MCP Governance Readiness Survey

Client Assessment Template

Client Details

1. AI Tool Landscape

Understanding what AI tools are in use and how they connect to business systems.

1.1 Which AI tools are currently in use or being piloted across your organisation?
Microsoft 365 Copilot
GitHub Copilot
ChatGPT Enterprise / Team
Claude (Anthropic)
Google Gemini
Custom / in-house AI agents
Other:
None / Don't know

1.2 Are any of these AI tools connected to your business data sources (email, files, CRM, databases, APIs)?
Yes — we know which ones
Possibly — but we haven't mapped them
No
Don't know

If yes, please list known connections:

1.3 Are developers or teams installing AI tool integrations (MCP servers, plugins, extensions) independently?
Yes — with no central oversight
Yes — but with some governance
No — all installations are centrally managed
Don't know

2. Governance & Oversight

Assessing whether governance structures exist for AI-to-data connections.

2.1 Who is responsible for approving connections between AI tools and your data sources?
Named individual / team (specify below)
IT / Security team — but no formal process
No one — no process exists
Don't know

2.2 Does your AI acceptable use policy or security policy cover MCP servers or AI tool integrations?
Yes — MCP is specifically addressed
Partially — AI policy exists but doesn't cover MCP
No AI-specific policy exists
Don't know what MCP is

2.3 Is there a formal change control or approval process for new AI integrations?
Yes — documented and enforced
Informal — case-by-case
No

3. Visibility & Inventory

Understanding the organisation's awareness of its current AI integration footprint.

3.1 Do you maintain an inventory of all MCP servers or AI tool integrations deployed in your environment?
Yes — complete and up to date
Partial — some are documented
No inventory exists
Don't know

3.2 Which cloud services are connected (or could be connected) to AI tools via MCP?
Microsoft 365 (Exchange, SharePoint, OneDrive)
Salesforce / CRM
ServiceNow / ITSM
AWS / Azure / GCP services
Internal databases (SQL, Postgres, etc.)
ERP systems (SAP, Dynamics, etc.)
Other:

3.3 Do you have audit logs for data accessed by AI tools through MCP connections?
Yes — centralised logging
Partial — some tools log, others don't
No logging
Don't know

4. Security Posture

Evaluating security controls around AI integrations and the MCP layer.

4.1 Have you reviewed your AI tool supply chain since the Microsoft 365 Copilot vulnerability disclosures (CVE-2025-32711)?
Yes — reviewed and acted upon
Aware but not yet reviewed
Not aware of these disclosures

4.2 Are MCP server connections authenticated using your identity provider (e.g. Entra ID, Okta)?
Yes — all connections use SSO / IdP
Some — mixed authentication
No — or using static tokens / API keys
Don't know

4.3 Do AI tools have least-privilege access to data, or do they inherit broad user permissions?
Least-privilege — scoped per tool
Inherits user permissions (broad access)
Don't know

5. Risk Assessment Summary

To be completed by the assessor based on the responses above.

Area                     | Risk Level                      | Notes
AI tool visibility       | Critical / High / Medium / Low  |
Governance framework     | Critical / High / Medium / Low  |
MCP inventory            | Critical / High / Medium / Low  |
Authentication & access  | Critical / High / Medium / Low  |
Audit & logging          | Critical / High / Medium / Low  |
Overall readiness        | Critical / High / Medium / Low  |

6. Recommended Next Steps

Based on this assessment, the recommended actions for this client are: