AI Governance Scorecard
A scored, interactive assessment MSPs run with clients to evaluate their AI governance program. 20 questions across 3 domains with a color-coded scorecard and prioritized gap report you can print and leave behind.
Policy, usage patterns, and monitoring
Color-coded grades and letter score
Prioritized recommendations to leave behind
How to Use This Scorecard
- 1Run it with your client โ Use in a QBR, onboarding session, or renewal conversation to assess AI governance maturity.
- 2Answer honestly together โ Work through all 20 questions across policy, usage, and monitoring domains.
- 3Generate the scorecard โ Get an overall letter grade, domain scores, and a prioritized gap report with actionable recommendations.
- 4Print and leave behind โ Hand the client a print-ready scorecard they can share with leadership and use to plan remediation.
Client Information
Optional โ used in the scorecard header and print output.
Policy & Oversight
Does the organization have a written AI Acceptable Use Policy (AUP)?
Covers permitted tools, data handling, employee responsibilities
Has the AI policy been communicated to all employees?
Via email, onboarding, or signed acknowledgment
Is there a defined list of approved AI tools employees may use?
Named tools with permitted use cases, not just a blanket statement
Does the policy specify which data types may NOT be entered into AI tools?
PII, PHI, financial records, client data, credentials
Is there a designated owner or committee responsible for AI governance?
Someone accountable for maintaining policy and handling incidents
Is the AI policy reviewed and updated at least annually?
Scheduled review cycle exists
Does the organization have an AI incident reporting procedure?
Defined process for reporting accidental disclosures or misuse
AI Usage Patterns
Has the organization conducted a discovery scan to identify AI tools currently in use?
Active inventory of what employees are actually using, not just approved tools
Are there known instances of employees using unsanctioned AI tools (shadow AI)?
Personal ChatGPT, Claude.ai, Perplexity, or any unapproved tool
Does the organization have Microsoft 365 Copilot licenses deployed?
Any Copilot SKU: M365 Copilot, Copilot for Sales, GitHub Copilot, etc.
If Copilot is deployed, has the organization reviewed its data access scope?
Copilot surfaces content the user can access โ overpermissioned content becomes visible
Do employees understand what data types are and are not safe to enter into AI tools?
Tested via training, acknowledgment, or awareness exercise
Has the organization assessed the AI capabilities built into existing SaaS tools?
Salesforce Einstein, HubSpot AI, Zoom AI Companion, Slack AI, Adobe Firefly, etc.
Are vendor AI terms of service reviewed before onboarding new AI tools?
Does the vendor train on customer data? Where is data processed?
Monitoring & Enforcement
Does the organization have visibility into AI tool usage across its environment?
Logging of which employees use which AI tools and at what frequency
Is there a mechanism to detect when sensitive data is being entered into AI tools?
DLP controls, browser extensions, or prompt-level inspection
Can the organization block access to specific AI tools if required?
Firewall, DNS, browser policy, or endpoint management controls
Have AI governance controls been tested within the last 12 months?
Tabletop exercise, red team test, or policy audit
Is there a process to respond to AI policy violations?
Defined escalation path, HR involvement, remediation steps
Are AI governance metrics or usage reports reviewed on a regular cadence?
Monthly or quarterly review of usage data, violations, incidents
Ready to generate the scorecard?
Answer all 20 questions to generate the scorecard. 20 remaining.
Perfect For
Quarterly Business Reviews
Quantify AI governance maturity and justify managed security investments.
Client Onboarding
Baseline AI governance posture before deploying controls or policies.
Renewal Conversations
Show measurable gaps and a remediation roadmap before contract renewal.
Compliance Audits
Document AI governance gaps for HIPAA, SOC 2, GDPR, and EU AI Act readiness.
Want to influence what we build next?
Visit the Voting BoardGet More Free Tools Every Friday
Join MSPs getting free security tools, scripts, and resources delivered weekly.