Proofpoint’s MSP Platform has launched an AI governance playbook for managed service providers (MSPs) serving small and midsize businesses, giving providers a process-level guide for customer onboarding, incident response, vendor management, cybersecurity delivery and generative AI use.
The June 2 release follows Proofpoint’s May launch of a dedicated MSP Platform business unit, formed after its acquisition of Hornetsecurity and aimed at managed service providers and SMB customers in North America.
Proofpoint said its 365 Total Protection platform for MSPs combines Microsoft 365 security, security awareness training, backup, compliance support and AI cyber assistance.
Operationalizing the channel push
The new resource, MSP Playbook for Working Smarter, Not Harder, extends that channel push into operating practices. Proofpoint’s playbook page lists six focus areas: onboarding, monitoring and maintenance, customization, managing cybersecurity, vendor management and GenAI.
The company describes the guide as a resource for providers facing cybercrime, manual processes, compliance rules and client demand while trying to scale service delivery.
Transitioning to structured AI governance
The AI section moves the discussion from general experimentation to customer governance. Proofpoint said businesses are shifting from ad hoc generative AI use toward more structured adoption, while MSPs are being asked to guide how customers use the technology.
Daniel Blank, senior vice president of global MSP sales at Proofpoint MSP Platform, said SMB clients are asking about “how AI should be used, how it’s already being adopted by employees, and what policies and controls need to be established.”
Integrating agentic AI into existing security models
In May guidance, the Australian Signals Directorate’s Australian Cyber Security Centre, CISA, the NSA, the Canadian Centre for Cyber Security, New Zealand’s NCSC and the UK NCSC described agentic AI systems as large language model-based systems connected to external tools, data sources, memory and planning workflows.
The agencies said these systems can act without continuous human intervention and may introduce risks through prompt injection, expanded attack surfaces, privileges and downstream integrations.
The same guidance recommends treating agentic AI risk as part of an organization’s existing security model rather than a separate technology issue. It also recommends never granting agentic AI broad or unrestricted access, especially to sensitive data or critical systems.
For MSPs, that language places AI governance close to familiar service categories: identity, permissions, logging, incident response, access review and customer policy.
Shadow AI and the visibility gap
Visibility remains one of the clearest gaps. A Cloud Security Alliance survey, commissioned by Token Security and based on 418 IT and security respondents, found that 82% of organizations had discovered unknown AI agents in their environments.
The same survey found that 65% reported at least one AI agent-related incident in the previous 12 months and only 21% had formal decommissioning processes for AI agents.
CSA also linked the issue to lifecycle control. Hillary Baron, assistant vice president of research at CSA, said “gaps in consistency and end-of-life management remain” as agents gain autonomy. The survey also reported data exposure, operational disruption and financial losses among organizations that experienced AI agent-related incidents.