, emails) |
| New ticket types | Requires a new workflow to be built | Agent reasons about it and adapts |
| API changes | Workflows break, need maintenance | Tool definitions updated centrally |
| Setup requirement | Build workflows per ticket type | Connect tools, define permissions |
| Skills needed | Developer or automation engineer | MSP owner or service manager |
| Best for | High-volume, identical, predictable tasks | Variable tickets with ambiguity |

Adapted from SS&C Blue Prism research; arxiv comparative study

Why This Matters for Your Service Desk

Here's the practical difference. A ticket comes in: "Sarah can't access the shared drive." With a workflow engine, you need a predefined flow for "shared drive access" that checks specific conditions in a specific order. If the ticket says "Sarah can't access SharePoint" instead? Different workflow. "Sarah can't get to her files"? Another one. Every variation needs its own path.

An autonomous agent reads the ticket and figures it out. It identifies an access issue, queries the identity provider for Sarah's account, checks her group memberships against the resource permissions, looks up the client's documentation in IT Glue, and determines the fix. It doesn't care how the user worded it. It reasons about the problem the way your techs do.

Research comparing LLM agents to RPA across enterprise workflows backs this up: RPA outperforms in execution speed for repetitive, stable tasks, while LLM agents significantly reduce development time and handle dynamic inputs that would require dozens of RPA decision branches. For your MSP, where ticket language is inconsistent and every client's environment is slightly different, the agent approach has a clear edge.

The "Only Partly Agentic" Problem

Industry analyst ChannelHolic assessed zofiQ (before the ConnectWise acquisition) as "only partly" agentic — functioning more as a Microsoft-style copilot than fully autonomous. Fully autonomous features existed for select large customers but remained in development for general availability.

Rewst's own blog makes a revealing admission: "AI can vary its output even when the input stays the same, which makes it great for creative or interpretive tasks but less reliable for operational ones. When vendors claim their AI can 'run your tickets' or 'handle remediation,' it's worth asking whether this is the right place for probabilistic logic."

This is the honest tension. Workflow tools are deterministic and reliable, but someone has to build and maintain every single one. AI agents are flexible and adaptive, but they introduce probabilistic reasoning. Neither is objectively "better." The question is: does your team have the capacity to build and maintain workflows for every ticket type?

If you're under 1,000 endpoints and you don't have a dedicated automation engineer on staff, the answer is almost certainly no. You need something that works without being built.

Chapter 4

How AI Agents Actually Resolve Tickets

The Resolution Pipeline

An autonomous AI agent follows a four-stage pipeline for every ticket. Understanding this helps you evaluate whether a vendor's "AI" is actually doing anything intelligent, or just routing tickets with a chatbot attached.

1. Perceive. Ingest the ticket, alert, or chat message. Extract intent, urgency, affected systems, and user identity. This is where NLP matters — the agent needs to understand "I can't login" and "password doesn't work" and "locked out of my account" are all the same problem.

2. Reason. The LLM plans a resolution path. It considers available tools, permissions, client-specific configurations, and historical patterns. This is the step that separates agents from workflow engines — the planning happens dynamically, not from a predefined script.

3. Act. Execute tool calls via APIs: reset a password in Entra ID, unlock an account, add a user to a security group, deploy software via RMM. Each action is a structured API call with specific parameters.

4. Evaluate. Check whether the action succeeded. Did the password reset go through? Can the user log in? If yes, update the ticket and close it. If no, escalate with full context.

What the Architecture Looks Like

Under the hood, an MSP AI agent connects to your stack through a tool-use layer. Think of it as a technician with a keyring — each key opens a different tool:

The AI Agent's Toolbelt

  • PSA Tool (ConnectWise / Autotask / HaloPSA / Syncro): Read tickets, update status, log time entries, query contacts
  • Identity Provider Tool (Entra ID / Google Workspace): Reset passwords, unlock accounts, manage MFA, assign licenses, manage groups
  • RMM Tool (Automate / Datto RMM / NinjaOne): Query device status, execute remote scripts, deploy patches
  • Documentation Tool (IT Glue / Hudu): Look up SOPs, retrieve client configs, access credential vault
  • Approval Gateway: Human-in-the-loop for sensitive actions, async approval via Slack/Teams

When the agent needs to take an action, it generates a structured function call — essentially telling the system "call this API with these parameters." The orchestration layer executes the call and returns the result. The agent then decides what to do next based on the outcome.

Walk-Through: Password Reset

Here's exactly what happens when a password reset ticket arrives:

  1. Ticket ingress: User submits "Can't log in, need password reset" via email, portal, or chat
  2. Identity verification: Agent matches the ticket submitter against the PSA contact record. Confirms the requester is the affected user or an authorized manager
  3. Account lookup: Queries Microsoft Graph API to confirm the user exists and is active in Entra ID
  4. Check account state: Is the account locked, disabled, or does it just need a password reset? Different problems require different actions
  5. Execute reset: Calls the Microsoft Graph resetPassword endpoint with forceChangePasswordNextSignIn: true
  6. Secure delivery: Sends the temporary password through a secure channel — never in the ticket itself
  7. Update ticket: Adds internal notes documenting the action, categorizes as "Password Reset", logs time entry
  8. Verify: Optionally confirms with the user that they can log in
  9. Close ticket

Total time: under 3 minutes. Manual time: 10-30 minutes including the queue wait. The required Entra ID permission is UserAuthenticationMethod.ReadWrite.All with a User Administrator role assignment.

Walk-Through: New User Onboarding

This is the most complex L1 workflow and the biggest time sink. Currently takes 2+ hours manually per new employee (NinjaOne research). Here's what the AI handles:

  1. Parse the request: Extract name, department, role, start date, manager, required applications from the ticket
  2. Lookup onboarding template: Query IT Glue/Hudu for the client's onboarding SOP and department-specific access template
  3. Create user account: Call Microsoft Graph to create the user with display name, UPN, department, job title, and manager
  4. Assign licenses: Assign the correct M365 license tier (E3/E5/Business Premium) per client template
  5. Add to groups: Security groups, distribution lists, Teams, SharePoint sites — per department template
  6. Configure mailbox: Set up shared mailbox access, email aliases, forwarding rules
  7. Set up MFA: Issue a Temporary Access Pass for first-login MFA enrollment
  8. Provision LOB apps: Create accounts in CRM, project management tools, or other integrated apps
  9. Generate welcome package: Compile credentials and first-day instructions
  10. Notify manager: Send new user details via secure channel
  11. Update and close ticket

One MSP case study documented 1,400 hours per month spent on manual onboarding/offboarding tasks before automating. System admins waste 30% of their time just managing user rights and installations.

Sources: Rewst case study; Heimdal Security

Walk-Through: MFA Reset

MFA resets are the highest-risk L1 ticket. A bad actor posing as a user requesting an MFA reset is a common social engineering attack. This is the one ticket type where AI should always require human approval before executing.

  1. Ticket ingress: "I got a new phone and can't sign in with MFA"
  2. Identity verification: Agent flags this as high-risk and requests identity verification through a secondary channel (manager confirmation, security questions, or video call)
  3. Approval gate: Human tech must explicitly approve before any action
  4. After approval: Delete existing authentication methods via Graph API
  5. Revoke sessions: Invalidate all active sessions to prevent unauthorized access
  6. Issue Temporary Access Pass: Time-limited TAP so the user can re-enroll MFA
  7. Guide re-enrollment: Instruct user to set up new MFA at aka.ms/mfasetup
  8. Verify and close

Required permission: UserAuthenticationMethod.ReadWrite.All with Authentication Administrator role. The approval gate is non-negotiable — if a vendor tells you their AI handles MFA resets autonomously with no human check, that's a security risk, not a feature.
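
One way to enforce the approval gate and the requester check at the orchestration layer, where the agent's structured function calls arrive (an added example, not Rallied's or any vendor's code; the tool names, risk tiers, `MANAGER_OF` directory and field names are hypothetical):

```python
# Added example: a policy gate between model-proposed tool calls and execution.
# Tool names, risk tiers, addresses and field names are hypothetical.
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    EXECUTE = "execute"                # run the call now
    PROPOSE_ONLY = "propose_only"      # supervised mode: show the plan, do nothing
    NEEDS_APPROVAL = "needs_approval"  # park until a human tech approves
    DENY = "deny"                      # never run; escalate with context


# Hypothetical tool catalogue: name -> (risk tier, parameters the model may set).
TOOLS = {
    "idp.unlock_account": ("low", {"user"}),
    "idp.reset_password": ("low", {"user", "force_change_next_sign_in"}),
    "idp.add_to_group": ("medium", {"user", "group"}),
    "idp.reset_mfa": ("high", {"user"}),
}

# Constructed sample directory: user -> manager, as held in the PSA contact record.
MANAGER_OF = {"sarah@client.example": "bob@client.example"}


@dataclass
class Ticket:
    ticket_id: str
    requester: str  # verified PSA contact that submitted the ticket


@dataclass
class ToolCall:
    tool: str
    params: dict


@dataclass
class Policy:
    supervised: bool       # True on days 2-3: propose, never execute
    autonomous_tiers: set  # tiers that may run with no human in the loop
    approvals: set = field(default_factory=set)  # {(ticket_id, tool, user)}


def evaluate(call, ticket, policy, manager_of=MANAGER_OF):
    """Return (Decision, reason) for one structured call proposed by the model."""
    if call.tool not in TOOLS:
        return Decision.DENY, "tool not in catalogue"
    tier, allowed = TOOLS[call.tool]
    extra = set(call.params) - allowed
    if extra:
        # For example, the model may not choose the new password itself.
        return Decision.DENY, "unexpected parameters: " + ", ".join(sorted(extra))
    user = str(call.params.get("user", "")).strip().lower()
    requester = ticket.requester.strip().lower()
    if not user:
        return Decision.DENY, "no target user"
    # The check uses the ticket's verified contact, not anything in the ticket text.
    if requester != user and manager_of.get(user) != requester:
        return Decision.DENY, "requester is neither the user nor their manager"
    if policy.supervised:
        return Decision.PROPOSE_ONLY, "supervised mode"
    # High-risk tools are gated even if someone adds "high" to autonomous_tiers.
    if tier == "high" or tier not in policy.autonomous_tiers:
        if (ticket.ticket_id, call.tool, user) in policy.approvals:
            return Decision.EXECUTE, "approved by a human tech"
        return Decision.NEEDS_APPROVAL, tier + "-risk action"
    return Decision.EXECUTE, "within autonomous scope"


def gate_plan(calls, ticket, policy):
    """Evaluate a plan in order; stop at the first call that is denied or parked."""
    audit = []
    for call in calls:
        decision, reason = evaluate(call, ticket, policy)
        audit.append({"ticket": ticket.ticket_id, "tool": call.tool,
                      "decision": decision.value, "reason": reason})
        if decision in (Decision.NEEDS_APPROVAL, Decision.DENY):
            break
    return audit


if __name__ == "__main__":
    t = Ticket("T-1001", "sarah@client.example")
    live = Policy(supervised=False, autonomous_tiers={"low"})
    plan = [ToolCall("idp.unlock_account", {"user": "sarah@client.example"}),
            ToolCall("idp.reset_mfa", {"user": "sarah@client.example"})]
    for record in gate_plan(plan, t, live):
        print(record)
```

An approval is bound to the ticket, the tool and the target user, so approving Sarah's MFA reset on one ticket authorizes nothing else.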

What Makes Cross-Stack Diagnosis Different

The ambiguous tickets — "can't access files," "Outlook is slow," "something is wrong with my computer" — are where most tools fail. A PSA-native tool sees the ticket text and nothing else. An agent with full-stack access can:

  • Check the identity provider: Is the account locked? Is the license active? Are group memberships correct?
  • Check the RMM: Is the device online? Any recent alerts? Disk space, CPU, memory?
  • Check M365 service health: Is there a known outage affecting this service?
  • Check documentation: Any client-specific procedures or known issues?
  • Check the PSA: Any recent changes, related tickets, or ongoing projects?

Service desk teams spend up to 30% of their time just sorting and assigning tickets. Cross-stack diagnosis by an AI agent eliminates that triage burden and delivers context-rich escalations when human judgment is needed.

Source: zofiQ research

Chapter 5

The Three Requirements

After analyzing dozens of MSP AI deployments — successful and failed — three non-negotiable requirements emerge. If a tool doesn't meet all three, it will stall.

Requirement 1: Time to Value Under 7 Days

Every week between signing up and resolving real tickets is a week of risk. Risk the tool doesn't work. Risk you'll lose momentum. Risk the team stops caring.

Remember: 53% of MSPs experienced 6+ month rollout delays. The tools that succeed deploy fast.

Questions to ask:

  • "How many days from signing up to resolving my first real ticket?"
  • "Do I need a dedicated person to manage this?"
  • "What happens during the first week? Walk me through it day by day."

Red flags: "We'll schedule a kickoff call and begin onboarding over the next 4-6 weeks." "You'll need to document your SOPs first." "We'll assign a field engineer." Any mention of a "dedicated admin."

Green flags: "Connect your tools today, resolving tickets by Friday." "No workflows to build." "You talk to it in plain English."

Requirement 2: Full-Stack Visibility

L1 tickets don't live in one tool. A "can't access files" ticket might require checking five different systems simultaneously. A tool that only sees your PSA is making decisions with one eye closed.

Questions to ask:

  • "Which tools do you connect to? PSA, RMM, identity, documentation?"
  • "Can you query multiple tools simultaneously when diagnosing?"
  • "What happens when the answer isn't in the ticket text?"

Red flags: Tool only connects to your PSA. "We use ticket data to make decisions." No mention of RMM or identity provider connections.

Green flags: Connects to PSA + RMM + identity + documentation simultaneously. Can cross-reference data from 3-4 tools. Takes action across tools, not just reads.

Requirement 3: Autonomous Resolution, Not Just Triage

Triage is helpful. Routing tickets saves time. But it doesn't eliminate tech time. Someone still has to open the ticket and do the work.

NeoAgent's own blog identifies this gap: "Many tools promise intelligence but stop at recommendations. They surface insights, suggest next steps, and then rely on technicians to interpret, decide, and act. In live MSP environments, that approach often adds friction rather than removing it."

Questions to ask:

  • "Does it resolve the ticket or just categorize and route it?"
  • "Show me a ticket resolved end-to-end with no human involvement."
  • "What percentage of L1 tickets does it fully resolve autonomously?"

Red flags: "AI-assisted resolution" (assisted = a human still does it). "Suggests resolutions for your techs." Demo only shows categorization.

Green flags: "Resets the password, unlocks the account, notifies the user, closes the ticket." Real ticket resolved end-to-end. Clear metrics on resolution rate, not just "tickets touched."

Chapter 6

The Evaluation Framework

Use this scorecard when evaluating any AI tool for your service desk. Score each category 1-5.

Deployment Speed (Weight: 25%)

| Score | Criteria |
| --- | --- |
| 1 | 3+ months to full deployment |
| 2 | 1-3 months with dedicated admin |
| 3 | 2-4 weeks with some configuration |
| 4 | 1-2 weeks, minimal configuration |
| 5 | Same week, connect and go |

Integration Depth (Weight: 25%)

| Score | Criteria |
| --- | --- |
| 1 | PSA only |
| 2 | PSA + one other tool |
| 3 | PSA + RMM + identity provider |
| 4 | PSA + RMM + identity + documentation |
| 5 | Full stack + cross-stack queries + actions |

Resolution Capability (Weight: 25%)

| Score | Criteria |
| --- | --- |
| 1 | Triage/routing only |
| 2 | Triage + suggested resolutions |
| 3 | Resolves 1-2 ticket types autonomously |
| 4 | Resolves 5+ ticket types autonomously |
| 5 | Resolves most L1 categories + handles new types without new workflows |

Ongoing Burden (Weight: 15%)

| Score | Criteria |
| --- | --- |
| 1 | Full-time dedicated admin required |
| 2 | Part-time admin + regular workflow maintenance |
| 3 | Occasional configuration updates |
| 4 | Minimal maintenance, self-adjusting |
| 5 | Zero ongoing admin — runs autonomously |

Team Adoption (Weight: 10%)

| Score | Criteria |
| --- | --- |
| 1 | New platform to learn, separate login |
| 2 | PSA integration, some new workflows |
| 3 | Familiar interface, moderate learning curve |
| 4 | Lives where team already works, natural interaction |
| 5 | Feels like a teammate, zero training needed |

How to Score

Total = (Deployment × 0.25) + (Integration × 0.25) + (Resolution × 0.25) + (Burden × 0.15) + (Adoption × 0.10)

4.0 - 5.0: Strong candidate. Run a pilot.
3.0 - 3.9: Viable but has tradeoffs. Clarify gaps before committing.
2.0 - 2.9: Significant limitations. Proceed with caution.
Below 2.0: Wrong tool for the job.

The Competitive Landscape (March 2026)

| Vendor | Type | PSA Support | Key Tradeoff |
| --- | --- | --- | --- |
| Rewst | Workflow builder | Multi-PSA | Powerful but requires developer skills + months |
| Pia | AI + Automation | Multi-PSA | Pre-built packs but 3-4 month onboarding |
| Bumblebee | AI Workflow | Multi-PSA | Workspace-native but needs SOPs documented first |
| NeoAgent | AI Automation | CW, Autotask | Transparent pricing but narrower scope |
| Everest | Agentic AI | PSA-native | YC-backed but high-touch implementation |
| zofiQ | Agentic AI | CW only (acquired) | ConnectWise-exclusive since Jan 2026 |
| Mizo | Agentic AI | CW, AT, Halo | Newer entrant, PitchIT 2025 runner-up |
| Rallied | Autonomous agent | CW, AT, Halo, Syncro | Workspace-native, same-week deployment |

The 10 Questions for Every Vendor

Write these down. Bring them to every demo call.

  1. "How many days from signup to my first real ticket resolved?"
  2. "Do I need a dedicated person to manage this? Part-time or full-time?"
  3. "Show me a real ticket being resolved, not a demo scenario."
  4. "Which of my tools do you connect to? Can you query them simultaneously?"
  5. "What happens when a ticket type comes in that you haven't seen before?"
  6. "What does your tool NOT do? Where are the boundaries?"
  7. "What's your actual resolution rate across your customer base? Not tickets touched — tickets resolved without human intervention."
  8. "Can I talk to three customers who've been live for more than 90 days?"
  9. "What breaks? When things go wrong, how do I find out and what happens?"
  10. "If I cancel in 30 days, what's the process?"

Any vendor who can't answer these directly is selling you a pitch, not a product.

Chapter 7

The Week-One Deployment Playbook

If you find a tool that scores 4.0+ on the evaluation framework, here's how to deploy it properly. This is the exact process that separates the 1-2% of MSPs who succeed with AI from the 30-40% who try and abandon.

Pre-Deployment (Before Day 1)

  • Audit ticket data: categorize last 90 days by type, complexity, volume
  • Identify top 5 ticket categories (usually: password resets, account unlocks, new user setup, MFA issues, basic troubleshooting)
  • Set up API credentials for PSA, RMM, and identity providers
  • Map client-specific exceptions ("Client X uses on-prem AD, not Entra ID")
  • Define approval workflows: what's autonomous vs. what needs human sign-off

The #1 gotcha

Dirty ticket data. If historical tickets are poorly categorized or have inconsistent descriptions, the AI will struggle with pattern matching. Clean your data before deployment, not after. This alone prevents more failures than any other preparation step.

Day 1: Connect and Scope

Morning:

  • Kickoff call with vendor (30-60 minutes)
  • Map your stack: which PSA, RMM, identity provider, documentation platform
  • Connect tools via OAuth or API keys — this should take under an hour. If it takes longer, flag it.

Afternoon:

  • Define initial scope: start with highest-volume, lowest-risk L1 tickets
  • Password resets and account unlocks are the right starting point — high volume, low risk, clear success criteria
  • Set approval rules: what the AI can do autonomously vs. what needs human approval

Day 1 checklist:

  • All tools connected and verified
  • AI has read access to ticket history (last 30-90 days)
  • Scope defined: which ticket types, which clients
  • Approval rules configured
  • Team notified: "We're testing an AI tool this week"

Day 2-3: Supervised Mode

The AI starts processing tickets but doesn't execute actions yet. Instead, it tells you what it would do.

"I'd reset this user's password in Entra ID, send them the new credentials, and close the ticket. Should I proceed?"

You need to verify it's making the right decisions on YOUR tickets, with YOUR stack, for YOUR clients. Demo environments are clean. Real environments have exceptions, edge cases, and that one client who still uses on-prem Exchange.

What to watch for:

  • Is it correctly identifying the ticket type?
  • Is it pulling the right user from the right identity provider?
  • Are the proposed actions correct?
  • Does it handle client-specific exceptions?

Day 2-3 checklist:

  • Reviewed 20+ supervised ticket decisions
  • Identified edge cases or exceptions
  • Corrected any misconfigurations
  • Confidence level assessed: ready for autonomous mode?

Day 4-5: Autonomous Mode (Limited Scope)

Turn on autonomous resolution for your highest-confidence ticket types. The AI now executes: resets the password, notifies the user, updates the ticket, closes it. No human in the loop.

Monitor:

  • Resolution time — should be minutes, not hours
  • End-user confirmation — did the user confirm the issue was fixed?
  • Error rate — any tickets where the action failed or was incorrect?
  • Escalation quality — for tickets it can't resolve, is the triage accurate?

Week 2-4: Expand and Tune

Week 2: Add MFA resets (with approval gate), distribution group access, license assignment

Week 3: Add onboarding/offboarding workflows, software install requests

Week 4: Add cross-stack diagnosis for ambiguous tickets

Common Gotchas

  1. Missing SOPs: The AI can only follow documented procedures. If your password reset process exists only in a tech's head, document it first
  2. API permission issues: MSPs often discover their Entra ID service principal doesn't have the right roles. Test all API connections before Day 1
  3. Client-specific exceptions: Map these before deployment. "Client Y requires manager approval for any account change"
  4. Technician resistance: Frame it as "AI handles the boring stuff so you can do interesting work." Show them an AI-resolved password reset that would have taken 15 minutes
  5. Over-scoping: Trying to automate everything at once. Start with one ticket type, one client. Expand after proving accuracy
  6. Ignoring the approval queue: If approval requests pile up and nobody responds, the system stalls. Assign clear ownership

The 30-Day Benchmark

After 30 days, you should be able to answer these four questions:

1. How many tickets did the AI resolve without human intervention?

  • Target: 30-50% of in-scope L1 tickets in month one
  • If below 20%: the tool isn't working. Diagnose or switch.

2. How many tech hours were recovered?

  • Calculate: (tickets resolved) × (avg previous resolution time)
  • Compare to your baseline from Chapter 1

3. What's the error rate?

  • Target: Under 5% incorrect actions
  • If above 10%: trust issue. Pause and investigate.

4. How does the team feel about it?

  • Ask your techs directly. If they don't trust it, adoption dies regardless of the numbers.

Chapter 8

Safety, Control, and Compliance

This is the chapter most playbooks skip. It's also the one that matters most. You're giving an AI system access to your clients' identity providers, mailboxes, and endpoints. If that sentence doesn't make you a little nervous, it should.

The good news: this is a solvable problem. You just need the right guardrails from day one.

Three Tiers of Control

Not everything should be autonomous. The smartest approach: start tight, loosen as you build confidence. Here's how to structure it:

| Tier | Actions | Authorization |
|---|---|---|
| Fully Autonomous | Ticket triage, categorization, status updates, internal notes, querying device/user status (read-only), documentation lookup, informational responses, time entries | No approval needed |
| Approval Required | Password resets, account unlocks, software installations, group membership changes, configuration changes on endpoints | Human confirmation via Slack/Teams notification |
| Always Human-Only | MFA resets, account deletion/disabling, admin role assignments, conditional access policy changes, data deletion, security incident response, any action on privileged accounts | Manual execution only |

As you build trust, actions graduate from "approval required" to "fully autonomous." Password resets typically make that jump within the first two weeks. MFA resets? Those should never be fully autonomous. Ever.

Per-Client Permission Scoping

You serve multiple clients. Each has different security postures, different compliance requirements, different risk tolerances. The AI must respect that:

  • Client isolation: The agent working on Client A's tickets should never touch Client B's identity provider. Period. API keys and service accounts scoped per tenant.
  • Role-based tool access: You decide which tools the agent can use and which actions it can perform — per client.
  • Policy inheritance: Set global rules ("always require approval for MFA resets") with client-level overrides ("Client X also requires approval for password resets").
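
The tier table and the per-client rules above can be expressed as one small authorization check. This is an added example, not Rallied's or any vendor's code; the action names, client IDs, and the rule that a client override can only tighten the global tier are assumptions made for illustration.

```python
from enum import IntEnum

class Tier(IntEnum):
    AUTONOMOUS = 0   # no approval needed
    APPROVAL = 1     # human confirmation via Slack/Teams
    HUMAN_ONLY = 2   # manual execution only

# Global baseline from the tier table; action names are hypothetical.
# password_reset is shown after it has graduated to autonomous.
GLOBAL_POLICY = {
    "ticket_triage": Tier.AUTONOMOUS,
    "read_device_status": Tier.AUTONOMOUS,
    "password_reset": Tier.AUTONOMOUS,
    "account_unlock": Tier.APPROVAL,
    "group_membership_change": Tier.APPROVAL,
    "mfa_reset": Tier.HUMAN_ONLY,
    "admin_role_assignment": Tier.HUMAN_ONLY,
}

# Constructed client overrides. client-y's attempt to loosen MFA resets
# has no effect because overrides can only tighten (assumption).
CLIENT_OVERRIDES = {
    "client-x": {"password_reset": Tier.APPROVAL},
    "client-y": {"mfa_reset": Tier.APPROVAL},
}

def effective_tier(client, action, privileged=False):
    """Strictest of the global tier and the client override."""
    if privileged:                       # any action on a privileged account
        return Tier.HUMAN_ONLY
    base = GLOBAL_POLICY.get(action, Tier.HUMAN_ONLY)   # unknown action: deny
    override = CLIENT_OVERRIDES.get(client, {}).get(action, base)
    return max(base, override)

def authorize(ticket_client, credential_tenant, action,
              privileged=False, approved_by=None):
    """Return (decision, detail) for one proposed agent action."""
    if credential_tenant != ticket_client:          # client isolation
        return ("deny", "credential is scoped to another tenant")
    tier = effective_tier(ticket_client, action, privileged)
    if tier == Tier.HUMAN_ONLY:
        return ("deny", "human-only action")
    if tier == Tier.APPROVAL and not approved_by:
        return ("pending", "awaiting human approval")
    return ("allow", approved_by or "auto-approved")
```

The detail returned with an "allow" decision is the approver, or "auto-approved", which is the value an audit record needs for its approval field.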

Audit Trail: Your Insurance Policy

When a client asks "what did the AI do to Sarah's account last Tuesday?" you need to answer that in 30 seconds. Every AI action should generate an audit record with:

  • Timestamp, ticket ID, client/tenant
  • User affected and exact action performed (including the API call)
  • Tool/system used
  • Who approved it (or that it was auto-approved)
  • Result (success/failure)
  • The agent's reasoning — why it chose this action over alternatives

Ask every vendor to show you this. If they can't pull a detailed audit trail for every AI action, they haven't built the tool for MSPs. They've built it for demo day.
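
One way to test a vendor's audit export against the field list above, as an added example rather than any vendor's actual format: the JSON-lines layout, field names, and sample records are constructed for illustration.

```python
import json
from datetime import datetime

# Field names are assumptions that mirror the bullet list above.
REQUIRED = ("timestamp", "ticket_id", "tenant", "user", "action",
            "api_call", "tool", "approved_by", "result", "reasoning")

# Constructed sample export, one JSON object per line (not real vendor output).
SAMPLE_LOG = """\
{"timestamp": "2026-03-10T14:02:11+00:00", "ticket_id": "T-1002", "tenant": "client-a", "user": "sarah@client-a.example", "action": "password_reset", "api_call": "PATCH /users/<id>", "tool": "Entra ID", "approved_by": "tech@msp.example", "result": "success", "reasoning": "Ticket matched the password reset SOP."}
{"timestamp": "2026-03-10T09:15:40+00:00", "ticket_id": "T-1001", "tenant": "client-a", "user": "sarah@client-a.example", "action": "account_unlock", "api_call": "PATCH /users/<id>", "tool": "Entra ID", "approved_by": "auto-approved", "result": "success", "reasoning": "Lockout after repeated failed sign-ins."}
{"timestamp": "2026-03-10T11:30:00+00:00", "ticket_id": "T-2001", "tenant": "client-b", "user": "sarah@client-b.example", "action": "password_reset", "api_call": "PATCH /users/<id>", "tool": "Entra ID", "approved_by": "", "result": "success"}
"""

def load(text):
    """Parse a JSON-lines export into a list of records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def problems(record):
    """List what is missing or malformed in one audit record."""
    issues = [f"missing {field}" for field in REQUIRED if not record.get(field)]
    if record.get("result") not in ("success", "failure"):
        issues.append("result must be success or failure")
    try:
        datetime.fromisoformat(str(record.get("timestamp") or ""))
    except ValueError:
        issues.append("timestamp is not ISO 8601")
    return issues

def actions_on(records, tenant, user, day):
    """Answer 'what did the AI do to this user on this day?' for one tenant."""
    hits = [r for r in records
            if r.get("tenant") == tenant and r.get("user") == user
            and str(r.get("timestamp", "")).startswith(day)]
    return sorted(hits, key=lambda r: r["timestamp"])

if __name__ == "__main__":
    records = load(SAMPLE_LOG)
    for r in actions_on(records, "client-a", "sarah@client-a.example", "2026-03-10"):
        print(r["timestamp"], r["action"], r["approved_by"], r["result"])
    for r in records:
        print(r["ticket_id"], problems(r) or "complete")
```

The third record is deliberately incomplete: it has no approver and no reasoning, which is the kind of gap to look for in a real export.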

SOC 2 Considerations

If you're SOC 2 compliant (or your clients require it), the AI tool needs to meet the same bar as everything else in your stack:

  • All AI interactions logged and auditable against the five trust principles
  • Kill switch: you can disable AI features or revert to manual workflows instantly
  • Regular human review of AI decisions (monthly at minimum)
  • Clear data retention policies for AI reasoning traces

HIPAA (If You Serve Healthcare)

Healthcare clients add another layer. Make sure:

  • The vendor's BAA covers how the AI processes, stores, and transmits PHI
  • All PHI access is logged at application and database levels
  • The AI never stores PHI in model memory beyond the active session
  • Minimum necessary standard: the agent touches only the data it needs for that specific ticket

The 3 questions to ask every vendor. Before you sign anything: "Show me the audit trail. Show me the permission model. Show me how I control what the AI does per client." If the answers are vague, you have your answer.

Chapter 9

Measuring What Matters

The Five Metrics Dashboard

After deploying AI, track these five metrics monthly. These are the numbers that tell you whether the tool is working, not the vendor's marketing claims.

| Metric | Pre-AI Benchmark | Month 1 Target | Month 6 Target |
|---|---|---|---|
| Autonomous Resolution Rate | 0% | 30-50% of L1 | 60-80% of L1 |
| Mean Time to Resolution | 4-24 hours | <15 min (AI tickets) | <5 min (AI tickets) |
| Cost Per Ticket | $22 (MetricNet avg) | $8-12 (blended) | $5-8 (blended) |
| Error Rate | N/A | <5% | <3% |
| Tech Hours Recovered | 0 | 25-40 hrs/month | 60-100 hrs/month |

Industry data supports these targets. Companies deploying AI agents in support report 50% reductions in cost per interaction. Early enterprise rollouts show 60% reduction in ticket volume reaching human agents. MSPs using AI-driven monitoring outperform peers by 34% in client retention and 27% in revenue growth.

Sources: Plain.com; Pylon; MSPBots

The ROI Calculation

The Formula: Monthly ROI = (AI-resolved tickets × avg cost per ticket) − AI platform cost

Example for an MSP managing 800 endpoints:

| Line Item | Calculation | Value |
|---|---|---|
| Total L1 tickets/month | 800 endpoints × 1.0 ticket/endpoint × 70% L1 | 560 tickets |
| AI resolution rate (month 3) | 560 × 50% | 280 tickets |
| Avg cost per L1 ticket | MetricNet benchmark | $22 |
| Monthly savings | 280 × $22 | $6,160 |
| AI tool cost | Varies by vendor | ~$1,200 |
| Net monthly savings | | $4,960 |
| Annual net savings | | $59,520 |
| ROI multiple | | 5.1x |

That's the conservative math. It doesn't count:

  • After-hours coverage value: An offshore NOC costs $2K-$8K/month. AI provides 24/7 L1 coverage at a fraction of that. No language barriers, no quality inconsistency, no "vacations, sick days, turnover, and scheduling gaps."
  • Client retention value: Average MSP client is worth $2K-$10K/month in recurring revenue. Reducing churn from 12% to 8% by improving SLAs can be worth more than the entire AI investment.
  • Capacity expansion: The gold standard for endpoints per technician is 350. Average is 200-300. AI can close that gap without hiring, letting you add clients without adding headcount.

Sources: Acronis benchmarking (350 endpoints/tech); Xurrent (12% churn rate); DigitalMinds BPO (NOC pricing)

The Augmentation Principle

The best MSPs take pride in their people. Customer service is the product. AI doesn't replace that. It protects it.

When your L3 engineer is resetting passwords instead of architecting a client's cloud migration, you're wasting your best asset on your lowest-value work. That's not a staffing problem — it's an allocation problem.

Technicians currently spend 39% of their time on manual tasks. 88% say those tasks prevent them from innovation or strategic goals. The average MSP technician spends 4-6 hours per week on non-billable manual reporting alone.

Sources: ManageEngine; Support Adventure

The right mental model isn't "AI replaces techs." It's "AI handles the work that's beneath your team's skill level so they can do the work that grows your business."

What changes for your techs: L1 tickets disappear from their queue. They get context-rich escalations instead of raw tickets. Morale improves. Nobody became a tech to reset passwords.

What changes for you: Margins expand. Growth becomes less terrifying — adding 200 endpoints doesn't mean hiring another tech. After-hours coverage without night shifts. The next hire you make is an L3 engineer or project manager, not another L1 tech.

What doesn't change: Your team still handles complex troubleshooting, client relationships, and strategic work. Security incidents, hardware issues, and network problems still need humans. AI handles the repetitive, high-volume, low-complexity work. Humans handle everything that requires judgment, empathy, or expertise.

Chapter 10

What's Next — The AI-First MSP

The Market Is Moving Fast

ConnectWise CEO Manny Rivelo: "All software needs to be intelligent as we move into the new era. I don't think you'll exit '26 or for sure '27 with dumb SaaS applications." He's not wrong. The zofiQ acquisition in January 2026 was just the first move. Every major PSA vendor will have AI capabilities by the end of 2027 — built or acquired.

Gartner predicts agentic AI will autonomously resolve 80% of common service issues by 2029. 40% of enterprise applications will embed task-specific AI agents by the end of 2026. The question isn't whether this is happening. It's whether you're the MSP that deployed early and built a cost advantage, or the one still burning $50/hr of tech time on password resets while your competitor resolves them in 3 minutes.

The Three Stages

Stage 1: L1 Resolution (Now). Deploy AI to handle password resets, account unlocks, MFA resets, and basic provisioning. Highest volume, lowest risk, clearest ROI. This is your starting point.

Stage 2: Intelligent Triage + Onboarding (Months 2-6). Expand to user onboarding/offboarding, cross-stack diagnosis, and proactive pattern detection. Catching client-wide outages before they become 20 individual tickets. The system starts learning your environment's patterns.

Stage 3: Proactive Operations (6+ Months). AI monitors your environment and flags issues before they become tickets. Detects anomalies, correlates events across clients, recommends preventive actions. This is where AI stops being reactive and starts being a strategic advantage.

The Industry Numbers That Should Motivate You

$64B: US managed services market (2025)
$108B: projected by 2030 (11% CAGR)

Source: Mordor Intelligence

The market is growing. But so is the competition. 64% of MSPs reported revenue increases last year. 67% expect further growth. 91% cited profitability as a top priority for 2025. The MSPs that grow margins fastest will be the ones that solve the labor equation — and AI is the lever.

Getting Started

You've done the math. You know the evaluation framework. You have the deployment playbook, the safety requirements, and the metrics to track.

The next step is simple: pick a tool, run a pilot, and measure. Not in theory. On your actual tickets, with your actual stack, for your actual clients.

If it works in week one, expand. If it doesn't, you know within days — not months — and you move on.

The worst outcome isn't picking the wrong tool. It's waiting another quarter while your techs burn hours on password resets and your competitors figure this out first.

The Evaluation Scorecard

This is the most valuable page in this playbook.

Print it. Bring it to every vendor demo. Score every tool the same way.

| Category | Weight | Score (1-5) | Weighted |
|---|---|---|---|
| Deployment Speed | 25% | | |
| Integration Depth | 25% | | |
| Resolution Capability | 25% | | |
| Ongoing Burden | 15% | | |
| Team Adoption | 10% | | |
| Total | | | |

One More Thing

You just read a vendor-neutral evaluation framework. You have the scorecard, the questions, the red and green flags. That was the point — give you a filter so you can cut through the noise yourself.

Now here's the part where we're transparent about something: we wrote this playbook because we built the tool it describes.

Rallied is an AI technician for MSPs. It lives in your Slack or Teams workspace. It connects to your PSA, RMM, identity provider, and documentation — and it resolves L1 tickets autonomously. Password resets, account unlocks, MFA resets, access provisioning, software installs. The tech never opens the ticket.

If you score Rallied against the framework in Chapter 6:

| Category | Rallied | Why |
|---|---|---|
| Deployment Speed | 5 | Connect your stack, resolving tickets same week. No workflows to build. |
| Integration Depth | 5 | PSA + RMM + identity + documentation + communication. Cross-stack queries and actions. |
| Resolution Capability | 5 | Autonomous end-to-end resolution across L1 categories. No new workflows per ticket type. |
| Ongoing Burden | 5 | Zero ongoing admin. No automation engineer needed. No workflows to maintain. |
| Team Adoption | 5 | Lives in Slack/Teams. Feels like a teammate, not a platform. Zero training. |

We're not asking you to take our word for it. We're asking you to use your own scorecard. Bring it to a demo. Score us the same way you'd score Rewst, Pia, or anyone else. If we don't hit 4.0+, we'll tell you.

That's the whole pitch. If the framework checks out, talk to us. If it doesn't, you still have a great evaluation tool for whoever you pick.

Score Us Yourself

30-minute demo. Bring the scorecard from Chapter 6. We'll walk through your actual stack and show you what Rallied resolves on day one.

No commitment. No 6-month contract. See it work on your tickets or walk away.

The AI-First MSP Playbook, March 2026. Written by the team at rallied.ai.

This guide is free to share. If it saved you from a bad vendor decision, we did our job.