Multi-tenancy + customer-data isolation for AI ITSM (May 2026)

Source report: /tmp/multi-tenancy-isolation-2026-05-12.md (230 lines, ~4,225 words).

Core thesis — the MSP wedge

Network Right’s vault page gives Init Intelligence the strongest primary-source procurement signal in the entire competitor set:

  • AI service-desk products that Network Right tested did not fit the multi-tenant provider pattern (they assumed Okta-centric, single-customer deployment).
  • The unacceptable failure mode is: “cross-customer knowledge bleed: an AI system must never retrieve another customer’s documentation or secrets.”

That sentence is the MSP wedge. Init Intelligence’s MSP-AI-enablement thesis is fundamentally about solving this.

Vendor isolation matrix

Vendor | Posture | Honest?
Atomicwork | Per-tenant self-hosted vector DB with PII redaction at ingestion | ✅ Clean, public, named
Serval | 3 real self-host modes (Cloud SaaS / Hybrid / Self-Managed K8s) | ✅ Only one with real self-host
Console | Markets intra-customer multi-workspace as “tenant isolation” | ⚠️ Buyer-conflation risk
Risotto | Markets intra-customer multi-workspace as “tenant isolation” | ⚠️ Buyer-conflation risk
Ravenna | Markets intra-customer multi-workspace as “tenant isolation” | ⚠️ Buyer-conflation risk
Siit | Logically isolated multi-tenant on shared infra | ✅ Honest disclosure
STLabs | Logically isolated multi-tenant on shared infra | ✅ Honest disclosure
Treeline | Internal isolation between 3 acqui-hired MSPs = most competitively load-bearing unknown | ❓ Not disclosed

Key buyer education point: intra-customer multi-workspace ≠ cross-customer isolation. MSP buyers need the latter.

BYOK / CMEK / HYOK = unanimous whitespace

No Tier-A AI ITSM vendor offers customer-controlled keys as of May 2026.

The absence is the finding, not a feature comparison.

Live LLM-isolation incidents (2024-2026)

  • CVE-2024-38206 — Microsoft Copilot Studio SSRF (Black Hat 2024).
  • CVE-2025-32711 EchoLeak — M365 Copilot exfiltration.
  • Slack AI prompt-injection (2024).
  • PROMPTPEEK NDSS 2025 — KV-cache cross-tenant side-channel.
  • OWASP LLM08 formalization (Excessive Agency).

Corrections to brief framing (honest)

  1. Slack 2019 “cross-tenant leak” — actually the 2016 incident disclosed Sept 2019, a vendor-credential failure, NOT architectural cross-tenancy. Flagged rather than invented.
  2. BYOK/CMEK/HYOK unanimous whitespace across Tier-A = the finding, not a feature delta.

Tenancy architecture facts

provider_id × customer_id × resource partition key

  • Retrofitting two-level tenancy is a multi-quarter rebuild.
  • Per-MSP-customer vector stores (Atomicwork pattern, pinned to the MSP-customer level).
  • Per-MSP-customer OAuth grants.
  • Customer-visible audit trail.
  • BYOK requires per-MSP-customer data-key rotation in the schema design.
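
The two-level partition key above, as an added sketch that is not taken from the source report or from any vendor's product. All names (Session, TenantStore, the msp-a/acme sample data) are hypothetical, and keyword matching stands in for vector similarity.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Session:
    """Authenticated caller: one MSP plus the customers it holds grants for."""
    provider_id: str
    granted_customers: frozenset

class CrossTenantDenied(Exception):
    """Raised instead of returning data from another partition."""

@dataclass
class TenantStore:
    docs: dict = field(default_factory=dict)   # key: (provider_id, customer_id, resource_id)
    audit: list = field(default_factory=list)  # every attempt, allowed or denied

    def put(self, provider_id, customer_id, resource_id, text):
        self.docs[(provider_id, customer_id, resource_id)] = text

    def search(self, session, customer_id, term):
        """Return resource ids from exactly one customer's partition, else fail closed."""
        allowed = customer_id in session.granted_customers
        self.audit.append((session.provider_id, customer_id, term,
                           "allow" if allowed else "deny"))
        if not allowed:
            raise CrossTenantDenied(f"{session.provider_id} has no grant for {customer_id}")
        # provider_id comes from the session, never from the request or the prompt.
        return sorted(rid for (p, c, rid), text in self.docs.items()
                      if (p, c) == (session.provider_id, customer_id)
                      and term.lower() in text.lower())

    def audit_for(self, provider_id, customer_id):
        """Customer-visible trail: every attempt against this partition."""
        return [e for e in self.audit if e[:2] == (provider_id, customer_id)]

def demo():
    """Constructed sample data: two MSPs that both have a customer called 'acme'."""
    store = TenantStore()
    store.put("msp-a", "acme", "kb-1", "VPN reset runbook for Acme")
    store.put("msp-a", "globex", "kb-2", "VPN secrets for Globex")
    store.put("msp-b", "acme", "kb-3", "VPN notes held by a different MSP")
    tech = Session("msp-a", frozenset({"acme"}))
    hits = store.search(tech, "acme", "vpn")
    denied = False
    try:
        store.search(tech, "globex", "vpn")
    except CrossTenantDenied:
        denied = True
    return hits, denied, store.audit_for("msp-a", "globex")
```

With a single-level key on customer_id alone, kb-3 would have been returned to msp-a; the provider_id dimension is what excludes it.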

MSP-mode multi-tenancy dimension

Most peers map one vendor customer = one tenant. MSP-mode maps one vendor customer (an MSP) = N tenants (the MSP’s customers). This second dimension is uncontested across the Tier-A set as of May 2026.

Procurement gaps worth re-checking later

  • Console trust center contents — title-only fetch.
  • Serval trust center — title-only fetch.
  • Ravenna /security: 404.
  • Risotto /security: 404.
  • Edra: zero security disclosure on public site.

Notes

  • Atomicwork is the per-tenant vector DB benchmark in the Tier-A set.
  • Serval is the only competitor with real self-host options — relevant to regulated-vertical and sovereign-cloud deals (see asia-pacific-ai-itsm-2026).
  • Treeline’s MSP internal isolation between its 3 acqui-hired MSPs is undisclosed and competitively load-bearing.
  • Console / Risotto / Ravenna conflate intra-customer multi-workspace with cross-customer isolation in their marketing.