Prompt Template System



Core Features

Three-Tier Hierarchical Prompts: System → MSP → Client

Customize AI behavior with 35+ prompt templates, automatic variable substitution, and no-code editing. Your AI, your instructions, your control.

The Generic AI Problem

Most compliance platforms give you generic AI responses that ignore your industry, tools, and standards. The AI doesn't know:

  • That you serve healthcare clients requiring HIPAA-specific language
  • What security tools your clients actually use
  • Your preferred policy format and style
  • Industry-specific terminology your clients expect

Generic AI prompts produce generic compliance content. Your MSP isn't generic.

Three-Tier Prompt Hierarchy: From Generic to Specific

ComplianceScorecard's prompt system works like inheritance in programming: specific overrides general.

Tier 1: System Baseline

What it is: ComplianceScorecard's default prompts, optimized for compliance content generation.

Who controls it: ComplianceScorecard engineering team

Example: “Generate a compliance policy document covering the specified topic. Use clear language and include regulatory references.”

Use when: You want to use the platform defaults with no customization.

Tier 2: MSP Override

What it is: Your MSP's custom prompts that apply to all your clients.

Who controls it: MSP Admin users

Example: “Generate a HIPAA-compliant policy for healthcare clients. Always reference PHI handling, patient privacy, and HIPAA sections 164.308, 164.310, 164.312. Use healthcare industry terminology.”

Use when: You serve a specific industry or have standard requirements across all clients.

Tier 3: Client Override (Roadmap Q2 2026)

What it is: Client-specific prompt customization for unique requirements.

Who controls it: MSP Admin (on behalf of client)

Example: “For this medical practice, always include Massachusetts state-specific requirements and reference their EHR system (Epic) in technical controls.”

Use when: A specific client has unique compliance or formatting needs.

How hierarchy works: Client override (if exists) → MSP override (if exists) → System baseline (always exists). Most specific wins.

35+ Customizable Prompt Types

Every AI feature has its own customizable prompt. Tailor each to your needs:

Policy Generation Prompts

  • Policy Generation: Main policy document creation (default: 0.5 temperature, 4000 tokens)
  • Policy Questions: Assessment question generation (0.7 temp, 1500 tokens)
  • Policy ELI5: Plain-language control explanations (0.6 temp, 800 tokens)

Analysis & Reporting Prompts

  • Gap Analysis: Compliance gap identification (0.4 temp, 2000 tokens)
  • Risk Assessment: Risk scoring and prioritization (0.3 temp, 1500 tokens)
  • Executive Summary: Board-ready summaries (0.5 temp, 2000 tokens)
  • Remediation Plan: Step-by-step action plans (0.4 temp, 3000 tokens)

Technical Prompts

  • Control Explanation: Technical control descriptions (0.3 temp, 800 tokens)
  • Tool Integration: Security tool configuration guidance
  • Evidence Collection: Automated evidence gathering instructions

Plus: 25+ additional prompt types covering every AI-powered feature in the platform.

Automatic Variable Substitution: No Manual Editing

Write prompts once with variables. The system automatically fills them with real client data.

Available Variables

  • {company_name} – MSP name (e.g., “Acme Security Services”)
  • {client_name} – Client organization name (e.g., “Beta Healthcare Corp”)
  • {industry} – Primary industry vertical (e.g., “Healthcare”)
  • {tools} – Deployed security tools (e.g., “Microsoft Defender, Proofpoint, Sentinel, Veeam”)
  • {frameworks} – Compliance frameworks (e.g., “HIPAA, NIST CSF, SOC 2”)
  • {current_date} – Today's date
  • {user_name} – User making the request

How It Works

You write:

“Generate a policy for {company_name}'s client {client_name} in the {industry} industry. Consider their use of {tools}. The policy must align with {frameworks} requirements.”

AI receives:

“Generate a policy for Acme Security Services' client Beta Healthcare Corp in the Healthcare industry. Consider their use of Microsoft Defender, Proofpoint, Sentinel, Veeam, 1Password, Microsoft Entra ID. The policy must align with HIPAA, NIST CSF requirements.”

Result: Every policy is automatically customized to the client's actual environment. No manual find/replace.
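The tier resolution and variable substitution described above, as an added Python example; it is not ComplianceScorecard's code. The function names, the regex-based placeholder matching, and the sample values are assumptions made for illustration.

```python
import re

# The seven variables listed on the page; any other placeholder is rejected.
ALLOWED_VARIABLES = frozenset({
    "company_name", "client_name", "industry", "tools",
    "frameworks", "current_date", "user_name",
})
MAX_PROMPT_CHARS = 10_000  # custom prompt limit stated on the page
# Only bare names match, so format-string tricks such as {x.__class__}
# are never evaluated; they stay literal text.
PLACEHOLDER = re.compile(r"\{([A-Za-z_][A-Za-z0-9_]*)\}")


def resolve_template(system, msp=None, client=None):
    """Most specific tier wins: client -> MSP -> system baseline."""
    return client or msp or system


def render_prompt(template, values):
    """Fill allowlisted {variables} in one pass over the template."""
    if len(template) > MAX_PROMPT_CHARS:
        raise ValueError("prompt exceeds the 10,000 character limit")
    used = set(PLACEHOLDER.findall(template))
    if used - ALLOWED_VARIABLES:
        raise ValueError(f"unknown variables: {sorted(used - ALLOWED_VARIABLES)}")
    if used - set(values):
        raise ValueError(f"no value for: {sorted(used - set(values))}")
    # re.sub scans the template once and never rescans inserted text, so a
    # client name that itself contains "{tools}" is not expanded again.
    return PLACEHOLDER.sub(lambda m: str(values[m.group(1)]), template)


# Constructed sample data (not from a real tenant).
SAMPLE_VALUES = {
    "company_name": "Acme Security Services",
    "client_name": "Beta {tools} Corp",  # placeholder-like value, kept literal
    "industry": "Healthcare",
    "tools": "Microsoft Defender, Veeam",
    "frameworks": "HIPAA, NIST CSF",
}

if __name__ == "__main__":
    baseline = "Generate a compliance policy for {client_name}."
    msp = "Generate a {frameworks} policy for {client_name}; tools: {tools}."
    print(render_prompt(resolve_template(baseline, msp=msp), SAMPLE_VALUES))
```

Client-supplied values are treated as data here: they are inserted verbatim and cannot introduce new placeholders into the prompt.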

No Coding Required: Simple Text Editing

Customize AI behavior without engineering support or technical knowledge.

Editing Interface

  • System baseline (read-only): See the default prompt for comparison
  • Custom prompt textarea: 10,000 character limit, supports variables and formatting
  • Live preview: See how your prompt looks with real client data substituted
  • Revert to baseline: One-click reset to system defaults

Per-Prompt Parameters

Fine-tune AI behavior for each prompt type:

  • Temperature: 0.0 (deterministic) to 1.0 (creative) – control randomness
  • Max Tokens: 50 to 50,000 – control output length
  • Model Override: Use a different AI model for specific prompts (if BYOK is configured)

Example use case: Set temperature to 0.3 for technical controls (need precision), 0.7 for policy summaries (need readability).

Real-World MSP Use Cases

Healthcare MSP: HIPAA-Specific Language

Challenge: All clients need HIPAA-compliant policies with PHI handling procedures.

Solution: Customize policy generation prompt:

“Generate a HIPAA-compliant policy for {client_name}. Always include PHI handling, patient privacy, and reference HIPAA 164.308 (administrative), 164.310 (physical), and 164.312 (technical) safeguards. Use healthcare industry terminology.”

Result: Every policy automatically includes HIPAA-specific guidance. No manual editing required.

Finance MSP: PCI-DSS Focus

Challenge: Clients process credit cards and need PCI-DSS compliance language.

Solution: Customize prompts to reference cardholder data, PCI requirements, and financial regulations.

Result: Policies use correct financial terminology and PCI-specific controls.

Manufacturing MSP: OT/ICS Security

Challenge: Clients have operational technology (OT) and industrial control systems (ICS).

Solution: Customize prompts to address OT/ICS-specific risks, air-gapped networks, and safety requirements.

Result: Policies reflect manufacturing reality, not just IT security.

Multi-Vertical MSP: Industry-Specific Variants

Challenge: Serve healthcare, finance, and legal clients with different compliance needs.

Solution: Use the {industry} variable to automatically adjust tone and references based on client industry.

Result: One prompt template serves all industries with automatic customization.

How MSPs Use Prompts (3-Minute Setup)

Step 1: Navigate to Prompts

Dashboard → AI Setup → MSP AI Setup → Step 6: Prompts

See all 35+ customizable prompt types with status indicators (Using Baseline vs. Customized).

Step 2: Customize a Prompt

  • Select prompt type (e.g., “Policy Generation”)
  • View system baseline (read-only, for reference)
  • Edit custom prompt textarea
  • Add industry-specific instructions
  • Insert variables: {company_name}, {industry}, {tools}, etc.

Step 3: Preview with Real Data

See how your prompt looks with actual client data substituted. Verify variables are replaced correctly.

Step 4: Adjust Parameters (Optional)

  • Set temperature (0.0–1.0) to control creativity
  • Set max tokens (50–50,000) to control length
  • Override AI model for this specific prompt (if using BYOK)

Step 5: Save & Apply

Save MSP-level prompt. Applies to all clients immediately (unless client override exists).

Total time: 3-5 minutes per prompt type. Set once, apply everywhere.

Prompt Template System vs. Competitors

Why This Is Unique

Most compliance platforms use hardcoded prompts with zero customization. ComplianceScorecard offers the most flexible prompt system in the industry.

| Feature | ComplianceScorecard | Competitor A | Competitor B |
|---|---|---|---|
| Prompt Customization | ✅ Yes (3-tier) | ❌ No | 🟡 Basic (1-tier) |
| Variable Substitution | ✅ Automatic | ❌ No | 🟡 Manual |
| Parameter Control | ✅ Per-prompt | ❌ No | ❌ No |
| MSP-to-Client Inheritance | ✅ Yes | ❌ No | ❌ No |
| Preview Before Save | ✅ Yes | ❌ No | ❌ No |
| No Engineering Required | ✅ Self-service | ❌ Requires support | 🟡 Limited |

Integration with Other VERSION 10 Features

Works with BYOK

Use custom prompts with your own AI provider. Set temperature and max tokens per prompt to optimize for your model's strengths.

Works with Context Engine

Your custom prompts are automatically merged with context from the Context Engine (tools, industries, frameworks, RACI, SRM). Best of both worlds: your instructions + automatic data enrichment.

Works with Policy Cloning

When you clone a policy across clients, the custom prompt applies to each clone automatically. No manual editing required.

Works with Multi-Tenancy

MSP-level prompts apply to all clients. Override for specific clients when needed (Q2 2026).

Advanced: Parameter Inheritance

Understanding how parameters (temperature, max tokens, model) are selected:

4-Level Hierarchy

  1. System Config: Global defaults (e.g., temperature: 0.7)
  2. Prompt-Specific Defaults: Per-type overrides (e.g., policy generation: 0.5)
  3. Database Prompt Config: Your custom MSP settings (e.g., 0.3)
  4. Request-Level Override: API call specifies parameter (highest priority)

Example:

  • System default: 0.7
  • Policy generation default: 0.5 (overrides system)
  • Your MSP custom: 0.3 (overrides policy default)
  • API request: 0.6 (overrides your custom)
  • Final temperature: 0.6

This allows fine-grained control at every level without conflicts.

Security & Access Control

Who Can Edit Prompts?

  • MSP Admin: Can customize MSP-level prompts (applies to all clients)
  • MSP User: Can view MSP prompts (read-only)
  • Client Admin: Can customize client-level prompts (if feature enabled, Q2 2026)
  • Super Admin: Can edit system baseline prompts (ComplianceScorecard team only)

Input Validation

  • Temperature: 0.0–1.0 enforced
  • Max Tokens: 50–50,000 enforced
  • Prompt length: 10,000 character limit
  • No code execution (prompts are strings, not code)
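The 4-level parameter inheritance and the range checks listed above, combined in one added Python example; it is not ComplianceScorecard's code. The level names, function names, and the system-level max_tokens value are assumptions, and only the two numeric parameters are covered.

```python
import math

# Lowest to highest priority, following the page's 4-level hierarchy.
LEVELS = ("system", "prompt_default", "msp_config", "request")
LIMITS = {"temperature": (0.0, 1.0), "max_tokens": (50, 50_000)}


def check_range(name, value):
    """Reject values outside the enforced range (also bools and NaN)."""
    low, high = LIMITS[name]
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        raise ValueError(f"{name} must be a number")
    if name == "max_tokens" and not isinstance(value, int):
        raise ValueError("max_tokens must be an integer")
    if math.isnan(value) or not low <= value <= high:
        raise ValueError(f"{name}={value} outside {low}-{high}")


def resolve_params(layers):
    """Merge the four levels; return (params, winning level per key)."""
    params, source = {}, {}
    for level in LEVELS:
        for name, value in layers.get(level, {}).items():
            if name not in LIMITS:
                raise ValueError(f"unsupported parameter: {name}")
            params[name], source[name] = value, level
    # Validate the merged result, so a request-level override is held to
    # the same bounds as a value saved in the MSP configuration.
    for name, value in params.items():
        check_range(name, value)
    return params, source


# Temperatures and the 4000-token policy default are the page's figures;
# the system-level max_tokens is constructed.
PAGE_EXAMPLE = {
    "system": {"temperature": 0.7, "max_tokens": 2000},
    "prompt_default": {"temperature": 0.5, "max_tokens": 4000},
    "msp_config": {"temperature": 0.3},
    "request": {"temperature": 0.6},
}

if __name__ == "__main__":
    print(resolve_params(PAGE_EXAMPLE))
```

Recording which level supplied each value makes it possible to log when a request-level override displaced an MSP setting.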

Prompt Template Best Practices

Writing Effective Prompts

  • Be specific: “Always include HIPAA 164.312 references” beats “mention HIPAA”
  • Use variables: Let the system fill in client data automatically
  • Set context: “You are an expert compliance consultant for MSPs serving {industry}”
  • Define output format: “Use bullet points, not long paragraphs”
  • Reference standards: “Align with {frameworks} requirements”

Temperature Guidelines

  • 0.0–0.3: Technical controls, risk scoring, compliance checks (need precision)
  • 0.4–0.6: Policy generation, remediation plans (balance precision and readability)
  • 0.7–1.0: Executive summaries, plain-language explanations (need creativity)

Max Tokens Guidelines

  • 500–1000: Short explanations, control descriptions
  • 1500–2500: Assessment questions, gap analysis
  • 3000–5000: Full policies, remediation plans, executive summaries

Limitations (Honest Messaging)

We believe in transparency. Here's what you should know:

  • Client-level customization not yet available: Currently MSP-level only (client tier coming Q2 2026)
  • Limited variable library: 7 variables currently supported (custom variables coming Q3 2026)
  • No prompt versioning: Overwrites previous version on save (version history coming Q4 2026)
  • No A/B testing: Cannot test multiple prompts to see which performs better (coming Q4 2026)
  • Character limit: 10,000 characters per prompt (rarely hit, but limit exists)

Roadmap: What's Coming

Q2 2026: Client-Level Prompts

Allow individual clients to override MSP-level prompts for unique requirements. Three-tier hierarchy complete.

Q3 2026: Custom Variables

Define your own variables beyond the standard set. Example: {backup_tool}, {edr_solution}, etc.

Q3 2026: Community Prompt Library

Share prompts with other MSPs. Browse pre-built templates for specific industries or frameworks.

Q4 2026: Prompt Versioning

Track prompt changes over time. Revert to previous versions. See who changed what and when.

Q4 2026: A/B Testing

Test multiple prompts to see which produces better results. Data-driven prompt optimization.

Q1 2027: AI-Assisted Prompt Optimization

AI suggests improvements to your prompts based on output quality analysis.

Get Started with Custom Prompts

The Prompt Template System is included with VERSION 10 at no additional cost. Customize your first prompt in 3 minutes.
