๐Ÿ‘#FTF#FTF Edition #5

AI Governance Scorecard

A scored, interactive assessment MSPs run with clients to evaluate their AI governance program. 20 questions across 3 domains with a color-coded scorecard and prioritized gap report you can print and leave behind.

20 questions~10 minNo data leaves the browserPrint-ready
AI GovernanceMSP ToolsClient FacingAssessmentComplianceQBR
20 Questions

Policy, usage patterns, and monitoring

Scored Domains

Color-coded grades and letter score

Gap Report

Prioritized recommendations to leave behind

How to Use This Scorecard

  1. 1Run it with your client โ€” Use in a QBR, onboarding session, or renewal conversation to assess AI governance maturity.
  2. 2Answer honestly together โ€” Work through all 20 questions across policy, usage, and monitoring domains.
  3. 3Generate the scorecard โ€” Get an overall letter grade, domain scores, and a prioritized gap report with actionable recommendations.
  4. 4Print and leave behind โ€” Hand the client a print-ready scorecard they can share with leadership and use to plan remediation.
Assessment progress0 / 20 ยท 0%

Client Information

Optional โ€” used in the scorecard header and print output.

Policy & Oversight

0 / 14 pts
1

Does the organization have a written AI Acceptable Use Policy (AUP)?

Covers permitted tools, data handling, employee responsibilities

2

Has the AI policy been communicated to all employees?

Via email, onboarding, or signed acknowledgment

3

Is there a defined list of approved AI tools employees may use?

Named tools with permitted use cases, not just a blanket statement

4

Does the policy specify which data types may NOT be entered into AI tools?

PII, PHI, financial records, client data, credentials

5

Is there a designated owner or committee responsible for AI governance?

Someone accountable for maintaining policy and handling incidents

6

Is the AI policy reviewed and updated at least annually?

Scheduled review cycle exists

7

Does the organization have an AI incident reporting procedure?

Defined process for reporting accidental disclosures or misuse

AI Usage Patterns

0 / 14 pts
1

Has the organization conducted a discovery scan to identify AI tools currently in use?

Active inventory of what employees are actually using, not just approved tools

2

Are there known instances of employees using unsanctioned AI tools (shadow AI)?

Personal ChatGPT, Claude.ai, Perplexity, or any unapproved tool

3

Does the organization have Microsoft 365 Copilot licenses deployed?

Any Copilot SKU: M365 Copilot, Copilot for Sales, GitHub Copilot, etc.

4

If Copilot is deployed, has the organization reviewed its data access scope?

Copilot surfaces content the user can access โ€” overpermissioned content becomes visible

5

Do employees understand what data types are and are not safe to enter into AI tools?

Tested via training, acknowledgment, or awareness exercise

6

Has the organization assessed the AI capabilities built into existing SaaS tools?

Salesforce Einstein, HubSpot AI, Zoom AI Companion, Slack AI, Adobe Firefly, etc.

7

Are vendor AI terms of service reviewed before onboarding new AI tools?

Does the vendor train on customer data? Where is data processed?

Monitoring & Enforcement

0 / 12 pts
1

Does the organization have visibility into AI tool usage across its environment?

Logging of which employees use which AI tools and at what frequency

2

Is there a mechanism to detect when sensitive data is being entered into AI tools?

DLP controls, browser extensions, or prompt-level inspection

3

Can the organization block access to specific AI tools if required?

Firewall, DNS, browser policy, or endpoint management controls

4

Have AI governance controls been tested within the last 12 months?

Tabletop exercise, red team test, or policy audit

5

Is there a process to respond to AI policy violations?

Defined escalation path, HR involvement, remediation steps

6

Are AI governance metrics or usage reports reviewed on a regular cadence?

Monthly or quarterly review of usage data, violations, incidents

Ready to generate the scorecard?

Answer all 20 questions to generate the scorecard. 20 remaining.

Perfect For

Quarterly Business Reviews

Quantify AI governance maturity and justify managed security investments.

Client Onboarding

Baseline AI governance posture before deploying controls or policies.

Renewal Conversations

Show measurable gaps and a remediation roadmap before contract renewal.

Compliance Audits

Document AI governance gaps for HIPAA, SOC 2, GDPR, and EU AI Act readiness.

Want to influence what we build next?

Visit the Voting Board

Get More Free Tools Every Friday

Join MSPs getting free security tools, scripts, and resources delivered weekly.