VERSION 10: Founder’s Perspective
Not long ago, I told my team we weren’t adding AI to Compliance Scorecard. I said we don’t do features just because they’re trendy.
Version 10 is where we made a hard decision about what business we’re actually in.
We are not in the document business. We are not in the template business. And we are not in the “add AI and hope it sounds impressive” business.
We are in the infrastructure business.
I’ve spent 30-plus years building software, including federal contracting work where compliance wasn’t a selling point; it was the cost of doing business. That background made me skeptical of anything that looked like hype. I changed my mind not because AI got better at marketing, but because we found use cases where it actually solved problems that had been broken for years.
V10 is the result of that shift. It’s the most significant release we’ve ever shipped.
The Problem That’s Been Hiding in Plain Sight
MSPs don’t struggle with generating policies. They struggle with making compliance services hold up under scrutiny across dozens of clients, multiple frameworks, and different regulators all at the same time.
That’s where most tools fall apart. They were built for a single enterprise. Not for an MSP managing 40 companies, each with SOC 2, CMMC, FTC Safeguards, HIPAA, ISO, or some mix of all of them. I’ve watched MSPs try to make that work with single-tenant platforms and shared folders. They end up rebuilding the wheel for every client engagement, and the work doesn’t scale.
Most compliance platforms, ours included for a while, treated the work like a documentation exercise. Upload a Word doc. Get a signature. Check the box. Move on. Nobody checked whether users actually understood what they signed. Nobody connected the policy to the control to the evidence to the system it was supposed to protect. It looked responsible. It felt productive. But the moment an auditor asked, “prove it,” the whole thing got quiet.
That’s not governance. That’s theater.
What We Actually Built
V10 doubles down on the architecture that reflects reality. True multi-tenant separation: MSP to Company to Client, with inherited controls, shared services, and framework mappings that flow across all layers. When an MSP onboards a new client who needs SOC 2 and CMMC, they’re not starting from scratch twice. Controls are normalized instead of rebuilt every time a client adds a requirement. The work you do for one carries forward into the next. That’s how compliance becomes scalable instead of exhausting.
We built OSCAL-aligned data structures, so controls, evidence, and mappings are structured objects, not just text stored in a database. The federal compliance ecosystem is moving toward machine-readable formats, and we intend to be ahead of that curve, not chasing it.
Automation in V10 is tied directly to mapped controls and real system telemetry. If a control requires MFA, the system knows what that means in context and where evidence should come from, through API integrations with ConnectSecure, Huntress, Liongard, Microsoft Graph, and a growing list of others. That’s very different from uploading a screenshot once a year.
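To make the architecture in this section concrete, here is an added illustration (not Compliance Scorecard’s code) of the MSP to Company to Client inheritance model and the control-to-evidence linkage it describes: a control is normalized once, mapped to several frameworks, inherited down the hierarchy, and judged against evidence from the integration it expects, without crossing the tenant boundary. Tenant names, control ids and evidence records are constructed samples, and the framework requirement ids are illustrative mapping targets.

```python
# Added illustration, not Compliance Scorecard's code: tenant inheritance plus
# control-to-evidence linkage. All tenants, ids and evidence are constructed;
# the SOC2/CMMC requirement ids are illustrative mapping targets.
from dataclasses import dataclass, field

@dataclass
class Control:
    id: str
    mappings: dict[str, str]   # framework -> requirement this control satisfies
    evidence_source: str       # integration that should supply the evidence

@dataclass
class Tenant:
    name: str
    parent: "Tenant | None" = None
    controls: dict[str, Control] = field(default_factory=dict)
    frameworks: set[str] = field(default_factory=set)

    def effective_controls(self) -> dict[str, Control]:
        """Controls flow down the hierarchy; a tenant's own entry overrides its parent's."""
        inherited = self.parent.effective_controls() if self.parent else {}
        return {**inherited, **self.controls}

@dataclass
class Evidence:
    tenant: str
    control_id: str
    source: str
    passed: bool

def coverage(tenant: Tenant, evidence: list[Evidence]) -> dict[str, dict[str, str]]:
    """Per required framework, mark each mapped requirement 'covered', 'failing' or
    'no-evidence', using only this tenant's evidence from the control's expected source."""
    own = {(e.control_id, e.source): e.passed for e in evidence if e.tenant == tenant.name}
    report: dict[str, dict[str, str]] = {fw: {} for fw in tenant.frameworks}
    for ctl in tenant.effective_controls().values():
        for fw, req in ctl.mappings.items():
            if fw in report:
                result = own.get((ctl.id, ctl.evidence_source))
                report[fw][req] = ("no-evidence" if result is None
                                   else "covered" if result else "failing")
    return report

# Constructed sample: one MFA control defined at the MSP level, inherited by a company
# and by a newly onboarded client that needs SOC 2 and CMMC at the same time.
MFA = Control("mfa-all-users", {"SOC2": "CC6.1", "CMMC": "IA.L2-3.5.3"}, "Microsoft Graph")
MSP = Tenant("msp", controls={MFA.id: MFA})
COMPANY = Tenant("company-a", parent=MSP, frameworks={"SOC2"})
CLIENT = Tenant("client-1", parent=COMPANY, frameworks={"SOC2", "CMMC"})
EVIDENCE = [Evidence("client-1", "mfa-all-users", "Microsoft Graph", True),
            Evidence("company-a", "mfa-all-users", "Microsoft Graph", False)]
```

`coverage(CLIENT, EVIDENCE)` shows the single normalized control satisfying both frameworks at once, while the company’s failing telemetry and any evidence from an unexpected source (a screenshot, say) never leak into another tenant’s report.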
AI That Operates Inside Structure
AI is part of V10, but not as a gimmick. I was publicly skeptical of AI in compliance for a reason. Most of what’s marketed today is noise. Too many vendors slapping it onto slides without delivering anything meaningful. Compliance isn’t a sandbox. There’s too much at stake to experiment with half-baked automation.
But we found the broken use case: policy adoption. For years, the entire industry treated it like a formality. Sign here. Done. No one checked for comprehension. When something went wrong, the MSP got blamed because the user “agreed” to a policy they never read, let alone followed.
So, we built AI that reads the actual policy, generates comprehension questions, tests the end user, tracks pass/fail performance across the entire company, and auto-generates plain-language explanations that connect the policy to the employee’s daily role. It also produces structured analysis (gap analyses, executive summaries, remediation plans) from actual assessment data, not generic templates. The AI operates within the framework model, not outside of it. It understands the control, the framework relationship, and the tenant boundary.
Every AI feature in V10 is optional. The compliance engine works with or without AI enabled, because the structure must stand on its own. We also built Bring Your Own Key support for OpenAI, Azure OpenAI, Anthropic, and Google Gemini: your keys, your data controls, your choice. We surface data privacy guidance for each provider tier so MSPs can make informed decisions about where their clients’ compliance data gets processed. We don’t lock anyone into a proprietary model.
Third-Party Risk and Shared Responsibility
One of the areas I’m most focused on right now is third-party risk management and the Shared Responsibility Model. Every vendor in your stack has different boundaries around what they secure and what you’re responsible for. Most MSPs don’t have a structured way to track those boundaries, which means gaps go unnoticed until an audit or an incident exposes them.
We’re building vendor intelligence directly into the platform, collecting SRM documentation, trust center data, and compliance evidence from cloud and SaaS vendors, then normalizing it into RACI matrices that map to your controls. The goal is a three-tier model: what the vendor handles, what the MSP handles, and what the client is responsible for. When you can see all three layers clearly, you can identify and close gaps instead of discovering them under pressure.
AI Governance is a Compliance Conversation Now
Compliance cannot be a yearly artifact exercise anymore. AI adoption has already happened. Regulatory pressure is increasing. Auditors are asking harder questions. MSPs are being pulled into governance conversations whether they like it or not.
Here’s the uncomfortable truth: 78% of AI users are bringing their own tools to work. Only 27% of organizations have comprehensive AI governance. That gap is where the real risk lives. Your clients don’t have the visibility, tooling, or expertise to govern AI themselves. They’re going to call you. They already are.
Compliance Scorecard is positioned to help MSPs deliver AI governance alongside traditional compliance. The 4A Framework we use (Alignment, Authorization, Adoption, and Assessment) applies directly: align AI usage with policy, authorize it at the executive level, ensure adoption includes real comprehension, and assess it continuously against controls. That’s the same governance discipline applied to a new category of risk. And with NIST formalizing AI risk management through the AI RMF and the Cyber AI Profile, the frameworks are catching up to what we’ve been building toward.
Why This Matters
If your compliance service cannot tie a control to a decision, and that decision to a person, and that person to attributable evidence, it will not survive long term. I’ve watched it happen. An MSP builds a compliance practice, sells it to clients, and the first time an auditor asks for evidence tied to a specific control, the whole thing falls apart. That’s not a service. That’s a risk.
Compliance shouldn’t spike during audit season and go dormant the rest of the year. It should operate continuously, the same way accounting does. That’s been my belief since we started this company, and Version 10 is us putting the architecture behind it.
Not prettier dashboards. Not louder claims. Infrastructure that allows MSPs to sell compliance, and AI governance, without rebuilding everything client by client.
I’m not the only guy with all the answers. We build based on what helps MSPs operationalize, sell, reduce risk, and grow revenue. If you want to see what Version 10 looks like in practice, join one of our weekly live demos. I’d rather show you than tell you.
That’s what we built.
Tim Golden
Founder & CEO, Compliance Scorecard