Sabiki AIRM Agentic Identity Risk Management
The MSP Owner Brief · Act 1 of 2

Your clients are deploying AI.
You're not equipped to do it safely.

AI is becoming non-optional for client competitiveness. Every ChatGPT licence, every Claude integration, every Microsoft Copilot rollout, every Perplexity, DeepSeek, or Lindy seat, every custom-built agent — they each create new identities your MSP currently can't see, score, or govern. The MSPs who can safely deliver AI will win the next 18 to 24 months — the ones who can't will lose the relationship to those who can.

For MSP principals, COOs, commercial leads Read time 5–7 minutes Interactive live ROI calculator in Act 2

Every MSP will be asked the AI question by every client in the next 12 months. AIRM is how you answer it.

Three reasons this is on your desk now

What's actually happening in your client base.

Three movements happening simultaneously across the MSP channel right now — each one a reason to evaluate AIRM this quarter, not next.

Your clients are licensing AI now — ChatGPT, Claude, Microsoft Copilot, Perplexity, DeepSeek, Lindy — and the first waves go live this quarter. Without a pre-deployment oversharing and access audit, the marketing intern is one prompt away from the CFO's compensation file.

Pre-deployment NHI and permissions scan. Top-10 oversharing sites flagged by sensitivity exposure. Gated rollout — these 50 users on these sites this week, the rest in 30 days.

"AI-Safe in 7 days" — a productised readiness service every M365 client will buy.

The vendor list keeps expanding. ChatGPT, Claude, Copilot, Perplexity, DeepSeek, Lindy, n8n agents, Zapier AI, custom-built agents — every AI tool your clients add creates non-human identities with broad permissions. You can't currently see them. They never get reviewed. They proliferate for the life of the tenant.

Continuous discovery of every AI-spawned identity — Copilot agents, ChatGPT and Claude OAuth grants, Perplexity / DeepSeek / Lindy seats, automation accounts, third-party integrations. Six behavioural signals. Risk-scored and triaged for monthly review.

AI Agent Governance — a recurring retainer for the AI estate your client now depends on but can't govern alone.

The AI services market is forming right now. MSPs are racing to productise. The principals who launch in the next 90 days will define the local market category. The ones who wait 12 months will be reselling someone else's narrative.

A productised service kit you can launch inside 30 days — AI-Safe Onboarding, AI Agent Governance, quarterly AI Risk Posture report. Branded as your services, delivered through your existing PSA (ConnectWise, HaloPSA, Autotask).

First-mover AI service line in your local market — a differentiator that survives the next two renewal cycles.

Enterprise AI adoption

78%

of enterprises running at least one generative-AI tool in production by 2026 — ChatGPT, Claude, Copilot, Perplexity, DeepSeek or Lindy. Every seat sits inside a tenant with no oversharing audit.

Aggregated vendor disclosures · IDC · 2026

AI agents in production

69%

of enterprises already running AI agents in production — before the governance layer most MSPs offer.

Industry CISO survey, 2026

Identity sprawl

144:1

Non-human identities per human user in a typical M365 tenant — 97% over-permissioned. AI accelerates the curve.

Entro · Obsidian · 2025

Peer signal

92%

of security leaders concerned about AI agents in their environment. Your clients are actively looking for a partner who can answer this.

Sabiki market research, 2026

Early signals from the field

What we're already hearing from the cohort.

Sabiki is in active design-partner conversations with MSP principals across the channel. Three signals are coming through every one.

Signal 01 · Recognition

Discovery is the sale.

First-time NHI scans typically uncover 4–10× more identities than the MSP or the client believed they had. The visibility moment is what converts the principal — long before any technical evaluation. The scan is the demo.

Signal 02 · Pull

The AI conversation is already happening.

Every MSP we've spoken with has had a client raise AI in the last quarter — ChatGPT licences, a Copilot pilot, a Claude rollout, Perplexity in the marketing team. None of them had to start the conversation. The buying signal is already there — what's missing is the productised answer.

Signal 03 · Differentiation

Productisation wins new clients.

Cohort partners who turn the scan into a named service line (AI-Safe Onboarding, AI Risk Posture) are closing new logos on the back of it — not just upselling their existing book. The service line is the lead magnet.

"

AIRM gives the MSP a service line they can't currently sell. Most identity tooling tells you what's wrong — AIRM tells you how to fix it and produces the audit log to prove it. That's the layer the channel was missing.

"

Every MSP principal I speak to is asking the same thing: how do I monetise the AI conversation my clients are already having? AIRM is the answer. Within 90 days you can have three new service lines in your portfolio, all powered by the same engine.

The 30-second offer

See it on your client's tenant. No commitment.

The fastest way to know whether AIRM belongs in your portfolio is to point it at a single tenant in your book and read the executive summary the same day.

Run a free AIRM scan against one tenant.

Read-only, agentless, deployed via Microsoft Graph API. GDAP-compatible — no MX changes, no agents to install, zero client-facing disruption. The scan returns a one-page executive summary plus a full NHI inventory with risk scores, the same day.

Free 14-day trial No credit card Read-only Day 1
Act 2 · the commercial case

If the numbers in Act 1 make sense — see what accelerated AIRM adoption does to your book.

The interactive ROI calculator, three MSP service-line concepts AIRM unlocks, three client-conversation scripts (owner / CFO / IT lead), and the 90-day flagship path. About 4 minutes.

Continue to Act 2 ↓
Act 2 · The commercial case

Accelerated AIRM adoption across your customer base — what it does to your P&L.

Slide your total M365 estate under management, then slide how many of those tenants adopt AIRM. The math is anchored to the canonical v8 pricing model — partner tier climbs with the adoption count, NRR compounds Year-2 onwards. This is the floor — whatever services you wrap on top of AIRM are pure additional margin.

i On iPhone or iPad? If you opened this file from Mail and the sliders won't move, that's iOS Mail's preview pane blocking JavaScript. Tap the share icon → Open in Safari (or Save to Files → open from Files in Safari) and the calculator will work normally.

Your inputs

Two sliders. Default is a 50-tenant MSP with 30% of the book adopting AIRM.

Adoption rate · 30% of your estate

Adoption count drives your partner tier — Silver 30% (1–9) → Gold 33% (10–49) → Platinum 36% (50–99) → Elite 40% (100+). Average price per customer assumes the canonical 35/30/20/10/5 tier mix → $411.50/tenant/month weighted MSRP.

Partner tier · Gold
Weighted MSP margin / tenant $136 /mo
Adopted tenants × weighted margin 15 × $136
AIRM subscription margin / month $2,037

Year-1 annual recurring

$24,447

Year-3 ARR (118% NRR)

$34,226

AIRM subscription margin only — the floor. The MSP-built service lines below stack on top of this and are pure additional margin. Drive adoption higher → hit the next partner tier → the margin uplift applies to every existing tenant in your adopted book.

The cost of waiting

Three conversations you'll regret not running this quarter.

The AI wave isn't pausing for your evaluation cycle. Here's what waiting another quarter actually costs — drawn from the kind of conversations every MSP principal will be having in the next twelve months.

Scenario 01 · The AI rollout you didn't gate

The near-miss in six months.

Your warmest M365 client rolls out ChatGPT Enterprise, Copilot, or a Claude integration in Q3 without an oversharing audit. Six months later, an internal whistleblower flags that compensation data surfaced in a junior-staff prompt. The call lands on your desk. The first question is the same every time: "Why didn't you raise this with us last year?"

Scenario 02 · The competitor who got there first

The renewal that suddenly goes hard.

A 12-month renewal conversation with your second-largest client opens with: "Another MSP has been showing us a service called 'AI Risk Posture' for our quarterly board reporting. Why aren't you doing this?" You don't have an answer because you don't have the product. The renewal closes — but at a discount, and the trust dynamic is permanently shifted.

Scenario 03 · The insurance renewal you can't defend

The premium hike that lands on your client.

Your client's cyber insurer adds NHI-governance questions to the 2027 questionnaire. There's no evidence pack to hand over. The premium goes up +27% (Marsh, 2025) — or worse, the renewal includes a coverage exclusion for AI-related incidents. The client wants to know why their MSP didn't see this coming when the questions hit the market 18 months earlier.

Three service lines you could build on top of AIRM

What you sell, under your brand.

Sabiki sells AIRM as a per-tenant subscription. What you wrap around it is your business — your brand, your pricing, your margin. Below are three service-line concepts MSPs commonly productise on top of identity-governance tooling like AIRM. The price ranges are industry-typical for similar engagements, not Sabiki pricing — flex to your local market and your existing service rates.

A note on pricing. The numbers below are illustrative industry benchmarks for the kind of work MSPs typically charge clients to deliver. They are not Sabiki SKUs and not in the AIRM partner program. The only price relationship between you and Sabiki is the per-tenant AIRM subscription — everything below is the MSP service-line opportunity AIRM unlocks.

Service 01 · One-off

AI-Safe Onboarding

Pre-deployment audit · 7-day delivery

Run an AIRM scan before the client's AI users go live — whether the rollout is ChatGPT, Claude, Copilot, Perplexity, DeepSeek, Lindy, or a mix. Surface the top-10 oversharing sites by sensitivity exposure. Deliver a remediation plan + gated rollout: these users on these sites this week, the rest in 30 days.

Typical MSP charge$1,500 – $5,000
Your delivery cost~3–5 hrs eng time
Indicative MSP margin~75–90%

"Before you turn any of these AI tools on for everyone, let's spend a week making sure the marketing intern can't summarise the CFO's compensation review."

Service 02 · Monthly retainer

AI Agent Governance

Continuous · per tenant per month

A recurring service for the full AI estate — ChatGPT & Claude OAuth grants, Copilot agents, Perplexity / DeepSeek / Lindy seats, n8n / Zapier workflow integrations, custom-built agents. Monthly review, risk-scored, dormant-identity sweep, board-ready evidence pack.

Typical MSP charge$250 – $750 /tenant/mo
Your delivery costlow — AIRM automates the bulk
Indicative MSP marginmost of the spread

"Every AI tool your team adopts adds identities to your tenant. We govern them so you don't have to think about it."

Service 03 · Quarterly

AI Risk Posture

Quarterly evidence pack · executive

A quarterly posture report for the client's leadership team — NHI risk trend, remediation log, compliance mapping (ISO 27001 / SOC 2 / Essential Eight / NIS2). The artefact that wins the next renewal conversation and the next cyber-insurance underwriting.

Typical MSP charge$450 – $1,000 /tenant/qtr
Your delivery cost~2 hrs (AIRM auto-generates)
Indicative MSP margin~80–95%

"When your auditor or your cyber insurer asks how you're governing AI identity sprawl — this is what you hand them."

Act 2 · Your services revenue, quantified

Now stack the services you ship on top of the licence margin.

The calculator above sized the AIRM subscription margin — the floor. This one sizes the part that's your business: the three service lines above, priced at your rates, sold to whatever share of your adopted clients takes them. Slide every lever. The defaults sit at the premium end of the benchmark ranges in the cards above — slide them down to match your local market.

i On iPhone or iPad? If the sliders won't move, that's iOS Mail's preview pane blocking JavaScript. Open in Safari (share icon → Open in Safari) and the calculator works normally.

Your inputs

One adoption slider, then a price and an attach rate for each of the three service lines.

Mirror the adoption count from the calculator above

Share of adopters who buy it · 80%

Share of adopters on retainer · 60%

Share of adopters who buy it · 50%

Illustrative service economics — not Sabiki SKUs. Onboarding is one-off (Year-1 only); retainer and report are recurring. Defaults are premium; the benchmark ranges are in the service cards above. The only price relationship between you and Sabiki remains the per-tenant AIRM subscription.

Services revenue · 3 lines live
AI-Safe Onboarding (one-off, Y1) $42,000
AI Agent Governance (recurring / yr) $81,000
AI Risk Posture (recurring / yr) $30,000
Year-1 services revenue $153,000

Total partner revenue · Year 1

$177,443

Recurring run-rate / yr

$135,443

Total partner revenue = AIRM licence margin + services. Year-1 includes the one-off onboarding; the run-rate is the durable annual figure once onboarding is delivered — licence margin plus recurring retainers and reports. Services are where the margin lives — the licence is the floor that gets you in the room.

How you'll position it to your clients

Three conversations, three openings.

The same client meeting, three different rooms. Use the script that maps to whoever's actually in the chair — the owner cares about competitiveness, the CFO cares about risk transfer, the IT lead cares about operational reality.

OWN The Business Owner Cares about competitiveness

"Everyone's talking about AI. We've got ChatGPT in marketing, a Copilot pilot in finance, the dev team is using Claude — but I'm honestly not sure if we're getting value or creating problems."

Your script

"That's the conversation every business owner is having right now. The question isn't whether to adopt AI — your competitors already are. The question is whether you can adopt it safely enough to expand it. We can scan your tenant this week and give you a one-page picture of what's actually happening. Then you decide what to do next."

CFO The CFO Cares about risk transfer

"What's our exposure if one of these AI tools causes a data breach? And what's our cyber insurance going to say at renewal?"

Your script

"Identity governance is now a renewal-questionnaire question with Marsh, Aon, Beazley — and the answer affects your premium. We can give you the evidence pack your insurer's now asking for, before they ask. It's a quarterly artefact, signed off, dated, auditor-friendly. About $900 a quarter."

IT The IT Lead Cares about operational reality

"We already have Defender and Entra Premium. What does this actually do that those don't?"

Your script

"Entra Premium shows you the identities and lets you act one at a time. AIRM scores them continuously, gives you a triaged remediation queue, and produces the audit log your auditor's now asking for. It's the workflow layer, not a replacement for what you have. Read-only on day one — nothing changes in your tenant unless you turn it on."

The 90-day flagship path

From first scan to Gold tier in 90 days.

The realistic ramp for an MSP that productises from day one. The principals who follow this path hit Gold tier (33% margin) by month three; cautious testers stay at Silver for twelve.

Day 1Evaluate

Run a free scan against your first tenant.

Read-only Graph API, agentless, GDAP-compatible. Executive summary returned the same day with NHI inventory + top risks. Zero commitment.

$0

Investment

Day 30First sale

First paid tenant + first AI-Safe engagement.

Pick the warmest M365 client in your book. Use the scan output as the discovery artefact. Land AI-Safe Onboarding ($3k average) + AIRM subscription. Silver tier active.

$3k

First service revenue

Day 60Productise

All three services live in your portfolio.

AI-Safe Onboarding + AI Agent Governance + AI Risk Posture quarterly all priced, packaged, in your PSA. Five tenants live. Marketing push to your full book.

5

Tenants live

Day 90Flagship

10+ tenants live · Gold tier triggered.

Partner margin moves to 33% across your full book. First AI Risk Posture quarterly delivered to client leadership teams. AIRM is now the flagship line in your AI services portfolio — your service-line revenue stacks on top.

33%

Partner margin locked

No agents · No deployment · No commitment

Run AIRM on one customer's tenant. Decide after the report.

AIRM is delivered entirely from the tenant — there's nothing for your client to install, approve, or worry about. Run a free scan on the warmest M365 customer in your book this week. If the report doesn't make the case for you, you walk away. No cost. No friction. No exposure.

No agents. Anywhere.

Cloud-only, tenant-level, deployed via Microsoft Graph API. Nothing installed on endpoints, no MX changes, no client-side software to support or patch. Your client's environment isn't touched.

Read-only on Day 1.

AIRM observes — it doesn't modify a single permission, grant, or identity until you flip the switch. Zero client-facing disruption. Nothing for the helpdesk to field. GDAP-compatible from minute one.

Decide after the data.

Run the free 14-day scan. Read the executive summary and full NHI inventory the same day. Subscribe only if the report makes the case. If it doesn't, walk away. No credit card. No commitment.

Free 14-day trial No credit card Read-only Day 1 GDAP-compatible No agents on endpoints