Glossary

The vocabulary of an AI-native MSP. Plain definitions for the terms our clients ask about most.

A

AI-Native MSP

A managed services provider that builds its own AI products and runs its operations on those same products.

A conventional MSP licenses tools from vendors and resells their capabilities. An AI-native MSP designs its own automation, monitoring, and intelligence layers, then uses them internally before selling access to clients. The result is a tighter feedback loop: improvements driven by real production incidents translate into product updates, not just policy documents.

The distinction matters for buyers because it affects accountability. When the provider's own infrastructure runs on the same stack as yours, they have a direct incentive to keep it reliable and secure.

See also: Fully Managed IT, Managed SOC

Article 50 (EU AI Act)

The EU AI Act provision requiring disclosure when users are interacting with an AI system, enforceable from August 2026.

Article 50 applies to any organization deploying AI systems that generate synthetic content, make automated decisions affecting individuals, or interact with users through a conversational interface. Covered systems must clearly inform users they are engaging with AI, in plain language, before interaction begins. Violations carry fines of up to 3% of global annual turnover.

For US-based companies using AI in customer-facing workflows, Article 50 compliance is triggered by the location of the end user, not the company's headquarters. Any client with EU customers or employees falls within scope.

See also: Compliance Support, Automated Compliance Reports

Automated Compliance

Continuous, software-driven verification of regulatory controls that replaces periodic manual audits.

Traditional compliance relies on annual or quarterly reviews: an auditor checks documentation, tests controls, and issues a point-in-time report. Automated compliance runs those same checks continuously against live configuration data (cloud access policies, endpoint patch status, backup logs) and flags drift the moment it occurs rather than months later.

This approach is particularly relevant for frameworks with ongoing evidence requirements, including SOC 2 Type II, HIPAA, and CMMC Level 2. The output is a continuously updated control inventory rather than a static report.

See also: Automated Compliance Reports, Compliance Support

B

Backup & Disaster Recovery

The combined practice of copying data to secure secondary storage and testing rapid restoration of systems after an outage or attack.

Backup addresses the data layer: automated, encrypted copies stored offsite or in a separate cloud region. Disaster Recovery (DR) addresses the operational layer: documented procedures and tested runbooks for restoring critical systems within a defined Recovery Time Objective (RTO) and Recovery Point Objective (RPO). The two are often confused: a backup strategy that has never been tested for restoration is not a DR plan.

Ransomware has made DR testing a board-level concern. An immutable backup stored in a network-isolated location is the primary defense when encrypted data must be recovered without paying a ransom.

See also: Backup & Disaster Recovery, Threat Protection

C

CMMC (Cybersecurity Maturity Model Certification)

A US Department of Defense framework requiring contractors to achieve certified cybersecurity controls before bidding on federal contracts.

CMMC 2.0 defines three levels: Level 1 covers basic cyber hygiene (17 practices); Level 2 aligns to NIST SP 800-171 (110 practices) and requires third-party assessment for most contracts involving Controlled Unclassified Information (CUI); Level 3 adds NIST SP 800-172 requirements and government-led assessment. The rule was finalized in late 2024, with phased enforcement through 2028.

Companies in the Defense Industrial Base supply chain (including subcontractors who never interact directly with DoD) must demonstrate compliance at the appropriate level. Gaps in a subcontractor's controls can disqualify the prime contractor.

See also: Compliance Support, Automated Compliance Reports

Co-Managed IT

A model in which an internal IT team and an MSP share responsibility for infrastructure, support, and projects according to a negotiated scope.

Co-managed IT is common in organizations with an existing IT staff that lacks capacity, specialized skills, or 24/7 coverage. The MSP fills defined gaps (overnight monitoring, security operations, cloud architecture) rather than replacing the internal team. Scope is codified in a responsibility matrix that specifies who owns which systems and escalation paths.

The model is distinct from staff augmentation: the MSP brings its own tooling, processes, and SLAs rather than simply providing headcount. Internal staff typically retain ownership of business-specific applications while the MSP owns the infrastructure layer.

See also: Co-Managed IT, Fully Managed IT

Cloud Migration

The process of moving on-premises servers, applications, or data to a cloud platform such as Microsoft Azure, Google Cloud, or AWS.

Cloud migrations range from "lift and shift" (moving virtual machines to cloud infrastructure with minimal changes) to full re-architecture where applications are rebuilt as cloud-native services. The right approach depends on application complexity, licensing terms, latency requirements, and the organization's long-term platform strategy.

Common failure modes include underestimating egress costs, migrating technical debt alongside workloads, and skipping a pre-migration dependency audit. A successful migration plan documents every application's interdependencies before the cutover window opens.

See also: Cloud Migrations, IT Projects & Migrations

E

EDR (Endpoint Detection & Response)

Software on every laptop, desktop, and server that watches for suspicious behavior and blocks attacks in real time.

EDR replaces traditional antivirus. Where antivirus matched files against a list of known threats, EDR watches what programs do and stops them when they act maliciously, even if no one has seen the specific threat before. It monitors process execution, network connections, file modifications, and memory activity, correlating these signals against behavioral models built from global threat intelligence.

We deploy SentinelOne EDR across every managed endpoint and monitor it continuously from our SOC. When EDR detects an anomaly, automated containment can isolate an endpoint from the network in under 30 seconds while preserving forensic artifacts for investigation.

See also: Managed SOC, Threat Protection

F

Fractional CIO / CTO

A senior technology executive hired on a part-time or contract basis to provide strategic IT leadership without the cost of a full-time hire.

A Fractional CIO attends leadership meetings, owns the IT roadmap, represents technology in board discussions, and aligns infrastructure spending to business objectives. The model is common in companies between 50 and 500 employees: large enough to need executive-level IT strategy, but not yet large enough to justify a $250,000-plus annual salary for a dedicated hire.

A Fractional CTO focuses on product and engineering strategy: architecture decisions, build vs. buy tradeoffs, technical hiring, and vendor selection. Both roles are typically engaged 10 to 20 hours per month and operate independently of the MSP's day-to-day delivery team.

See also: Fractional CIO / Fractional CTO, vCIO

G

GEO (Generative Engine Optimization)

Structuring content so that AI answer engines (Perplexity, ChatGPT Search, Google AI Overviews) cite it accurately and consistently.

Traditional SEO targets keyword rankings in a blue-link results page. GEO targets citation in AI-generated answers. The disciplines overlap but diverge in execution: GEO prioritizes information density, factual specificity, structured schema markup, and named authorship over keyword frequency. Pages that AI engines cite tend to define terms precisely, include verifiable statistics, and link to authoritative sources.

For B2B service companies, GEO matters because buyers increasingly begin vendor research through AI assistants rather than search. A company not cited in AI answers is effectively invisible to a growing segment of its target market, even if it ranks highly in traditional search.

See also: Free AI Visibility Audit, AI SEO / GEO

H

HIPAA

US federal law governing the privacy and security of protected health information (PHI) held by healthcare organizations and their service providers.

HIPAA's Security Rule requires covered entities and business associates to implement administrative, physical, and technical safeguards for electronic PHI. Technical requirements include access controls, audit logging, encryption in transit and at rest, and documented risk assessments. Business Associates (any vendor who processes PHI on behalf of a covered entity) must sign a Business Associate Agreement (BAA) and comply with the same security standards.

HIPAA compliance is not a one-time certification. It requires ongoing risk analysis, workforce training, incident response procedures, and documentation of all security decisions. The HHS Office for Civil Rights enforces HIPAA through audits and complaint investigations, with penalties up to $1.9 million per violation category per year.

See also: Compliance Support, Automated Compliance Reports

M

Managed SOC

A Security Operations Center delivered as a service: 24/7 threat monitoring, detection, and incident response without an in-house team.

A SOC (Security Operations Center) is the function responsible for continuously monitoring an organization's technology environment for threats, investigating alerts, and coordinating response. A managed SOC delivers this function as a service: the provider supplies the analysts, tooling, and processes, while the client gains coverage they could not build internally at equivalent cost or speed.

Our managed SOC uses AI-driven correlation across endpoint, network, email, and cloud telemetry to detect threats in under 2 minutes and initiate containment in under 30 seconds for confirmed incidents. The 45-minute resolution SLA for critical incidents is enforced by automated SLA monitoring rather than treated as a best-effort target.

See also: Managed SOC, EDR, MDR

MCP (Model Context Protocol)

An open protocol, donated to the Linux Foundation in May 2026, that standardizes how AI agents connect to external tools, data sources, and services.

MCP defines a structured interface between an AI model and external capabilities (file systems, APIs, databases, browsers) so that different AI systems can invoke the same tools using a common contract. Before MCP, every AI application had to build and maintain its own integrations. With MCP, a tool published once is accessible to any compliant agent.

For enterprises, MCP is relevant because it is becoming the standard by which AI agents in productivity software, security tools, and custom applications access internal systems. Organizations that govern their MCP tool surface (controlling which agents can call which tools with which permissions) are better positioned to manage the risk of agentic AI in their environment.

See also: MCP & the Linux Foundation (blog)

MDR (Managed Detection & Response)

A security service combining technology and human analysts to detect, investigate, and contain threats across an organization's environment.

MDR is the operational layer above EDR and SIEM. Where EDR provides endpoint-level detection and SIEM aggregates logs, MDR providers actively hunt for threats that technology alone misses, investigate confirmed alerts, and execute containment actions on behalf of the client. The human element distinguishes MDR from purely automated security products.

MDR is often confused with MSSP (Managed Security Service Provider). MSSPs typically monitor alerts and escalate to the client; MDR providers take direct response action. The distinction matters when evaluating response time commitments: an MSSP SLA may cover alert notification, while an MDR SLA covers time-to-containment.

See also: Managed SOC, SIEM

MFA (Multi-Factor Authentication)

A login process that requires two or more verification methods before granting access to a system or application.

MFA typically combines something the user knows (password), something the user has (phone or hardware key), and something the user is (biometric). The most common implementation pairs a password with a time-based one-time code delivered via an authenticator app. SMS-based codes are weaker and vulnerable to SIM-swapping attacks; app-based or hardware-key MFA is preferred for sensitive systems.

Verizon's 2024 Data Breach Investigations Report found that stolen or weak credentials were a factor in more than 80% of breaches. MFA does not prevent all credential-based attacks (adversary-in-the-middle phishing kits can intercept session tokens) but it eliminates the largest category of opportunistic compromise.

See also: Threat Protection, Zero Trust

MSP / MSSP

An MSP manages IT operations; an MSSP adds dedicated security monitoring and response on top of that foundation.

A Managed Service Provider (MSP) handles the day-to-day technology operations of a client organization: helpdesk support, device management, network monitoring, backup, and cloud administration. The relationship is typically governed by a monthly retainer and an SLA specifying response and resolution targets.

A Managed Security Service Provider (MSSP) extends that foundation with dedicated security operations: 24/7 SOC monitoring, threat hunting, incident response, and compliance reporting. Some providers operate as both; others specialize. When evaluating an MSP that claims security capabilities, ask specifically who staffs the SOC, what hours they operate, and what their mean time to contain a confirmed threat is.

See also: Fully Managed IT, Managed SOC

P

Patch Management

The systematic process of identifying, testing, and applying software updates to operating systems and applications to close known vulnerabilities.

Most exploited vulnerabilities have a published patch available for weeks or months before a breach occurs. Patch management closes that window. The process involves inventorying all software versions across every device, monitoring vendor advisories, testing updates in a staging environment where practical, and deploying patches within a defined timeframe based on CVSS severity scores.

In a managed IT environment, patch management is typically automated via RMM tooling. Critical patches (CVSS 9.0 or higher) are typically deployed within 24 to 72 hours of release; standard patches follow a monthly cycle. Emergency out-of-band patches for actively exploited zero-days are handled as incidents, not scheduled maintenance.

See also: Fully Managed IT, RMM

Phishing Simulation

Controlled, fake phishing emails sent to employees to measure susceptibility and train staff to recognize social-engineering attacks.

Phishing simulations are run on a scheduled cadence (typically monthly) without prior warning to employees. When a user clicks a simulated malicious link, they are redirected to a training module rather than a real attack payload. Aggregate click rates by department, seniority, and role provide measurable data on where security awareness training is most needed.

Effective phishing programs vary the lure types: credential harvesting, malicious attachment, voice phishing (vishing) awareness, and SMS-based attacks (smishing). A program that runs only credential-harvesting simulations will miss the growing prevalence of document-based and QR code attacks targeting corporate email.

See also: Security Awareness & Phishing Testing

R

RMM (Remote Monitoring & Management)

Software that allows an MSP to monitor device health, deploy patches, run scripts, and support endpoints without physical presence.

RMM agents are installed on every managed device (servers, workstations, laptops) and report health telemetry in real time: CPU load, disk capacity, memory pressure, service status, patch compliance, and security agent status. The MSP's platform aggregates this data, generates alerts when thresholds are breached, and provides a remote shell for remediation.

RMM is foundational to managed IT: it is how an MSP manages hundreds of client devices without proportional headcount growth. The security implications of RMM are significant: an RMM agent runs with high privilege on every endpoint, making the RMM platform itself a target for attackers seeking to move laterally across an MSP's entire client base. Multi-tenant isolation and MFA on RMM consoles are non-negotiable controls.

See also: Fully Managed IT, Patch Management

S

SIEM (Security Information & Event Management)

A platform that collects and correlates log data from across an organization's technology stack to surface security events and support investigation.

A SIEM ingests log streams from firewalls, endpoints, cloud services, identity providers, email gateways, and applications, normalizing them into a common format for search and correlation. Detection rules and behavioral analytics identify patterns that indicate attack sequences: a failed login followed by a successful one from a different country, or a service account accessing files it has never touched.

SIEM alone does not respond to threats; it surfaces them. The value of a SIEM depends entirely on the quality of detection content and the analysts interpreting alerts. Deployed without tuning and oversight, a SIEM generates alert volumes that exceed any analyst team's capacity, a condition known as alert fatigue.

See also: Managed SOC, MDR

SLA (Service Level Agreement)

A contractual commitment specifying response times, uptime targets, and remedies if those targets are missed.

SLAs define the operational contract between an MSP and its clients. Response SLA specifies how quickly the provider acknowledges a ticket; resolution SLA specifies how quickly the issue must be resolved. Uptime SLAs define acceptable availability for covered infrastructure, typically expressed as a percentage (99.9% is 8.7 hours of downtime per year).

The remedy clause (what happens when SLAs are missed) is where contracts vary significantly. Credit-based remedies are common but may be insufficient for businesses where an hour of downtime costs more than a monthly service fee. When evaluating SLA terms, buyers should assess whether remedies reflect the actual cost of failure, not just a token credit.

Our published SLAs: 2-min response on security alerts, 45-min resolution on critical incidents, 99.9% uptime. Automated SLA monitoring enforces these commitments on every ticket.

See also: Service Tiers

SOC 2

An AICPA audit framework evaluating a service organization's controls over security, availability, processing integrity, confidentiality, and privacy.

SOC 2 is not a certification; it is an audit report issued by a licensed CPA firm. Type I reports assess whether controls are designed appropriately at a point in time. Type II reports assess whether those controls operated effectively over a period, typically six to twelve months. Most enterprise buyers require a SOC 2 Type II report as a condition of contracting with software vendors and service providers.

The five Trust Service Criteria map to business concerns: Security (is data protected from unauthorized access?), Availability (is the service reliably accessible?), Processing Integrity (is processing complete and accurate?), Confidentiality (is sensitive information protected?), Privacy (is personal data handled in accordance with stated policy?). Not all criteria are required in every audit; scope is defined by the service being assessed.

See also: Compliance Support, Automated Compliance Reports

T

Threat Protection

A layered set of controls (endpoint security, email filtering, DNS protection, and access controls) designed to stop attacks before they cause damage.

Threat protection operates across multiple vectors simultaneously. Endpoint controls (EDR) watch device behavior. Email security filters phishing, malware, and business email compromise attempts before they reach inboxes. DNS filtering blocks connections to known malicious domains at the network layer. Identity controls (MFA, conditional access, privileged access management) limit what attackers can do with compromised credentials.

No single control is sufficient. Defense in depth means that a failure at one layer (a user clicking a phishing link) does not result in a breach because subsequent controls contain the damage. The goal is to raise the cost and complexity of a successful attack beyond what most threat actors are willing to invest.

See also: Threat Protection, EDR, MFA

V

vCIO (Virtual Chief Information Officer)

An outsourced strategic IT advisor who owns the technology roadmap and aligns IT spend to business goals, engaged on a part-time basis.

A vCIO differs from a Fractional CIO in emphasis: the vCIO role is typically delivered by an MSP as part of a managed services engagement, focusing on budget planning, vendor selection, technology roadmap reviews, and quarterly business reviews. The Fractional CIO is more commonly an independent executive engaged directly, with broader authority and a seat at the leadership table.

In practice, both roles answer the same question: how does this organization's technology strategy serve its business objectives? The vCIO function provides mid-market companies access to executive-level thinking that guides capital expenditure decisions, M&A due diligence, and regulatory readiness, without the overhead of a full-time hire.

See also: Fractional CIO / Fractional CTO, Fractional CIO

Z

Zero Trust

A security model that verifies every user and device before granting access to any resource, regardless of network location.

Traditional network security drew a perimeter around the corporate network and trusted everything inside it. Zero Trust discards that assumption. Every access request (whether from an employee on the office network or a remote contractor) is authenticated, authorized, and continuously validated against policy. The model is summarized as "never trust, always verify."

Zero Trust is an architecture, not a product. Implementing it involves identity verification (MFA, conditional access), device health checks (endpoint compliance policies), least-privilege access controls (limiting what each user and service account can reach), and microsegmentation (dividing the network so lateral movement is constrained). NIST SP 800-207 is the canonical reference framework for Zero Trust architecture in the US federal and enterprise context.

See also: Threat Protection, MFA, Managed SOC