Governance & Acceptable Use

This guide provides policy templates, enforcement procedures, and training frameworks for how MSPs and clients should define, document, and disclose AI use responsibly.

Introduction

Documented guardrails reduce shadow IT, clarify responsibilities, and prevent unsafe expectations. These core rules apply whether AI is used by staff, embedded in services, or adopted by clients.


Internal and Client-Facing Policies

  • Reality: Without documented policies, staff or clients may adopt AI tools unsafely, leading to shadow IT and unmanaged risk.

  • Guardrails:

    • Create separate internal (staff) and client-facing (service) policies

    • Define roles, responsibilities, and escalation points for AI use

Defining Augmentation vs Automation

  • Reality: Not all AI tasks are equal. Some augment human work, others attempt full automation. Misclassification can create unsafe expectations.

  • Guardrails:

    • Classify each AI use case

    • Require human-in-the-loop (HITL) for automation

    • State explicitly which functions AI may suggest vs execute

Training Staff and Clients

  • Reality: Staff and clients may lack awareness of AI risks, making them vulnerable to misuse or overtrusting outputs.

  • Guardrails:

    • Deliver regular training on responsible AI use

    • Include safe prompting, data handling, and error recognition

    • Use simulations (e.g., phishing with AI-generated lures)

Policy Enforcement

  • Reality: Policies are only effective if enforced consistently.

  • Guardrails:

    • Define consequences for policy violations (HR action, service restriction)

    • Audit compliance with client AI agreements

    • Provide clear reporting channels for violations


Internal AI Acceptable Use Policy Template

Internal usage needs a defined baseline, or staff will improvise with AI tools in inconsistent ways.

Policy Area
Requirement
Decision Criteria

Data Confidentiality

Treat all customer and company information as highly confidential

Prohibit disclosing PII, confidential, or sensitive data to public AI platforms

Accountability

Users retain full responsibility for all AI-generated outputs

AI assists human judgment; never replaces critical thinking

Transparency

AI-generated content must be acknowledged where it materially contributes

Outputs used in client documentation require review and attribution

Secure Usage

All AI interactions occur over secure, authenticated systems

Only use approved enterprise AI systems for processing sensitive data

Internal AI AUP Checklist


Client AI Disclosure Framework

DPA Negotiation Summary

MSPs should require vendors to ban training on client data, guarantee data residency, and disclose subprocessors with audit rights. These terms set the baseline for compliant AI adoption.

Clause Type
Required Language
Risk Mitigation

Data Usage

"MSP and client data SHALL NOT be used for vendor model training"

IP exposure and privacy violations

Data Residency

Specify exact jurisdictions for data storage and processing

GDPR/CCPA compliance violations

Subprocessors

Full disclosure of all subcontractors and processing chains

Unauthorized data exposure

Audit Rights

Right to examine algorithmic decision-making and adherence

Limited control over AI vendor ecosystem

Client Communication Protocol

Clients often experiment with AI without understanding the risks. Give practical guardrails for AI use, covering policy, data handling, and safe tool selection by:

  • Helping clients establish their own AI acceptable use policies

  • Advising against inputting confidential information into public AI platforms

  • Running AI tools through the same due diligence as other SaaS apps

  • Using solutions with no-training / data localization features

Key terms: policy enforcement, compliance audit, risk acceptance, AI governance, acceptable use policy (AUP), risk ownership, responsible AI, prompt hygiene, AI-enhanced phishing, augmentation, automation, HITL (human-in-the-loop).


Bottom Line

Strong AI governance gives MSPs control over how AI enters their environment. Clear policies, consistent enforcement, and client communication reduce shadow IT and align AI adoption with security standards.


Last updated

Was this helpful?