AI Accelerates, Humans Approve: Enterprise-Grade Quality Control
Multi-stage approval workflows ensure every AI-generated policy, report, and assessment is reviewed before deployment. Speed without sacrificing control.
The AI Output Problem: Speed vs. Quality
Most AI compliance tools generate content instantly and publish it just as fast. That creates risk:
- AI-generated policies go live without human review
- Reports sent to clients may contain hallucinations
- No audit trail showing who approved what
- No way to catch errors before they impact compliance
AI that publishes without approval is like code that deploys without testing. Fast, but dangerous.
Approval Workflows: Enterprise Quality Control
Compliance Scorecard requires human approval before AI-generated content goes live. Here's why that matters:
Review Before Publish
Every AI-generated policy, report, or assessment enters a pending state until a designated approver reviews it. No content goes live without explicit human approval.
Why this matters: MSPs maintain quality control while still benefiting from AI speed. You review in minutes instead of writing from scratch for hours.
Complete Audit Trail
Every approval decision is logged with a timestamp, approver name, and optional comments. See exactly who approved what and when.
- Track approval history for every document
- Prove compliance during audits
- Identify bottlenecks in the review process
- Maintain accountability across the team
Reject, Comment, Revise
Approvers have three options: Approve, Reject, or Request Changes. Each action includes space for comments, creating a feedback loop between AI generation and human oversight.
Workflow states: Draft → Pending → Approved → Published (or Draft → Pending → Rejected → Draft with feedback)
What Gets Approved?
Approval workflows apply to four critical content types:
AI-Generated Policies
When AI generates a new security policy, it enters a pending state. The MSP reviews the policy content, ensures it matches client requirements, and then approves it for publication to the client portal.
Impact: Catches generic language, industry-specific gaps, or missed client-specific requirements before the policy goes live.
Gap Analysis Reports
Before AI-generated gap analysis reports are delivered to clients, the designated reviewer checks findings for accuracy, verifies recommendations, and approves for delivery.
Impact: Prevents hallucinated vulnerabilities or incorrect remediation steps from reaching clients.
Assessment Templates
When AI creates or modifies assessment templates, changes require approval before they affect client assessments.
Impact: Ensures assessment accuracy and compliance with frameworks (CMMC, NIST, ISO, etc.)
Client AI Setup Configurations
When clients or MSP staff configure AI features for a client, the configuration is placed in the approval queue. The MSP admin reviews settings before enabling AI for that client.
Impact: MSP maintains control over which clients use AI and how, preventing unauthorized AI usage.
How Approval Workflows Work (4 Steps)
Step 1: AI Generates Content
A user (MSP or client) requests an AI-generated policy, report, or assessment. The AI generates content using a configured provider (e.g., OpenAI, Claude).
Step 2: Content Enters Pending State
Generated content is saved but not published. Status: "Pending Approval." Designated approvers receive an email notification.
Step 3: Reviewer Takes Action
Approver navigates to Dashboard → Approvals → Pending, reviews content, and chooses:
- Approve: Content is published/activated immediately
- Reject: Content returns to draft with reviewer comments
- Request Changes: Content returns to the submitter with specific modification requests
Step 4: Audit Trail Updated
The system logs the approval decision with the approver name, timestamp, action taken, and comments. The audit trail is permanent and exportable for compliance documentation.
Approval Queue: Centralized Dashboard
All pending approvals are consolidated on a single dashboard. No hunting through email or multiple screens.
Filter by Type
- Policy Approvals
- Report Approvals
- AI Setup Approvals
- Assessment Template Approvals
Sort by Priority
- Oldest first (prevent bottlenecks)
- Newest first (review recent submissions)
- Client name (organize by client)
- Submitter name (review by team member)
Notifications
- Email notifications when content is submitted for approval
- In-app notification badges (Dashboard widget)
- Daily digest of pending approvals (optional)
Multi-Level Approvals (Advanced)
For enterprise MSPs with compliance teams, enable multi-level approval workflows:
3-Tier Approval Hierarchy
- Level 1: Technician reviews content for completeness
- Level 2: Senior engineer reviews for technical accuracy
- Level 3: Compliance officer reviews for regulatory compliance
Approval Chain
Content must pass all three levels before publication. Each level can approve, reject, or request changes. Rejection at any level returns content to the submitter.
Use case: Large MSPs with separation of duties (SOC 2, ISO 27001 requirements)
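The workflow states and the three-level approval chain described above can be enforced as a small state machine. This is an added illustration, not Compliance Scorecard's code: the role names, the Item class and its functions are hypothetical, and the rule that a submitter cannot review their own content is an assumed separation-of-duties check.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Review tiers from the 3-tier hierarchy, in order (role names are assumed).
LEVELS = ["technician", "senior_engineer", "compliance_officer"]
ACTIONS = {"approve", "reject", "request_changes"}

@dataclass
class Item:
    content_id: str
    submitter: str
    status: str = "draft"  # draft -> pending -> approved -> published
    level: int = 0         # index into LEVELS of the next required reviewer
    audit: list = field(default_factory=list)

def _log(item, actor, action, comments=""):
    # Append-only record of who did what, when, and why.
    item.audit.append({"content_id": item.content_id, "actor": actor,
                       "action": action, "comments": comments,
                       "at": datetime.now(timezone.utc).isoformat()})

def submit(item):
    if item.status != "draft":
        raise ValueError("only drafts can be submitted")
    item.status, item.level = "pending", 0
    _log(item, item.submitter, "submit")

def review(item, approver, role, action, comments=""):
    if item.status != "pending" or action not in ACTIONS:
        raise ValueError("item not pending or unknown action")
    if role != LEVELS[item.level]:
        raise PermissionError(f"level {item.level + 1} needs {LEVELS[item.level]}")
    if approver == item.submitter:  # assumed separation-of-duties rule
        raise PermissionError("submitter cannot review own content")
    _log(item, approver, action, comments)
    if action == "approve":
        item.level += 1
        if item.level == len(LEVELS):
            item.status = "approved"
    else:
        # Reject or request-changes at any level returns it to the submitter.
        item.status, item.level = "draft", 0

def publish(item):
    if item.status != "approved":
        raise PermissionError("content must pass all levels before publication")
    item.status = "published"
    _log(item, "system", "publish")
```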
Auto-Approval Rules (Optional)
For trusted content types, configure auto-approval rules to bypass manual review:
When to Use Auto-Approval
- Low-risk content: Executive summaries, status reports
- Trusted users: Senior engineers with a proven track record
- Template-based content: Policies generated from pre-approved templates
- Internal use only: Content not sent to clients
Auto-Approval Safeguards
- Auto-approved content is still logged in the audit trail
- MSP admin can disable auto-approval anytime
- Content whose AI confidence score falls below the threshold still requires manual approval
Competitive Differentiator: Approval Before Publication
Most AI compliance tools publish generated content immediately. Compliance Scorecard requires approval first.
Compliance Scorecard
- Built-in approval workflows: Multi-stage review before publish
- Complete audit trail: Who approved what, when, and why
- Reject/revise workflow: Feedback loop between AI and human
- Centralized dashboard: All pending approvals in one place
- Configurable rules: Auto-approval for trusted content, manual review for high-risk
Typical AI Compliance Tools
- AI generates → Content published immediately
- No review step
- No audit trail
- Manual copy/paste to review before sending
- MSP must build its own approval workflow
Result: Compliance Scorecard balances AI speed with enterprise quality control. You get the 80x productivity of AI without sacrificing accuracy.
30-Day Approval Expiration
To prevent stale pending approvals, content older than 30 days is automatically expired and returned to draft state.
Why Expiration Matters
- Prevents outdated policies from being approved months later
- Forces review of old pending items
- Keeps approval queue clean and actionable
Expiration Warnings
- Email warning at 21 days (9 days before expiration)
- Email warning at 28 days (2 days before expiration)
- Expired content returns to draft with notification to submitter
Audit Trail Export
Export approval history for compliance audits (SOC 2, ISO 27001, CMMC, etc.)
Export Formats
- CSV: Import into Excel for analysis
- PDF: Attach to audit reports
- JSON: Integrate with SIEM or compliance tools
Exported Data Fields
- Content ID and type (policy, report, etc.)
- Submitter name and timestamp
- Approver name and timestamp
- Action taken (approve, reject, request changes)
- Comments/feedback
- Client name (if applicable)
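An exported audit trail can be checked automatically before it is handed to an auditor. The following is an added example, not part of the product: it reads a JSON export and flags self-approvals, approvals recorded after the 30-day expiration window, and records missing an approver or timestamp. The JSON key names and the sample records are constructed assumptions based on the field list above.

```python
import json
from datetime import datetime, timedelta

EXPIRY = timedelta(days=30)  # pending items expire after 30 days per the page

# Constructed sample export; key names are assumed, not the product's schema.
SAMPLE = """[
 {"content_id": "POLICY_123", "content_type": "policy", "submitter": "alice",
  "submitted_at": "2026-01-02T09:00:00Z", "approver": "bob",
  "approved_at": "2026-01-02T09:12:00Z", "action": "approve", "comments": "ok"},
 {"content_id": "REPORT_7", "content_type": "report", "submitter": "carol",
  "submitted_at": "2026-01-05T10:00:00Z", "approver": "carol",
  "approved_at": "2026-01-05T10:01:00Z", "action": "approve", "comments": ""},
 {"content_id": "POLICY_200", "content_type": "policy", "submitter": "alice",
  "submitted_at": "2026-01-01T08:00:00Z", "approver": "dave",
  "approved_at": "2026-02-15T08:00:00Z", "action": "approve", "comments": ""},
 {"content_id": "TEMPLATE_9", "content_type": "template", "submitter": "erin",
  "submitted_at": "2026-01-10T08:00:00Z", "approver": "",
  "approved_at": "2026-01-10T08:30:00Z", "action": "approve", "comments": ""},
 {"content_id": "REPORT_8", "content_type": "report", "submitter": "erin",
  "submitted_at": "2026-01-11T08:00:00Z", "approver": "dave",
  "approved_at": "2026-01-11T09:00:00Z", "action": "reject", "comments": "redo"}
]"""

def _ts(value):
    # Accept the trailing "Z" form used in the page's API response example.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_findings(export_json):
    """Return (content_id, finding) pairs for records that need follow-up."""
    findings = []
    for rec in json.loads(export_json):
        cid = rec.get("content_id", "?")
        if not rec.get("approver") or not rec.get("approved_at"):
            findings.append((cid, "missing approver or timestamp"))
            continue
        if rec.get("action") != "approve":
            continue  # rejections and change requests publish nothing
        if rec["approver"] == rec.get("submitter"):
            findings.append((cid, "self-approval"))
        if _ts(rec["approved_at"]) - _ts(rec["submitted_at"]) > EXPIRY:
            findings.append((cid, "approved after 30-day expiry"))
    return findings

if __name__ == "__main__":
    for cid, finding in audit_findings(SAMPLE):
        print(cid, finding)
```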
Speed vs. Quality: The Trade-Off
We're honest about the trade-off: approval workflows add time. But the time is minimal compared to manual creation.
Without AI (Manual Creation)
- Write policy from scratch: 4 hours
- Review before publishing: 30 minutes
- Total time: 4.5 hours
With AI + Approval (Compliance Scorecard)
- AI generates policy: 2 minutes
- Review before approving: 10 minutes
- Total time: 12 minutes
With AI Only (No Approval)
- AI generates policy: 2 minutes
- No review
- Total time: 2 minutes
- Risk: Hallucinations, generic content, compliance gaps published live
Verdict: 10 minutes of review time is worth it to avoid compliance failures. You still save 4+ hours per policy.
Who Benefits from Approval Workflows?
Enterprise MSPs
Maintain quality control across large teams. Ensure junior technicians' AI-generated content is reviewed by senior engineers before client delivery.
Regulated Industries (HIPAA, CMMC, FedRAMP)
Prove during audits that all compliance documentation was reviewed and approved by authorized personnel. Audit trail provides evidence of due diligence.
High-Risk Clients
Defense contractors, healthcare providers, and financial services clients where compliance errors have severe consequences. Manual review ensures accuracy before publication.
Quality-Focused MSPs
MSPs who differentiate on quality, not just speed. Approval workflows demonstrate professionalism and attention to detail.
Approval Workflows API
For custom integrations, use the Approval API to submit content for approval or check approval status.
Submit for Approval
POST /api/v3/approvals
{
  "content_id": "POLICY_123",
  "content_type": "policy",
  "approver_role": "compliance_officer"
}
Approve/Reject
PATCH /api/v3/approvals/APPROVAL_123
{
  "action": "approve",
  "comments": "Policy reviewed and approved for client delivery."
}
Get Approval Status
GET /api/v3/approvals/APPROVAL_123
Response:
{
  "id": "APPROVAL_123",
  "status": "approved",
  "approved_by": "USER_456",
  "approved_at": "2026-01-29T12:00:00Z",
  "comments": "Policy reviewed and approved for client delivery."
}
Approval Workflows Limitations
We believe in transparency. Here's what you should know:
- Approvals add time: 10-minute review vs. instant publish (but you save 4+ hours vs. manual creation)
- Requires designated approvers: MSP must assign approver roles to team members
- 30-day expiration: Pending approvals expire after 30 days (prevents stale content, but requires timely review)
- Multi-level approvals slow down publishing: 3-tier approval may take days if approvers are unavailable (trade-off: compliance vs. speed)
Get Started with Approval Workflows
Approval workflows are included with v10 at no additional cost. Configure approvers in 5 minutes.