MSP AI Compliance Checklist: Protecting Clients from Shadow AI

May 19, 2026 By ShadowLock Team

The MSP AI compliance checklist below covers the items your clients need in place to satisfy SOC 2, HIPAA, GDPR, and cyber insurance reviewers, and that MSPs are increasingly expected to provide as part of their managed service. Each item is paired with the specific action that closes the gap from the MSP side. Skim-ready, action-oriented, and grounded in what auditors actually examine.

Use this checklist two ways: as a pre-audit gap analysis for clients heading into renewals, and as a roadmap for the AI compliance line of your managed service offering. Items are grouped by the four pillars of AI governance plus an MSP-specific operational layer.

Policy (per client)

  • Each client has a written AI acceptable use policy. Action: provide our free policy template as part of onboarding. Most clients accept your template as-is.
  • Policy lists the client’s approved AI tools. Action: customize the approved tools table per client based on what they license.
  • Policy defines prohibited data categories. Action: match the categories to the client’s data classification and regulatory profile.
  • Policy reviewed annually with documentation. Action: include AI policy review in your annual QBR cycle. Document each review.

Vendor Inventory (per client)

  • Client’s AI vendors are in their formal vendor inventory. Action: confirm OpenAI, Anthropic, Google, and Microsoft are listed for any client formally using those tools.
  • DPAs are on file for each approved AI vendor. Action: collect signed DPAs or evidence the vendor’s standard terms cover the relevant data categories.
  • Vendor security questionnaires or SOC 2 reports collected. Action: retain copies of the vendor’s most recent SOC 2 Type II report.

Technical Controls (deployed by MSP)

  • AI tool usage detection on every managed endpoint. Action: deploy a multi-tenant AI governance platform across the client’s fleet.
  • Content classification on paste. Action: enable PII, credentials, source code, PHI, and financial classifiers.
  • Blocking on highest-severity categories. Action: at minimum, block credentials and PHI submissions. Expand from there.
  • Coverage extends to desktop AI applications. Action: confirm the platform detects ChatGPT Desktop, Claude Desktop, and GitHub Copilot in IDEs.
  • Coverage extends to personal accounts. Action: use endpoint and browser-layer detection (not network-only).
  • Per-client block page customization deployed. Action: customize the block page with the client’s logo and contact info.

Audit Logging (per client)

  • Per-event audit logs containing user, timestamp, tool, classifier matches, outcome. Action: confirm the platform produces this record format for each client tenant.
  • Logs retained for at least 90 days. Action: align retention with the client’s SOC 2 observation window or HIPAA requirements.
  • Logs exportable for client audit evidence. Action: confirm the platform allows export per organization. Walk the client’s compliance team through the export process.

Employee Training (delivered by client, supported by MSP)

  • Client has delivered AI policy training to employees. Action: provide training content as a service or partner with the client to roll it into their existing security awareness cycle.
  • Acknowledgement records collected. Action: confirm the client has acknowledgement records in their HRIS.

MSP Operational Layer

  • AI governance metrics appear in every client QBR. Action: pull dashboard metrics (events detected, sensitive data blocked, audit log availability) into the QBR template.
  • Service desk is trained on AI governance handling. Action: train technicians on common false positives, exception request handling, and block-page behavior.
  • Baseline policy is documented at the partner level. Action: document your standard baseline policy (approved tools, prohibited data, blocking thresholds) so onboarding is consistent.
  • Per-client customizations are documented. Action: for each client, document the customizations from the baseline.
  • New tool exception process is defined. Action: document how a client’s exception request flows to the MSP for vendor review.
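As an added illustration (not ShadowLock's code or any real platform's), the block-and-log pattern from the Technical Controls and Audit Logging sections above, combined with the partner-level baseline and per-client customizations from the operational layer. The classifier patterns, tool names and client names are constructed assumptions; the record fields are the ones the audit logging item lists.

```python
import re
from datetime import datetime, timezone

# Constructed, illustrative classifier patterns; a real platform's classifiers
# are far richer. They only need to show how matches drive the outcome.
CLASSIFIERS = {
    "credentials": re.compile(r"(?i)\b(?:api[_-]?key|password|secret)\b\s*[:=]\s*\S+"),
    "phi": re.compile(r"(?i)\b(?:mrn|patient id|diagnosis)\b"),
    "pii": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),  # SSN-shaped number
}

# Partner-level baseline: approved tools, plus the checklist minimum of
# blocking credentials and PHI while only logging the other categories.
BASELINE = {
    "approved_tools": {"ChatGPT Enterprise", "Microsoft Copilot"},
    "block": {"credentials", "phi"},
}

def client_policy(client: str, overrides: dict = None) -> dict:
    """Apply a client's documented customizations on top of the baseline."""
    overrides = overrides or {}
    policy = {k: set(v) for k, v in BASELINE.items()}
    policy["approved_tools"] |= set(overrides.get("approved_tools", ()))
    policy["block"] |= set(overrides.get("block", ()))
    policy["client"] = client
    policy["customizations"] = overrides  # the per-client deviation record
    return policy

def evaluate_paste(user: str, tool: str, text: str, policy: dict, now=None) -> dict:
    """Classify a paste and return the per-event audit record the checklist asks for."""
    matches = sorted(name for name, rx in CLASSIFIERS.items() if rx.search(text))
    if tool not in policy["approved_tools"]:
        outcome = "blocked_unapproved_tool"   # tool not on the client's approved list
    elif set(matches) & policy["block"]:
        outcome = "blocked"                   # highest-severity category matched
    elif matches:
        outcome = "allowed_logged"            # monitor-only category: log, do not block
    else:
        outcome = "allowed"
    return {"client": policy["client"], "user": user, "tool": tool,
            "timestamp": (now or datetime.now(timezone.utc)).isoformat(),
            "classifier_matches": matches, "outcome": outcome}

def export_for_client(records: list, client: str) -> list:
    """Per-organization export: only that tenant's events leave the platform."""
    return [r for r in records if r["client"] == client]
```

A healthcare client that also blocks PII is expressed purely as an override, so the deviation from baseline is documented in the policy object itself.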

How the Checklist Maps to Specific Frameworks

SOC 2

Most items map to SOC 2 Trust Services Criteria as they apply to AI tool use. The strongest mappings:

  • Policy items → CC1 (control environment), CC2 (communication)
  • Vendor inventory items → CC9.2 (vendor risk management)
  • Technical control items → CC6.1 (logical access), CC6.7 (data transmission)
  • Audit logging items → CC7.2 (system monitoring)

See our AI data leakage and SOC 2 compliance guide for the complete mapping.

HIPAA

For healthcare clients, the technical safeguards (§164.312) apply:

  • Audit Controls, §164.312(b), covered by audit logging items
  • Access Control, §164.312(a)(1), covered by technical control items
  • Integrity Controls, §164.312(c)(1), supported by the block-and-log pattern

GDPR

For clients processing EU personal data:

  • Article 28 (processor agreements), vendor inventory items
  • Article 30 (records of processing), audit logging items
  • Article 32 (security of processing), technical control items

Cyber Insurance

Underwriters increasingly ask about AI controls during renewals. The checklist items collectively answer the questions underwriters are asking: what tools, what data, what controls, what evidence.

Common Gaps We See in MSP-Served Environments

Across MSP customers, the same gaps appear repeatedly:

The “policy but no enforcement” gap. Client has a written AI policy (often the MSP-provided template) but no technical control behind it. Fix: deploy the AI governance platform across the client fleet. This is the single highest-leverage action.

The “incomplete vendor inventory” gap. Client’s vendor inventory lists their CRM and email provider but does not list OpenAI even though their team uses ChatGPT Enterprise. Fix: extend the inventory to AI vendors as part of onboarding.

The “monitor-only forever” gap. Platform deployed in monitor-only mode that never moves to blocking. Auditors will note this. Fix: promote to blocking on the highest-severity classifiers as part of the standard rollout.

The “QBR doesn’t surface AI value” gap. The MSP is delivering AI governance but never shows the client metrics. Result: client perceives it as an invisible service and may push back on cost at renewal. Fix: surface metrics in every QBR.

The “no exception process” gap. Client employees want to use a new AI tool not on the approved list, but there is no documented path for evaluating it. Fix: document the exception process and route requests through the MSP’s vendor review.

Working Backwards from a Client Audit Date

If a client has a SOC 2 Type II audit in 90 days and is not currently AI-compliant, the priority order:

  • Day 1-7: Publish the AUP using the provided template. Add AI vendors to the inventory. These are organizational actions the client takes with MSP support.
  • Day 7-14: Deploy the AI governance platform across the fleet. Monitor-only mode initially.
  • Day 14-28: Promote to blocking on credentials and PHI. Confirm audit logs are flowing.
  • Day 28-60: Train employees and collect acknowledgements. Run the quarterly review.
  • Day 60-90: Dry-run the evidence package. Walk the client’s compliance team through the audit evidence flow.

Most MSPs can take a non-compliant client to audit-ready in under 90 days using this sequence.

When to Escalate to a Specialist

Most AI compliance situations are well within MSP delivery capability. A few cases warrant escalation to a specialist:

  • Active incident or breach involving AI tools, bring in a security incident response firm
  • Complex regulatory environment (e.g., defense contractors with CMMC requirements), bring in a CMMC C3PAO or equivalent
  • Highly regulated healthcare environment with active HHS attention, bring in HIPAA compliance counsel
  • Public company with material AI exposure, coordinate with the client’s general counsel

For the 95% of cases that do not require specialist involvement, the checklist above is the working playbook.

Frequently Asked Questions

What is on an MSP AI compliance checklist?

The checklist covers five layers, policy (per client), vendor inventory (per client), technical controls (deployed by the MSP), audit logging (per client), and employee training (delivered by client with MSP support), plus an MSP operational layer (baseline policies, QBR metrics, exception process).

Can MSPs satisfy SOC 2 AI requirements for their clients?

Yes, provided the MSP deploys a multi-tenant AI governance platform and produces the audit evidence per client. SOC 2 increasingly asks AI-specific questions; the MSP-delivered controls answer those questions cleanly.

What about HIPAA for healthcare clients?

The same pattern applies. The MSP deploys the technical control; the client owns the policy and training; the audit logs feed both the client’s compliance program and any subsequent HIPAA risk assessment. See our HIPAA-specific guide for healthcare-specific considerations.

How long does it take to bring a non-compliant client to audit-ready?

90 days for most mid-market clients using the working-backwards sequence above. Faster for smaller clients with clean baselines; longer for larger clients with complex regulatory environments.

Should the MSP own the AI policy or should the client?

The client owns the policy formally; it is their organization’s policy. The MSP provides the template, helps customize it, and supports the rollout. The policy is signed off by client leadership and lives in the client’s policy repository.

Who delivers AI training to the client’s employees?

Usually the client owns delivery (typically rolling it into their existing annual security training). The MSP can provide training content and SCORM modules as an added-value service.

What evidence do clients need to provide at audit?

Five-item package: written AI policy, vendor inventory with DPAs, technical control evidence (logs and screenshots from the AI governance platform), training records, and review documentation. The MSP-delivered platform produces item 3 directly and supports items 2, 4, and 5.


MSP AI compliance is becoming standard practice. The checklist above is what your client base will need in place over the next eighteen months as auditors and underwriters catch up. MSPs that build the operational playbook now will deliver it as a standard line on their service menu, and use it as a competitive advantage in renewals and net-new business.

Stop shadow AI before it becomes a liability

ShadowLock detects and blocks unauthorized AI tool usage across every endpoint. Free 14-day trial.
