Pre-seeded MSP AI risk inventory aligned to SOC 2 CC3 and CC9. Update likelihood, impact, controls, and owners as your program matures.
| ID | Risk | Category | Likelihood | Impact | Score | Severity | Current Controls | Owner | SOC 2 |
|---|---|---|---|---|---|---|---|---|---|
| AR-001 | **Sensitive Data Leakage via Public AI Tool.** Employee pastes client PII, credentials, or confidential data into an unapproved AI tool. Data leaves the organization's control. | Data | 3 | 3 | 9 | Critical | AI AUP; PII Sanitizer; Training Vol.2 | Risk Owner | CC6.7 |
| AR-002 | **Shadow AI Tool Adoption.** Staff adopt unauthorized AI tools without IT/security review. Unvetted tools may have no DPA, no SOC 2, and unknown data retention policies. | Governance | 3 | 3 | 9 | Critical | Vendor Checklist; AI AUP | IT / Security | CC1.2, CC8.1 |
| AR-003 | **AI Hallucination in Client-Facing Output.** AI generates confident but incorrect technical advice, pricing, or recommendations that are sent to a client without verification. | Operations | 3 | 2 | 6 | High | Review Policy; Prompt Guide | Operations Owner | CC2.2 |
| AR-004 | **AI-Assisted Social Engineering / Phishing.** Threat actors use AI to craft highly convincing phishing emails or deepfake voice/video targeting staff or clients. Lowers the bar for impersonation attacks. | Security | 3 | 2 | 6 | High | Security Awareness; MFA; IR Playbook | Security Lead | CC6.1, CC6.8 |
| AR-005 | **Over-Reliance on AI Automation.** AI-automated workflows run without sufficient human oversight. Errors propagate across multiple clients before detection, especially in RMM or ticketing automations. | Operations | 2 | 3 | 6 | High | Human-in-Loop Policy; Exception Logging | Operations Owner | CC7.2, CC7.4 |
| AR-006 | **AI Vendor Lock-in / Service Discontinuation.** Heavy dependency on a single AI vendor whose API, pricing, or availability changes. Disrupts workflows built around that vendor's model or service. | Vendor | 2 | 3 | 6 | High | Vendor Assessment; Abstraction Layer | IT / Security | A1.2, CC9.2 |
| AR-007 | **Biased or Discriminatory AI Output.** AI produces output that reflects training data biases, affecting hiring content, client communications, or automated scoring in ways that could create legal or reputational risk. | Compliance | 2 | 2 | 4 | Medium | Human Review; Output Audit | HR / Legal Counsel | CC2.1 |
| AR-008 | **AI-Generated Code Introducing Vulnerabilities.** AI-generated scripts or code deployed without security review contain insecure patterns, hardcoded secrets, or logic errors that create exploitable vulnerabilities. | Security | 2 | 2 | 4 | Medium | Code Review Policy; SAST Scan | Engineering Lead | CC8.1 |
| AR-009 | **Intellectual Property Risk from AI Training Data.** AI outputs that closely reproduce copyrighted material expose the organization to IP claims if used in client deliverables or published content. | Legal Counsel | 1 | 3 | 3 | Medium | Output Review; Legal Guidance | Legal Counsel | CC2.1 |
| AR-010 | **Staff Productivity Loss from AI Misuse.** Employees spend excessive time prompting AI for tasks it performs poorly, or use AI as a crutch that degrades core skills over time. | People | 2 | 1 | 2 | Low | Use Case Guidance; Prompt Training | Direct Manager | CC1.4 |