
15 Questions Every Practice Should Ask Their IT Partner About AI

Most IT support contracts were written before AI was mainstream. These questions will reveal whether your IT partner is keeping pace, or leaving you exposed.

When did your practice last review what your IT support contract actually covers? For most professional practices, the answer is "when we signed it", which was probably before ChatGPT existed, before Microsoft Copilot was deployed across M365, and before AI became embedded in the everyday software your teams use.

Your IT partner may be excellent at keeping your network running, your devices secure, and your backups flowing. But that's not the same as being equipped to advise you on AI governance, data sovereignty, or the compliance implications of the AI tools now embedded in your workflows.

These 15 questions will tell you quickly whether your IT partner is a genuine strategic asset for navigating the AI era, or whether you've outgrown their capability.

On AI governance capability

1. Can you provide a written statement of how your services address our AI governance obligations under UK GDPR?

An IT partner with genuine AI governance capability should be able to answer this in writing without hesitation. Vague verbal reassurances are not sufficient, and the question itself will immediately signal whether they've thought about it.

2. Do you have a formal process for assessing AI tools before recommending them to clients?

Every IT partner is now recommending AI tools: Copilot, security AI, backup AI, and more. Do they assess these tools against your data protection obligations before rolling them out? If not, you are the compliance officer by default.

3. What is your own AI use policy, and do you apply it when working on client systems?

If your IT support team uses AI tools when accessing your systems or handling your data, those tools become part of your data processing chain. You have a right to know, and to have appropriate contractual protections in place.

On Microsoft 365 and Copilot

4. If we deploy Microsoft Copilot, what data governance steps should we take first?

Deploying Copilot without governance preparation is one of the most common AI compliance mistakes currently being made in UK professional practices. Copilot can surface and share data from across M365, including data that's been improperly stored or shared. A competent IT partner should be able to walk you through the preparation required.

5. How do you help us maintain our M365 data governance as Copilot and AI features are rolled out?

AI features are being added to M365 continuously: in Teams, in SharePoint, in Outlook. Your IT partner should have a process for reviewing and advising on these changes as they arrive, not just at the annual review.

On Shadow AI and staff tool use

6. Can you identify what AI tools are currently being used across our network?

A good IT partner should be able to generate a report of outbound traffic to known AI services: ChatGPT, Claude, Perplexity, Midjourney, and dozens of others. If they can't, you have limited visibility into Shadow AI risk.

7. What controls can you put in place to prevent staff from uploading client data to unapproved AI services?

This isn't about banning AI; it's about having the ability to enforce your policies technically, not just culturally. Web filtering, DLP controls, and endpoint management all play a role.
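As an added illustration of what questions 6 and 7 ask for (this is example code, not WIT's tooling or any product's output), the script below reads a constructed, simplified proxy log, reports which known AI services each user reached, and flags large uploads to services not on the approved list. The log format, the service inventory, the approval flags and the 64 KB upload threshold are all assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample proxy log (assumed format:
# timestamp client_ip user method url status bytes_sent). Not real traffic.
SAMPLE_LOG = """\
1712000000 10.0.0.12 jsmith GET https://chat.openai.com/ 200 512
1712000010 10.0.0.12 jsmith POST https://chat.openai.com/backend-api/conversation 200 48213
1712000020 10.0.0.15 akhan GET https://www.perplexity.ai/ 200 300
1712000030 10.0.0.15 akhan POST https://claude.ai/api/upload 200 1048576
1712000040 10.0.0.20 bjones GET https://copilot.microsoft.com/ 200 300
1712000050 10.0.0.20 bjones GET https://sharepoint.com/sites/projects 200 300
"""

# Hypothetical inventory: domain -> (service name, approved by the practice?)
AI_SERVICES = {
    "chat.openai.com": ("ChatGPT", False),
    "claude.ai": ("Claude", False),
    "perplexity.ai": ("Perplexity", False),
    "midjourney.com": ("Midjourney", False),
    "copilot.microsoft.com": ("Microsoft Copilot", True),
}

UPLOAD_THRESHOLD = 64 * 1024  # bytes sent in one request treated as a bulk upload (assumed)

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (GET|POST|PUT) (\S+) (\d{3}) (\d+)$")

def host_of(url):
    """Extract the lower-cased host from a URL."""
    return url.split("://", 1)[-1].split("/", 1)[0].lower()

def classify(host):
    """Return (name, approved) if host or any parent domain is in the inventory."""
    parts = host.split(".")
    for i in range(len(parts)):
        entry = AI_SERVICES.get(".".join(parts[i:]))
        if entry:
            return entry
    return None

def analyse(log_text):
    """Return per-user AI service request counts and a list of upload alerts."""
    usage = defaultdict(lambda: defaultdict(int))  # user -> service -> requests
    alerts = []  # (user, service, url, bytes) for bulk uploads to unapproved services
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        _ts, _ip, user, method, url, _status, sent = m.groups()
        svc = classify(host_of(url))
        if svc is None:
            continue  # not a known AI service
        name, approved = svc
        usage[user][name] += 1
        if method in ("POST", "PUT") and int(sent) >= UPLOAD_THRESHOLD and not approved:
            alerts.append((user, name, url, int(sent)))
    return {u: dict(s) for u, s in usage.items()}, alerts
```

In practice the same logic would run over the firewall or web-filter export your IT partner can produce, and the inventory would be maintained against the practice's approved-tools list.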

On data sovereignty and residency

8. Where is our data stored, and has that changed with any AI features you've enabled?

Cloud AI services often process data in the US or other regions. Post-Brexit, the international transfer rules under UK GDPR apply. Your IT partner should know where your data is at all times, including when it's being processed by AI services.

9. Do the AI tools you've deployed on our behalf have data processing agreements with you, and are those covered by our contract with you?

Under UK GDPR, your IT partner is a data processor when handling your personal data. Any sub-processors they use (including AI tools) should be covered by appropriate agreements flowing down to you.

On compliance and accreditations

10. Are you ISO 27001 certified, and does that certification cover AI tool use?

ISO 27001 certification signals a systematic approach to information security. The question of whether AI tools are in scope of the ISMS is newer, and most IT partners haven't formally addressed it yet.

11. Are you Cyber Essentials Plus certified?

A basic but important signal of security posture, particularly for practices handling sensitive client data.

On AI incident response

12. If an AI tool caused a data breach involving our client data, what would your response process be?

AI incidents are different from traditional IT incidents: they may involve data being processed by third-party AI vendors, model outputs containing sensitive information, or data retention by AI services beyond your control. Your IT partner should have a specific response capability, not just a generic incident response plan.

On sector understanding

13. Do you have clients in our sector, and how does your service address sector-specific compliance requirements?

An IT partner who works exclusively with AEC firms, or legal practices, or clinical settings, will have a fundamentally different understanding of your compliance landscape than a generalist MSP. The difference shows in every recommendation they make.

14. How do you stay current on regulatory developments in AI governance and data protection?

The UK AI regulatory landscape is moving fast. The ICO is publishing AI-specific guidance. The EU AI Act has extra-territorial reach for some UK firms. A good IT partner should have a view on how these developments affect their clients' compliance posture.

On future readiness

15. How are you preparing your own service to support clients' AI governance obligations over the next 12–24 months?

The final question is about trajectory, not just current capability. Is your IT partner investing in AI governance expertise? Are they developing tools and processes for managing AI across their client base? Or are they hoping it will remain someone else's problem?

The answers to these 15 questions will tell you clearly whether your IT partner is a strategic ally for the AI era, or whether you need one that is.

For AEC Practices

Workshop IT (WIT), AEC IT specialists

WIT is an ISO 27001-certified, Cyber Essentials Plus-accredited managed IT provider working exclusively with architecture, engineering, and construction firms. If your current IT partner can't answer these questions, it may be time to speak to a specialist.
