The Questions to Ask Before Approving Any AI Tool
What due diligence should MSPs complete before approving an AI tool for business use? The starting point is a small, consistent set of questions applied to every tool, regardless of how harmless it seems. What data does the tool collect, and is that data used to train the vendor's models? Where is the data stored, and does that location matter for the client's regulatory obligations? Who else in the vendor's supply chain, sub-processors, and cloud hosts can access the data?
It also matters whether the client is using the consumer or enterprise version of the tool, since the answers to the questions above often differ significantly between the two, even when using the same underlying AI model. A consumer chatbot account and an enterprise API agreement from the same vendor can have entirely different data handling terms.
Finally, ask who within the client's business is accountable for approving future AI tools. Without a named owner, AI tools tend to spread informally across a business, which is the exact problem covered in CyberSentriQ's guide to shadow AI.
Consumer vs Enterprise AI: How Data-Handling Terms Differ
Many AI platforms offer both consumer and enterprise versions, but the differences between them can be significant. One of the most common issues MSPs uncover is employees using personal, consumer accounts instead of the approved enterprise version, often without realizing the security and compliance implications.
When evaluating an AI tool, make sure you:
- Confirm whether the business is using the enterprise or consumer version.
- Verify that submitted data won't be used to train the vendor's AI models.
- Check where customer data is stored and how long it is retained.
- Ensure the appropriate agreements are in place, such as a Data Processing Agreement (DPA) for GDPR or a Business Associate Agreement (BAA) when handling regulated health data.
- Confirm employees aren't accessing the same AI tool through personal accounts that fall outside your governance controls.
The key takeaway is that approving an AI tool isn't enough. MSPs should approve the specific version, licensing tier, and contractual terms that meet the customer's security, privacy, and compliance requirements.
Where AI Tools Touch Regulated Data (and the Client's Liability)
The risk profile of an AI tool changes completely depending on what kind of data passes through it. A marketing AI tool drafting social media copy poses a very different risk from a chatbot summarizing patient records or a tool processing financial statements. Where regulated data, health information, financial records, or personal data under the GDPR is involved, the client's existing compliance obligations do not disappear simply because an AI vendor is now part of the workflow. The client remains liable for how that data is handled, regardless of who built the AI tool. This is why the due diligence process has to map out specifically which business processes feed regulated data into AI tools, rather than treating AI risk as a single, general category.
In healthcare contexts, this often means the MSP needs to confirm whether a BAA chain exists all the way through to the AI vendor, since any gaps in that chain can expose the client to liability they did not realize they had assumed.
Building an Approved-AI List and Enforcing It
Approving an AI tool is only the first step. To reduce risk, MSPs need to help customers ensure approved tools are used consistently and unapproved tools don't slip into everyday use.
A practical governance approach includes:
- Maintaining an approved AI tool register that defines which tools, licensing tiers, and use cases are permitted.
- Using DNS-layer controls to allow approved AI services while blocking or monitoring access to unapproved tools.
- Reviewing AI tool usage regularly to identify shadow AI and other unsanctioned applications.
- Reinforcing governance through Security Awareness Training so employees understand which AI tools are approved, why restrictions exist, and how to request approval for new tools.
By combining technical controls with user education, MSPs can turn AI governance from a documented policy into an effective operational control that reduces risk and supports ongoing compliance.
A Reusable AI Vendor Due-Diligence Checklist
A structured due diligence process helps MSPs evaluate AI tools consistently before they're approved for customer use. Use this checklist to reduce risk and support informed AI adoption:
- Confirm whether the business is using the consumer or enterprise version of the AI tool.
- Review the vendor's terms for data processing and AI model training.
- Verify where customer data is stored and whether it meets regulatory requirements.
- Identify any third-party subprocessors that may access customer data.
- Ensure the appropriate agreements, such as a Data Processing Agreement (DPA) or Business Associate Agreement (BAA), are in place where required.
- Document which business processes and data types will be used with the tool.
- Assign an internal owner to approve, review, and govern the tool.
- Record the approved tool, licensing tier, and permitted use cases in the customer's AI register.
Remember, responsibility for protecting sensitive and regulated data usually rests with the business using the AI tool, not the vendor. That's why due diligence should happen before deployment, not after a security or compliance incident. For MSPs, AI vendor due diligence is an opportunity to deliver an ongoing governance service that helps customers adopt AI safely, demonstrate compliance, and reduce operational risk.
Request a demo to see how CyberSentriq helps MSPs strengthen AI governance with DNS-layer controls, Security Awareness Training, and the visibility needed to manage AI adoption with confidence.
AI Vendor Due Diligence FAQs
Compliance is not a fixed property of an AI tool. It depends on the specific tier, contractual terms, and configuration in use. Enterprise agreements often include data protection terms, such as a Business Associate Agreement for HIPAA or a Data Processing Agreement for GDPR, that consumer tiers typically do not.
Data handling terms. Consumer tiers often allow data to be used for model training and offer fewer data residency or retention guarantees. Enterprise tiers typically include clearer no-training-on-your-data clauses and formal data processing agreements.
In most cases, liability sits primarily with the business that controls the data, not the AI vendor alone. This is why due diligence before adoption matters more than assigning blame after an incident occurs.
DNS-layer filtering lets an MSP allow-list approved AI tools and block or monitor unapproved ones per client. Combined with security awareness training and a documented, approved AI list, this turns a due diligence policy into an enforceable control.