Valley Technology Partners Blog


The Model Context Protocol (MCP): How We Built a Conversational AI for Google Workspace Compliance

Compliance has always been uneven.

Large enterprises have dedicated teams and six-figure budgets to manage frameworks like CMMC, NIST 800-171, HIPAA, and ISO 27001. Small businesses face the same regulatory requirements with a fraction of the resources, often relying on a single IT manager or the business owner themselves.

I wanted to make that a little easier. So I built an open-source tool called the Google Workspace Compliance Audit Tool, using Anthropic’s Model Context Protocol (MCP).

What the Tool Actually Does

When most people talk about AI in business, they think of chatbots or content generation. This project is different: it uses AI to orchestrate a structured, multi-step workflow.

The tool is an MCP server that integrates with Claude Desktop. It runs 19 security checks across 5 control areas: Access Control, Identification and Authentication, Audit and Accountability, System and Communications Protection, and MSP Operations. It maps findings against six compliance frameworks: CMMC Level 2, NIST 800-171, NIST CSF, ISO 27001, HIPAA, and the FTC Safeguards Rule.

Here’s how it works:

  1. Workflow Management: It maintains context through the audit, organizing checks into phases with Q&A after each section to gather business context.
  2. API Interpretation: It runs automated checks (2FA enforcement, external sharing rules, inactive accounts, admin roles) using read-only access to Google Workspace APIs, then translates the responses into plain-language findings.
  3. Conversational Guidance: Instead of navigating dozens of Admin Console screens, you say “Start a Google Workspace audit,” and the AI walks you through the process, including manual verification items that require screenshots.
  4. Reporting: It aggregates findings, maps them to your chosen frameworks, scores compliance by control area, and generates a report with prioritized remediation steps.

The goal is to help you understand your security posture before you engage with professionals.
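To make the "API Interpretation" and "Reporting" steps above concrete, here is an added example of how a few of the automated checks can be expressed and scored. This is illustrative code written for this post, not the GoogleWorkspaceAudit project's own implementation. The user records are constructed inline in the shape of Admin SDK Directory API user resources (the field names primaryEmail, isAdmin, isEnrolledIn2Sv, isEnforcedIn2Sv, lastLoginTime and suspended are real API fields); no Google API is called. The check identifiers, the 90-day inactivity threshold and the framework control mappings are this example's own assumptions.

```python
# Added example, not the project's code: interpret constructed Directory API
# user records into findings, filter mappings to the selected frameworks,
# and score each control area. Field names follow the real Admin SDK user
# resource; everything else (check ids, thresholds, mappings) is assumed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)  # fixed clock for the sample

# Constructed sample of what users().list() might return for a small tenant.
SAMPLE_USERS = [
    {"primaryEmail": "owner@example.com", "isAdmin": True, "isEnrolledIn2Sv": True,
     "isEnforcedIn2Sv": True, "lastLoginTime": "2025-01-14T09:12:00.000Z", "suspended": False},
    {"primaryEmail": "itlead@example.com", "isAdmin": True, "isEnrolledIn2Sv": False,
     "isEnforcedIn2Sv": False, "lastLoginTime": "2025-01-10T16:40:00.000Z", "suspended": False},
    # Never signed in: the Directory API reports the Unix epoch as lastLoginTime.
    {"primaryEmail": "intern@example.com", "isAdmin": False, "isEnrolledIn2Sv": False,
     "isEnforcedIn2Sv": True, "lastLoginTime": "1970-01-01T00:00:00.000Z", "suspended": False},
    {"primaryEmail": "contractor@example.com", "isAdmin": False, "isEnrolledIn2Sv": True,
     "isEnforcedIn2Sv": True, "lastLoginTime": "2025-01-13T08:00:00.000Z", "suspended": False},
    {"primaryEmail": "former@example.com", "isAdmin": False, "isEnrolledIn2Sv": False,
     "isEnforcedIn2Sv": False, "lastLoginTime": "2024-03-01T10:00:00.000Z", "suspended": True},
]


@dataclass
class Finding:
    check_id: str
    control_area: str
    status: str          # "PASS" or "FAIL"
    detail: str          # plain-language explanation for the report
    frameworks: dict     # framework name -> control id (illustrative mappings)
    remediation: str = ""


def _parse_time(ts):
    # RFC 3339 with trailing "Z"; fromisoformat needs an explicit offset on older Pythons
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def check_admin_2sv(users):
    missing = [u["primaryEmail"] for u in users
               if u.get("isAdmin") and not u.get("suspended") and not u.get("isEnrolledIn2Sv")]
    return Finding("IA-01", "Identification and Authentication", "FAIL" if missing else "PASS",
                   f"Admin accounts without 2-Step Verification: {missing}" if missing
                   else "All admin accounts are enrolled in 2-Step Verification",
                   {"NIST 800-171": "3.5.3", "CMMC L2": "IA.L2-3.5.3"},
                   "Enroll each listed admin in 2-Step Verification" if missing else "")


def check_2sv_enforced(users):
    unenforced = [u["primaryEmail"] for u in users
                  if not u.get("suspended") and not u.get("isEnforcedIn2Sv")]
    return Finding("IA-02", "Identification and Authentication", "FAIL" if unenforced else "PASS",
                   f"Active users not covered by a 2SV enforcement policy: {unenforced}" if unenforced
                   else "2-Step Verification is enforced for every active user",
                   {"NIST 800-171": "3.5.3", "CMMC L2": "IA.L2-3.5.3"},
                   "Enforce 2SV at the organizational unit level" if unenforced else "")


def check_inactive_accounts(users, now=NOW, max_idle_days=90):
    stale = []
    for u in users:
        if u.get("suspended"):
            continue  # already disabled, so not an inactive-but-live account
        last = _parse_time(u["lastLoginTime"])
        # Treat the epoch sentinel (never signed in) as inactive as well.
        if last.year == 1970 or (now - last) > timedelta(days=max_idle_days):
            stale.append(u["primaryEmail"])
    return Finding("AC-01", "Access Control", "FAIL" if stale else "PASS",
                   f"Active accounts idle for more than {max_idle_days} days: {stale}" if stale
                   else f"No active account has been idle for more than {max_idle_days} days",
                   {"NIST 800-171": "3.5.6", "CMMC L2": "IA.L2-3.5.6"},
                   "Suspend or remove the listed accounts and reclaim their licenses" if stale else "")


def check_suspended_admins(users):
    bad = [u["primaryEmail"] for u in users if u.get("suspended") and u.get("isAdmin")]
    return Finding("AC-02", "Access Control", "FAIL" if bad else "PASS",
                   f"Suspended accounts that still hold admin roles: {bad}" if bad
                   else "No suspended account retains an admin role",
                   {"NIST 800-171": "3.1.5", "CMMC L2": "AC.L2-3.1.5"},
                   "Remove admin roles from the listed accounts" if bad else "")


CHECKS = [check_admin_2sv, check_2sv_enforced, check_inactive_accounts, check_suspended_admins]


def run_audit(users, frameworks=("NIST 800-171", "CMMC L2")):
    """Run every check and keep only the mappings for the frameworks chosen at audit start."""
    findings = [check(users) for check in CHECKS]
    for f in findings:
        f.frameworks = {k: v for k, v in f.frameworks.items() if k in frameworks}
    return findings


def score_by_area(findings):
    """Percentage of passing checks per control area, as the report would show it."""
    totals = {}
    for f in findings:
        passed, total = totals.get(f.control_area, (0, 0))
        totals[f.control_area] = (passed + (f.status == "PASS"), total + 1)
    return {area: round(100 * p / t) for area, (p, t) in totals.items()}


if __name__ == "__main__":
    results = run_audit(SAMPLE_USERS)
    for f in results:
        print(f"[{f.status}] {f.check_id} {f.detail} -> {f.frameworks}")
    print(score_by_area(results))
```

Two details worth noting: the inactivity check treats the epoch timestamp the Directory API returns for never-signed-in accounts as inactive rather than as a login in 1970, and the framework filter is applied after the checks run, so adding a framework later only requires extending the mapping dictionaries.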

What This Tool Is (and What It Isn’t)

I want to be clear: this tool is not a replacement for a formal security audit or working with a qualified MSSP, assessor, or compliance professional.

This tool is:

  • A self-assessment tool to identify potential compliance gaps
  • A starting point for compliance preparation
  • A way to understand your current security posture across multiple frameworks

This tool is not:

  • An official compliance certification for any framework
  • A substitute for professional auditors or assessors
  • A guarantee of compliance with any regulatory framework

For official certification, you still need to work with the appropriate professionals: a C3PAO or Registered Practitioner for CMMC, healthcare compliance specialists for HIPAA, accredited certification bodies for ISO 27001, or a Qualified Information Security Officer for FTC Safeguards.

Think of this as getting your baseline before the real exam. Knowing where you stand helps you prioritize remediation, budget appropriately, and have informed conversations with assessors.

Why I Built It

Small businesses face real challenges with compliance, and the tool is designed around them:

  • Multi-Framework Flexibility: An MSP can run a NIST 800-171 assessment for a government contractor client, then run a HIPAA assessment for a healthcare client. Select the frameworks at the start, and the tool adapts its control mappings.
  • Proactive Self-Service: This is a free, open-source tool to identify gaps before engaging a consultant or facing an audit. It can turn a stressful, reactive expense into something more manageable.
  • Actionable Output: The results don’t just say “Fail.” They provide specific remediation steps, identify which findings require licensing upgrades (and which don’t), and flag cost optimization opportunities from inactive accounts and unused licenses.
  • Read-Only by Design: The tool operates in audit-only mode. It can read user lists, groups, security settings, and audit logs, but it cannot modify, delete, or change any settings in your environment. All API scopes are explicitly read-only.
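The "Read-Only by Design" point is easiest to guarantee if the server refuses to build credentials with anything but read-only scopes. The following is an added example of such a guard, written for this post rather than taken from the project. The scope URLs are real Google Admin SDK scopes; the allow-list, the ScopeViolation class and the credential-file check are this example's own assumptions, and the stored-credential JSON is constructed for the demonstration.

```python
# Added example, not the project's code: reject any scope that could modify a
# tenant before a credential is ever built. The scope strings are real Admin
# SDK scopes; the allow-list and guard logic are this example's own design.
import json

# Assumed allow-list for an audit-only server: every entry is a *.readonly scope.
READ_ONLY_SCOPES = frozenset({
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly",
    "https://www.googleapis.com/auth/admin.directory.domain.readonly",
    "https://www.googleapis.com/auth/admin.reports.audit.readonly",
})


class ScopeViolation(ValueError):
    """Raised when a requested scope is not on the read-only allow-list."""


def validate_scopes(requested):
    """Return the de-duplicated, sorted scopes if every one is read-only.

    Two layers: the explicit allow-list, plus a ".readonly" suffix check so that
    a future edit to the allow-list cannot silently admit a write scope.
    """
    bad = sorted(s for s in requested
                 if s not in READ_ONLY_SCOPES or not s.endswith(".readonly"))
    if bad:
        raise ScopeViolation(f"refusing non-read-only scope(s): {bad}")
    return sorted(set(requested))


def audit_stored_credentials(json_text):
    """Check the 'scopes' list of a stored authorized-user credential file.

    Returns the validated scopes; raises ScopeViolation if any stored scope is
    not read-only, so a token obtained with broader consent is never reused.
    """
    data = json.loads(json_text)
    scopes = data.get("scopes")
    if not scopes:
        raise ScopeViolation("stored credential carries no scopes; re-authorize explicitly")
    return validate_scopes(scopes)


# Constructed sample of a stored credential (secrets replaced with placeholders).
SAMPLE_CREDENTIAL_FILE = json.dumps({
    "type": "authorized_user",
    "client_id": "PLACEHOLDER_CLIENT_ID",
    "client_secret": "PLACEHOLDER_CLIENT_SECRET",
    "refresh_token": "PLACEHOLDER_REFRESH_TOKEN",
    "scopes": [
        "https://www.googleapis.com/auth/admin.directory.user.readonly",
        "https://www.googleapis.com/auth/admin.reports.audit.readonly",
    ],
})


if __name__ == "__main__":
    print(audit_stored_credentials(SAMPLE_CREDENTIAL_FILE))
    try:
        validate_scopes(["https://www.googleapis.com/auth/admin.directory.user"])
    except ScopeViolation as exc:
        print("blocked:", exc)
```

The suffix check matters because a scope that merely looks read-only but is not on the allow-list is also rejected; the allow-list, not the naming convention, is the source of truth, and the suffix test only catches mistakes in maintaining it.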

Getting Started

Installation is a single command:

curl -sSL https://raw.githubusercontent.com/sean-m-sweeney/GoogleWorkspaceAudit/main/install.sh | bash

The installer walks you through Google Cloud setup, credential configuration, and Claude Desktop integration. Once configured, restart Claude Desktop and type: “Start a Google Workspace audit for yourdomain.com.”

I’m planning to add features based on feedback. If you’re an MSP or Google Workspace admin and have ideas for what would make this more useful, I’d like to hear from you.

🔗 Project Link: https://github.com/sean-m-sweeney/GoogleWorkspaceAudit