
AI has become part of everyday business operations. For managed service providers and small and medium-sized businesses (SMBs), the appeal is clear. AI tools can help lean teams move faster, automate repetitive processes, summarise information, query documentation and support customers with fewer manual steps.
That efficiency is valuable, especially for organizations operating with limited IT and security resources. Yet once AI tools are connected to sensitive business systems, they also become part of the attack surface.
The new risk: AI agents create a new exposure point
A standalone chatbot with no access to internal systems presents relatively limited risk. An AI agent connected to customer data, support tickets, internal documentation, credentials or business applications is different. It has privileged access that attackers want to exploit. In many cases, the AI agent can represent an easy route into the systems and data behind it.
This matters because attackers do not always follow the paths defenders expect. According to N-able’s recent State of the SOC report, in 2025, 18% of alerts originated from network and perimeter infrastructure, while around half of attacks never touched the endpoint. Organizations relying exclusively on endpoint monitoring would have missed as many as 137,187 network and perimeter threats across 12 months. Attackers switch up their tactics, and deploying powerful AI tools while ignoring security fundamentals adds more routes in.
Recent vulnerabilities also show how quickly AI-adjacent infrastructure can become a security concern. The BadHost flaw in Starlette demonstrated how weaknesses in underlying frameworks can potentially expose private AI tools, MCP servers, large language models and the sensitive data those tools can access. For MSPs and SMBs experimenting with AI agents, that is a reminder that applying security basics to the supporting stack matters as much as the efficiency gained from the application itself.
Why this matters especially for MSPs and SMBs
MSPs and SMBs are likely to be enthusiastic adopters of AI because the technology helps them achieve more with fewer resources. MSPs may use AI to support customer environments, summarise tickets, automate workflows or query technical documentation. SMBs may use it to make their limited IT, operations and administrative resources more efficient.
The challenge is that these same organizations may still be maturing the processes needed to track AI infrastructure, patch open-source components or monitor agent activity. Smaller companies can benefit significantly from AI, yet they cannot treat AI infrastructure as separate from their broader security programme.
Open-source AI infrastructure: flexibility comes with responsibility
Businesses broadly face two routes when adopting AI tools. They can use an off-the-shelf SaaS product, or they can build and customise their own AI infrastructure using open-source frameworks. Each model brings different responsibilities.
Open source gives MSPs and SMBs the ability to customise AI tools, decide what data they can access and build workflows that fit their environment. That flexibility is attractive, especially for organisations that want more control than a generic SaaS tool provides.
Custom infrastructure also brings custom responsibility. If an organisation builds AI infrastructure using open-source frameworks, it is responsible for knowing which components are in use, how they are configured, whether they are exposed and how quickly they can be patched. Open-source frameworks may allow more control over data access, but organisations remain on the hook for rapidly patching flaws like BadHost.
This is where practices such as SBOMs (Software Bills of Materials) can be useful. Maintaining an inventory of components, libraries and frameworks helps security teams understand what is in their environment and where action is needed when a vulnerability emerges. Without that visibility, even a relatively small AI tool can become difficult to secure.
AI changes the stack, not the fundamentals
AI introduces new workflows and architectures, yet the most important controls remain familiar. Security teams should resist the idea that AI requires an entirely new security playbook. The stack may be changing, but the fundamentals still apply.
Patching remains critical. Organisations need to know which frameworks, libraries and AI-adjacent tools are in use and have a process to update them quickly. This applies to private AI tools, MCP servers, LLM interfaces and the supporting infrastructure around them. Patching alone is not sufficient, however, because AI-assisted vulnerability discovery is making new exploits easier to produce.
Identity and access management is potentially more important. AI agents should only have access to the systems and data they genuinely need. Least privilege should be the default, and broad, persistent permissions should be avoided wherever possible. Service accounts linked to AI agents should be reviewed regularly, especially if those agents can access customer data, credentials, or business applications.
Monitoring also needs to expand to cover AI-connected systems. Security teams should look for abnormal access patterns, unexpected connections, unusual query behaviour and attempts to reach data outside an agent’s intended scope. Network segmentation can also help limit the potential impact if an AI agent or supporting service is compromised.
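A minimal version of the least-privilege and out-of-scope monitoring described above, as an added example that is not from the original article. The agent names, tool names, data scopes and audit-log lines are all constructed for illustration; unknown agents are denied by default, and repeated calls within one minute are flagged as a crude burst signal.

```python
import json
from collections import Counter

# Hypothetical least-privilege policy (constructed for this example):
# each agent may call only the listed tools and only on the listed data scopes.
AGENT_POLICY = {
    "ticket-summariser": {"tools": {"tickets.read"}, "scopes": {"support"}},
    "docs-assistant": {"tools": {"docs.search"}, "scopes": {"kb"}},
}


def is_allowed(agent: str, tool: str, scope: str) -> bool:
    """Return True only if the agent's policy permits this tool on this scope."""
    policy = AGENT_POLICY.get(agent)
    if policy is None:
        return False  # default deny: an agent with no policy gets nothing
    return tool in policy["tools"] and scope in policy["scopes"]


def find_out_of_scope(log_lines, burst_threshold=3):
    """Scan JSON audit lines and report denied calls plus per-minute call bursts."""
    findings = []
    per_minute = Counter()
    for line in log_lines:
        event = json.loads(line)
        agent, tool, scope = event["agent"], event["tool"], event["scope"]
        if not is_allowed(agent, tool, scope):
            findings.append(f"out-of-scope: {agent} -> {tool} on {scope} at {event['ts']}")
        per_minute[(agent, event["ts"][:16])] += 1  # bucket by YYYY-MM-DDTHH:MM
    for (agent, minute), count in per_minute.items():
        if count > burst_threshold:
            findings.append(f"burst: {agent} made {count} calls in {minute}")
    return findings


# Constructed sample audit lines; not real data.
SAMPLE_LOG = [
    '{"ts":"2025-01-10T09:00:01","agent":"ticket-summariser","tool":"tickets.read","scope":"support"}',
    '{"ts":"2025-01-10T09:00:05","agent":"ticket-summariser","tool":"tickets.read","scope":"billing"}',
    '{"ts":"2025-01-10T09:00:09","agent":"docs-assistant","tool":"credentials.read","scope":"kb"}',
    '{"ts":"2025-01-10T09:00:12","agent":"unknown-agent","tool":"docs.search","scope":"kb"}',
    '{"ts":"2025-01-10T09:01:00","agent":"docs-assistant","tool":"docs.search","scope":"kb"}',
    '{"ts":"2025-01-10T09:01:02","agent":"docs-assistant","tool":"docs.search","scope":"kb"}',
    '{"ts":"2025-01-10T09:01:03","agent":"docs-assistant","tool":"docs.search","scope":"kb"}',
    '{"ts":"2025-01-10T09:01:04","agent":"docs-assistant","tool":"docs.search","scope":"kb"}',
]

if __name__ == "__main__":
    for finding in find_out_of_scope(SAMPLE_LOG):
        print(finding)
```

In a real deployment the policy would come from the identity provider or gateway that mediates the agent's tool calls, and the findings would feed the existing alerting pipeline rather than stdout.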
Asset inventory is the foundation for all of this work. Security teams, MSPs and SMBs should start by understanding whether they are exposed. Organisations cannot protect AI systems they do not know exist.
What security teams should do now
The first step is identifying where AI tools and agents are being used across the organisation, both officially and unofficially. From there, teams should determine whether any of those tools are connected to sensitive systems or data, inventory the open-source components and frameworks supporting them, and check whether any AI-related infrastructure is internet-facing.
They should also review permissions and service accounts used by AI agents, patch known vulnerabilities in frameworks and supporting tools, monitor AI systems for unusual activity, and assign clear ownership for maintaining custom AI infrastructure. Without ownership, AI tools can quickly become orphaned assets that remain connected to important systems without adequate oversight.
The MSP opportunity: helping customers adopt AI safely
For MSPs, this risk also creates an opportunity. Many SMBs will adopt AI quickly, yet they may not fully understand the security implications of custom tools, open-source dependencies or agent permissions. MSPs are in a strong position to help customers balance innovation and risk.
That support could include assessing AI exposure, reviewing open-source AI infrastructure, applying patches and hardening, implementing identity controls, monitoring AI-connected systems and creating basic AI governance policies. Over time, AI security could become a new advisory and managed service opportunity for MSPs.
The goal should not be to slow AI adoption. AI agents can deliver real efficiency gains for MSPs and SMBs, particularly when teams are under pressure to do more with limited resources. The priority is to adopt AI with the same discipline applied to any other critical business technology.
AI is changing the technology stack. It has not changed the need for strong security fundamentals. Patching, monitoring, identity practices, asset inventory and clear ownership remain essential to protecting the systems and data that matter most.