# Centered Networks — full body content for AI ingestion > Companion to /llms.txt. Where llms.txt is a curated index, this file contains the full body text of the most citation-worthy pages so AI models can ingest content directly. Last updated: 2026-05-26. See /llms.txt for the navigable URL index with per-page citation guidance. --- # The MIP: why the MSP category is ending and what replaces it URL: https://www.centerednetworks.com/mip.html ## Position paper ## The MIP: why the MSP category is ending and what replaces it. A twenty-year arc closes. From break-fix, through managed services, MSSP, and the cloud-first MSP, the work has finally moved on. What replaces it is the Managed Intelligence Provider — and for mission-driven organizations, the difference is structural, not cosmetic. Published: May 22, 2026. Reading time: ~10 min. Author: Centered Networks. In the past three weeks, the two largest AI labs in the world stood up standalone enterprise services firms. On May 4, Anthropic announced a $1.5 billion AI-native services firm with Blackstone, Hellman & Friedman, and Goldman Sachs. One week later, OpenAI launched its Deployment Company with $4 billion from TPG and nineteen co-investors, and absorbed the AI consulting firm Tomoro on the same day. Both are running the Palantir playbook for the model-vendor era: send technical teams into operating businesses, redesign workflows around agents, and stay embedded long enough to make the deployment actually work. The pattern matters. So does the gap it leaves open. What the announcements really told the market is that the MSP category which defined business IT for the last twenty years is ending. The work itself has moved. What replaces it is the Managed Intelligence Provider — the MIP — and for the nonprofits, foundations, and rural hospitals neither Anthropic nor OpenAI will reach, the question is no longer whether the model will arrive but whose version of it will get there first. ### $5.5 billion in three weeks, validating one thesis. **May 4, 2026.** Anthropic announces a $1.5B AI-native services firm with Blackstone, Hellman & Friedman, and Goldman Sachs. Co-investors include General Atlantic, Apollo, Sequoia, Leonard Green, and GIC. Target market: community banks, mid-sized manufacturers, and regional health systems. **May 11, 2026.** OpenAI launches its Deployment Company with $4B from TPG and nineteen co-investors including Advent, Bain Capital, and Brookfield. Acquires Tomoro (~150 AI engineers) the same day. Target market: general mid-market enterprise. Two firms. Eighteen co-investors of institutional scale. One thesis, capitalized at $5.5B in twenty-one days: the future of enterprise AI is forward-deployed and managed, not licensed and self-served. ## 01. Why the MSP category is ending. Read the last twenty years of managed IT as four patterns, each a layer of professionalism on top of the last. **Break-fix, mid-2000s.** A truck rolls when something breaks. The bill is hourly. There is no relationship and no posture, only events. The business is fundamentally reactive. **Managed services, 2010s.** Flat-fee monitoring, patching, and helpdesk replaces the truck roll. Uptime is the SLA. The relationship is monthly. The whole category invents itself around predictability: predictable costs for the client, predictable revenue for the provider, predictable Tuesday-morning support tickets for both. The category names itself the MSP. **The MSSP overlay, late 2010s.** Security stops being an add-on and becomes a co-equal layer. Endpoint detection, SIEM, and a SOC sit alongside the managed services contract. The smart MSPs build out an MSSP arm. The unsophisticated ones bolt on a third-party SIEM tool, call it managed security, and quietly hope a real incident never arrives. **The cloud-first MSP, 2020s.** Microsoft 365 and Azure become the client's actual operating environment. The work moves from racks in a closet to tenants in the cloud. The MSP's competence shifts from servers to Entra, Intune, Defender, Purview, and the Microsoft 365 admin center. The contract still bills monthly, the SLA still names uptime, but the underlying skill set has been reborn. Each step was a layer of professionalism on top of the previous one. The MIP is not the next layer. It is a different operating model. The work has shifted from running infrastructure — a finite, mature, mostly-solved problem — to deploying and operating intelligence, which is none of those things. Models change quarterly. Governance requirements evolve continuously. Agent lifecycles need ongoing operation. None of that fits inside a 36-month MSP contract focused on uptime SLAs and ticket SLAs. The category that won the last twenty years was built around a different problem than the one in front of the buyer now. > The work has shifted from running infrastructure to deploying and operating intelligence. Models change quarterly. Governance evolves continuously. None of that fits inside an uptime SLA. ## 02. What an MIP actually is. The category was named by the MSP industry analysts at **Pax8** and **Inforcer**, who began publishing the Managed Intelligence Provider thesis in late 2025. The label is theirs. The structural definition that follows is the one the market is now converging on. An MIP is recognizable by five characteristics, not by a marketing claim. - **Managed intelligence as a primary deliverable, not a tail engagement.** Agents need lifecycle management. Tokens need cost monitoring. Governance posture evolves with the underlying models. Drift gets detected and corrected. Compliance gets attested continuously. This is monthly billing, quarterly governance review, and a delivery manager who owns the relationship — not a project that ended last quarter and a support inbox that ignores it. - **A productized engagement model** with Assess, Deploy, and Operate as a defined sequence — not a custom SOW for every client. A fixed-fee assessment is the front door. A fixed-scope deployment is the middle. Ongoing managed operations are the steady state. Buyers can read the price, the duration, and the deliverable before they sign. Generic consulting cannot. - **Vendor-aligned but client-loyal.** Deep alignment with one platform buys integration depth, governance simplicity, and pricing economics the client could not access alone. The right to deploy outside that platform when a specific workflow demands it protects the client from lock-in. The MIP picks a side on platform and stays on the client's side on outcomes. - **Vertical specificity as a moat.** The generalist services firms — Anthropic's, OpenAI's, Accenture, Deloitte — accumulate horizontal scale across industries. A vertical-specific MIP accumulates sector knowledge instead: how nonprofits are funded, how foundations are governed, what HIPAA looks like for a Critical Access Hospital, what an OMB Circular A-133 audit actually reads. That knowledge compounds in a way horizontal scale does not. - **Structural promises, not statements of intent.** Fixed prices, fixed durations, named guarantees with named remedies: the deliverable lands on the published date, or the customer pays nothing for that week. The opposite of the open-ended consulting SOW where the price is "time and materials" and the duration is "until the budget runs out." Each of these is observable from the outside. A buyer can read a website, an SOW, and a price sheet and tell whether a firm is an MIP or an MSP that put "AI" on its homepage. The category is not aspirational. It is structural. > The category is structural, not aspirational. A buyer can read an SOW and a price sheet and tell which side of the line a firm sits on. ## 03. Why mission-driven organizations need an MIP specifically. Read the targeting language of the two big announcements again, carefully. Anthropic's firm is aimed at community banks, mid-sized manufacturers, and regional health systems. OpenAI's is aimed at general mid-market enterprise. Both sit below the Accenture and Deloitte tier — the segment the large systems integrators have chronically underserved — and both will reach a customer base that can absorb $250,000 to $2 million in AI services spend without flinching. That is not the mission-driven sector. A 40-person community foundation cannot absorb a $1M consulting engagement. A 25-bed Critical Access Hospital cannot absorb it. A 200-person human services nonprofit running on the donor relationships of three program officers cannot absorb it. The economics of the firms Anthropic and OpenAI just launched do not bend down to mission-driven scale, and pretending otherwise wastes time and budget on both sides of the table. The structural reasons go deeper than headline price. Mission-driven organizations have: - **Small in-house IT and zero in-house AI talent.** The work cannot be assembled out of internal staff hours. It has to arrive as a managed service or it does not arrive at all. - **Board scrutiny on every new vendor.** Foundation boards govern, hospital boards govern, nonprofit boards govern. A new partner has to be defensible at the board level, with a credentials story, a governance story, and a price story that survives a finance-committee read. - **Funding cycles that do not permit surprise consulting invoices.** Grant-funded budgets and donor-restricted funds do not absorb scope creep. Predictable monthly cost is not a preference; it is a procurement requirement. - **Regulatory weight unequal to staff size.** HIPAA for a 25-bed hospital. OMB Circular A-133 for a federally-funded nonprofit. Donor-data fiduciary duty for a foundation. The compliance burden does not scale down with the organization, and neither does the cost of getting it wrong. The MIP's monthly-billed, structurally-promised, continuously-operated model is the only commercial structure that matches this reality. Project consulting firms do not fit. License resellers do not fit. The forward-deployed services arms of the AI labs do not fit. The gap is the most important thing in this story, and it is not a market failure. It is a market opening. ## 04. What separates a real MIP from a pretender. The label is going to be claimed widely over the next eighteen months. Every MSP with a Copilot tab on its website will discover that "Managed Intelligence Provider" sounds better in a Tuesday-morning sales meeting than "Managed Services Provider with an AI slide deck." A buyer cannot rely on the label. The structure underneath the label is the only useful signal. Five questions a board chair or rural-hospital CIO can ask any prospective partner. The answers do the diagnostic work the label cannot. ### Are the price and the duration published? A real MIP shows the price of an Assessment, the price of a Deployment, and the price of ongoing Operations on its website, with a duration attached to each. A pretender quotes everything as "contact us for a custom proposal." The opacity is the tell: a productized engagement model has nothing to hide on price, and the firms that hide it do so because they do not have a product. ### Are there structural promises with named consequences? "We will work hard" is not a promise. "The deliverable lands on Day 14 or the week is free" is a promise. Real MIPs publish their guarantees on the same page as their prices. Pretenders bury accountability inside an MSA whose remedies clause says "reasonable commercial efforts." ### Is there a continuous-operations capability, or is "managed" just a synonym for "support tickets"? An MIP runs a managed-operations team that monitors agent health, attests governance posture quarterly, tracks token cost month over month, and updates baselines when Microsoft ships a new model. A pretender has a ticketing system. Ask to see the cadence of the quarterly governance review and the named role of the person who runs it. If the answer is vague, the capability is not there. ### Is there vertical depth in your sector, or are you the experiment? Generalists will tell you they have "experience across many industries." A vertical-specific MIP will instead tell you the name of the foundation, hospital, or nonprofit whose engagement is most similar to yours, and will offer a reference call. Sector vocabulary surfaces in the first thirty minutes of conversation. If your prospective partner does not know the difference between an FQHC and a Critical Access Hospital, or between a private foundation and a community foundation, you are the experiment. ### Is the partner deeply aligned with a primary AI platform? Vendor depth buys economics the client cannot access alone: nonprofit Microsoft licensing, Solutions Partner co-investment funding, preferential pricing on Microsoft 365 Copilot SKUs, early access to Microsoft Foundry features. A partner without that depth is reselling at retail, and the client absorbs the markup. Ask which Solutions Partner designations the firm holds, and ask which co-investment programs the engagement is eligible for. The answers are public. These five questions are not a marketing checklist. They are the buyer's side of the conversation, and they sort the category in about twenty minutes. ## 05. Centered Networks' MIP. Centered Networks is the first MIP purpose-built for mission-driven organizations on Microsoft 365 and Azure. The structure is published. The prices are published. The guarantees are structural. The Centered AI Practice is the four-stage productized ladder: AI Quickstart (a two-week board-ready diagnostic), Agent Launchpad (a first production agent in four to six weeks), Frontier Transformation (the full Microsoft Frontier stack in 90 days), and Managed AgentOps (continuous agent governance, billed monthly). Each stage has a fixed fee, a fixed duration, and a named guarantee. The CompleteCare architecture is the seven-tier managed-services spine the AI Practice runs on top of: Foundations, Govern, Automate, Insight, Construct, Intelligence, and Shield. Five Microsoft Solutions Partner designations — including Data & AI — sit underneath all of it. The Open Repo Promise keeps every agent, policy, and runbook in the client's tenant, under the client's ownership, with month-to-month exit on the managed engagement. Pax8 and Inforcer named the MIP category. Centered Networks built it for the sector the AI labs and the global integrators will not reach. > Pax8 and Inforcer named the category. We built it for the sector the AI labs and the global integrators will not reach. ## Two ways in. The Discovery Sprint is the diagnostic. The Frontier Briefing is the board-level conversation. Most engagements begin with one or the other. **Start a Discovery Sprint.** Two weeks, structured, no commitment beyond insight. We assess your Microsoft 365 environment, name the right starting tier, and deliver a 90-day roadmap your board can act on. **Request a Frontier Briefing.** A 90-minute, no-charge session on the Managed Intelligence Provider model and what it means for your organization. Built for boards and executive teams that need to align before procurement begins. --- # Discovery Sprint: Two weeks. A 90-day roadmap your board can act on. URL: https://www.centerednetworks.com/services/discovery-sprint.html ## Service · Discovery Sprint ## Two weeks. A 90-day roadmap your board can act on. The Discovery Sprint is a structured Microsoft 365 and AI readiness assessment for nonprofits, foundations, and rural hospitals. We identify your top three to five use cases, score your governance posture, and deliver a written 90-day roadmap with measurable KPIs. **Engagement overview:** 2 weeks duration / $5,000–$10,000 banded by org size / No contract, no commitment beyond the roadmap. Aligned to Microsoft's Envisioning & PoC for Agents methodology. ## Why a Sprint, not a vendor call ### Your board is asking. The answer needs to survive the next meeting. Most mission-driven leadership teams are having the same conversation right now: the board is asking about AI, staff are already using ChatGPT informally, and the funder questionnaire just added a question about AI governance. Nobody on the inside has the time or technical depth to write an honest answer. The temptation is to take a free vendor pitch, get a deck of slides, and move on. But the slides don't survive the next board meeting. What survives is a written plan with specific use cases, named owners, governance gaps surfaced and ranked, and KPIs leadership can measure against. A Discovery Sprint produces that document. Two weeks. Structured methodology. A real engagement with a real deliverable: not a sales meeting in disguise. The Sprint also answers the question every leadership team eventually asks: **where do we actually start in the CompleteCare stack?** The 90-day roadmap names the tier that fits your situation and tells you why, so the next conversation is about scope, not category. ## What you get ### Four written deliverables, in your hands at the end of week two. Written in the language a board, a funder, or a compliance reviewer can act on. All four are yours regardless of what you do next. **Deliverable 01 — Prioritized AI use cases (3–5):** The top use cases for your organization, ranked by mission impact, technical feasibility, and time to value. Each one has a named workflow, a named owner, and an estimated effort band. Filtered through Microsoft's Envisioning & PoC for Agents prioritization framework: the same methodology Microsoft asks its top partners to use. **Deliverable 02 — Business case with measurable KPIs:** For each prioritized use case: hours saved per week, cases routed faster, board reports drafted, donor outreach personalized. Numbers leadership can hold us, and you, accountable to. A board-ready business case with specific metrics per use case. **Deliverable 03 — 90-day implementation roadmap:** A phased plan from where you are to first production AI in 90 days. Weeks 1–4: secure the foundation. Weeks 5–8: deploy the pilot. Weeks 9–12: measure and expand. Each phase names the CompleteCare tier or tiers involved. **Deliverable 04 — Governance readiness assessment:** A direct answer to the question your board is asking: can we deploy Microsoft 365 Copilot and custom agents safely, and if not, what specifically has to happen first? Identity, data classification, sensitivity labels, Conditional Access, and responsible-AI policy gaps surfaced and ranked. All four deliverables are yours regardless of what you do next. There is no obligation to engage Centered Networks for the implementation. ## How it works ### Two weeks. Discovery, then prioritization and roadmap. Stakeholder interviews, a Microsoft 365 tenant review, a use-case workshop, and an executive presentation. Six to eight hours of your team's time spread across two weeks. **01 · Week 1 — Discovery** - Days 1–2: Stakeholder interviews with leadership, IT, and two to three line-of-business owners. Workflow mapping for the highest-friction processes. - Days 3–4: Microsoft 365 tenant review against Copilot and CIS IG1 readiness. Identity, data, license inventory, and shadow-AI exposure assessed. Microsoft Secure AI Productivity assessment methodology. - Day 5: Use-case workshop. Staff and leadership identify where AI could realistically help, and where it should not. **02 · Week 2 — Prioritization and roadmap** - Days 6–7: Use-case scoring through Microsoft's prioritization framework. Business case modeling. Governance gap analysis. - Days 8–9: 90-day roadmap drafted. Tier recommendation finalized. Risks and dependencies documented. - Day 10: 60-minute executive presentation. Full findings, prioritized use cases, business case, roadmap, governance verdict. Written deliverables handed off. **03 · Closeout — Executive presentation** A 60-minute session with leadership, the board representative, and whoever will be accountable for the next step. Full findings presented. Written deliverables in your hands. Questions answered. Decision timeline yours to set. ## At a glance — Engagement details - **Duration:** 2 weeks, calendar time, from kickoff to executive presentation - **Your time commitment:** 6–8 hours of stakeholder time spread across two weeks, plus IT-admin access for the tenant review - **Format:** Stakeholder interviews, tenant review, use-case workshop, governance assessment, executive presentation - **Aligned to:** Microsoft Envisioning & PoC for Agents methodology; Microsoft Secure AI Productivity assessment - **Pricing:** $5,000–$10,000, banded by organization size and tenant complexity. Qualified prospects in our priority segments may receive the Sprint at no charge: ask about eligibility on the scoping call. - **Commitment:** None beyond insight. No 12-month contract. The roadmap is yours regardless of what you do next. ## Pricing. One-time engagement. No hidden fees. The roadmap is yours. | Organization | Investment | |---|---| | Small org (100 or fewer users, single tenant) | $5,000 | | Mid-size (100–500 users) | $7,500 | | Large or complex (500+ users, multi-tenant, or healthcare) | $10,000 | | Qualified-prospect sponsorship (priority segment, scoping required) | $0 | ## Built for mission-driven organizations with a decision to make. **This is built for you if:** - Your organization has 50 to 1,000 users: nonprofits, foundations, community-serving organizations, rural hospitals - Your board has started asking about AI strategy and you need a credible written answer before the next meeting - Your IT director wants to deploy Microsoft 365 Copilot but needs the governance baseline documented first - You are evaluating Microsoft 365 Copilot licensing and need a go / not-yet verdict before signing - Your funder questionnaire now includes AI-governance language and you need a real answer, not a slide deck **This is not a fit if:** - You are looking for a free pitch deck or a sales-led discovery call. The Sprint is structured work with a real deliverable. - Your organization is outside the mission-driven sector. We work exclusively with nonprofits, foundations, and rural hospitals. - Leadership has already chosen a different partner and wants a second-opinion deck. The Sprint produces a written plan, not a competitive analysis. ## What happens after ### The roadmap names your next step. Here are the most common ones. Every path leads to a CompleteCare tier. The Sprint is the front door. **If governance gaps come first → CompleteCare Foundations.** Close the identity, device, email-security, and data-protection baseline before any AI or SOC work. This is the prerequisite tier for most organizations. **If AI is the priority and the foundation is in place → Copilot Kickstart or CompleteCare Intelligence.** A four-week productized Microsoft 365 Copilot deployment, or the ongoing managed AI program. The Sprint confirms which is the right entry point. **If you need governed AI for healthcare → Healthcare AI Readiness.** The HIPAA-aligned version of this engagement, with clinical-continuity considerations and BAA documentation built in from the start. **If a specific agent use case is obvious → Agent Kits.** Six named, productized agent deployments, each a four to six week engagement. The Sprint identifies which kit fits; the kit delivers the agent. ## We build what we recommend ### The National Mall Gateway: what this looks like at scale. We built the National Mall Gateway, the digital civic education platform for America's 250th anniversary, on Microsoft Azure for the Trust for the National Mall. The platform serves 360-degree virtual tours, lesson plans, custom itineraries, and accessibility-first features to an expected 50 million visitors during 2026. We developed a custom generative AI model in Microsoft Foundry to draft educational resources from vetted National Park Service content, and built the infrastructure with Terraform for near-instant disaster recovery. The project is featured as a Microsoft Customer Story. Every recommendation in a Discovery Sprint is grounded in the same methodology we used here: real governance, real architecture, real accountability. ## Frequently asked questions about the Discovery Sprint. **How is this different from a free discovery call?** A free discovery call is a sales conversation. The Discovery Sprint is two weeks of structured work: stakeholder interviews, tenant review, use-case scoring, governance assessment, written deliverables, and an executive presentation. The roadmap is yours whether you continue with us or not. **Is the Sprint really 2 weeks, end to end?** Yes. From the kickoff call to the executive presentation, two weeks of calendar time. We typically need 6 to 8 hours of stakeholder time spread across the two weeks, plus IT-admin access for the tenant review. **Why does pricing vary?** Sprint scope scales with the size and complexity of your environment. A 50-user nonprofit on a single Microsoft 365 tenant is a different engagement from a 500-user healthcare system with multi-tenant and HIPAA workloads. The scoping call determines which band you sit in. **What does "qualified prospect sponsorship" mean?** We occasionally sponsor the Sprint at no charge for organizations in our priority segments: typically community foundations, rural hospitals, and nonprofits in active funder-driven AI conversations. Ask on the scoping call; it is at Centered Networks' discretion. **Do we have to use Centered Networks for the implementation?** No. The roadmap is yours regardless. Roughly 80% of Sprint clients engage us for the next step because the roadmap maps cleanly to a CompleteCare tier. That is a separate decision made after the deliverables are in your hands. **What if we already have Copilot licensed but not deployed?** That is the most common starting point. The Sprint includes a specific assessment of why Copilot is not producing ROI yet. It is almost always governance, prompt-library quality, or adoption discipline rather than the platform itself. **Can the Sprint cover Microsoft 365 in general, not just AI?** Yes. While the Sprint leads with AI readiness (because that is where most boards are focused right now), the methodology covers identity, security, data, productivity, and governance: the full Microsoft 365 platform. The roadmap names whichever CompleteCare tier or tiers fit your situation, not just Intelligence. **Who runs the Sprint?** A senior Centered Networks engagement lead supported by a Microsoft-certified solutions architect for the tenant review. Chris or another member of the leadership team is the executive contact throughout. ## Microsoft alignment ### Five Microsoft Solutions Partner designations, including Data & AI. The Discovery Sprint methodology is aligned to Microsoft's Envisioning & PoC for Agents framework and the Microsoft Secure AI Productivity assessment: the programs Microsoft asks its top partners to use when helping mission-driven organizations evaluate AI readiness. - Microsoft Solutions Partner for Modern Work - Microsoft Solutions Partner for Data & AI (Azure) - Microsoft Solutions Partner for Security - Microsoft Envisioning & PoC for Agents aligned - Nonprofit charity tenant authorization - HIPAA BAA available on request --- # The Centered AI Practice URL: https://www.centerednetworks.com/services/ai-practice.html ## The Managed Intelligence Provider · for mission-driven organizations ## Walk your organization up the Frontier Firm staircase: safely, measurably, repeatably. The Centered AI Practice is a four-stage engagement ladder that takes mission-driven organizations from "we use ChatGPT informally" to "we operate as a Frontier Firm with managed AgentOps." Start with a two-week Shadow AI Diagnostic. Land in a recurring relationship where your agents are governed, your costs are managed, and your AI ROI is documented every quarter. Microsoft 5x Solutions Partner · Data & AI designation included · Built on CompleteCare · Month-to-month from day one. ## The problem ### Your board is asking about AI. Your staff is already using it. Both conversations are happening without you. Two patterns are colliding inside every mission-driven organization in 2026. The first is **board pressure**. Funders, regulators, peer organizations, and increasingly your own board members have begun asking the same question: "what's your AI plan?" The cost of having no answer used to be reputational. It's now becoming material: funders are asking about AI governance in due diligence, cyber-insurance underwriters are asking about AI-specific controls, and regulators are beginning to ask about responsible-AI posture. The second is **shadow AI**. Across every sector, 98% of employees are using unsanctioned apps including shadow AI tools, 90% of organizations report regular personal-AI-tool use for work tasks, and 80% of SMB AI users bring their own AI tools to work. That means donor records, grant material, client documentation, board materials, and, in healthcare contexts, PHI is walking out of your organization into models you don't control. 35% of breaches this year involved data stored in unmanaged data sources. Average breach cost: **$5.27 million**. They took 26.2% longer to identify and 20.2% longer to contain. > Who takes the blame when something goes wrong? Most mission-driven organizations don't have a name attached to that answer. The Centered AI Practice is built to put a name there: and a plan, a deployment, and a managed relationship behind it. ## The Frontier Staircase ### Microsoft's own research describes a three-pattern progression. The Practice is aligned to it. Microsoft's *Work Trend Index 2025: The Year the Frontier Firm Is Born* names three adoption patterns for agentic AI. The Centered AI Practice maps directly to them: four named stages, productized pricing, Microsoft-credible methodology at every step. **01. Human with assistant.** Every employee has a Microsoft 365 Copilot assistant. Governed, sanctioned, your organization's data protected. The alternative to shadow AI. **02. Human-led agents as digital colleagues.** Agents join teams as digital colleagues. The first Copilot Studio agent in production, taking on specific tasks at human direction. **03. Humans set direction, agents run workflows.** Humans set direction and agents run entire business processes. Multi-agent orchestration. The Frontier Firm at full capability. ## The Centered AI Practice ### Four stages. Each one a named engagement with fixed pricing. Start wherever you are. The ladder is designed so each stage is a complete outcome on its own: you don't have to commit to Stage 4 to benefit from Stage 1. **Where to start:** | If your organization is here… | …start here. | |---|---| | Staff uses ChatGPT, Claude, or Gemini informally. No governance. Board has begun asking. | Stage 1: Centered AI Quickstart | | Microsoft 365 Copilot purchased or about to be. Need a production deployment with governance attached and a first agent live. | Stage 2: Centered Agent Launchpad | | Stage 2 complete. Ready for the full Microsoft Frontier stack, Microsoft 365 E7, Agent 365, multi-agent orchestration. | Stage 3: Centered Frontier Transformation | | Agents in production. Need someone to govern, monitor, and evolve them month over month. | Stage 4: Centered Managed AgentOps | ### 01 · Stage 1 · 2 weeks · Fixed fee — Centered AI Quickstart The diagnostic that produces a board-ready AI plan in 14 days. Shadow AI exposure audit. Microsoft 365 Copilot readiness diagnostic. A 90-day adoption roadmap with named stage gates and KPIs. Executive briefing, recorded and board-ready. **$5,000–$15,000.** Microsoft funding typically offsets $2K–$5K via Copilot and Power Immersion Briefing. ### 02 · Stage 2 · 4–6 weeks · Fixed fee — Centered Agent Launchpad The meaningful start. Microsoft 365 Copilot deployed into production. First Copilot Studio agent in production, built from one of the four Centered Networks Agent Kits. Governance baseline in place: Agent 365 registry, Entra Agent ID, content safety policies. **$25,000–$50,000.** Microsoft funding typically offsets $15K–$50K via Copilot and Power Envisioning and Deployment Accelerator. ### 03 · Stage 3 · 90 days · Fixed fee — Centered Frontier Transformation The full Microsoft Frontier stack. Microsoft 365 E7 deployment. Microsoft Agent 365 control plane. Three or more custom agents in production using multi-agent orchestration. AI Center of Excellence design with governance rituals, RAI sign-off, and monthly value review. **$75,000–$150,000.** Microsoft funding typically offsets ~$47K via Copilot Accelerate ECIF. ### 04 · Stage 4 · Recurring · Month-to-month — Centered Managed AgentOps The Managed Intelligence Provider relationship. Agent performance monitoring. Drift detection with documented rollback procedures. Monthly governance audit. FinOps for AI: token tracking, model optimization, cost-per-outcome reporting. Quarterly AI ROI and Risk Review, board-ready. **$500–$1,500 per agent per month** plus 15% PEC on Copilot Studio consumption. No lock-in. ## Risk reversal ### Three structural guarantees. One for each stage where the stakes are highest. The guarantees propagate across the Practice because a single promise is a slogan; a stacked set of stage-specific promises is a structural commitment. Each guarantee is linked to a specific stage page where the full terms are published. **01 · Stage 1 · Centered AI Quickstart — The 14-Day Diagnostic Promise.** If the Stage 1 Shadow AI Diagnostic doesn't produce a board-ready exposure report and a 90-day roadmap on your desk by Day 14, you pay nothing. Period. **02 · Stage 3 · Frontier Transformation — The Open Repo Promise.** Every artifact we build: Copilot Studio agents, governance policies, RAI documentation, runbooks, dashboards. All of it lives in your tenant under your ownership. If you ever leave, you keep everything. No work product trapped in a Centered Networks tenant. **03 · Stage 4 · Managed AgentOps — The No-Shadow-AI-Drift Promise.** For Stage 4 customers: if shadow-AI usage of sensitive content categories trends above the Month 1 baseline for two consecutive months, the M365 Managed Services team includes targeted remediation in that month's retainer at no additional cost, until the trend reverses. ## Why Centered Networks ### Three structural differentiators. **01. We are a Managed Intelligence Provider, not an MSP.** The MSP category evolved from break-fix (2005) to Managed Services (2015) to MSSP (2020) to Cloud-first MSP (2025). Industry analysis names 2026 as the era of the Managed Intelligence Provider: an MSP helping customers consider, prepare for, and use AI. We built the Practice around that destination, not around legacy managed services. **02. Microsoft 5x Solutions Partner, including Data & AI.** Most local MSPs hold one or two Solutions Partner designations. We hold five. That stack of designations gates Microsoft funding access, gates the FY26 Copilot Specialization track, and gates the field engagement model that makes Stage 2 and Stage 3 funded engagements possible. The Data & AI designation is the one most directly at stake in every AI Practice engagement. **03. Mission-driven sector specialization.** The Practice is calibrated to nonprofit Microsoft licensing economics: $25.50 per user per month for Microsoft 365 Copilot, $50 per organization per month for Copilot Studio, at the 75% nonprofit discount. The agents in our Agent Kit library are designed around mission-driven workflows. The change management vocabulary is mission-driven, not Fortune-500. ## Pricing transparency ### What this costs for a typical 150-user nonprofit, Year 1. List prices compared to customer net after Microsoft incentive recovery. | Item | List price | Customer net (after Microsoft incentive recovery) | |---|---|---| | Stage 1: Centered AI Quickstart | $10,000 | ~$5,000 | | Stage 2: Centered Agent Launchpad | $35,000 | ~$10,000 | | Stage 4: Managed AgentOps (Months 4–12) | $13,500 | $13,500 | | **Year 1 customer net** | | **~$28,500** | Compare to: a Big-4 consultancy AI engagement at $300K–$750K. A solo AI consultant at $200 per hour with no production deployment. A generic MSP "turn on Copilot" project with no governance and no agent. Microsoft 365 Copilot licensing at $25.50 per user per month (75% nonprofit discount) is separate from the above and is a Microsoft direct purchase we facilitate. ## The prerequisite: CompleteCare Foundations. Production agents do not get deployed onto an ungoverned tenant. The Centered AI Practice is built on top of CompleteCare Foundations (or an equivalent identity, device, and email baseline). Most customers run Foundations and the Stage 1 AI Quickstart in parallel, and the baseline is in place by the time Stage 2 begins. If you're not on Foundations, start there. It's the floor the Practice stands on. The Foundations tier is designed to run in parallel with Stage 1 so there is no forced sequencing delay before your AI plan is in motion. ## Frequently asked questions about the Centered AI Practice. **What if a workflow needs an AI tool Microsoft doesn't offer?** We lead with the Microsoft stack because it's the cleanest path to governed AI for our clients — one tenant, one identity, one governance posture. For most mission-driven organizations, that integration is the value: data already lives in Microsoft 365, identity already runs on Entra, and compliance and audit trails already flow through Purview. When a workflow genuinely requires a different model or a sector-specific tool — a domain-tuned model, a specialized clinical or grants-management AI, or a capability Microsoft doesn't yet deliver — we tell you, we explain why, and we deploy it. We don't push you into Microsoft when it's not the right answer, and we don't push you out of Microsoft for the sake of vendor neutrality. The right tool for the job is the rule. **Do we need Microsoft 365 Copilot licenses before starting Stage 1?** No. Stage 1 runs on your existing Microsoft 365 environment. The AI Quickstart includes a readiness diagnostic and a license fit analysis so you make the Copilot purchase decision with the right data, not the wrong data. **Can we skip Stage 1 and start with Stage 2?** Sometimes. If you already have a documented AI plan, a governance posture in place, and a clear use case for the first agent, Stage 2 can be the starting point. The AI Quickstart is the right entry for customers who don't yet have a defensible AI story to take to the board. **What if our board doesn't approve Stage 2?** That's a healthy outcome of Stage 1. The roadmap stays yours under the Open Repo Promise. You can run Stage 2 in three months, six months, or a year later when budget and board readiness line up. We don't pressure-sell Stage 2 to a customer not ready for it. **How is this different from a generic MSP "turn on Copilot" project?** A generic MSP project ends when Copilot is turned on. The Practice begins there. Generic MSPs do not deploy agents, do not configure governance baselines, do not run AgentOps, and do not have the Microsoft Solutions Partner depth to unlock Copilot Specialization funding. Different category. **Do we need to be a nonprofit to qualify for the Practice?** No. The Practice is built for mission-driven organizations broadly: nonprofits, foundations, rural hospitals, and FQHCs. The nonprofit Microsoft licensing economics apply only to 501(c)(3) and equivalent entities; for other mission-driven organizations the Practice still applies with standard Microsoft licensing. **What happens to our work if we leave?** Everything stays with you. Copilot Studio agents, Power Platform connectors, governance policies, RAI documentation, KPI dashboards, deployment runbooks: all of it lives in your tenant under your ownership. The Open Repo Promise is structural; we don't hold customer agents hostage. **Is there a multi-year commitment?** No. Stage 4 Managed AgentOps is month-to-month with 30-day notice. Stages 1, 2, and 3 are fixed-fee project SOWs: once the project completes, there is no continuing project obligation. The relationship is what continues. ## Microsoft alignment ### Five Microsoft Solutions Partner designations, including Data & AI. The Centered AI Practice is credentialed at every layer of the Microsoft stack it deploys. The five designations together are what gates access to Microsoft funding, the FY26 Copilot Specialization track, and the field engagement model that makes funded engagements possible. - Microsoft Solutions Partner for Data & AI (Azure) - Microsoft Solutions Partner for Modern Work - Microsoft Solutions Partner for Security - Microsoft Solutions Partner for Infrastructure (Azure) - Microsoft Solutions Partner for Digital & App Innovation (Azure) - Nonprofit charity tenant authorization - Month-to-month from day one --- # Centered AI Quickstart: 2-Week Copilot Readiness & Shadow AI Audit URL: https://www.centerednetworks.com/services/ai-quickstart.html ## Service · Centered AI Quickstart ## Two weeks to a defensible answer on AI. A productized AI diagnostic for mission-driven organizations. Shadow AI audit, Copilot readiness check, 5-Driver scoring, and a board-ready 90-day roadmap, delivered in two weeks. $5K to $15K, fixed fee. Funded in part by Microsoft. Microsoft 5× Solutions Partner · Mission-driven specialization · Board-Ready Promise · Month-to-month across the Centered AI Practice. ## Why now ### The board question changed. Your answer hasn't. The question every board chair is asking this year is some version of "where do we sit on AI?" Most executive directors don't have a defensible answer. Meanwhile, staff have already started. **75% of employees use AI at work, sanctioned or not. 80% of small and mid-sized business AI users bring their own tools.** The shadow AI inventory across our recent client engagements has found ChatGPT, Claude, Gemini, Perplexity, and Grammarly in every environment we've audited, including organizations whose leadership told us, on the intake call, "we don't use AI here." The first question isn't whether to deploy Microsoft 365 Copilot. It's what's already running, what the exposure is, and what a credible next step looks like. That's what the Centered AI Quickstart delivers in two weeks. ## What you get ### Five board-ready deliverables in two weeks. The Quickstart produces written outputs your board, your auditor, and your cyber-insurance broker can act on. No checklist. No recycled deck. No pre-sales call disguised as a workshop. **01 — Shadow AI risk register.** Tool-by-tool inventory with risk level, exposure type, and recommended response. Sourced from interviews and, on S and M tiers, Microsoft Defender for Cloud Apps. **02 — 5-Driver AI Readiness scorecard.** Scoring across Microsoft's framework: Business strategy, Tech & data, AI strategy, Org & culture, AI governance. A 1-to-3 scale per driver with named gaps. **03 — 5-stage maturity placement.** Where you sit on Microsoft's official Exploring → Planning → Implementing → Scaling → Realizing model. Common vocabulary for every future Microsoft and partner conversation. **04 — 90-day AI roadmap with 3–5 prioritized use cases.** Use cases scored on impact × effort and tagged to a Microsoft Frontier Firm pattern: assistant, human-led agent, or autonomous agent. **05 — Scoped, priced next-stage proposal.** A specific dollar figure for Agent Launchpad ($25K–$50K), Frontier Transformation ($75K–$150K), or "stay on Quickstart insights and reassess in 90 days." Written in plain English. No bait-and-switch. ## How it works ### Two weeks, four work streams, one written deliverable. **Week 1 — Discovery and diagnostic** - Day 1: Kickoff and 60-minute executive intake interview - Days 2–4: Shadow AI audit (interviews + Defender for Cloud Apps pull on S and M tiers) - Days 3–5: Microsoft 365 Copilot readiness diagnostic (identity, data, license posture) - Days 4–5: 5-Driver AI Readiness scoring against Microsoft framework - End of Week 1: **Interim shadow AI exposure picture delivered** **Week 2 — Synthesis and roadmap** - Days 6–7: Synthesis: placement on 5-stage maturity model, drafting use case roadmap - Days 8–9: Risk register finalized; next-stage proposal scoped and priced - Day 10: **60-minute executive readout. Board-ready 12-slide deck handed over editable.** - Within 30 days: One 30-minute office-hours call to debrief board reaction ## Risk reversal ### Two structural promises in writing. Both go into the engagement letter before you sign. **01 — The Board-Ready Promise.** If, at the end of the engagement, you don't have a written document you'd be comfortable presenting to your board, we return **100% of the engagement fee**. You keep whatever drafts we produced. No questions. The deliverable is the test, not the hours we logged. If the output isn't board-grade by anyone's honest read, the fee comes back. That's the whole promise. **02 — The No-Upsell Promise.** The Quickstart includes a scoped, priced next-stage proposal, but **only if the data supports it**. If you're not ready for Agent Launchpad or Frontier Transformation, we say so in writing. The Quickstart is a paid diagnostic, not a sales call dressed up as one. About 25–40% of clients receive a written recommendation to wait. That's the service working correctly. ## Who this is for ### Mission-driven leaders who need a credible answer before committing budget. Centered AI Quickstart is built for executive directors, COOs, CIOs, and board cyber-risk owners at 50–500 person mission-driven organizations: nonprofits, foundations, rural hospitals, FQHCs, and faith-based health systems. **This is the right fit if you have:** - An active Microsoft 365 tenant (Business Premium, E3, or E5) - Board, funder, or insurer pressure on AI governance - Curiosity about Microsoft 365 Copilot, possibly one or two licenses already purchased experimentally - A suspicion that shadow AI is happening and no documented picture of what's running - Budget for a structured paid diagnostic ($5K–$15K) but not yet for a deployment **This isn't a fit if:** - You don't have a Microsoft 365 tenant - You're already actively deploying Copilot at scale - You're looking for a free pre-sales advisory call ## Microsoft alignment ### Funded in part by Microsoft. Delivered by a Microsoft 5× Solutions Partner. **Microsoft Copilot + Power Accelerate funding.** The Centered AI Quickstart is positioned as the partner-delivered version of Microsoft's Copilot + Power Accelerate Envisioning & PoC program. The three pricing tiers, $5K (XS), $10K (S), and $15K (M), map to Microsoft's published funding ceilings for the same engagement size. Microsoft Copilot + Power Accelerate can co-fund the engagement substantially, sometimes fully. On the scoping call, we confirm Copilot + Power Accelerate eligibility for your tenant before you sign the engagement letter. **You'll know the net cost before you commit.** We hold five Microsoft Solutions Partner designations: Modern Work, Security, Infrastructure (Azure), Data & AI (Azure), and Digital & App Innovation (Azure). ## At a glance — Fixed fee. Three tiers. Microsoft funding eligible. | Feature | $5,000 — XS · 25–50 users | $10,000 — S · 50–200 users | $15,000 — M · 200–500 users | |---|---|---|---| | Duration | 2 weeks | 2 weeks | 2 weeks | | Executive intake (60 min) | Yes | Yes | Yes | | Copilot readiness diagnostic | Yes | Yes | Yes | | 5-Driver AI Readiness scoring | Yes | Yes | Yes | | Shadow AI assessment | Interviews + usage analytics | Defender for Cloud Apps report | Defender for Cloud Apps + 3–5 staff interviews | | 90-day roadmap with 3–5 use cases | Yes | Yes | Yes | | Next-stage scoped proposal | Yes | Yes | Yes | | Executive readout (60 min) | Yes | Yes | Yes | | 30-day post-readout office hours | Yes | Yes | Yes | | Microsoft funding eligible | Up to $5K | Up to $10K | Up to $25K | If you proceed to Centered Agent Launchpad after the readout, the full Quickstart fee applies as a credit against the Launchpad engagement. Tiers can be upgraded mid-engagement; we charge the difference. ## In practice ### What this looks like in practice. **Community foundation, 60 to 120 staff.** Came in with board pressure on AI governance after a funder asked for their AI policy at an annual meeting. Tenant had zero Copilot licenses. Shadow AI audit surfaced ChatGPT and Grammarly in active use across the grants team. Quickstart completed in 10 days; the 12-slide readout went to the next board meeting verbatim. > "We went from having no answer to having a document we were proud to hand to the board. That was the whole ask, and it was done in two weeks." — Executive Director (Representative client profile) **Human services nonprofit, 180 to 300 staff.** Leadership suspected shadow AI; the intake confirmed it. The S-tier Defender for Cloud Apps pull identified eight distinct AI tools in use across the organization, with two carrying data-classification exposure the general counsel wanted documented. The 90-day roadmap became the basis for an Agent Launchpad engagement three months later. > "The shadow AI inventory was the thing we didn't know we needed. Once we saw the tool list, everything else clicked into place." — COO (Representative client profile) **Rural critical-access hospital, 200 to 350 staff.** Cyber insurance renewal was three months out. Underwriter had asked for an AI governance statement. The M-tier Quickstart produced the risk register, the maturity placement, and a roadmap the compliance officer could attach to the renewal submission. Microsoft Copilot + Power Accelerate funding offset $15K of the engagement fee. > "The timing worked perfectly. We had something to show the underwriter, and we had a plan for what comes next. Neither existed six weeks ago." — Chief Information Officer (Representative client profile) ## What comes next ### The Quickstart is the first stage of the Centered AI Practice. Centered AI Quickstart is the Foundation-stage engagement. After it, the path forward, if and only if your data supports it, looks like this: - **Centered Agent Launchpad** ($25K–$50K, 4–6 weeks). Build 2–3 production agents on a governed Microsoft 365 Copilot foundation. - **Centered Frontier Transformation** ($75K–$150K, 90 days). Microsoft 365 E7 / Frontier Suite upgrade, Agent 365 control plane, AI Center of Excellence design. - **Centered AgentOps Managed Service** ($500–$1,500 per agent per month). Ongoing monitoring, governance, and value reporting. You don't commit to any of this when you start the Quickstart. The Quickstart's job is to tell you which next stage, if any, fits. --- # Centered Agent Launchpad: Your First Production AI Agent in 6 Weeks URL: https://www.centerednetworks.com/services/agent-launchpad.html ## Service · Centered Agent Launchpad ## From Copilot license to first production agent in six weeks. Centered Agent Launchpad lands a live, governed, measured AI agent for your team. Six pre-built Agent Kits as starting points. Microsoft Agent 365 governance from day one. A Power BI scoreboard at handover. Three structural guarantees. Microsoft Solutions Partner, Data & AI · Five Solutions Partner designations including Modern Work and Security · Microsoft Copilot Deployment Accelerator funded (up to $50K offset) · Open Repo Promise: every artifact stays in your tenant. ## The Problem ### You bought Copilot. The board is asking what's next. Most mission-driven organizations that activated Microsoft 365 Copilot 60 to 120 days ago are stuck at Chat. The license is paying every month. Some staff use it for drafting. Nobody has built anything. The board is asking what's next, the major funder is asking about AI strategy, and the answer is harder to construct every quarter. This is the gap between *having Copilot* and *running an AI practice*. The difference is agents: not chatbots, but digital colleagues with specific jobs, governed under Microsoft Agent 365, measured against KPIs the board can read. The problem is that custom agents from scratch take months and cost $150K from a large consultancy. Internal IT trying to build them rarely ships to production. The agent dies in someone's OneDrive at the prototype stage. The Microsoft Funding offer expires unused. And the board question stays unanswered. > Launchpad is the answer. Six weeks. One production agent. Three structural guarantees. ## How it works ### The Observe / Govern / Secure Production Path A four-to-six-week productized engagement that lands your first production AI agent on Microsoft Agent 365. The methodology mirrors Microsoft's own Agent 365 control plane framework, intentionally. We're not inventing a new vocabulary; we're operationalizing the one Microsoft already gave the market. The engagement is bounded. The deliverables are named. The guarantees are structural. By Week 6, you have a live agent in production, a Power BI KPI scoreboard publishing weekly, and a board-ready executive readout with the 90-day expansion roadmap. You're not paying for slideware. You're paying for a working agent and the governance infrastructure to add the next one. ## The six-week path ### What happens each week. Fixed weeks, named milestones, named deliverables. You know exactly where you stand every Friday. **Week 01 — Discovery Sprint** - Workflow selection, data-driven, not preference-driven - KPI baseline and target definitions - Data inventory and access scope - Governance posture review **Week 02 — Governance baseline and Agent 365 setup** - Entra ID, Conditional Access, Purview labels confirmed - Microsoft Agent 365 control plane configured (Observe / Govern / Secure) - Agent registry, mapping, lifecycle management activated - Agent selection from the Agent Kit catalog or custom scope finalized **Week 03 — Copilot Studio build** - Agent built in Copilot Studio - Grounded in your data sources (SharePoint, CRM, Fabric) - Human-in-the-loop checkpoints designed - Audit trail enabled **Week 04 — Pilot with 3 to 5 staff users** - Pilot cohort onboarded - Role-based training delivered - Prompt library published - First-week feedback captured **Week 05 — Iteration and production hardening** - Two iteration rounds based on pilot feedback - Load testing and drift detection baseline - Cost monitoring and FinOps oversight - Full governance posture applied **Week 06 — Launch, scoreboard, handover** - Agent live in production - Power BI KPI dashboard publishing weekly - Handover package: source, prompts, dashboard, runbook - Executive readout with 90-day expansion roadmap ## Starting points ### Six pre-built Agent Kits. Pick one. We adapt it to your workflow. You're not starting from a blank canvas. We have six pre-built Agent Kits: patterns we see repeating across the mission sector. Each ships with a working prototype, configurable workflows, governance posture, and a measurement framework. **Donor Intelligence.** Drafts donor outreach, summarizes giving history, surfaces major-gift prep briefings. Grounded in your CRM. **Best fit for:** foundations, larger nonprofit development offices. **Intake and Routing.** Reads incoming forms and emails, classifies, routes to the right team, drafts acknowledgments. **Best fit for:** legal services, FQHCs, foundation LOI review, constituent service requests. **Knowledge Keeper.** Answers staff questions grounded in your policies, board materials, and program documentation. **Best fit for:** organizations with high turnover, new-hire onboarding pain, or tribal knowledge problems. **Research Assistant.** Drafts grant prospect profiles, foundation due diligence, and program literature synthesis. **Best fit for:** grants offices, rural hospital clinical research, program research teams. **Constituent Support.** Handles routine constituent questions: eligibility, application status, program details. Escalates the rest. **Best fit for:** legal services hotlines, patient services, social services intake. **Board Reporter.** Synthesizes program data into board-ready reports, donor briefings, and grant interim reports. **Best fit for:** executive directors and program leads whose quarterly board prep takes a week. ## Risk reversal ### Three structural commitments. We stack them because the three ways AI engagements fail are distinct: the agent doesn't ship, nobody uses it, or you leave and take nothing. Each guarantee targets one of those failure modes. **01. The 6-Week Production Promise.** The agent is live in production within six weeks of kickoff, **or we keep working at no additional cost** until it is. The clock starts at kickoff and stops at production go-live. If a Microsoft-side licensing issue or a client-side data decision causes a delay, we pause transparently and re-baseline. Otherwise we're on the hook. We can stand behind this because the engagement is productized. We don't design from scratch on your time. Most Launchpad engagements ship by Week 5; six weeks is the ceiling, and it exists to leave margin for the pilot feedback loop. **02. The First-Agent-Live Promise.** By Week 6, at least three pilot users are actively using the agent. If fewer staff are using it during production weeks, **we re-scope the workflow at no charge and re-train the cohort**. We treat adoption as a deliverable, not a hope. The most common failure mode of AI projects is "we built it but nobody used it." We underwrite against that specifically. Adoption is engineered from Week 1. The workflow selection process, the prompt library, the pilot cohort structure, and the role-based training are all designed to land with real usage, not just a technically deployed agent. **03. The Open Repo Promise.** Every artifact: the Copilot Studio agent, the prompt library, the Power BI dashboard, the governance configuration, the runbook, **lives in your Microsoft 365 tenant. Exported. Documented. Yours.** If you leave CN tomorrow, you take the agent with you and it keeps running. We earn the relationship through value, not through artifact gatekeeping. This isn't a guarantee we have to enforce. It is structural. The agent lives in your tenant from the moment it's built. ## Investment ### Three tiers. Microsoft funds part of it. Fixed scope, fixed timeline, fixed price. The tier determines the complexity of the first agent and the number of integrations, not the timeline or the guarantees. **Tier 1 — Starter · $25,000.** One agent from the Agent Kit catalog. Fifty to 200 users. Single data source. The fastest path to a governed production agent. **Tier 2 — Custom · $35,000.** One custom Copilot Studio agent with more integration work. Up to two data sources. For organizations where a catalog kit needs meaningful adaptation. **Tier 3 — Two agents · $50,000.** Two agents from the catalog, or one complex agent with external system integration: CRM, EHR, or donor database. For organizations with two clearly separable high-value workflows. **Microsoft Copilot Deployment Accelerator funding.** Most qualifying clients see meaningful offset via the **Microsoft Copilot Deployment Accelerator**, sized **$5K (XS) / $10K (S) / $25K (M) / $50K (L)** by seat tier. CN handles the funding paperwork as part of the engagement. Net cost is often **$0 to $15K** for a Tier 1 engagement after accelerator offset. Client-procured Microsoft 365 Copilot is $25.50/user/month at Nonprofit Program pricing. Copilot Studio is $50/organization/month with the 75% nonprofit discount, including 25,000 messages. ## What needs to be true before kickoff. **A governance baseline is required.** Launchpad requires either Centered AI Quickstart completed (or in flight), or CompleteCare Foundations active. The reason is structural: we don't deploy agents into ungoverned environments because doing so creates exactly the AI risk the Microsoft Agent 365 framework exists to prevent. If you don't have either prerequisite yet, the Discovery Sprint scoping call will identify the path. Typically that's a combined Quickstart and Launchpad engagement, which we can sequence in 8 to 10 weeks total. ## Built for mission-driven organizations ready to move past Chat. **This is built for you if:** - You have Microsoft 365 Copilot licensed and activated, but the board is asking what's next - You have AI Quickstart or CompleteCare Foundations in place (or both are scoped) - You have a workflow that is eating your team's time and has a clear data source to ground the agent - Leadership wants a board-ready AI deliverable with a KPI scoreboard, not a prototype - You want the agent to stay in your tenant permanently, not locked inside a vendor platform **This isn't a fit if:** - You haven't activated Microsoft 365 Copilot yet: start with AI Quickstart or the Discovery Sprint - Your governance baseline isn't in place: ungoverned agents create exactly the risk you're trying to avoid - You want a fully autonomous agent on day one: agents need human-in-the-loop stages and a pilot period before broader deployment - You want a set-it-and-forget-it build: Launchpad is a live handover, not a black box ## In practice ### What this looks like for organizations like yours. **Community foundation, 25 to 60 staff.** Grants team was spending 6 to 8 hours per LOI cycle on initial prospect research and donor briefing prep. Selected the Donor Intelligence kit in the Week 1 Discovery Sprint, grounded it in Raiser's Edge NXT. Agent went to production in Week 5. The grants team recovered 5 hours per LOI cycle within the first month and the board received its first AI-sourced program report at the next quarterly meeting. > "We had been told AI was two years away for organizations our size. Launchpad proved the opposite: we had a governed, board-ready agent in six weeks and it cost less than a single grant writer's annual salary." — Program Officer (Representative client profile) **Legal services nonprofit, 80 to 150 staff.** Intake team was spending 40% of their hours on triage and routing. Selected the Intake and Routing kit. Week 2 governance baseline confirmed that Microsoft Purview sensitivity labels weren't configured for client data, which Launchpad resolved before the agent touched any client records. Agent live in Week 6; intake triage time dropped 55% within 30 days of launch. > "The fact that the governance work happened before the build was the unlock. Every other vendor wanted to build first and figure out data governance later. CN did it in the right order." — Operations Director (Representative client profile) **Rural critical access hospital, 200 to 350 staff.** Clinical research team was sourcing literature reviews manually across PubMed and clinical databases. Selected the Research Assistant kit with Epic FHIR integration (Tier 3). Agent went live Week 6 with full HIPAA audit trail and human-in-the-loop review for any patient-adjacent query. Time-to-literature-synthesis dropped from 4 hours to 25 minutes for standard queries. > "Our CIO was skeptical that a six-week timeline was realistic for a HIPAA-governed environment. The governance baseline work in Week 2 was what made it possible." — Clinical Research Coordinator (Representative client profile) ## Frequently asked questions about Agent Launchpad. **What's the difference between Copilot Quickstart and Agent Launchpad?** Quickstart deploys Microsoft 365 Copilot itself, hardens governance, and activates the foundational Agent 365 control plane. Launchpad builds and ships the first production agent on top of that foundation. Quickstart is "Copilot is safe and live." Launchpad is "first agent is live, governed, and measured." **Can we start with two agents instead of one?** Yes, that's Tier 3. We recommend starting with one for first-time engagements to compress the timeline and let the change-management curve settle. Tier 3 makes sense for organizations with two clearly separable high-ROI workflows or one workflow that requires deep external system integration. **Do we have to start with Donor Intelligence?** No. The six kits are starting patterns, not a sequence. Foundations often pick Donor Intelligence; rural hospitals often pick Research Assistant; intake-heavy nonprofits pick Intake and Routing. The Week 1 Discovery Sprint is where the choice is made, based on workflow data. **What if our CRM is older or unusual?** Tier 3 covers external system integration. We've worked with Raiser's Edge NXT, Salesforce NPSP, Dynamics 365 Nonprofit Accelerator, Bloomerang, EveryAction, Epic via FHIR, OCHIN, and Athenahealth. If your system has an API and your data is accessible, we can integrate. **What about EU data residency or Anthropic model restrictions?** Microsoft Copilot Cowork (which includes Anthropic models) is off by default for EU tenants per Microsoft's EU Data Boundary policy. We default to OpenAI models for EU clients and respect your tenant's configured model controls. The agent we build doesn't bypass your tenant's existing model governance. **What does the managed services team handle after Launchpad?** If you continue into CompleteCare Intelligence after Launchpad, the managed services team operates the agent day-to-day: drift detection, cost monitoring, governance audit, monthly value reports, and quarterly use-case expansion. If you'd rather run it in-house, the handover package contains everything your internal IT team needs. **Can we evaluate other vendors during this conversation?** Yes. We invite that explicitly. The Open Repo Promise exists in part because we believe the right vendor for any client is the one who'll hand them the source code on day one. Compare that promise against any custom AI consultancy and ask whether they'll do the same. The answer tells you a lot. ## Microsoft alignment ### A Data and AI-designated partner. AI agent deployment sits squarely in the Data and AI designation: building, governing, and operating intelligent workloads on Microsoft 365 and Azure. We also hold the Modern Work designation, which matters here because Microsoft 365 Copilot and Agent 365 are the foundation every Launchpad engagement runs on. - Microsoft Solutions Partner for Data and AI - Microsoft Solutions Partner for Modern Work - Microsoft Copilot Deployment Accelerator eligible - Microsoft Agent 365 governance from day one - Open Repo Promise: every artifact stays in your tenant - Three structural guarantees on every engagement --- # Centered Frontier Transformation: Become a Frontier Firm in 90 Days URL: https://www.centerednetworks.com/services/frontier-transformation.html ## AI Practice · Stage 3 · Frontier Transformation ## Become a Frontier Firm in 90 days. Productized. Fixed-fee. Mission-driven-sector specialized. Centered Frontier Transformation: Microsoft 365 E7 deployed, three to five production agents live, AI Center of Excellence operational, and a board-level Frontier Firm KPI dashboard delivered. 90 days. $75K–$150K. Up to $47K of Microsoft funding offsets the fee. Microsoft 5x Solutions Partner · The partner-delivered Frontier Firm play · Productized 90-day engagement · No 12-month consultancy lock-in. ## Where are you in the progression ### Every board with an AI line on its strategic plan is asking the same question. The answer requires understanding where your organization sits on the Microsoft Frontier Firm progression, and how to move. **01. Pattern 1 — Human with assistant.** Every employee has Microsoft 365 Copilot. People are more productive. AI is additive to individual work. **02. Pattern 2 — Human-led agents.** Agents join teams as digital colleagues, handling specific tasks at human direction. Most mission-driven organizations are at this boundary now. (Most clients start here.) **03. Pattern 3 — Humans set direction; agents run workflows.** Multi-agent orchestration. Humans approve, agents execute end-to-end business processes. The Frontier Firm destination. Most mid-market mission-driven organizations are operating at the Pattern 1 and early Pattern 2 boundary. The strategic question is how to move: defensibly, on a timeline the board can support, at a cost that does not require a $1M Big-4 engagement. That is what Centered Frontier Transformation is for. ## The 90-day engagement ### What gets delivered, when. Three 30-day phases, each with named milestones. The structural commitment to the timeline is on us. **01 · Days 1–30 — Frontier Foundation.** Microsoft 365 E7 deployed across the licensed user base. Agent 365 control plane configured against the Observe, Govern, and Secure framework. Identity perimeter modernized with Entra Suite ID Governance, Internet Access, and Private Access. Data governance maturity audit on Purview Information Protection, Insider Risk, and DLP. First production agent live by Day 30. Microsoft funding stack projection delivered as the first deliverable. **02 · Days 31–60 — Multi-agent operations.** Three to five production agents deployed: a mix of CN Agent Kit catalog agents (customer service triage, contract review, sales preparation, finance document intelligence) and custom Copilot Studio agents built for your specific workflows. Multi-agent orchestration patterns running. AI Center of Excellence stood up: governance committee, monthly design review cadence, evaluation rubric, shared prompt library, and ROI tracking against named KPIs. Two or three named departments running pilots with executive sponsors. **03 · Days 61–90 — Scale and production hardening.** Org-wide rollout of what the pilots proved. Frontier Firm KPI dashboard live: Pattern 2-to-Pattern-3 progression metrics tracked monthly. Industry-specific compliance overlay applied (HIPAA, FERPA, GLBA, SOC 2, nonprofit donor privacy). Managed AgentOps handover to CompleteCare Intelligence or to your internal IT team. Board-level Frontier Firm readout delivered with a 12-month roadmap. ## Microsoft 365 E7 ### The Frontier Suite: E5, Copilot, Entra Suite, and Agent 365 in one SKU. E7 is the licensing SKU Microsoft created for Frontier Firm deployments. It is E5 plus Copilot plus the Entra Suite plus Agent 365, at $99 per user per month. The Agent 365 control plane is the component most organizations underestimate. It is Microsoft's framework for governing AI agents at production scale: agent registry, agent-to-data mapping, lifecycle management, role-specific access controls, threat protection integration, and analytics. Without it, multi-agent workflows cannot operate safely at scale. With it, the Pattern 2-to-Pattern-3 transition becomes operationally tractable. **The Microsoft funding stack offsets a meaningful portion of the engagement fee for most clients.** Copilot and Power Deployment Accelerator (up to $50K), Secure Productivity CSP Deployment Accelerator (up to $38K), and the EA Deployment Voucher (up to $100K for E5+ EA customers) can together offset 25–40 percent of the engagement fee at the median. We model your specific funding stack as the first deliverable of the Frontier Foundation phase. ## AI Center of Excellence ### The component most clients realize, by Day 90, was the highest-impact part. Most organizations get stuck after a few successful Copilot pilots because they lack the operating discipline to scale them. There is no governance committee. No evaluation rubric for new agent proposals. No shared prompt library. No ROI tracking. No cadence for the Responsible AI review. Pilots stay isolated and do not compound. The AI CoE installs the discipline. **Pattern 2 actually scales when you have governance infrastructure, not just deployed agents.** **What the AI CoE includes:** - Governance committee chartered with executive sponsorship - Monthly design review cadence for new agent proposals - Evaluation rubric: what proceeds and what does not - Quarterly Responsible AI review - Shared prompt library accessible to all departments - Champion network across pilot departments - ROI dashboard the Executive Director can take to the board - Pattern 2-to-Pattern-3 progression metrics tracked monthly ## Risk reversal ### Three guarantees. None of them cosmetic. Structural commitments that put our delivery economics on the line, not aspirational language. **01. The 90-Day Frontier Promise.** If we do not deliver the named Day 30, Day 60, and Day 90 milestones on schedule due to factors within our control, **we work additional days at no charge until we do.** The structural commitment to the timeline is on us. We can stand behind this because the engagement is productized and the phases are named in the SOW. Most clients hit Day 30 with their first agent live and ahead of schedule. **02. The Production-Live Agents Promise.** If we do not deliver the named number of production-live agents in your tier (three at $75K, four at $100K, five or more at $150K), we either deliver the gap at no charge or **refund a per-agent pro-rata of the engagement fee.** Production-live is defined in the SOW with specific acceptance criteria. Production-live means the agent is in active use by named users, handling real workflows, not a demo environment. The definition is in the contract before we start. **03. The Open Repo and No-Lock-In Promise.** Every artifact we produce, including agent code, Copilot Studio definitions, prompt libraries, the AI CoE charter, governance policies, KPI dashboards, and runbooks, is delivered into **a repository you own.** After Day 90, you continue with CompleteCare Intelligence on a month-to-month basis, hand off to your internal IT team, or move to a different partner. No 12-month consultancy lock-in. This is structural, not aspirational. The repository lives in your Git provider. Nothing is proprietary. Any partner can pick up where we left off. ## Engagement tiers ### Three tiers. Fixed-fee. No T&M. Select the tier that matches your user base. The named deliverables and the 90-day timeline are the same across all three. **Foundation tier — $75,000 fixed-fee, 90 days.** For organizations with 200–500 users. - Microsoft 365 E7 deployment - Agent 365 control plane setup - Standard Copilot configuration - Identity Perimeter Modernization - **3 production agents** live by Day 90 - AI CoE charter and governance structure - Day 90 board readout **Production tier — $100,000 fixed-fee, 90 days.** For organizations with 500–1,000 users. All Foundation, plus: - Full AI CoE stand-up with champion network - Multi-agent orchestration patterns - Two department-level pilots with executive sponsors - **4 production agents** live by Day 90 - ROI tracking dashboard **Expansion tier — $150,000 fixed-fee, 90 days.** For organizations with 1,000 or more users. All Production, plus: - Copilot Tuning (where 5,000 or more Copilot licenses are in scope) - Copilot Cowork enablement for long-running multi-step work - Three department-level pilots - Industry compliance overlay: HIPAA, FERPA, GLBA, SOC 2, donor privacy - **5 or more production agents** live by Day 90 Microsoft 365 E7 licensing at $99 per user per month is separate from the engagement fee, procured directly from Microsoft. For the median engagement, the Microsoft funding stack offsets 25–40 percent of the engagement fee. We model your specific funding scenario as the first deliverable. Compare to Big-4 transformation programs at this depth: $500K–$2M over 12–18 months on time-and-materials terms. Centered Frontier Transformation delivers comparable Pattern 2-to-Pattern-3 progression in 90 days at one-tenth the cost. ## Built for organizations ready for the Frontier. **This is built for you if:** - CompleteCare Foundations is active: the governance and security baseline is non-negotiable for production agents at this scale - Your board has an AI strategy and is asking when, not whether - You have 200 or more Microsoft 365 users and want production agents, not just Copilot licenses - You want the Frontier Firm outcome without a 12-month, $500K consultancy program - You want named milestones, named guarantees, and a repository you own - You want an AI Center of Excellence that will outlast the engagement **This is not a fit if:** - CompleteCare Foundations is not yet in place: production agents at this scale require a governed security baseline - Your organization has fewer than 200 Microsoft 365 users: the economics of E7 deployment and Agent 365 require this floor - Your board has not aligned on an AI strategy: the 90-day engagement assumes executive sponsorship is in place before kickoff - You want a free pilot or proof of concept: this is a production deployment, not an assessment **Not quite ready for Frontier Transformation?** The Centered AI Practice ladder is designed to build readiness. AI Quickstart ($5K–$15K, 2 weeks) establishes your Board-Ready AI Readiness document and 90-day roadmap. Agent Launchpad ($25K–$50K, 4–6 weeks) puts your first production agent into operation. Either stage can be completed before Frontier Transformation. For organizations with strong CompleteCare Foundations but without a completed Quickstart or Launchpad: a combined Discovery and Transformation engagement is available. It adds 30 days to the front of the timeline (120 days total) and adds $25K to the base tier. We will tell you during the Frontier Readiness call which path is right. ## In practice ### What this looks like in practice. **Regional nonprofit health system, 600 users.** Entered the engagement at the Production tier. CompleteCare Foundations was already active. E7 deployed across the licensed base in 22 days. Four production agents live by Day 55: a clinical documentation intake router, a contract review assistant, a grants compliance checker, and a finance document intelligence agent. AI CoE governance committee chartered with three executive sponsors. Board received the Frontier Firm KPI dashboard on Day 88. > "We had been told by three consultancies that this would take 18 months and $800K. The structured milestones and the guarantee language were what got it past our board." — Chief Operating Officer (Representative client profile) **Grantmaking foundation, 1,100 users.** Expansion tier. Copilot Tuning configured against the foundation's 12-year grants database. Five production agents deployed, including a donor data analysis agent and a grantee reporting assistant. Donor privacy compliance overlay applied against GLBA and state-specific nonprofit donor privacy statutes. Pattern 2-to-Pattern-3 KPI baseline established for the board. Month 4 Intelligence retainer activated. > "The AI CoE was the piece we had not anticipated needing. By Day 60, every department head was submitting agent proposals. Having an evaluation rubric meant we could say yes to the right ones and no to the ones that were not ready." — Chief Technology Officer (Representative client profile) **Community hospital system, 420 users.** Foundation tier, combined Discovery and Transformation engagement (120 days). No prior Quickstart or Launchpad. E7 deployed with HIPAA compliance overlay across clinical and administrative users. Three production agents live: a prior authorization intake agent, a clinical documentation assistant, and an operational intelligence agent for supply chain exception handling. Managed AgentOps handover completed at Day 90 to the CompleteCare Intelligence team. > "The combined path was the right call. The extra 30 days at the front meant we were not improvising on governance while also deploying E7. Everything arrived in the right order." — Chief Information Officer (Representative client profile) ## Frequently asked questions. **Why a partner-delivered Frontier engagement?** Microsoft directs the Frontier Suite, Agent 365, Copilot Tuning, and Copilot Cowork story upmarket and to system integrators. Big-4 consultancies deliver it as 12–18 month, $500K–$2M transformation programs built for the Fortune 500. The gap is real: a 500-user nonprofit health system or a 1,200-employee foundation wants the Frontier Firm outcome but cannot absorb a Big-4 program. Centered Frontier Transformation is the productized, mission-driven-sector-aware engagement that closes the gap. **Why does the Frontier Suite cost what it does?** E7 at $99 per user per month is the only commercial SKU that bundles E5 (the security floor) plus Copilot (the user experience) plus Entra Suite (the identity perimeter modernization) plus Agent 365 (the agent control plane). The Microsoft funding stack offsets a meaningful portion of the licensing investment. The first deliverable of the engagement is the funding-stack projection for your specific licensing scenario. **What if we want to deploy agents that Microsoft does not directly support?** Microsoft Agent 365 and Copilot Studio cover most mission-driven workflows. For genuinely novel agent needs that do not fit the Microsoft fabric, we partner with the CompleteCare Construct tier, which builds custom Azure-hosted agent applications on Azure AI Foundry. Same engagement model, separate tier. **Can you guarantee ROI?** We guarantee the deliverables (the three structural guarantees on this page) and we measure ROI against named KPIs in the Day 90 board readout. We do not claim guaranteed ROI on agent workflows themselves, because ROI is a function of how your organization adopts the agents, not just how we build them. The AI CoE and the champion network maximize the probability; the guarantees provide the structural commitment. Partners who promise guaranteed ROI on 90-day AI engagements have usually defined ROI narrowly enough to be guaranteed but broadly enough to be meaningless. **What happens after Day 90?** You choose. The Open Repo Promise means every artifact is in a repository you own. The No-Lock-In Promise means our CompleteCare Intelligence retainer is month-to-month at $2,500 per month. Three paths after Day 90: continue with Intelligence (the path most clients take), hand off to internal IT using our documentation, or move to a different partner. We earn the next month or we do not keep it. **How does the combined Discovery and Transformation engagement work?** For clients with strong CompleteCare Foundations but without a completed Quickstart or Launchpad, the combined engagement adds 30 days to the front of the timeline (120 days total) and absorbs the Discovery Sprint and Agent Launchpad activities into the Frontier Foundation phase. Adds $25K to the base tier. We will tell you during the Frontier Readiness call whether the combined engagement is right or whether the staged ladder is the better path. ## Microsoft alignment ### Five Solutions Partner designations, including Data and AI. Frontier Transformation maps directly to Microsoft's Modern Work, Data and AI, and Digital and App Innovation designations. The engagement is built on Microsoft-native technology throughout. - Microsoft Solutions Partner for Modern Work - Microsoft Solutions Partner for Security - Microsoft Solutions Partner for Data & AI (Azure) - Microsoft Solutions Partner for Infrastructure (Azure) - Microsoft Solutions Partner for Digital & App Innovation (Azure) - HIPAA BAA available on request --- # Managed AgentOps for Microsoft Copilot Agents URL: https://www.centerednetworks.com/services/managed-agentops.html ## Stage 4 of the Centered AI Practice · Managed Intelligence Provider ## Agents that get better every month, not just stay live. Managed AgentOps is the ongoing operations discipline for organizations with agents already running in production. Monitoring, drift detection, governance refresh, FinOps, and proactive use-case development on a documented monthly cadence. Per-agent-per-month pricing. Month-to-month. Microsoft 5x Solutions Partner, including Data and AI · Microsoft AI Operations partner-eligible play · Built on Microsoft Agent 365 Observe / Govern / Secure · Month-to-month: 30 days' notice, no minimum after engagement starts. ## Engagement prerequisite **Managed AgentOps requires at least one production agent already deployed.** This is structural, not a sales construct: there is nothing to operate if there is nothing in production. Most customers arrive at AgentOps having just completed Stage 2 (Agent Launchpad) or Stage 3 (Frontier Transformation). If you do not have agents in production yet, the right starting point is the Centered AI Quickstart or Agent Launchpad, not this page. ## Production agents are not a deployment problem. They are an operations problem. The pattern across every organization that has shipped its first Copilot Studio agent is the same. Month one, the agent works. Month three, the prompts are stale. Month six, a Microsoft model update has shifted the agent's behavior in ways nobody documented. Month twelve, governance has eroded because nobody owns the quarterly review, shadow AI has begun re-emerging because the sanctioned agent stopped feeling fresh, and the board's AI ROI question has gone from "show us the wins" to "are we sure this is still working?" Four failure modes show up over and over. **Failure mode 01 — Prompt drift.** The prompt library that shipped on Day 1 was tuned against Day 1 user behavior. By Month 6, users are asking different questions, the agent is producing weaker answers, and nobody has updated the library because nobody owns it. **Failure mode 02 — Model drift.** Microsoft updates the underlying models on its own cadence. When the model shifts, every agent's behavior shifts: sometimes in subtle ways that don't trip an alert but visibly degrade the user experience. **Failure mode 03 — Governance erosion.** Responsible AI policies, content safety filters, and data-access boundaries set up at launch are not self-maintaining. New SharePoint sites get created, new sensitive content categories emerge, new staff join, and the governance posture drifts from the deployment-day baseline. **Failure mode 04 — Shadow AI re-emergence.** The whole point of deploying a sanctioned agent was to give staff a governed alternative to unsanctioned tools. If the sanctioned agent stops feeling fresh, those tools come back: and the donor records, grant material, board minutes, and PHI start walking out again. > Managed AgentOps is a recurring operations discipline, not a check-in. ## Ten workstreams, documented cadence ### What AgentOps covers every month. Ten named workstreams, each tied to a documented cadence and a named deliverable. Nothing in this list is aspirational: every item is a real piece of work the M365 Managed Services team performs every month on every agent. **01. Agent performance monitoring.** Continuous instrumentation of every production agent using the Copilot Studio Agents Report and Microsoft Agent 365 analytics. Usage, latency, completion rates, escalation rates, and end-user satisfaction tracked against the Month-1 baseline. Weekly automated sweep plus monthly reviewed analysis, documented in the runbook your organization owns under the Open Repo Promise. **02. Prompt library curation.** Every agent has a prompt library. That library is a living artifact. The M365 Managed Services team reviews and tunes prompts monthly based on actual usage patterns, weak-answer reports, and new business workflows. Prompt patterns that emerge across the broader Centered Networks customer base propagate to your library on a quarterly cadence. **03. Model lifecycle management.** When Microsoft updates the model underlying Copilot or Copilot Studio, your agents are regression-tested against a documented evaluation suite before the update influences production behavior. Where a model update degrades agent performance for your use cases, we coordinate the rollback or mitigation pattern with Microsoft. **04. Governance evolution review.** Monthly review of Responsible AI policies, content safety filters, data-access governance, and Entra Agent ID configuration. Sensitivity-label propagation audited. New SharePoint sites and Microsoft Teams channels assessed for agent-access implications. The Microsoft Agent 365 registry kept current. **05. Shadow AI scan.** Monthly review of Defender for Cloud Apps unsanctioned-app detections, Microsoft Purview Insider Risk Insights signals, and anomalous DLP events. If shadow-AI usage of sensitive content categories trends above the Month-1 baseline, the No-Shadow-AI-Drift Promise applies. **06. FinOps for AI.** Token consumption tracked per agent. Model selection optimized: the cheapest model that meets the quality bar wins, every time. Cost-per-outcome calculated for each agent against its named KPI (hours saved, cases routed, donor outreach personalized, claims denials reduced). AI spend the board can interrogate. **07. KPI dashboard.** A Power BI dashboard built against your Agent 365 analytics and Copilot Studio Agents Report, customized to your agents and your KPIs. The dashboard lives in your tenant and continues to update at steady state. Available to the executive sponsor and the AI program lead on demand; refreshed monthly with commentary. **08. Monthly Value Brief.** A written deliverable, not a slide. Three to five pages, sent to the executive sponsor monthly. What changed in the past 30 days. What the agents produced. What we tuned, what we caught, what we recommend next. Designed so the executive can forward it to the board chair without rewriting. **09. Quarterly AI ROI and Risk Review.** A board-ready readout every quarter. Adoption metrics, productivity outcomes, FinOps reporting, risk posture, agentic roadmap, new use-case recommendations. Designed for the board cybersecurity-and-AI agenda item. **10. New use-case development.** One to two new agent proposals per quarter, sourced from cross-customer pattern intelligence and from observed friction in your workflows. Each proposal is scoped with a named owner, named workflow, estimated effort band, and expected KPI impact. The executive sponsor decides whether to advance, defer, or decline. ## Delivery cadence ### What you receive and when. **Every week (automated):** - Agent performance telemetry refresh - Shadow AI signal sweep (Defender for Cloud Apps, Purview Insider Risk) - FinOps consumption snapshot **Every month (M365 Managed Services team delivers):** - Monthly Value Brief: 3 to 5 page written deliverable for the executive sponsor - Agent KPI dashboard refresh with commentary - Governance evolution review: what changed, what we tuned, what we recommend - Shadow AI scan results against the No-Shadow-AI-Drift Promise baseline - Prompt library updates pushed to production - FinOps reconciliation: actual vs. projected, with optimization recommendations **Every quarter (board-ready):** - Quarterly AI ROI and Risk Review: written report plus 60-minute executive readout - New use-case proposal package (1 to 2 agents) - Cross-customer pattern propagation report: what we learned from the CompleteCare customer base and applied to your environment - Microsoft platform roadmap brief: what's coming from Microsoft and what it means for your agents **As needed:** - Microsoft model-update regression test (whenever Microsoft ships a model change) - Incident response if an agent behavior degrades or a governance signal trips ## Per-agent-per-month pricing ### Priced on complexity. Transparent on the Microsoft fee. A per-agent-per-month rate based on agent complexity, plus 15% of your monthly Microsoft Copilot Studio consumption, disclosed as a separate line item. | Agent complexity | Monthly rate per agent | Representative agents | |---|---|---| | Low band: simple retrieval agents | $500 | FAQ handlers, document Q&A, single-source knowledge agents. The Donor Intelligence Q&A agent or the Board Reporter agent drafting standard monthly summaries from Microsoft 365 data. | | Mid band: multi-step task agents | $1,000 | Intake routing, document approval, grant-inquiry handlers, donor research, claims denial navigation. Agents that compose multiple Copilot Studio actions and integrate with one or two business systems. | | High band: multi-agent compositions | $1,500 | Planner/critic/executor patterns, agents that trigger other agents, agents integrated with three or more business systems, agents handling HIPAA or regulated content categories. | **Plus 15% Microsoft platform fee.** 15% of your monthly Microsoft Copilot Studio consumption is added to the invoice as a separate line item. This is the Premium Engagement Credit on Copilot Studio consumption that Microsoft makes available to AI Operations partners. It is disclosed transparently, not buried in the per-agent rate. **Example A — Small foundation, three agents.** Three low-band agents: a Donor Intelligence Q&A agent, a Grant-Inquiry FAQ handler, a Board Reporter agent. 3 agents at $500 each = $1,500 per month. Plus 15% of Copilot Studio consumption (typically $200 to $400 per month at this footprint). Total monthly invoice: $1,700 to $1,900. Annual cost: $20,000 to $23,000. **Example B — Mid-sized nonprofit, eight agents.** Two low-band agents, five mid-band agents, one high-band agent: (2 × $500) + (5 × $1,000) + (1 × $1,500) = $7,500 per month. Plus 15% of Copilot Studio consumption (typically $800 to $1,500 per month at this volume). Total monthly invoice: $8,300 to $9,000. Annual cost: $100,000 to $108,000. **What is not included:** - Microsoft licensing: Microsoft 365 Copilot, Copilot Studio, and Microsoft Agent 365 licensing is client-procured directly from Microsoft. Nonprofit pricing (75% Microsoft Nonprofit Program discount) applies where eligible. - Major new agent builds beyond the one to two per quarter new-use-case development cadence. Net-new agents are scoped as Intelligence Pods ($4,500 each) or a new Agent Launchpad engagement, depending on scope. - Stage 3 platform uplifts. If your organization advances to Microsoft 365 E7 or Frontier Suite mid-engagement, that is a Centered Frontier Transformation engagement scoped separately. ## Structural guarantees ### Three guarantees. Written into the SOW, not the marketing. Every offer in the Centered AI Practice ladder carries three structural guarantees. Managed AgentOps is no exception. **01. The No-Shadow-AI-Drift Promise.** If shadow-AI usage of sensitive content categories, measured via Defender for Cloud Apps unsanctioned-app detections, Microsoft Purview Insider Risk Insights signals, and anomalous DLP events, trends above your Month-1 baseline for two consecutive months, the M365 Managed Services team includes targeted shadow-AI remediation work in that month's retainer **at no additional cost**, and continues to include it every month until the trend reverses. Your organization is structurally protected against the failure mode that wrecks most production agent deployments. The No-Shadow-AI-Drift Promise is why the shadow AI scan is not aspirational: it is the instrument that triggers the guarantee. **02. The Open Repo Promise.** Every artifact the M365 Managed Services team produces or tunes, including Copilot Studio agent definitions, prompt library entries, Power Platform connector configurations, governance policies, Responsible AI documentation, KPI dashboards, runbooks, and regression test suites, lives in your Microsoft 365 tenant under your ownership. We do not hold customer agents hostage in a Centered Networks tenant. **If you leave the engagement, you keep every artifact you paid for, ready to run.** Combined with the month-to-month commercial structure, this means you can exit on 30 days' notice with everything intact and operating. Any partner can pick up where we left off, or your own team can. **03. The Quarterly Frontier Forward Promise.** Every quarter, the M365 Managed Services team delivers at least one, and typically two, new agent proposals sourced from cross-customer pattern intelligence and from observed friction in your workflows. Each proposal is scoped with a named owner, named workflow, estimated effort band, and expected KPI impact. **If a quarter passes without at least one proposal landing on the executive sponsor's desk, the next month's retainer is waived.** This is the structural guarantee that AgentOps is not just "we'll check on your agents sometimes." The engagement is forward-leaning by contract, not by goodwill. ## Who this is built for. **A clean fit:** - Organizations that just completed Centered Agent Launchpad with one or two agents in production and want the operations discipline before the agents drift - Organizations that just completed Centered Frontier Transformation with three to five agents live and want a named operator for the recurring AgentOps work - Organizations with three or more production agents currently running informally through a stretched IT director or a contractor with no documented cadence - Leadership teams that have already realized production agents are an operations problem, not a deployment problem, and want their AI getting better every month Sweet spot: **3 to 12 production agents**. Below 3, most organizations are better served by an Intelligence Pod or a broader CompleteCare Intelligence engagement. Above 12, the engagement is custom-scoped during the Readiness call. **Not the right starting point if:** - Your organization has zero agents in production. There is nothing to operate. Start with the Centered AI Quickstart for a 90-day roadmap, then Agent Launchpad to put the first agent in production - Your organization is running production agents without CompleteCare Intelligence (or equivalent) underneath. AgentOps built on top of ungoverned Copilot tenant infrastructure is built on sand - Your IT organization already has dedicated agent operators, an AgentOps runbook, and a documented monthly cadence. Managed AgentOps is a complete operations discipline, sold as a complete discipline, not as point-solution coverage ## In practice **Community foundation, 50 to 150 staff.** Arrived at AgentOps six weeks after Agent Launchpad completed, with a Donor Intelligence Q&A agent and a Board Reporter agent in production. Month 1 baseline established across both agents. By Month 4, prompt library had been updated three times based on actual usage. Shadow AI signals stayed flat against the baseline. The executive director now forwards the Monthly Value Brief to the board finance committee without modification. > "We shipped two agents. The question we were dreading was 'how do we know they're still working in six months?' AgentOps is the answer to that question." — Executive Director (Representative client profile) **Rural critical-access hospital, 200 to 400 staff.** Entered AgentOps at Stage 4 having completed Frontier Transformation, with three agents in production including a Patient-Intake Triage agent handling HIPAA-regulated content. High-band pricing applied for the regulated content workload. Model regression testing ran twice in the first six months when Microsoft updated the underlying Copilot Studio model. Neither update was allowed into production without clearance. Governance posture maintained at the Frontier Transformation baseline throughout. > "HIPAA doesn't stop at deployment. AgentOps is how we keep the compliance posture from decaying after the project closes." — CIO (Representative client profile) **Workforce development nonprofit, 100 to 250 staff.** Eight agents at engagement start: two low-band, five mid-band, one high-band multi-agent composition. Quarterly Frontier Forward Promise delivered two new agent proposals in Q1 (a grant-inquiry routing agent and a case-worker documentation assistant). Both advanced to scoped Agent Launchpad engagements. Shadow AI signals tripped in Month 5; remediation work was included in that month's retainer per the No-Shadow-AI-Drift Promise. Trend reversed by Month 7. > "Month 5 would have been the month everything quietly went wrong. The No-Shadow-AI-Drift Promise is what caught it. And the remediation was in the bill we were already paying." — COO (Representative client profile) ## Microsoft alignment ### Built on the Microsoft Agent 365 control plane. Managed AgentOps is built explicitly on Microsoft's Agent 365 control plane and aligned to Microsoft's FY26 AI Operations partner-eligible play. **Microsoft Agent 365: Observe / Govern / Secure.** AgentOps operationalizes all three pillars on the customer's behalf. Observe: agent registry, agent-to-data mapping, analytics dashboards, role-specific oversight. Govern: lifecycle management, policy enforcement, Responsible AI documentation, audit trail. Secure: Entra Agent ID for agent identity, content safety, threat protection, data-access governance. **AI Operations partner-eligible play.** Microsoft's FY26 partner program names AI Operations as a partner-eligible service category in the Copilot + Agents at Work and Secure AI Productivity solution plays. The 15% Premium Engagement Credit kicker on Copilot Studio consumption is the Microsoft-side commercial mechanism for partners delivering this category, which is why our pricing surfaces it as a transparent line item. **Microsoft-native monitoring, no third-party stack.** The monitoring, drift detection, and KPI dashboard workstreams use Microsoft-native instrumentation: Copilot Studio Agents Report and Microsoft Agent 365 analytics. We do not bolt on a third-party AgentOps platform. Your dashboards live in your Microsoft tenant. This is structurally required under the Open Repo Promise. ## Frequently asked questions. **How is Managed AgentOps different from CompleteCare Intelligence?** Intelligence is the broader managed-Copilot program: governance setup, first-wave deployment, prompt library, training, the full stack of work that takes an organization from "we licensed Copilot" to "we run Copilot as a governed program." Managed AgentOps is the subset of Intelligence focused specifically on the operations discipline for production agents. Most customers run both: the Intelligence tier on the Copilot program, the AgentOps engagement on the agents that ship into it. They are priced and scoped separately so customers with smaller agent footprints are not paying for what they do not need. **What if we have a smaller agent footprint, say one or two agents?** For one or two agents, the per-agent overhead is meaningful relative to the agent count. The honest recommendation is usually to run AgentOps inside a broader CompleteCare Intelligence engagement rather than as a standalone AgentOps engagement. Once the agent count crosses three, the dedicated AgentOps engagement starts to make sense. We will tell you which is right during the 30-minute Readiness call: there is no upsell pressure to start AgentOps before it earns its keep. **Do we have to use Centered Networks to run AgentOps?** No. The Open Repo Promise means every artifact lives in your tenant under your ownership. You can run AgentOps internally if you have the engineering capacity, the dashboard discipline, and the cross-customer pattern intelligence to do so. Most mission-driven IT teams cannot staff this internally, but if yours can, you do not need us. We are not the right partner for organizations that have already built an internal AgentOps team. **Can we run AgentOps ourselves, even partially?** Yes. The engagement supports a co-managed pattern. Some customers handle the agent KPI dashboard reviews internally and hand off the prompt curation, model regression, and shadow-AI work to the M365 Managed Services team. Others do the inverse. The Monthly Value Brief and the Quarterly AI ROI and Risk Review are always team deliverables: that is where the cross-customer pattern intelligence and the board-ready framing come in. Scope the co-managed split during the Readiness call. **What happens if an agent goes wrong?** "Goes wrong" usually means one of three things: a Microsoft model update has degraded the agent's behavior, a governance signal has tripped, or end-user satisfaction has dropped against the Month-1 baseline. Each has a documented response runbook. Model-update regression: we roll back to the previous behavior or apply the mitigation pattern and brief the executive sponsor. Governance trip: incident response per the No-Shadow-AI-Drift Promise. Satisfaction drop: we tune the prompt library, the workflow integration, or the agent definition. Agent deprecation happens, and saying so up front matters: not every agent that ships is the right agent forever. **What is the minimum agent count?** There is no formal minimum, but the practical floor is three production agents. Below three, the economics tilt toward absorbing AgentOps into the broader Intelligence tier engagement. We will give you a straight answer on which path makes sense during the Readiness call. **Do we have to be on Stage 3 (Frontier Transformation) to use AgentOps?** No. Most customers arrive at AgentOps having completed Stage 2 (Agent Launchpad) with one or two agents in production, and never need Stage 3. Stage 3 is the right move when the organization is ready for the full Microsoft Frontier stack: Microsoft 365 E7, Microsoft Agent 365 at full scope, multi-agent orchestration, an AI Center of Excellence. AgentOps is the recurring service for everyone with agents in production, regardless of whether they entered through Stage 2 or Stage 3. **How does the 15% Microsoft platform fee work in practice?** Your monthly Microsoft Copilot Studio consumption is reported through the Microsoft Partner Center. The 15% Premium Engagement Credit is added to your monthly Centered Networks invoice as a separate line item. If your Copilot Studio consumption is $1,000 in a given month, $150 is added to that month's AgentOps invoice. The kicker is disclosed transparently, not bundled into the per-agent rate. This is the Microsoft-side commercial mechanism for partners delivering the AI Operations partner-eligible play. --- # CompleteCare: Microsoft 365 managed services for nonprofits, foundations, and rural hospitals URL: https://www.centerednetworks.com/services/completecare.html ## The Microsoft platform, run as a service ## CompleteCare: Microsoft 365 managed services for nonprofits, foundations, and rural hospitals. One umbrella, seven stackable services, month-to-month from day one. CompleteCare is how Centered Networks delivers the Microsoft platform to mission-driven organizations. Foundations is the universal starting point. Six upper tiers (Govern, Automate, Insight, Construct, Intelligence, Shield) stack on top as your maturity, regulatory exposure, and ambition grow. One master agreement covers the whole relationship. The structural commitment is on us, not on you. Two weeks · No commitment beyond insight / 60 minutes · We'll tell you which tier(s) to start with. - Microsoft Solutions Partner, five designations including Data & AI - ~20 years of nonprofit-specific Microsoft IT - Month-to-month, no 12-month lock-in ## One umbrella. Seven stackable services. One master agreement. CompleteCare is the managed-services brand of Centered Networks. Inside CompleteCare are seven services, each independently buyable, each with the same operating model, each mapped to a distinct capability area on the Microsoft platform. Most clients start with Foundations: the Microsoft 365 Business Premium baseline, delivered as a 12-month installment plan and anchored to the CIS Top 18 IG1 cybersecurity standard. From there, the stack opens. The architecture follows three rules. **01. Foundations is the prerequisite for Govern, Intelligence, and Shield.** These three tiers operate on the M365 tenant. They read its identity signals, govern its data, and defend its endpoints. They cannot run safely on a tenant without the baseline. A SOC cannot defend a tenant where MFA is not enforced. An AI program cannot deploy Copilot on a tenant with shadow data exposure. **02. Automate, Insight, and Construct can stand alone.** These tiers operate on Power Platform, Microsoft Fabric, and custom Azure: adjacent to but architecturally separate from the M365 tenant. A client can engage on these without Foundations active, though we recommend the foundation for governance reasons. **03. Each tier is independently buyable.** No bundling pressure. No forced sequence. You add the tier you need when you need it, remove a tier with 30 days' written notice, and scale up or down as your needs evolve. One Master Services Agreement covers the whole relationship; per-tier Statements of Work describe each tier's scope. ## Seven tiers, one stack ### The CompleteCare Stack **01. Foundations — Universal prerequisite.** Microsoft 365 Business Premium, baselined to CIS Top 18 IG1. The ongoing managed service that the rest of the stack sits on. Stack: Entra ID P1 · Intune · MDO P1 · MDE P1 · Exchange / SharePoint / Teams · Purview (BP subset). **02. Govern — Requires Foundations.** Microsoft Purview compliance program for sensitive data. Stack: Purview Information Protection · DLP · Insider Risk · eDiscovery · Audit Premium. **03. Automate.** Workflow automation via Power Platform. Stack: Power Automate · Power Apps · Copilot Studio agents. **04. Insight.** Data and analytics platform on Microsoft Fabric. Stack: Fabric · Power BI · Lakehouses · Data Factory · Synapse. **05. Construct.** Custom mission-critical applications. Stack: Azure App Service · Functions · SQL · Cosmos DB · Container Apps. **06. Intelligence — Marquee tier · Requires Foundations.** Managed AI: Microsoft 365 Copilot, agents, and the Managed Intelligence Provider platform. Stack: Microsoft 365 Copilot · Microsoft Agent 365 · Entra Agent ID · Copilot Studio · Azure AI Foundry. **07. Shield — Requires Foundations.** Advanced security: 24×7 SOC on Defender XDR and Sentinel. Stack: Defender XDR · Defender for Identity · Defender for Cloud Apps · Sentinel SIEM. **The non-negotiable.** Foundations is the universal prerequisite for Govern, Intelligence, and Shield. These operate on the M365 tenant and require the baseline. Automate, Insight, and Construct can stand alone, though we recommend Foundations for cross-cutting governance. ## How clients grow ### Start with Foundations. Add tiers as your maturity grows. Most CompleteCare clients enter at Foundations and add upper tiers over the following 12 to 24 months as regulatory exposure, AI ambition, or board pressure evolves. The path is not prescriptive, but the sequence below reflects the pattern we see most often. **01 · Stage 1 · Month 0 — Foundations.** Initial engagement. The client is on Business Premium and needs the platform deployed and managed to a defensible CIS IG1 baseline. By month 12 of Foundations, the typical client reaches IG1 alignment. **02 · Stage 2 · Month 6 to 12 — Govern.** Compliance readiness. Client has regulatory exposure (PHI, donor data, grant-funded data, student records) and needs to operationalize Microsoft Purview beyond the BP-included features. Often triggered by a major-funder compliance question, a regulatory inquiry, or a near-miss audit. **03 · Stage 3 · Month 9 to 15 — Intelligence.** Copilot and agents in production. Client is ready to deploy Copilot and agents in production. Foundations plus Govern have established the data-governance prerequisites that make AI safe. **04 · Stage 4 · Month 12 to 24 — Shield.** 24×7 security operations. Client has elevated cybersecurity exposure (regulatory, board-driven, or post-incident) that warrants the 24×7 SOC on Defender XDR and Sentinel. **+ Demand-driven · Anytime — Automate, Insight, Construct.** Engaged when a specific need arises. These tiers do not follow the maturity ladder. A manual workflow consuming staff capacity (Automate), a board report taking three weeks to assemble (Insight), an off-the-shelf SaaS product that does not fit the program model (Construct). No sequence required. ## Two ways to engage ### Managed service or Project SOW. You choose the relationship. CompleteCare is built around an ongoing managed-services relationship, but not every client wants that. Two engagement models are available across every tier. **The default — Managed service.** Recurring monthly engagement. One Service Delivery Manager owns the relationship across all tiers you hold. Weekly, monthly, and quarterly reporting built in. - Foundations: flat monthly retainer banded by user count - Upper tiers: one-time Kickoff Project plus Monthly Retainer plus optional Pods - 30 days' written notice to terminate any recurring tier - Month-to-month from day one, no 12-month lock-in **Best fit:** organizations that want IT off the to-do list permanently, that need predictable operating-expense pricing, and that benefit from continuous improvement and cross-client threat-intel propagation. **The alternative — Project SOW.** One-time scoped engagement. Defined scope, defined timeline, defined deliverables. Available for every tier in the stack. - Business Premium implementation SOW - Purview deployment SOW - Copilot rollout SOW - Sentinel SOC stand-up SOW - Custom Azure application build SOW **Best fit:** organizations not ready for a managed-services relationship, that have board-approved capital for a defined deliverable, or that have internal IT capable of running steady-state but need a specialist to stand the capability up. ## What CompleteCare actually costs, compared to the alternatives. The pricing pattern is consistent across the stack: Foundations is a flat monthly fee banded by user count; each upper tier is a one-time Kickoff Project plus an ongoing Monthly Retainer plus optional Pods. Below is the 50 to 150 BP-licensed user band, the most common starting point. | Comparison | CompleteCare | Hire an IT manager | Generic MSP | Traditional upfront SOW | |---|---|---|---|---| | Year-1 cost (50 to 150 users) | Foundations: $54,000 ($4,500/mo) plus $5K to $15K Service Initiation SOW | $90,000 to $120,000 | $60,000 to $180,000 | $50,000 to $100,000 | | Full stack at maturity | ~$150K/yr recurring plus ~$90K to $110K across Kickoff Projects over 18 to 24 months | N/A (one person, no equivalent coverage) | No equivalent: no implementation arc, no framework, no transparency | Implementation only; ongoing service is a separate contract | | What is delivered | Full 4-Phase IG1 implementation, ongoing managed services, CIS IG1 reporting, Defensible IT Dashboard | One person. No Microsoft 365 specialization. No security operations function. | Break/fix. Reactive. No framework. | Implementation only. You keep what was built. | | Contract terms | Month-to-month | Employment relationship | Typically 12 to 36 month contracts | Project terms | | Build the full team in-house | CompleteCare full stack: ~$150K/yr recurring | $400,000 to $600,000 fully loaded for IT manager, security analyst, data engineer, and AI specialist. You hire, retain, train, and manage them all. | | | > The full CompleteCare stack at maturity costs roughly one-quarter what building the equivalent team in-house would cost. ## The No-Lock-In Promise ### The structural commitment is on us. **01. Month-to-month from day one.** Every CompleteCare recurring tier is month-to-month. No 12-month contract. No 36-month auto-renewal. No early-termination fee. If a tier is not delivering value in any given month, you give **30 days' written notice** on that tier and walk away from it. This is materially different from how most managed-services providers in this category structure their work. They lock clients in because their economics depend on it. Ours do not. We built CompleteCare around delivering visible monthly value, because the structural commitment is on us, not on you. **02. One master agreement, full transparency.** One Master Services Agreement covers the whole CompleteCare relationship regardless of how many tiers you hold. Per-tier Statements of Work describe each tier's scope, deliverables, and pricing. **No hidden fees. No scope creep by default.** Your Service Delivery Manager owns the relationship across all tiers. Weekly, monthly, and quarterly reporting is standard on every managed-service engagement. You always know what we're doing and what it's producing. **03. Projects are project-term.** Project SOWs have their own milestones and terms described in each engagement document. Recurring services are month-to-month. **We earn this every month, or we do not.** If you want ongoing management after a project engagement, the managed service is still available. If you do not, the project deliverables are yours regardless. ## Who we work with ### Built for mission-driven organizations. CompleteCare is delivered to nonprofits, foundations, and rural hospitals with 50 to 1,000 Microsoft Business Premium-licensed users. Representative clients include The Asia Foundation, Silicon Valley Community Foundation, Neighborhood Legal Services of Los Angeles, the Trust for the National Mall, Children's Hospital Los Angeles, and Bonner General Health. ## Frequently asked questions about CompleteCare. **What is CompleteCare?** CompleteCare is Centered Networks' managed-services brand. It is a single umbrella with seven stackable tiers (Foundations, Govern, Automate, Insight, Construct, Intelligence, and Shield), each delivering a distinct capability area on the Microsoft 365 and Azure platform. Clients enter at Foundations and add upper tiers as their maturity, regulatory exposure, and strategic priorities evolve. **Do I have to start with Foundations?** If you want Govern, Intelligence, or Shield: yes. Those three tiers operate on the M365 tenant and require the Foundations baseline (or a documented equivalent) to be deliverable safely. If you want Automate, Insight, or Construct only: no. Those operate on Power Platform, Microsoft Fabric, and Azure respectively, and can stand alone. We still recommend Foundations for cross-cutting governance reasons. **Can I buy a one-time project instead of a managed service?** Yes. Every CompleteCare tier is available as a Project SOW: a scoped, fixed-deliverable, one-time engagement. Typical examples: a Business Premium implementation project, a Purview deployment project, a Copilot rollout project, a Sentinel SOC stand-up project, a custom Azure application build. When the project ends, you keep what we built. If you want ongoing management later, the managed service is still here. **How is CompleteCare different from a generic Microsoft-shop MSP?** Three structural differences. First, the architecture: most MSPs sell undifferentiated managed IT; CompleteCare sells seven productized tiers each addressing a distinct capability area with a named methodology. Second, the operating model: most MSPs run a reactive helpdesk; CompleteCare runs planned engineering capacity against a 30-60-90 rolling roadmap, with weekly reporting and quarterly business reviews. Third, the contract: most MSPs lock clients into 12 to 36 month agreements; CompleteCare is month-to-month from day one. **What does month-to-month actually mean? Is there a catch?** There is not a catch. The recurring monthly tiers carry no 12-month contract; you give 30 days' written notice and the tier stops. Project SOWs have their own milestones and terms specified in the engagement document. Recurring services are month-to-month; projects are project-term. **How much does CompleteCare cost?** Foundations starts at $2,500 per month for organizations with up to 50 BP-licensed users and runs to $11,000 per month for 501 to 1,000 users. Upper tiers in the 50 to 150 user band cost a Kickoff Project of $15,000 to $30,000 plus a Monthly Retainer of $1,500 to $4,000. A mature CompleteCare client (Foundations plus Govern plus Intelligence plus Shield) typically runs approximately $12,500 per month recurring plus $90,000 to $110,000 of Kickoff Projects spread across the first 18 to 24 months. See the Pricing Schedule for full bands and incremental Pod pricing. **Who is the Service Delivery Manager?** Every CompleteCare client has a CN Service Delivery Manager assigned at the account level, the operational owner across every tier the client holds. The SDM runs the monthly Roadmap Review, owns the Client Maturity Tracker, produces the Monthly Value Brief, and is the single accountable point of contact for the relationship. The SDM is what makes the stack work as one engagement rather than seven disconnected services. **What if my organization is not on Microsoft 365 Business Premium?** If you are willing to consolidate to Business Premium, we will walk that consolidation with you as part of the Foundations engagement. Microsoft 365 Business Premium is the licensing CompleteCare is architected around: Entra ID P1, Intune, MDO P1, MDE P1, the BP-included Purview subset. If you are not willing to move to Business Premium, CompleteCare is not the right fit and we will tell you that on the Discovery call. **How do I get started?** A Discovery Sprint or a 60-minute CompleteCare scoping call. The Discovery Sprint is a two-week structured engagement that produces a 90-day roadmap and identifies your right starting tier. The scoping call is a faster path: we walk through your current Microsoft 365 environment, confirm the right entry tier, and produce the initial Service Initiation SOW. Either path works. --- # Managed Microsoft 365 for Nonprofits | M365 InstantOn URL: https://www.centerednetworks.com/services/m365-instant-on.html ## Service · M365 InstantOn ## The server is gone. The discipline isn't. M365 InstantOn is the productized way to bring real operating discipline to your Microsoft 365 tenant. We deploy a CIS-certified security baseline across identity, devices, email, collaboration, and data protection in 14 calendar days, then keep it aligned with continuous drift detection, monthly uplift releases, and a Quarterly Roadmap Review. Fixed price, fixed scope, fixed timeline. Microsoft Solutions Partner · Nonprofit charity tenant authorization · CIS-certified baseline · Portability Promise. ## The activation gap ### Your Microsoft 365 license is the simple part. Operating the tenant isn't. When you ran a file server, your IT partner monitored it, patched it, hardened it, and backed it up. That server is gone. Microsoft 365 is your infrastructure now, and most nonprofits stopped getting the discipline that used to surround it. They pay Microsoft for the tenant and assume Microsoft runs it. Microsoft runs the platform. Nobody is running the tenant. Most of the nonprofits we talk to are paying for Microsoft 365 Business Standard or Microsoft 365 Business Premium, and most of those tenants are 30 to 50 percent activated. MFA is enforced on some accounts but not all. Conditional Access exists, but coverage is unclear. Devices aren't all in Microsoft Intune. SharePoint and OneDrive sharing controls sit at their defaults. There is no documented baseline, no source of truth, no audit trail. That isn't a competence problem. It's a productization problem. The Microsoft 365 surface is wide, the configuration space is enormous, and the work of activating, hardening, and continuously managing it has historically only existed as expensive custom consulting or as a black-box managed service. > M365 InstantOn is a third option. ## Why this matters now ### Four shifts that changed what it takes to run Microsoft 365. **The tenant is the new server.** When you ran a file server, your IT partner monitored it, patched it, hardened it, and backed it up. Your tenant deserves the same operating discipline. Microsoft runs the platform; your tenant is yours to run. **Identity is the new perimeter.** Your perimeter walks out the door every evening on laptops, phones, and personal devices. Conditional Access, MFA enforcement, device compliance, and session controls are the modern equivalent of a locked front door. For a 50-person nonprofit or a 17-bed hospital, the math is more urgent, not less. **AI is the new opportunity.** Microsoft 365 Copilot respects existing permissions and labels, which means a tenant with forgotten over-shares and missing labels will surface confidential HR files, donor records, or PHI to people who shouldn't see them. The opportunity is real. The data foundation has to come first. **Centralized, repeatable security is no longer optional.** Microsoft pushed more than fifty updates to Entra, Intune, and Defender alone last year. CIS recommended forty-eight changes to Windows policies in Intune in the same window. No one is going to read every release note, apply every change to your tenant by hand, and remember to do it again next month. The work has to be centralized, baselined, and repeatable, or it doesn't get done. ## How it works ### The InstantOn Method: two parts, one outcome. A 14-day productized Launch, then a continuously managed lifecycle. Both ringed for safety. Both built on a CIS-certified baseline. Both designed for organizations that need real operating discipline without the cost of building it themselves. ### Part one · Activation — M365 InstantOn Launch **$10,000 one-time fixed fee.** A 14-day productized Launch against a pre-built, CIS-certified baseline tuned to your license mix: Microsoft 365 Business Premium, E3, or E5. Every change is staged in a documented change ticket with a named approver, deployed inside an approved change window, and snapshotted automatically. Every deployment rings out from Pilot (2 to 3 named users) to Canary (a representative cross-functional slice) to Broad (everyone else), report-only first wherever Microsoft supports it. **What you get in 14 days:** - A CIS-certified security baseline deployed across Microsoft Entra ID, Microsoft Intune, Microsoft Defender for Business and Office 365, Exchange Online Protection, SharePoint, OneDrive, Microsoft Teams, and Microsoft Purview - MFA enforced across all accounts, with Conditional Access tuned to your sign-in patterns - Microsoft Intune enrollment and compliance baselines for Windows, with macOS, iOS, and Android supported where licensing applies - Microsoft Defender for Office 365 Safe Links, Safe Attachments, anti-phishing, and mailbox auditing - SharePoint and OneDrive sharing guardrails, with Teams safety defaults - Starter Microsoft Purview sensitivity labels and DLP in audit-first mode - A pre-change snapshot and rollback path for every deployed policy - The Tenant Audit Report v1, a branded section-by-section view covering Licensing, Secure Score, User Accounts, Administrative Roles, Conditional Access, Entra ID, Exchange Online, SharePoint, OneDrive, and Teams - The Cyber Insurance Evidence Pack v1 - The Copilot Pre-Wire Checklist - A Day-30 KPI Report: Secure Score lift, Conditional Access coverage, device compliance **What the baseline targets.** A Secure Score lift in the 20-to-30-point range during the first 30 days, Conditional Access coverage above 95 percent of sign-ins, and device compliance above 90 percent of managed devices by Day 30. Pre-validated against your license mix at kickoff. ### Part two · Lifecycle — M365 InstantOn Managed **$1,000 per month, 12-month minimum.** Continuous lifecycle management for a tenant that has already been baselined: continuous drift detection, a monthly uplift release, and quarterly executive briefings. Month-to-month after the first year, 30 days' written notice to cancel. **What you get every month:** - Continuous drift detection across identity, devices, email, sharing, and data policies; daily drift reports surfaced as tickets in our service desk with named owner and triage path - Daily automated baseline snapshots; approved rollback to last-known-good completed within 4 business hours, often inside one - A monthly uplift release that packages Microsoft's safety updates into a controlled adoption path your team reviews and approves - Reviewed change management: every change to your baseline staged in a change ticket with a named approver and an approved change window - A monthly Tenant Audit Report excerpt, board-ready and free of jargon - A quarterly 60-minute Roadmap Review with your Executive Director or Chief Operating Officer - Microsoft Roadmap Watch: a heads-up before Microsoft changes land - A direct Admin Q&A Channel for your IT lead, one-business-day response standard - An annual baseline refresh suitable for cyber insurance and audit - The Portability Promise, in force every day of the engagement **What your team commits.** During the 14-day Launch, your IT or operations lead invests approximately 2 hours per week (about 4 hours total) reviewing the baseline, attending the Pilot kickoff, approving the Broad cutover, and joining the Day-14 walkthrough. During Managed, about 30 minutes per month, plus the quarterly 60-minute Roadmap Review and the annual baseline refresh session. The clean offer is the pair: **$22,000 in Year One**, then **$12,000 per year** ongoing. A 12-month minimum on Managed, month-to-month after that with 30 days' written notice to cancel. The Portability Promise stays in force regardless. **For Critical Access Hospitals and clinical facilities.** For 17-bed Critical Access Hospitals, Federally Qualified Health Centers, and rural community health centers, we operate a purpose-built variant: the **M365 InstantOn Critical Access Hospital Edition** at $15,000 Launch plus $2,500 per month Managed. It carries the Bedside-Safe Migration Method, the Continuity Promise, the Joint Commission Email Posture Memo, and the Grant-Documentation Pack as standard deliverables. ## Two editions ### One method, two editions. Priced for the risk. The same operating discipline, tuned for two different risk profiles. The Standard edition is engineered for non-clinical nonprofits and community-serving organizations where a recovery takes a weekend. The Critical Access Hospital Edition is engineered for clinical facilities where a recovery takes patient care. **Standard — $10,000 Launch + $1,000 per month Managed.** - Built for: Nonprofits with 50 to 500 staff and annual budgets between $5M and $50M. Non-healthcare or healthcare-adjacent without acute clinical risk. - Methodology: The InstantOn Method (Pilot, Canary, Broad rings across 14 calendar days). - Carried guarantees: 14-Day Launch Promise, Continuity Promise, Portability Promise. - Standard deliverables: CIS-certified security baseline, Cyber Insurance Evidence Pack, Board-Ready Outcome Brief, Copilot Pre-Wire Checklist, Tenant Audit Report (quarterly cadence). **Critical Access Hospital Edition — $15,000 Launch + $2,500 per month Managed.** - Built for: Critical Access Hospitals (under 25 beds), Federally Qualified Health Centers, rural community health centers, and any clinical facility where a help-desk surge could affect patient care. - Methodology: The Bedside-Safe Migration Method (clinical-calendar-aware cutover, no deployments during code-stroke windows, shift handoff, or known admissions peaks; 14 calendar days). - Carried guarantees: 14-Day Bedside-Safe Promise, Continuity Promise (clinical scope: six-month engagement extension at no charge if a clinically-significant outage is traceable to our configuration), Portability Promise. - Standard deliverables: Everything in Standard, plus BAA executed before kickoff, Clinical secondary escalation contact on the rollout schedule, HHS 405(d) alignment built into the baseline, **Joint Commission Email Posture Memo** as a standard deliverable, **Grant-Documentation Pack** for HRSA, USDA Rural Development, and state rural health grant cycles. ## Risk reversal ### Three guarantees. None of them cosmetic. We stack them because nonprofit operations and IT leads carry three distinct fears: during the activation, after it, and about the relationship itself. Each guarantee names the remedy in dollars or in time. **01. The 14-Day Launch Promise.** If Launch isn't complete in 14 calendar days of signed kickoff, your first month of Managed is free, a **$1,000 credit** on the Standard track. If it isn't complete in 21 days, the first month of Managed is free and we also waive **$2,500** of the Launch fee. We can stand behind this because the Launch is productized. We don't design from scratch on your time. Pilot Day 2 to 3, Canary Day 6 to 9, Broad Day 10 to 12, Validation and handoff Day 13 to 14. The Day-30 KPI Report follows. The CAH Edition carries the equivalent 14-Day Bedside-Safe Promise, with clinical-continuity remedies if any single clinical workflow disruption is caused by our work during cutover. **02. The Continuity Promise.** During Managed, if a drift event traces back to our configuration and goes undetected past the daily drift report, **the affected month is credited**. If it causes a security incident, we extend the engagement six months at no charge and bring in a senior engineer to re-baseline the affected area. The Critical Access Hospital Edition extends this promise to clinical continuity: a six-month extension at no charge if a clinically-significant outage is traceable to our configuration in the first 12 months. Continuous drift detection runs every day across identity, devices, email, sharing, and data policies. Drift events surface as tickets in our service desk with a named owner inside 24 hours, not as findings in a dashboard nobody opens. Approved rollback to last-known-good completes within 4 business hours, often inside one. **03. The Portability Promise.** Nothing about your baseline is locked inside a proprietary box. On request, at any time, we deliver a **portable export of your baseline configuration**, every **runbook in Markdown** that you own forever, your **change history**, and a **documented offboarding path** including rollback artifacts and an offboarding walkthrough. **No offboarding fee. No data hostage.** The Portability Promise is structural, not aspirational. The artifacts you keep are not proprietary scripts in a language no one else uses; they are documented configuration baselines and operational runbooks that any competent Microsoft Partner can read and continue from. The unlock isn't that we're nice. The unlock is that the design has no lock-in to engineer out of. ## Built for nonprofits with 50 to 500 staff. **This is built for you if:** - You're a 501(c)(3) with 50 to 500 staff and an annual budget between $5M and $50M - You're on Microsoft 365 Business Standard, Business Premium, E3, or E5 - You want a documented baseline you can hand to your IT lead, your board, your auditor, and your cyber insurance underwriter - Leadership is asking about Microsoft 365 Copilot, and you want the answer to be "yes, the tenant is ready" - You'd rather pay a fixed fee than negotiate every change **This isn't a fit if:** - Your nonprofit has fewer than 50 staff; the per-tenant economics don't work, though we're glad to make a referral - You have more than 1,000 staff; that's a different procurement cycle and we can point you toward scoped enterprise alternatives - You won't move to Microsoft 365 Business Premium licensing, which the Microsoft Defender and Microsoft Intune baseline depends on - You want a set-it-and-forget-it engagement with no ongoing accountability; Managed is built for active partnership ## In practice ### What this looks like in practice. **Human services, 50 to 150 staff.** Inherited a tenant with MFA on roughly 60 percent of accounts, Conditional Access partially configured, and no Microsoft Intune. Launch completed in 11 days. Secure Score moved into the high seventies over the first 30 days; Conditional Access coverage settled above 95 percent of sign-ins; device compliance reached 92 percent by Day 30. The Operations Director reported recovering 4 to 6 hours a week within the first month. > "We had been quoted this work three times by three different MSPs. Every quote came back over $40,000, with a six-month timeline and a managed-services tail we couldn't escape. This was the opposite of all of that." — Operations Director (Representative client profile) **Faith-based organization, 200 to 400 staff.** Multi-site, mixed device fleet, legacy authentication still enabled in two departments. Launch completed in 13 days with a five-day Pilot validation in the IT department before the broader rollout. Zero help-desk surge on cutover day. The IT Director used the Cyber Insurance Evidence Pack to negotiate a premium reduction at the next renewal; the exact figure depends on carrier and starting posture. > "The Portability Promise was the unlock. Every prior MSP wanted us inside their platform. Centered handed us a documented baseline and a runbook set, and told us we owned them." — IT Director (Representative client profile) **Arts and cultural organization, 75 to 125 staff.** Came in through the Readiness Assessment, which confirmed that Microsoft 365 Business Standard was leaving security capabilities on the table. We co-developed the business case for a Business Premium uplift, then ran Launch. They are now nine months into Managed, with quarterly Roadmap Reviews anchored on the Tenant Audit Report. > "What I appreciated most was that we never felt sold to. Every conversation was about what the organization needed, not what they were trying to upsell." — Executive Director (Representative client profile) The numbers above are what the baseline targets in similarly licensed environments, not guaranteed averages. Your starting posture, your license mix, and your governance maturity will move the dial up or down. We pre-validate the target range at kickoff. ## How M365 InstantOn compares. The same operating discipline, priced and delivered three different ways. | Comparison | M365 InstantOn | National MSP retainer | In-house Microsoft engineer | |---|---|---|---| | Year One total | $22,000 | $60,000 to $120,000 | $140,000 to $180,000 | | Pricing model | Productized, fixed | Hourly or custom retainer | Fully loaded salary | | Timeline to baseline | 14 calendar days | 60 to 120 days | 90 to 180 days | | Configuration ownership | You own your baseline configuration and runbooks (Portability Promise) | The MSP's platform | Yours, but undocumented | | Drift detection | Continuous; daily drift reports; tickets in our service desk inside 24 hours | Variable, often manual | Whatever the engineer prioritizes | | Nonprofit specialization | Built for nonprofits with 50 to 500 staff | Generic SMB or enterprise | Depends on the hire | | Exit cost | None. Portability Promise applies. | Often substantial; lock-in is common. | Recruiting and re-hiring cost. | ## Copilot readiness ### Copilot ready, not Copilot exposed. Microsoft 365 Copilot respects the permissions and labels already in your tenant. That sounds reassuring until you consider what most tenants actually look like underneath: forgotten over-shares, missing sensitivity labels, retention policies set to defaults, project sites from three years ago with the original membership still attached. Copilot will use exactly the permissions you've already set. That's the good news. It's also the bad news. The platform we operate on is the only multi-tenant approach to Microsoft Purview in the MSP space. That matters because Purview is the data-governance foundation Copilot needs: DLP policies, sensitivity labels, and retention policies, deployed and maintained at the baseline level. Without it, Copilot is decorating the house before the foundation is built. **What InstantOn deploys before Copilot is safe to turn on:** - **Microsoft Purview foundation:** DLP rules in audit-first mode with built-in sensitive-info classifiers, starter sensitivity labels, retention policies aligned to your records-retention posture - **The Copilot Readiness Assessment:** a four-dimension score covering M365 adoption, security, technical readiness, and data governance, with a prioritized remediation list - **The Copilot Pre-Wire Checklist:** the specific controls Copilot relies on, documented so your IT lead can verify readiness in one sitting - **Ongoing shadow-AI visibility:** per-user Copilot adoption, dormant-license detection so you can reassign seats, and visibility into other AI sessions across the tenant > When leadership asks "are we ready for Copilot?", the answer is yes, not "let me check." ## Cyber insurance ### Your cyber insurance evidence pack pays its way. At renewal, underwriters now ask nonprofits for MFA coverage percentages, Conditional Access deployment evidence, device compliance documentation, and audit logging proof. Most nonprofits we talk to don't have any of this packaged into evidence an underwriter can actually read. The **Cyber Insurance Evidence Pack** is included as a Launch deliverable and refreshed annually with Managed. It packages your Conditional Access coverage report, MFA enforcement evidence, device compliance posture, audit logging proof, and baseline configuration history into the format underwriters expect. Clients have used the Pack to negotiate premium reductions at renewal; the magnitude varies by carrier, broker, and starting posture. For most nonprofits, even a modest reduction at first renewal recovers a meaningful share of the annual Managed fee. ## A lower-commitment start ### Start with a Readiness Assessment. Not ready to commit to a Launch? A fixed-fee Readiness Assessment is the lower-commitment way in. **What the $1,950 assessment delivers:** - A current-state review across identity, endpoints, email, collaboration, and data protection - A gap heatmap against the M365 InstantOn baseline and your choice of framework lens (CIS Controls v8, HIPAA Security Rule administrative and technical safeguards, NIST CSF, or Essential 8) - A license alignment review that often surfaces $5,000 to $30,000 a year of underused or mismatched licensing - Your top risks and quick wins - A recommended Pilot scope - A budgetary roadmap Sign a Launch within 30 days and the full $1,950 credits to the Launch fee. You keep the assessment either way. ## Frequently asked questions about M365 InstantOn. **What happens to our current MSP?** You decide. M365 InstantOn operates the Microsoft 365 layer specifically: identity, devices, email, collaboration, and data protection. If your current MSP handles help desk, hardware, network, or other infrastructure, they can keep doing that. We coexist regularly. If your MSP currently does some Microsoft 365 work, we'll work with you on a clean handoff so nothing falls through the cracks. **We're already paying for Microsoft 365. Why is this a separate cost?** Microsoft 365 licensing gives you the capability. Operating discipline gives you the outcome. Microsoft doesn't tune Conditional Access for your environment, configure Microsoft Intune for your device fleet, deploy Microsoft Purview labels for your data, watch for drift, or document the baseline. That continuous work is what M365 InstantOn is. The license is a prerequisite, not a substitute. **What if we want to leave after 12 months?** You give 30 days' written notice and cancel. We do an offboarding walkthrough to make sure the handoff is clean. Under the Portability Promise, you keep a portable export of your baseline configuration, every runbook in Markdown, your change history, and a documented rollback path. No offboarding fee. No data hostage. Any competent Microsoft Partner can pick up where we left off, or your own team can. **What's the actual tech backbone? Is this Microsoft365DSC?** We operate your baseline on a purpose-built, CIS-certified, MSP-grade multi-tenant policy management platform. It's the same class of operational tooling used by Microsoft's 2024 Partner of the Year, and it gives our team single-pane visibility into your tenant's policy state, daily drift detection across identity, device, email, sharing, and data layers, automated baseline snapshots with a documented rollback path, and branded customer-facing reporting. You don't manage the platform; we do. Your baseline is exportable and portable under the Portability Promise. **Is M365 InstantOn aligned to HIPAA, CJIS, or state-specific frameworks?** The baseline ships with mappings to CIS Controls v8, HIPAA Security Rule administrative and technical safeguards, HHS 405(d), NIST CSF, Essential 8, and CMMC. We provide a Business Associate Agreement for healthcare-adjacent work on request. The Critical Access Hospital Edition adds clinical-continuity engineering and a Joint Commission Email Posture Memo. For Criminal Justice Information Services, state-specific frameworks, or other regulated-data scenarios, we'll discuss scope on the fit call. We won't take an engagement we can't deliver against. **We've been burned by an MSP before. Why is this different?** Three things make this materially different from a generic MSP engagement. First, the Portability Promise: your baseline configuration, runbooks, and change history are yours from Day 1, with a documented offboarding path. There is nothing for us to lock you into. Second, productized delivery: fixed scope, fixed timeline, fixed price, ringed rollout. Third, the stacked guarantees: the 14-Day Launch Promise, the Continuity Promise, and the Portability Promise all carry concrete remedies if we miss. We put our delivery economics on the same side of the table as your outcomes. **Can we see what the monthly reporting looks like?** Yes. Email us and we'll send a sample Tenant Audit Report with anonymized data. Or, if you want to see it against your own tenant context, the Readiness Assessment includes a sample report based on your environment. **How do you handle exceptions to the standard baseline?** Every tenant has exceptions: a service account that can't carry MFA, a vendor app that needs sharing relaxed, a regulated workflow that requires custom DLP. We capture every exception in the exception log, apply it through reviewed change management with a named approver and an approved change window, and review the exception list quarterly. Heavy exception handling outside the standard baseline may scope up, and we'll flag that on the fit call. **What if our IT lead leaves during Managed?** The operating model survives them. That's the point of a documented baseline, a runbook set, and a quarterly Roadmap Review cadence. Onboarding a new IT lead is a two-hour walkthrough of the baseline and the Tenant Audit Report, not a six-month archaeology project. We do that walkthrough with you when the time comes. **Do you do Microsoft 365 migrations from Google Workspace or on-premises Exchange?** Migration is scoped separately. M365 InstantOn is built for organizations already on Microsoft 365 that need the tenant operated with real discipline. If you're migrating into Microsoft 365 from another platform, talk to us on the fit call. We may bundle the migration into Launch or scope it as a separate prior engagement, depending on complexity. **What's the capacity for Launch engagements?** We accept four net-new Launch engagements per quarter on the Standard track, and two on the Critical Access Hospital Edition. That's the operational ceiling for our delivery team while honoring the 14-Day Launch Promise. When a quarter fills, the next quarter opens for booking. No urgency theater: real deadlines are urgency enough. ## Microsoft alignment ### A Microsoft Solutions Partner for Modern Work and Security. M365 InstantOn sits squarely in the Modern Work designation: identity, productivity, and collaboration as a single, governed stack. The Security designation matters here because Microsoft Defender, Microsoft Entra ID Conditional Access, and Microsoft Purview are the foundation of every InstantOn engagement. Centered Networks holds both designations. - Microsoft Solutions Partner for Modern Work - Microsoft Solutions Partner for Security - Nonprofit charity tenant authorization - CIS-certified baseline - HIPAA BAA available on request - 501(c)(3) verification required --- # Anthropic and OpenAI launched AI services firms. Mission-driven organizations need a different kind of partner. URL: https://www.centerednetworks.com/blog/anthropic-openai-mip-validation.html ## Perspective ## Anthropic and OpenAI launched AI services firms. Mission-driven organizations need a different kind of partner. In the past three weeks, the two largest AI labs in the world have launched standalone enterprise services firms. The pattern matters. So does the gap they're leaving open. Published: May 22, 2026. Reading time: 5 min. Author: Centered Networks. On May 4, 2026, Anthropic announced a partnership with Blackstone, Hellman & Friedman, and Goldman Sachs to form a $1.5 billion AI-native services firm—backed by a consortium that also includes General Atlantic, Apollo Global Management, Sequoia Capital, Leonard Green, and GIC. One week later, on May 11, OpenAI launched its own Deployment Company, seeded with $4 billion from TPG and nineteen other investors including Advent, Bain Capital, and Brookfield. OpenAI simultaneously acquired Tomoro, the AI consulting firm, and absorbed its roughly 150 engineers into the new entity. Both firms are running the same playbook: send technical teams into operating businesses, identify the highest-ROI AI use cases, build production deployments around one or two priority workflows, and then stay embedded to maintain and expand. This is the model Palantir invented and called "Forward Deployed Engineers." Anthropic and OpenAI just industrialized it for the model-vendor era. There are three things to understand about what this means for mission-driven organizations. ## The AI labs are validating the same thesis The largest AI companies in the world have now spent more than $5.5 billion in three weeks saying—out loud, with their balance sheets behind it—that the future of enterprise AI is not in licenses or APIs or self-serve adoption. It is in embedded delivery teams that live inside operating businesses, redesign workflows around agents, and stay long enough to make the deployments actually work. This is the conclusion most experienced AI leaders have already reached privately: models alone aren't the bottleneck. The bottleneck is operational integration. Organizations that have tried to roll out Microsoft 365 Copilot, Claude, or GPT on their own have learned that "buy the license, ship the URL, train the team" is not a strategy. Real deployment requires governance, workflow redesign, change management, agent lifecycle operations, and ongoing optimization that the model vendor cannot deliver and the in-house IT team usually cannot either. Anthropic and OpenAI are now putting institutional capital behind that thesis. That's category validation at scale, and it should change how every mission-driven board thinks about its AI plan. ## Neither firm is going to serve mission-driven organizations Read the targeting language carefully. Anthropic's firm is explicitly aimed at "community banks, mid-sized manufacturers, and regional health systems." OpenAI's is targeting general mid-market enterprise. Both are positioned below the Accenture and Deloitte tier—the segment large systems integrators have chronically underserved. But "mid-market" still means something specific in this context. It means companies that can absorb $250,000 to $2 million in AI services spend. It means regional health *systems*, not 25-bed Critical Access Hospitals. It means community *banks*, not 40-person community development organizations. It means manufacturers running enterprise ERP, not 200-person foundations with three IT staff and a HIPAA Business Associate Agreement on every vendor. Mission-driven organizations—nonprofits, foundations, and rural hospitals—operate at a different scale, with different economics, on a different stack, with different governance constraints. They need exactly the kind of forward-deployed partner Anthropic and OpenAI are bringing to mid-market. They will not get it from these firms. The unit economics don't work. > That gap is the most important thing in this story. It isn't a market failure. It's a market opening. ## The MIP model is built for the gap The Managed Services Provider industry has been talking about this evolution for over a year. **Pax8, Inforcer, and a growing chorus of MSP industry analysts** have been making the same point: the MSP category that defined IT for the last twenty years is ending. What replaces it is the **Managed Intelligence Provider**—an MSP whose primary job is to deploy, govern, and continuously operate AI inside client organizations. Not break-fix. Not patch-and-monitor. Managed intelligence. The "M" in MIP is what separates this from what Anthropic's and OpenAI's firms are doing. Their model is project-led: assess, deploy, maintain at arm's length. The MIP model adds something the model-vendor firms don't: **ongoing operations as a core deliverable, not a tail engagement.** Agents need lifecycle management. Tokens need cost monitoring. Governance posture needs to evolve as the underlying models change. Drift needs to be detected and corrected. Compliance needs continuous attestation. None of that fits inside a project SOW. It fits inside a managed-services relationship—billed monthly, governed quarterly, owned by a delivery manager with skin in the game. For mission-driven organizations that lack the in-house AI talent to run governed AI on their own—which is most of them—the MIP model is what makes AI sustainable past the initial demo. It is also the only model that matches their procurement reality: predictable monthly costs, no surprise consulting invoices, and the structural ability to walk away if the relationship isn't delivering. ## What this means for foundations, nonprofits, and rural hospitals Three things, concretely. First, the AI conversation in your organization is no longer optional. Anthropic's and OpenAI's announcements are visible to your funders, your peer organizations, and increasingly your own board. Within the next twelve months, you will be asked what your AI plan is. The cost of having no answer is moving from reputational to material. Second, the right partner for you is not the same partner serving community banks and regional health systems. You need an MIP built for your scale, your stack, your governance posture, your sector vocabulary, and your funding model. The economics of the firms Anthropic and OpenAI just launched do not bend down to mission-driven scale, and pretending otherwise wastes time and budget. Third, the work itself has a beginning, a middle, and an end—and then it transitions to a managed relationship. It starts with a real diagnostic, not a sales call. It moves to a meaningful first deployment, usually a single production agent against a high-value workflow. It scales to a multi-agent governance posture on the Microsoft platform you already pay for. And then it transitions into ongoing managed operations, where the AI keeps working, keeps improving, and keeps your governance defensible quarter over quarter. That ladder is what we have built. The **Centered AI Practice** is a four-stage productized engagement for mission-driven organizations adopting Microsoft 365 Copilot and agents—from a two-week Shadow AI Diagnostic to ongoing Managed AgentOps. The pricing is published. The Promises are structural. The Microsoft alignment is verified across five Solutions Partner designations including Data & AI. The major AI labs just told the market that the future of enterprise AI is forward-deployed and managed. The MSP industry analysts at Pax8 and Inforcer have already named what that looks like for organizations that don't fit the mid-market profile. We agree with both of them, and we have built the MIP for the sector neither of them is coming to serve. --- # Before you enable Copilot: seven questions every mission-driven board should answer first. URL: https://www.centerednetworks.com/blog/before-you-enable-copilot.html ## Field note ## Before you enable Copilot: seven questions every mission-driven board should answer first. A Copilot rollout fails or succeeds in the seven decisions made before the license switch flips. None of them are about Copilot itself. Published: May 22, 2026. Reading time: 6 min. Author: Centered Networks. Every Microsoft 365 Copilot rollout we have seen go badly in a mission-driven organization went badly in a predictable way. It was almost never about the model, the prompt design, or the user interface. It was about seven decisions that should have been made before the license was assigned and were either skipped, delegated, or assumed. This is the checklist we work through during the first week of every Discovery Sprint. Most boards we present it to have not been asked these questions before. Almost none can answer all seven on day one. That is the gap the work closes. ### 01 — Where is your sensitive data, and who can see it today? Copilot indexes everything a user already has access to. That is the design. If your SharePoint sites have years of accumulated oversharing—board minutes in a Communications folder, donor lists in a shared drive, HR files in a department site that grew open permissions over a decade—Copilot will surface every one of them on demand. The week after deployment, a staff member will ask Copilot "what does the board think about Program X" and get back a synthesis of three sets of minutes nobody knew were readable. The remediation work happens before Copilot is enabled, not after. A real Copilot readiness program starts with a SharePoint and OneDrive permissions audit, an oversharing report, and a documented remediation plan. This is unglamorous, and it is non-optional. ### 02 — Do you have a Microsoft Purview sensitivity-label scheme—and is it applied? Sensitivity labels are how you tell Copilot what to treat as confidential. Without them, Copilot has no signal that "Donor Reconciliation Q4" is more sensitive than the office holiday party flyer. The label scheme needs to be defined (typically four to six labels, mapped to your data classes), applied (manually at first, then via auto-labeling policies), and policy-bound (encryption, watermarking, export restrictions where appropriate). Most foundations and nonprofits we work with have a labeling scheme that exists in policy but does not exist on documents. Copilot will not invent the labels. If they aren't applied, they aren't enforced. ### 03 — Is conditional access enforced on the accounts that will use Copilot? A Copilot license on an unmanaged personal device with no multi-factor authentication is a license to leak. Conditional access policies in Microsoft Entra are what turn "this person has a Copilot license" into "this person can use Copilot from a compliant device, with MFA, from a known location, with session controls." Most of the controls are already paid for in your Microsoft 365 Business Premium or E3/E5 licensing—they just are not turned on. The honest test: can a staff member with a Copilot license open Copilot Chat from their personal phone on hotel Wi-Fi, with no MFA prompt, and ask it to summarize a board document? If yes, you have an identity problem, not a Copilot problem. ### 04 — Do you have a real responsible-AI policy, or do you have a one-pager? Most boards have approved an AI policy in the last twelve months. In our experience, eight out of ten of those policies are a one-page document copied from a sector template, approved without amendment, and filed. That document will not survive contact with deployment. A real responsible-AI policy names specific permitted use cases (Copilot for drafting board communications, yes; Copilot for grant decisions, no), specific prohibited uses (no personally identifiable information of unrelated parties, no protected health information in unmanaged prompts), an escalation path (who decides on edge cases), and a review cadence (the policy will be wrong within six months and you need a way to update it). The policy is the boundary inside which the AI operates. If it is vague, the operation will be vague. > The policy is the boundary inside which the AI operates. If it is vague, the operation will be vague. ### 05 — Have you trained the staff on what Copilot will and won't do? The single largest category of "Copilot disappointed us" feedback comes from staff who expected ChatGPT and got a tool grounded in their organization's data. Copilot will refuse questions ChatGPT will answer. Copilot will produce citations to documents the user has access to, and the citations will sometimes be wrong. Copilot will summarize a document and miss the most important clause. These are not failures—they are characteristics of a grounded enterprise AI tool. The staff need to know that going in. Training is part of the deployment, not a follow-up project. Plan for two formal sessions: a one-hour "what Copilot is and isn't" overview for all licensed users, and a deeper "use cases that work in your role" workshop by team or function. The single best investment in a Copilot rollout is the time the staff spend learning what to ask it. ### 06 — Who owns the prompt-and-output review loop? Copilot will produce outputs that need a human in the loop. A grant summary that misstates the eligibility criteria. A donor brief that miscites a giving total. A board-facing memo that compresses a nuanced position into a misleading single sentence. The model will be confidently wrong, occasionally, in exactly the cases that matter most. That is not a Copilot problem—it is a workflow design problem, and the design has to name a human owner. Usually this is the role of the Communications lead, the COO, or in smaller organizations the Executive Director. Whoever it is, they need to know that AI-assisted outputs going to the board, to a funder, or to a regulator pass through their desk first. The accountability does not move just because the first draft did. ### 07 — Do you have a kill switch—and do you know how to use it? If a Copilot agent starts exposing data it should not, or a custom Copilot Studio agent built on top of your tenant starts producing outputs you cannot defend, can you disable it within five minutes? Can your IT lead do it, or does the answer involve a call to a vendor and a four-hour SLA? The kill switch exists in Microsoft 365 admin, but it is not always wired into your organization's incident response. This is the question that turns Copilot from a technology procurement into a governance posture. The board does not need to know how to flip the switch. The board does need to know that the switch exists, that a named person can operate it on a defined timeline, and that the policy condition that triggers it is written down before something goes wrong. --- The good news is that none of these are theoretical. The seven questions map directly to capability areas of the CompleteCare platform—Foundations and Govern handle questions one through four, Shield handles seven, the AI Practice handles five and six—and they are the same seven we work through during a Discovery Sprint. The bad news is that almost no organization gets all seven right on day one. The work is real, the timeline is two to four weeks for most mid-sized nonprofits and foundations, and the cost of skipping it is paid in a slow drip of data exposure, staff frustration, and board confidence loss that takes longer to repair than the deployment took in the first place. The Managed Intelligence Provider model exists because these seven questions cannot be answered by the model vendor and usually cannot be answered by the in-house IT team alone. They are an interdisciplinary problem—data, identity, policy, training, governance, incident response—and they reward a partner who has seen the same patterns in dozens of organizations and can shortcut the path from question to defensible answer. That is what the MIP does. If you are about to enable Copilot, do not press the button until you have a written answer to each of the seven. If you do not have written answers, the work to get them is short, scoped, and worth more than the Copilot rollout it precedes. --- # Shadow AI is already in your organization. The question is what to do about it. URL: https://www.centerednetworks.com/blog/shadow-ai-is-already-here.html ## Field note ## Shadow AI is already in your organization. The question is what to do about it. Boards keep treating shadow AI as a future risk. It is a present condition. Here is what the staff are actually doing—and the governed response that works. Published: May 22, 2026. Reading time: 7 min. Author: Centered Networks. Most boards we talk to treat shadow AI as a future risk—a thing to put on the agenda next quarter, once the policy refresh is done and the IT roadmap is updated. It is not a future risk. It is a present condition. The question is not whether the staff are already using ChatGPT, Claude, and Gemini outside the organization's governance. They are, today, in nearly every nonprofit, foundation, and rural hospital we engage with. The only variable is the volume. The interesting question is what you do about it once you know. The instinct to ban it does not work. The instinct to ignore it does not work either. The response that does work is more boring than either, and it begins with admitting that the staff are not waiting for the policy. They have already adopted the tools, made the data exposure, and formed habits the policy has not yet named. The work is catching up to where the organization already is. ## What shadow AI actually looks like inside a 200-person foundation These are not hypothetical scenarios. They are present-tense field observations from the past twelve months of Discovery Sprints inside mission-driven organizations. A development associate is drafting donor briefs in ChatGPT on a personal account. Donor names, giving history, and prior conversation notes—pasted into a tool whose default setting on a free-tier consumer account still permits prompt content to inform model behavior. The associate does not know about the toggle. Nobody told them. The briefs are excellent, and the executive director compliments the turnaround. A program officer is using Claude.ai to summarize a stack of confidential grant reviews before a recommendation meeting. The reviews contain reviewer names, candid assessments of grantee leadership, and dollar figures that have not been disclosed externally. The summaries save four hours of reading. The program officer is delighted. The compliance officer has not been asked. A communications lead is running every board email through Gemini for "tone polish" before it goes to the chair. The emails include strategic positioning, draft language about a planned reorganization, and one paragraph about a senior staff personnel issue. The lead is using a personal Google account because the work Google Workspace tenant does not have Gemini turned on for staff. A finance assistant has uploaded the full operating budget spreadsheet—line items, salary bands, restricted-fund allocations—into a consumer AI tool to "ask questions about it" in plain English. The questions are good ones. The audit trail is non-existent. Six months from now, when the assistant takes a job at a peer foundation, the prompt history goes with them. Each of these staff members is doing what every productivity blog and LinkedIn thought-leader told them to do this year. They are using the best tool available for the job. The organization has not given them a better one. So they used the one they had. ## The three failure modes we see most often ### 01 — Data exposure through personal accounts. When a staff member uses an AI tool on a personal account, the organization has no audit trail and no termination control. There is no log of what was uploaded, no policy enforcement on what could be uploaded, and no way to revoke access when the person leaves. Their prompt history—which may contain donor lists, grant decisions, board memos, or HR notes—leaves with them. It sits in a personal account, indefinitely, accessible to whoever inherits that login. The organization cannot delete it because the organization cannot see it. This is the failure mode that gets named in incident reports a year after the fact, after a former employee's email is breached and the breach forensics reveal a prompt history that should never have left the building. ### 02 — Inadvertent training-data contribution. Most consumer AI tools have, at various points over the past two years, defaulted to using prompt content to inform model behavior. The defaults have improved—most providers now offer enterprise tiers that contractually exclude prompts from training, and the consumer defaults are clearer than they were. But the audit risk is unchanged: nobody in your organization can prove, on which date, with which tool, on which staff account, the opt-out toggle was set. That uncertainty is the exposure. A funder asking pointed questions about data handling will not accept "we think most of our staff probably opted out." The defensible position is not "we trust the vendor's default." The defensible position is "the tools our staff use are tenant-bound and contractually scoped, and we can produce the documentation." ### 03 — Strategy and reasoning leakage. The data itself is not always the most sensitive part of a prompt. The reasoning is. When a program officer types "we are considering pulling funding from Program X because the leadership transition has not gone well and we are losing confidence in the executive director," the most sensitive content is not the program name—it is the deliberative process behind the funding decision. That kind of strategic reasoning is the substance of foundation work, and it gets typed into ungoverned tools every day, in every organization we audit. The thinking is what makes a foundation a foundation. Outsourcing the thinking to an ungoverned tool means outsourcing the thinking trail to an ungoverned tool. That is a posture no general counsel would sign off on if they were asked. They are not being asked, because the prompts are happening on personal devices, on personal accounts, at home, after hours. ## Why "ban it" doesn't work The reflexive board response to shadow AI is a blanket prohibition. We have watched this fail inside mid-sized foundations within ninety days of the policy memo. The pattern is consistent. First, the policy goes out. Second, staff productivity drops measurably—not catastrophically, but the work product the board got used to in the prior six months is no longer arriving on the same schedule. Third, the staff who were the heaviest users quietly resume using the tools on personal devices, off-network, during off-hours. The ban displaces the usage; it does not end it. The ban becomes a paper tiger. IT cannot enforce it on personal devices and home networks. HR cannot enforce it without surveillance that no mission-driven organization will tolerate. The legal exposure increases, because the policy now says one thing while the practice does another—and the gap between policy and practice is exactly what a funder, a regulator, or a litigant will want to surface in discovery. ## Why "ignore it" doesn't work either The opposite instinct—wait until the dust settles, see how the market matures, address it next year—is materially more dangerous than it looks. The compliance and reputational exposure compounds with every quarter of unmanaged usage. The first funder due-diligence questionnaire that asks, "Describe your AI governance posture and the controls your organization has implemented for staff use of generative AI," is going to land in an inbox without warning. The organization that cannot answer that question loses ground in the conversation that follows, and the conversation that follows is increasingly the one that determines whether the renewal gets signed. The reputational version is worse. A single Form 990 attachment, audit finding, or local-press story about sensitive data being exposed through ungoverned AI usage will outlast the response. The board's preferred posture—"we are watching the space carefully"—is not a defense when the question becomes "and what controls did you have in place?" The right time to put controls in place was a year ago. The second-best time is now, before the question arrives. > The choice isn't between AI and no AI. It's between governed AI and ungoverned AI. Your staff already made the first decision for you. ## Meet the shadow usage with sanctioned, governed alternatives The response that works in the mission-driven sector is not "stop using AI." It is "stop using the ungoverned tools, and here is the governed one we have given you, with training, with policy, with a help channel, and with the same general capability your shadow tool had." The Managed Intelligence Provider model is built around exactly this substitution. The Microsoft-native answer is more capable than most boards realize. Microsoft 365 Copilot Chat is included at no additional charge with most Microsoft 365 business licenses—it is a tenant-bound, enterprise-data-protected chat experience the staff can use today, governed under your existing identity and compliance posture, with no prompt content used for training and a clear audit trail. Microsoft 365 Copilot, the licensed product, extends that grounded experience into Word, Excel, PowerPoint, Outlook, and Teams. Copilot Studio lets you build the role-specific agents the staff actually want—the donor-brief drafter, the grant-review summarizer, the budget Q&A assistant—inside the governance perimeter rather than outside it. The model is not "ban the bad tools." The model is "redirect the staff energy that already exists toward the tools the board can defend." Done well, the sanctioned alternative is a better daily experience than the shadow tool was, because it has access to the organization's actual documents and context. Done poorly, it is just one more thing the staff have to log into. The difference is the rollout work, which is the same work covered in our previous field note on the seven questions every mission-driven board should answer before enabling Copilot. ## The seven-day diagnostic question Before the policy, before the rollout, before the board memo, there is a single piece of work that costs almost nothing and changes the conversation. Run an anonymous staff survey. Three questions, no follow-ups, no identifying fields: 1. Which AI tools have you used for work tasks in the past thirty days? 2. What kind of organization data have you put into them? 3. What would you like to use AI for that you currently cannot? The first answer tells you what is already in your environment. The second answer tells you what your real exposure is. The third answer is the most valuable—it is the rollout backlog, written by the staff, for free. We have run this survey in organizations that were "certain" their shadow AI usage was minimal and found that more than seventy percent of respondents were using at least one consumer tool for work tasks, with finance and donor data showing up in the second answer at rates that surprised every executive director who saw the result. The data is almost always shocking. It is also exactly the data the board needs to make a real decision instead of a theoretical one. ## What the response plan looks like once you have the data With the survey in hand, the response plan is concrete and ordered: 1. **Deploy the sanctioned tool.** A Microsoft 365 Copilot rollout, scoped against the survey's third-answer use cases, with the governance work covered in the seven-questions piece. Start where the staff energy already is, not where the vendor roadmap suggests. 2. **Update the policy with realistic permitted-use language.** Name the sanctioned tools, name the prohibited tools, and name the categories of data that may or may not be used in either. Vague policies fail. Specific policies hold. 3. **Publish a single-page approved-AI-tools guide for staff.** One sheet, in plain language: "Use this for that. Do not use this for that. Ask here if you are not sure." Most policy documents fail because the staff cannot find the answer they need in the moment they need it. A one-pager fixes that. 4. **Turn on continuous visibility through Microsoft Defender for Cloud Apps.** The same Microsoft 365 licensing that supports Copilot can surface shadow AI tool usage on managed devices and networks. It will not catch everything—a personal device on a home network is still invisible—but it will narrow the unknowns to a manageable set and let the response stay current instead of going stale. The four steps fit inside ninety days for most mid-sized organizations. They are exactly the kind of interdisciplinary work—identity, policy, training, monitoring—that the Managed Intelligence Provider model exists to handle, because no single in-house role owns the whole problem and the work is the same across every organization that does it well. --- The shadow AI conversation tends to land on boards as a binary—allow it or forbid it. That framing is wrong. The staff have already chosen. The only choice the board still has is whether the AI happening inside the organization is governed or ungoverned. Both options have costs. Only one of them has a written answer for the funder, the auditor, the regulator, and the chair when the question finally lands. The work to get from ungoverned to governed is short, scoped, and well-understood. It is not a transformation. It is a substitution—a better tool, inside the perimeter, with the training and policy that make it defensible. That is the response we recommend, that is the response that holds, and that is the response that lets the conversation with the board stop being about risk and start being about value. --- # What a Discovery Sprint actually delivers, day by day. URL: https://www.centerednetworks.com/blog/what-a-discovery-sprint-actually-delivers.html ## Field note ## What a Discovery Sprint actually delivers, day by day. A two-week paid diagnostic is easy to say. Here is the honest answer—what we do, what you do, what lands on the table on Day 14. Published: May 22, 2026. Reading time: 8 min. Author: Centered Networks. "Two-week paid diagnostic" is easy to say. The phrase shows up on our Discovery Sprint page, in every proposal we write, and in roughly every conversation we have with a prospective client. The reasonable next question—what does the work actually look like—does not always get answered well. Most consulting firms hold the day-by-day mechanics inside the engagement, so the buyer is asked to commit before they can see the shape of the work. This is the honest answer, written from the perspective of a 200-person foundation or rural hospital running its first Discovery Sprint with us. It includes the unglamorous parts: the upfront intake, the tenant access we need, the calendar invites, the artifacts we produce, and the structural promise that closes the engagement. You should finish this piece knowing exactly what the Sprint is, and whether it is worth the fee on your specific situation. ### 00 — The pre-engagement: week zero, before the clock starts. The Sprint is fixed-fee and fixed-duration, which only works if we walk in already loaded. Before Day 1 we ask for six things, and we will not start the clock until we have them: a signed scoping agreement and statement of work, read-only tenant access to your Microsoft 365 and Azure environments, a list of five to eight stakeholder interview targets with calendar coordinates, your current AI policy if one exists (a draft is fine; we expect a one-pager), the most recent IT or security audit you can share, and a list of the top five systems the organization runs day-to-day—your fundraising CRM, your EHR, your accounting platform, whatever the operational core looks like. This intake takes roughly three business days on the client side, sometimes a week if the IT lead is part-time or the access provisioning has to wait on a board chair. The work is bounded and we send a checklist. The Sprint clock starts the morning we have all six. Everything that follows depends on this material being in place, which is why we treat it as part of the engagement rather than as a precursor to it. The tenant access piece is the one that occasionally surprises people. We are asking for a read-only Global Reader role in Microsoft Entra and equivalent read access in Azure—not because we plan to change anything, but because the assessment tooling cannot generate a meaningful posture report on the outside. We document the access we use, log every read, and remove the role on Day 14. The scoping agreement names this in plain language, and your IT lead can revoke at any point. ### 01 — Days 1–3: discovery interviews and tenant assessment. The first three days run in parallel on two tracks. On the people side, we run 60-minute interviews with the Executive Director or CEO, the CFO or COO, the IT lead, two program leads, and one front-line staff member. The interviews are not surveys—they are structured conversations with a small set of questions we keep returning to: what do you do, what slows you down, where are you already using AI (named tools, ChatGPT included), and what are you afraid of. The front-line interview is the one that surfaces the shadow AI footprint that the executive team does not always know about. On the tenant side, we run an automated assessment of the Microsoft 365 environment using Microsoft Partner tooling. The assessment pulls license utilization, identity posture (Microsoft Entra conditional access coverage, multi-factor authentication adoption per identity), data classification status (Microsoft Purview sensitivity labels applied, where, and to what), a SharePoint and OneDrive oversharing report, and Defender and Sentinel signal coverage across your endpoints and identities. None of this is generated by hand. The tooling exists and we are an accredited operator—our work in Days 1–3 is to run it correctly against your tenant, not to invent the analysis from scratch. What the assessment finds is usually not what the client expects. We have walked into Business Premium tenants with conditional access policies written and never enforced, into E5 tenants paying for Purview and Defender capabilities that were never turned on, and into SharePoint estates where the "Everyone except external users" group had inherited edit access on roughly 40 percent of sites. The first three days are not about judgment. They are about establishing ground truth. ### 02 — Days 4–7: the analysis. By Day 4 we have raw discovery on one side and raw tenant data on the other. The analysis week turns both into four written artifacts, each scoped to be readable by a non-technical executive committee: 1. A **shadow AI scan**—which ungoverned AI tools are in active use, by whom, doing what, and where the organizational exposure sits (data leakage, vendor lock-in, compliance gaps). 2. An **oversharing report**—what content in SharePoint and OneDrive would Microsoft 365 Copilot expose on day one, prioritized by sensitivity and remediation difficulty. 3. A **governance posture** assessment—where you sit against the seven readiness questions we walked through in an earlier field note, scored on a four-point scale per question with the specific gap named. 4. An **AI opportunity matrix**—the top eight to twelve workflows in your organization scored by AI impact and implementation feasibility, with one recommended starting point that is small enough to ship in six weeks and meaningful enough to defend to a board. The four artifacts are designed to compose. The shadow AI scan and the oversharing report describe the current state. The governance assessment names the work that has to happen before any new AI deployment. The opportunity matrix gives the organization a defensible first move. Together they form the spine of the Day 14 deliverable. ### 03 — Days 8–11: deliverable construction. The second week is writing. We assemble the four artifacts into a single board-presentable document and add the strategic layer that an executive committee actually needs in order to act: - The findings, formatted as a 25- to 40-page document with an executive summary the board chair can read in ten minutes. - A **90-day roadmap** with three or four prioritized work streams, each with scope, duration, expected outcome, and a rough investment range. Excel for the operators, PDF for the board packet. - A **governance remediation plan**—the specific tactical work to close the readiness gaps named in artifact three, sequenced and sized. - A **first-deployment recommendation**, usually one workflow scoped at Agent Launchpad size—a six-week production deployment in the $25,000 to $50,000 range, with a written scope and named success metrics. - The **Microsoft license and incentive picture**—what you are already paying for, what is underused (the typical foundation has 30 to 40 percent of its E3 or Business Premium entitlements dormant), and what Microsoft funding programs might offset the work ahead. This is where the Sprint frequently pays for itself in the first 60 days post-readout. We write the document in plain language and pass it through a second-reader review on Day 11. If anything in the analysis is uncertain, we say so in writing rather than rounding to a confident sentence. The board deserves to see the confidence interval. > Two weeks. No marketing fluff. You leave with a written plan, a scoped recommendation, and the Microsoft incentive math. The promise is structural, not aspirational. ### 04 — Days 12–14: the readout. The last three days are the handoff. Day 12 and 13 are reserved for final document polish and scheduling. Day 14 is the readout: a 90-minute board-ready presentation to the executive team plus the IT lead, in person if you are in our footprint and over Teams if you are not. We walk through the findings, the 90-day roadmap, the governance remediation plan, and the recommended first deployment. We answer questions. We leave the document with you in editable form—the deliverable is yours, not ours. The next step is yours. There is zero implicit obligation to engage Centered Networks for the work the roadmap describes. We have had Discovery Sprint clients take the document, hand it to their incumbent IT firm, and execute the roadmap that way. We have had others ask us to scope the first deployment on the spot. Both are fine. The Sprint is priced and structured to stand on its own, which is the whole point of paying for it. One detail that matters for the readout itself: we recommend the IT lead attend, not just the executive committee. The roadmap names specific tactical work—a conditional access policy set, a Purview label scheme, a SharePoint permissions remediation plan—and the person who is going to either execute that work or supervise it needs to hear the rationale directly. The single most common request we get after the readout is "send a follow-up working session with our IT lead." We build that into the engagement at no additional cost. ### 05 — What you walk away with. On the morning of Day 14, before the readout begins, here is the full list of artifacts you keep—in writing, in your tenant or your file share, in editable formats your team can update without us: - The 25- to 40-page Discovery Sprint findings document. - The 90-day roadmap, in Excel and PDF. - The shadow AI scan. - The SharePoint and OneDrive oversharing report. - The Microsoft license and incentive analysis. - The governance remediation plan. - The first-deployment scope document. The structural promise is the part that surprises people, so it is worth restating in the language we use on the Discovery Sprint page itself: **the deliverable lands on Day 14 or you pay nothing. We refund the engagement fee in full, no questions asked. We have not yet had to invoke this promise.** Two weeks is a serious commitment from both sides, and the refund clause is how we put our money where the timeline is. --- The Discovery Sprint exists because the alternative—a long open-ended consulting statement of work, or a free pre-sales discovery that puts the organization's strategy in a deck someone else owns—has consistently produced worse outcomes for our clients. A paid, scoped, time-boxed diagnostic gets the work done, gives you ownership of the deliverable on Day 14, and gives both sides clarity on whether to continue. We have run dozens of these. The pattern holds. If you want the formal pricing, the structural promise in contract language, and the intake form, the Discovery Sprint page has all three. If you want the broader category context—why the Managed Intelligence Provider model exists, and how the Sprint fits inside it—the MIP overview is the right next read. If you want to talk first, we are happy to do that too. --- # A foundation board AI charter you can adopt today. URL: https://www.centerednetworks.com/blog/foundation-board-ai-charter.html ## Resource ## A foundation board AI charter you can adopt today. A board-ready charter built from real deployments inside real foundations. Yours to adopt verbatim, modify, or use as a starting line. Published: May 22, 2026. Reading time: 5 min reading, 8 min reviewing. Author: Centered Networks. Most foundation boards approved an AI policy in 2024 or 2025 from a template they never modified. The template was usually written by a law firm or a sector association, presented as a one-pager, voted through in a single meeting, and filed. It satisfied the moment. It did not survive contact with deployment. The problem with template policies is that they are written to satisfy auditors, not to operate the work. When the executive director sits down to actually apply the policy—to decide whether a program officer can paste a grantee's narrative into Microsoft 365 Copilot, whether the communications lead can publish an AI-drafted blog post, whether a custom agent built on top of the grants database should be allowed to send email—the template does not answer. The staff fills in the gap with judgment. The judgment is uneven. The board does not know. Below is a charter built from the work of deploying AI inside real foundations. It is yours to adopt verbatim, modify, or use as a starting point. The charter is offered without restriction; the only thing we ask is that you read the framing first, because the language matters more than the structure. ## Why this exists Template policies fail in deployment because they are written to satisfy auditors, not to operate the work. A real charter has to be four things at once: specific enough to enforce, flexible enough to amend, clear enough for the executive director to apply without calling counsel, and defensible enough for an outside review by funders, regulators, or an investigative reporter. The structure below is one we have used as a starting point with several foundations. It is deliberately short—a long charter is an unread charter—and deliberately concrete. Adjust it for your context. The variables in brackets are the obvious customizations; the harder customization is the list of permitted and prohibited uses, which has to reflect your actual data classes and your actual operating model. ## The charter ### Artificial Intelligence Charter of [Foundation Name]. Adopted by the Board of Directors on [Date]. **I. Preamble.** The Board of [Foundation Name] recognizes that artificial intelligence is increasingly woven into the operating fabric of mission-driven organizations. This charter establishes the principles, boundaries, and accountability under which the staff of [Foundation Name] will deploy and operate AI in service of the mission. **II. Scope.** This charter applies to all use of AI tools by [Foundation Name] staff and contractors, including but not limited to: large language models (e.g., Microsoft 365 Copilot, ChatGPT, Claude), AI-enabled productivity tools, custom AI agents, AI-assisted research tools, and AI-assisted creative tools. **III. Permitted uses.** Staff may use AI tools, under the controls established by the Executive Director, for the following purposes. This list is illustrative and the Board expects the Executive Director to localize it for [Foundation Name]'s actual operations. - Drafting board communications and grant memos, with human review before distribution. - Summarizing public documents and meeting transcripts, with citation to the source material. - Research on public funders, grantees, and peer organizations. - Internal knowledge management, subject to compliance with the Foundation's sensitivity-label policy. - AI-assisted training of staff on the Foundation's own materials. **IV. Prohibited uses.** Staff may not, under any circumstances, use AI tools for the following purposes. - AI-assisted grantmaking decisions without documented human review and explicit disclosure to the affected grantee. - Exposing personally identifiable information of grantees, donors, or staff to AI tools that are not governed by the Foundation's data protection controls. - Drafting externally-published communications without review by the Communications lead or their designee. - Deploying custom AI agents that act on external systems—sending email, updating records, moving funds, or interacting with grantees—without explicit Board awareness and a documented operating envelope. **V. Governance.** The Executive Director, supported by the IT or operations lead, is accountable for the day-to-day operation of this charter. The Board's [Audit, Risk, or Governance] Committee reviews adoption and incidents quarterly. Material incidents, defined in Section VIII, are escalated to the full Board within 14 days. **VI. Review cadence.** This charter is reviewed by the Board at least annually, and amended when (a) the underlying technology changes materially, (b) the [Audit, Risk, or Governance] Committee recommends, or (c) the Executive Director identifies a gap in operation. The charter is a living document; the AI environment will change faster than annual review. **VII. The kill switch.** The Executive Director, the IT lead, and the Board Chair each have the authority to immediately suspend any AI tool, agent, or workflow operating under this charter. The suspension does not require advance Board approval but must be reported to the [Audit, Risk, or Governance] Committee within 72 hours, with a written account of the trigger, the action taken, and the proposed path to resolution. **VIII. Material incidents.** A material incident under this charter is any of the following. - Any unauthorized exposure of grantee, donor, or staff personally identifiable information via an AI tool. - Any externally-visible output produced by AI that the Foundation cannot defend on factual grounds. - Any AI-driven grant recommendation that bypasses the documented review process. **IX. Signatures.** Adopted by the Board of [Foundation Name] on the date below. - Board Chair: _______________ - Executive Director: _______________ - Date: _______________ > A charter is the boundary inside which the AI operates. The technical work, the staff work, and the partner relationship are how the boundary holds. ## How to amend it for your organization This charter is written as a starting line, not a finish line. In our experience, three amendments tend to come up first. The biggest is tightening the prohibited uses when your data classes are particularly sensitive. A healthcare-aligned foundation will add HIPAA-bound language to Section IV and will usually expand Section VIII to define protected health information as a material-incident category. A foundation that holds donor-advised funds will add language about donor confidentiality. A foundation that funds advocacy work in contested jurisdictions will add language about the protection of grantee identity. The second is loosening the review cadence when your operations move fast. Annual review is the floor; some foundations move to semi-annual review during the first eighteen months after adoption, when the AI environment and the staff's use of it are both changing quickly. The third is naming committees that do not yet exist. Most foundations under one hundred million in assets under management do not have an Audit, Risk, or Governance Committee as a separately constituted body. The Executive Committee or the Governance Committee usually absorbs the responsibility. Either is fine; the charter just needs to name the actual body that will do the work. Have your general counsel review before adoption. ## What it doesn't replace A charter is the boundary; it does not do the work. Adoption is the start of the operating posture, not the end of it. To make the charter real, you still need: - **Operational implementation.** The seven questions from "Before you enable Copilot" are the day-one work the charter assumes is in place. Permissions audits, sensitivity labels, conditional access, training, review loops, kill-switch readiness—none of these are charter language. They are charter prerequisites. - **Technical enforcement.** Conditional access, Microsoft Purview sensitivity labels, audit logging, and data loss prevention policies do not enforce themselves. Someone has to configure them, monitor them, and tune them. A policy without enforcement is a posture without protection. - **Staff training.** The charter is invisible to a staff member who does not know it exists. Adoption needs a communication plan, an onboarding update, and a refresher cadence. - **A relationship with an MIP or equivalent partner.** The technical layer, the audit posture, and the quarterly review are interdisciplinary work. The Managed Intelligence Provider model exists to operate it on behalf of organizations that should not be hiring an in-house AI governance team. The charter is the easy part. The work the charter assumes is in place is the harder part. Both have to exist for either to matter. --- # Microsoft 365 Copilot vs ChatGPT for nonprofits: an honest comparison. URL: https://www.centerednetworks.com/blog/microsoft-copilot-vs-chatgpt-for-nonprofits.html ## Comparison ## Microsoft 365 Copilot vs ChatGPT for nonprofits: an honest comparison. The marketing for both makes the choice sound obvious in opposite directions. The honest answer is more nuanced than either side admits—and it usually picks itself once three specific facts about your organization are clear. Published: May 22, 2026. Reading time: 7 min. Author: Centered Networks. Most nonprofit and foundation leaders we talk to are deciding between Microsoft 365 Copilot and a ChatGPT Enterprise (or Plus) license. The marketing for both makes the choice sound obvious in opposite directions—Microsoft says use Copilot, OpenAI says use ChatGPT—and the honest answer is more nuanced than either side admits. The right answer depends on three specific facts about your organization. Once those three are clear, the choice usually picks itself. This piece walks through those three factors, what each tool actually does, the cost reality, and where each genuinely shines. The conclusion is Microsoft-first for governed operational work, and we say so clearly—but the path to that conclusion is the part most comparison pieces skip. --- ## What each tool actually does. ### Microsoft 365 Copilot. Tenant-bound: Copilot can only see what your user can already access in Microsoft 365. Grounded: it cites the documents it pulled from. Governed: it operates under your Entra identity, your Purview sensitivity labels, and your tenant audit logs. License-coupled: it works with Microsoft 365 Business Premium, E3, or E5; there is no standalone version that works the same way. It is essentially an AI assistant for your existing Microsoft 365 work—Outlook, Teams, Word, Excel, PowerPoint, SharePoint, OneDrive. It is most powerful in the places your organization already does its work, and it inherits the governance posture you have already built around that work. ### ChatGPT (and Claude). Open-ended: the model does not know about your organization's documents unless you paste them in. Optionally tenant-bound on Enterprise or Team plans, but the default Plus tier is not. Strong general-purpose research and writing capability. License-independent: it works without any Microsoft licensing relationship. It is essentially a powerful general-purpose AI tool. Its strength is the breadth of its training and the freedom of the interaction—there are no permissions, no labels, no tenant boundary, no audit log by default. That is a feature for exploratory work and a problem for governed operational work. --- ## The three factors that decide it. The choice between these tools is rarely about the model. It is about three operational facts that are usually already true about your organization before you start the evaluation. ### 01 — Where does your organization's data live? If 80% or more of your sensitive work product lives in Microsoft 365—SharePoint, OneDrive, Teams, Outlook—Copilot is the obvious anchor. It can see that work, ground its outputs in it, and respect the existing permissions. The grounding is the value: a Copilot draft of a board memo references your actual board minutes, your actual program documents, your actual donor briefs. ChatGPT cannot do that unless your staff paste the relevant context in by hand each time—which most of them will not do consistently, and which creates its own data-handling problems. If your operational data is genuinely scattered—Google Workspace for documents, Dropbox for files, a custom system for grants, email for everything else—the Copilot value proposition is weaker. For the mission-driven sector we serve, though, the Microsoft 365 reality is dominant. Foundations, nonprofits, and rural hospitals overwhelmingly run on Microsoft. The data is already there. ### 02 — How regulated are you? HIPAA-covered organizations—rural hospitals, healthcare-aligned foundations, anyone touching protected health information—need a tool that can be governed under a Business Associate Agreement with documented data-handling controls. Microsoft 365 Copilot operates under your existing Microsoft 365 BAA. ChatGPT Enterprise requires a separate BAA negotiation and a different deployment posture, and ChatGPT Plus does not offer one at all. The same calculus applies to donor data subject to state privacy laws (the California Consumer Privacy Act, the New York SHIELD Act) and the EU GDPR if you have any EU donors. Microsoft's audit and residency story is structurally cleaner because it sits on top of your existing tenant—the same identity, the same audit log, the same data-loss-prevention policies that govern the rest of your operation. With ChatGPT you are building that governance layer from scratch, in parallel, on top of a tool that was not designed for it. ### 03 — What will you actually use it for? This is the factor that gets skipped most often, and it is the one that most cleanly separates the two tools. The honest answer is that they are good at different things. - **Drafting work** (board memos, grant proposals, donor briefs, internal communications). Copilot wins because the drafts reference your actual documents, your actual program language, your actual prior board votes. - **Exploratory research** (researching a new program area, scanning the literature, exploring policy ideas, comparing approaches). ChatGPT or Claude often wins because they are better at open-ended exploration that doesn't yet have an organizational context. - **Custom workflow agents** (an intake-processing bot, a grants-review assistant, a constituent-services concierge). Copilot Studio wins because it integrates natively with Microsoft 365 data and identity, which is where the governance has to land. - **Code generation or technical writing.** Both work; ChatGPT and Claude have a slight edge on novel technical work outside the Microsoft ecosystem; Copilot wins inside the Microsoft developer stack. If you are honest about which of these four buckets dominates your day-to-day usage, the choice usually presents itself. --- ## The cost reality. Per-seat pricing is roughly comparable on paper, and most published comparisons stop there. The mission-driven economics are different. **Microsoft 365 Copilot.** $30 per user per month, plus a qualifying Microsoft 365 license (Business Premium at roughly $22 per user per month, or E3 at roughly $36 per user per month). For a 50-person nonprofit, that's approximately $52–$66 per user per month all-in, or $31,000–$40,000 per year before any Microsoft funding offset. Microsoft nonprofit pricing on the underlying Microsoft 365 license substantially reduces the base cost for eligible organizations. **ChatGPT Enterprise.** Approximately $60 per user per month, with no underlying licensing required. For 50 people, around $36,000 per year. ChatGPT Plus at $20 per user per month is materially cheaper but is the consumer-grade tier, not the governed-deployment tier—it is not a like-for-like comparison. The headline math looks similar. The picture changes when Microsoft incentives are factored in. As a Microsoft Solutions Partner, CN can pursue Copilot deployment funding for eligible mission-driven customers under current Microsoft programs, which often offsets a meaningful portion of the year-one cost. ChatGPT does not have a comparable nonprofit-specific discount or co-investment structure. We won't quote a precise offset here because the dollar amount varies by program eligibility, engagement scope, and Microsoft's quarterly priorities—what we will say is that the funding picture moves the all-in cost in a direction worth understanding before you sign either contract. --- ## Where each genuinely shines. Even-handedly. Both tools are good at what they were designed for. Neither was designed for everything. **Microsoft 365 Copilot — Shines at grounded operational work.** - Drafting from your own organizational content—board memos, grant narratives, donor briefs, program documents. - Summarizing meetings, Teams threads, and email chains across long timeframes. - Working inside Excel and PowerPoint, where the data and the structure already live. - Governed agent deployment via Copilot Studio—intake bots, grants-review assistants, constituent concierges built on your tenant. - Anything that benefits from grounding in *your* data, with citations a reviewer can verify. **ChatGPT & Claude — Shine at open-ended exploratory work.** - Research on the open web, especially when paired with browsing or retrieval. - Open-ended brainstorming, where the absence of organizational context is a feature, not a bug. - Code generation outside the Microsoft developer stack—Python data work, web development, novel technical writing. - Working through complex reasoning without context constraints—policy analysis, scenario planning, comparative research. - Exploring ideas that don't yet exist in your documents. The reality on the ground: most foundations and nonprofits we work with end up using Microsoft 365 Copilot for operational work and ChatGPT or Claude for exploratory and research work. The two are not really competing. They cover different parts of the workflow, and the better question is which one anchors the operational layer—not which one wins outright. > The choice isn't really "Copilot or ChatGPT." It's "governed deployment that survives audit, or an experiment that surfaces three years from now in a compliance review." ## The MIP recommendation. For the operational AI layer—the AI tools your staff use to do their jobs, day to day, on your organization's data—use Microsoft 365 Copilot. The governance, identity, and audit story is structurally easier because it sits on top of an environment you have already governed. The MIP economics work in your favor: as a Microsoft Solutions Partner, CN can pursue Copilot deployment funding that ChatGPT cannot match for eligible mission-driven customers. And the platform is moving in the direction your organization will need to move next—custom agents, governed automation, AgentOps—rather than asking you to build that layer separately. For non-sensitive exploratory work—literature reviews, open-web research, brainstorming, scenario exploration—ChatGPT or Claude is fine, and we won't pretend otherwise. The formal CN position on multi-vendor deployment is on the AI Practice page: we lead with the Microsoft stack because it is the cleanest path to governed AI for our clients, and when a workflow genuinely needs a different tool, we deploy that tool. We don't push you into Microsoft when it is not the right answer, and we don't push you out of Microsoft for the sake of vendor neutrality. The right tool for the job is the rule. The wrong move is to pick the wrong tool for the operational layer because the marketing was loud, and then spend the next 18 months building governance infrastructure on top of a tool that wasn't designed for it. We have seen this happen—a foundation that anchored on ChatGPT Plus for "AI" generally, then realized two years in that the donor-facing drafts had been written against pasted context with no audit trail, no labels, and no defensible governance position. The rebuild is expensive. Choosing the right anchor at the start costs nothing extra and saves the rebuild. That is the broader case for the Managed Intelligence Provider category: govern the operational AI layer the same way you govern the rest of the operation, and the rest follows. ---