The COO slid three browser tabs across her laptop. Copilot. ChatGPT Enterprise. A scheduling assistant the operations lead had bought without telling anyone. None of them were rolled out. None had a governance policy. The Bill C-8 supplier questionnaire from her largest client, a regulated transportation operator, was due in 60 days.
“Where do we start, Mike? We don’t have an AI strategy.”
She wasn’t asking which tool to keep. She was asking how to think about AI as a system. That’s the question this post answers, walking through the 12 weeks I spent inside that 60-person Toronto firm and the 12-month roadmap that came out of it. The names and numbers are anonymized, the sequence is real, and most Canadian SMBs I meet are sitting in some version of the same room.
Key takeaways
– Statistics Canada says 12.2% of Canadian businesses used AI in the last 12 months, up from 6.1% the year before, and another 14.5% plan to start within a year (StatsCan, 2025).
– The pull is real, but most SMBs we meet have bought AI tools before they have an AI strategy, which is why 63% of organizations breached through AI in 2025 had no governance policy in place (IBM Cost of a Data Breach, 2025).
– A workable 12-month roadmap front-loads governance, runs a 90-day Copilot pilot tied to one revenue or margin metric, layers vertical agents in months 4 through 8, and uses month 9 onward to harden under Bill C-8 supplier obligations.
– Forrester projects 132% to 353% three-year ROI on Copilot for SMBs when this sequence is followed (Forrester TEI for Microsoft, 2024).
– The order matters more than the tools.
If you’d rather start with a free 30-minute review of your current AI footprint, our AI assessment is the fastest way to find out where you actually stand.
The Canadian AI strategy gap is a measurable thing, not a vibe
Statistics Canada’s Q2 2025 business survey put concrete numbers on something a lot of us in the MSP world had been seeing anecdotally. 12.2% of Canadian businesses had used AI to produce goods or deliver services in the previous 12 months, more than double the 6.1% reported a year earlier (StatsCan, 2025). The Q3 2025 follow-up showed another 14.5% planning to start within a year. Two-thirds of Canadian businesses, 66.7%, had no plans at all (StatsCan, 2025).
But the headline number hides the real story, which is that adoption is wildly uneven by sector.
For our deeper read on the productivity, utilization, and governance picture inside Canadian SMBs specifically, see The State of AI in Canadian Small Business, 2026. The shorthand version: roughly one in four Canadian SMBs has shipped a generative AI tool past pilot. The other three are stuck somewhere between curiosity and confusion.
If you’re in that group, you aren’t behind. You’re inside a 12-month window where the cost of starting wrong, governance debt, license waste, vendor risk, is still recoverable. The cost of waiting another 12 months while regulated clients send supplier questionnaires and Bill C-8 moves through the Senate is not.
Why “buy first, plan later” stops working in 2026
The three orphaned tools at the Toronto firm cost roughly $34,000 a year combined. When I asked their finance lead to pull weekly Copilot active-user data out of the M365 admin centre, three of 60 seats had any usage. Three. ChatGPT Enterprise was a similar story, an executive who’d signed up six months earlier, two analysts who’d been added later, and nobody else. The scheduling assistant was a one-person experiment that the operations lead admitted she hadn’t logged into in eight weeks.
This isn’t unusual. Across our last 12 months of Canadian SMB AI engagements, the average client we onboard has paid for 2.3 generative AI tools before their first governance policy is written. The median Copilot 90-day seat utilization on those engagements, before we sequence a rollout, is 18%. With a structured rollout it climbs to 67% in the same window. Same tool, same business, same people. Different system.
The risk side of this is louder than the waste side. IBM’s 2025 Cost of a Data Breach report tracked 13% of organizations reporting breaches of AI models or applications. Of those, 97% lacked proper AI access controls and 63% had no AI governance policy or were still drafting one (IBM, 2025). Sixty percent of those incidents led to compromised data; 31% led to operational disruption.
Shadow AI is the part most SMBs miss. Kiteworks’ 2026 AI security review found that one in five organizations now reports a breach traced to AI nobody officially sanctioned, and only 37% have a policy that would catch it (Kiteworks, 2026).
If you’ve read our piece on why free AI tools could cost you more than you think, the pattern’s the same one drilled into the data, just with proprietary tools instead of free ones. Every paid AI seat in your tenant is an unmonitored channel for sensitive data unless somebody’s actually monitoring it. The strategy comes first because the strategy is what tells you what to monitor.
The five-question diagnostic I run before any roadmap
The first thing I did at the Toronto firm wasn’t open a laptop. I sat down with the COO, the operations lead, and the controller for 90 minutes and asked five questions. These are the same five I ask any SMB I meet, and they’re how the strategy actually gets named instead of guessed.
1. What revenue or margin metric will AI move? Not “will it help us.” Which line on the P&L. In their case, senior consultant billable hours were leaking 7 to 10 a week per person to admin work, mostly proposal drafting and meeting recap. That number is what we’d measure against at month 12.
2. Who owns the data the model touches? Map the data first; if you can’t map it, you can’t govern it. Their proposals contained client work product subject to NDAs. That meant any model the consultants used had to keep prompts inside the M365 tenant, never train on inputs, and produce auditable logs.
3. What’s the regulatory floor? PIPEDA federally, sector-specific overlays (PHIPA, Law 25, OSFI guidance, LSO rules) where applicable, and now Bill C-8 for anyone supplying critical-sector clients. Their largest customer was a regulated transportation operator, so even though the firm itself wasn’t a designated operator, they were inside the supplier cascade.
4. Who’s already using AI here, with or without a policy? Shadow AI map. Pull the Microsoft 365 audit log, pull browser sign-in records (with consent), survey employees. We found 11 logged users across three tools, plus three more on free-tier ChatGPT that hadn’t shown up in spend reports.
5. What does the win look like at month 12? Specific outcome, not a vague “everyone is using Copilot.” Their answer: senior consultants reclaim 6 hours a week of admin work, governance binder ready for any client questionnaire, no breach. That’s a strategy. Everything that follows is execution.
If those five questions feel uncomfortable, that’s the point. If you can’t answer them, you don’t have an AI strategy yet, you have an AI shopping list. Our vCIO advisory practice runs this diagnostic with clients quarterly so the answers don’t get stale.
Months 1–3: Governance before pilot
Phase one looks slow from the outside. It compounds because every later mistake is cheaper when the guardrails already exist.
I spent weeks one through three at the Toronto firm in document mode. We adapted our AI Acceptable Use Policy template to their data classes, ran a 90-minute training with leadership and team leads, and got it signed before anyone touched a new prompt. The policy named which data classes (public, internal, confidential, regulated) were eligible for which models, and the answer for client-privileged work was always “models inside the M365 tenant only.”
Weeks two through five were identity hygiene. Conditional access policies for any account using Copilot. MFA enforced everywhere. Privileged Identity Management on admin roles. Most SMBs I onboard have at least two of these gaps. Copilot is only as safe as the M365 tenant it sits inside, and a tenant with a service account using a 2018 password and no MFA is a tenant where Copilot becomes a faster way to exfiltrate data, not a safer one.
Weeks four through eight were the vendor inventory and the shadow-AI map. Every AI tool used by anyone in the firm, paid or free, found and logged. Three tools became the official stack (Copilot for productivity, one vertical agent we’ll get to, one Power Automate workflow). Two were sunsetted with notice and a migration path. Five free-tier accounts were closed and replaced with sanctioned alternatives. The operations lead’s scheduling assistant got a 90-day re-evaluation date instead of being immediately killed because the use case was real, just under-deployed.
Citation capsule. Kiteworks’ 2026 AI Data Security review reports that one in five organizations now traces a breach to shadow AI, and only 37% have a governance policy that would have detected it (Kiteworks, 2026). The number you don’t see in that statistic is the silent breaches: the prompts that quietly went to a model nobody knew was in the building.
Phase one ends when leadership can answer this question without flinching: “If your largest client sent a 30-question AI governance questionnaire today, could you answer it in writing inside a week?” If yes, you’re through Gate 1. If not, stay in phase one.
Months 4–6: A Copilot pilot tied to one number
I’m a fan of Copilot as the foundation tool for SMBs because of the integration story, because the data stays inside the M365 tenant, and because the ROI math is the most honest in the market for businesses that are already on Microsoft 365. If you’re choosing between platforms, our Copilot vs ChatGPT vs Claude comparison has the longer argument. For most Canadian SMBs already running M365, Copilot is the path of least friction.
The pilot at the Toronto firm was 25 seats, one team (the senior consulting bench), one workflow (proposal drafting + meeting recap), one metric (admin hours per consultant per week). We didn’t roll it out to the whole company. We didn’t run a generic “Copilot 101” lunch-and-learn. We picked the workflow that mapped to the metric and built the rollout around it.
Citation capsule. Forrester’s Total Economic Impact of Microsoft 365 Copilot for SMBs projects 132% to 353% three-year ROI for typical Canadian-scale SMBs (Forrester TEI for Microsoft, 2024). The UK government’s 20,000-user cross-government Copilot trial found civil servants saving an average of 26 minutes per day, close to two work weeks of recovered time per person per year (GOV.UK, 2025). For a 25-seat Canadian SMB at a loaded cost of C$35 per hour, Microsoft’s own SMB model translates that into roughly 70 hours per user per year and around C$61,000 in recovered productivity annually.
Our Copilot ROI for Canadian businesses post walks through the per-firm math, and our Copilot pricing guide handles the Canadian list pricing and the promotional windows. The number worth memorizing is this: the ROI is real only if utilization is real. A Copilot seat used twice a month is wallpaper. A seat used four times a week pays for itself many times over.
The mid-pilot pivot is where most rollouts fail. At week six the Toronto firm’s seats showed 22% weekly active use. We changed the enablement format on a Friday. Instead of training videos, we ran a 30-minute team workshop where one consultant brought a real proposal in flight and we drafted it live with Copilot in front of everyone. We did the same thing the next Friday with a different consultant. By week 12, weekly active use was 71%. The tool didn’t change. The change-management changed.
That’s the lesson I keep relearning, and it’s the same one we wrote up in our 40-person firm AI case study. AI productivity gains follow change-management investment, not license spend.
Phase two ends at Gate 2: 60% or higher weekly active use across the pilot team, and the pilot metric (admin hours per consultant per week, in their case) has moved measurably. If the metric hasn’t moved, the workflow you picked was wrong. Pick a different one before scaling.
Stuck at the 20% utilization ceiling?
Most Canadian SMBs we meet at this point already paid for the licenses. The fix is the rollout, not a different tool. Book a 30-minute review and we will tell you whether your pilot can recover or needs to be re-scoped.
Months 7–9: Vertical agents, picked by your industry
Generic Copilot is the foundation. The lift comes from vertical agents, AI tools trained on your industry’s jargon, regulatory environment, and customer behaviour. The shift the analysts kept calling “agentic AI” through 2025 is, in 2026, just the way new categories of work tools are shipping.
For Canadian SMBs already on Microsoft 365 E5, Microsoft 365 E7 (the Frontier Suite) launching May 1, 2026 is the on-ramp to native agent infrastructure. That’s the platform-level story. The day-to-day story is choosing the two or three vertical agents that move your specific P&L, and those are usually industry-specific.
The Toronto firm picked a meeting-intelligence agent that captured calls, drafted recaps, and surfaced commitments in their CRM, plus a Power Automate workflow that pulled CRM updates into proposal drafts so consultants weren’t retyping the same context. By month eight, senior consultants were reclaiming 4.5 hours a week of admin time. By month 12 it was 6.2.
The vertical you sit in shapes which agents make sense. We’ve published industry-specific playbooks for the verticals where Canadian SMBs cluster:
- Accounting and bookkeeping firms: AI for Canadian Accounting Firms walks through a CPA-safe Copilot deployment with billable-hour math.
- Law firms and legal teams: AI for Canadian Law Firms handles privilege-safe deployment patterns and what we send opposing counsel about model use.
- Healthcare clinics and allied health: AI for Canadian Healthcare Clinics covers PHIPA-safe adoption and clinic workflows.
- Professional services more broadly: AI for Canadian Professional Services Firms digs into the billable-hour reclamation playbook our Toronto engagement was built on.
- Field-service businesses: AI for Canadian Field Services handles dispatch, diagnosis, and documentation.
Each of those industries has different regulatory floors and different agent options. The principle is the same: don’t pick agents off a list. Pick agents off your month-12 outcome.
Phase three ends at Gate 3: a vertical agent in production, an ROI math model validated against real numbers, and a documented audit trail showing what data the agent touched and how that data was governed. If you’re operating in a regulated vertical and you don’t have the audit trail, the agent isn’t ready for production yet.
Months 9–12: Bill C-8, supplier hardening, and the second budget cycle
This is where the news cycle and the strategy converge.
Bill C-8 passed Third Reading in the House of Commons on March 26, 2026 and is now in the Senate. It targets designated operators in critical-infrastructure sectors (telecom, finance, energy, transportation), but the supplier-cascade language pulls in any third-party technology provider, MSP, or contractor connected to those operators (McCarthy Tétrault, 2026).
Penalties run up to $15 million, and directors and officers can face personal liability. Significant cyber incidents must be reported to the Communications Security Establishment within a prescribed window expected to be 72 hours (MNP Digital, 2026).
If you supply a regulated client, you’re already inside this cascade whether or not Bill C-8 has had Royal Assent. Their compliance team is sending you questionnaires now. The Toronto firm got their first one mid-pilot, which is partly why we accelerated phase one’s governance binder. By month 12 they could answer the full 30-question supplier audit in 24 hours from documentation we’d already written.
Two other 2026 currents are worth knowing about. The federal Spring Economic Update 2026 revealed six AI strategy pillars and a new Small and Medium Business Procurement Program launching this spring, designed to make federal procurement more accessible to SMBs that can prove they meet AI and security baselines (Finance Canada, 2026). The G7 AI Adoption Roadmap implementation, with a Mitacs SME AI Adoption call open in 2026, is a real funding path for small Canadian firms with documented strategies (ISED, 2026).
The shorthand: Canadian SMBs that have an AI strategy on paper, with governance, ROI math, and an audit trail, are now competing for federal procurement and federal funding their unstrategized peers can’t access.
The other thing that happens in months 9 to 12 is the second budget cycle. Whatever you spent on AI tools, training, and our retainer in months 1 through 9 has to come back in your CFO’s spreadsheet, or the program ends. The metric you picked in week 1 is what closes the loop. The Toronto firm’s 6.2 hours per consultant per week, applied to a 12-person consulting bench at a loaded cost of roughly $90 per hour, came out to roughly $290,000 in recovered annual capacity. Total external spend on the program, including our retainer plus tools plus training, was around $45,000. That’s the math that gets phase two of the strategy funded, and it’s the math you should be modelling on day one.
A 12-month timeline you can hand to your board
Most of the work above sequences onto a single page, and most of the failures we see come from skipping a phase or running phases in parallel that should run in series.
The four gates between phases are the only checkpoints I really care about:
- Gate 1: Governance signed, identity hygiene cleaned, vendor inventory complete, supplier-questionnaire-ready binder exists.
- Gate 2: Pilot team at 60% or higher weekly active use, pilot metric has moved measurably, change-management format proven.
- Gate 3: At least one vertical agent in production, ROI math validated against real numbers, audit trail documented for the data the agent touched.
- Gate 4 (outcome): Bill C-8 supplier evidence package complete, second-cycle budget approved on the strength of measured ROI, next 12 months scoped.
If you’re staring at this thinking “we’re already at month four and we never did phase one,” that’s not a failure, it’s a finding. Stop, build the governance binder, and rerun the pilot. Strategies recover; rollouts that skipped governance accumulate compliance debt that gets more expensive every month.
What the Toronto firm looks like at month 12
The COO who started this story now spends about an hour a quarter on AI strategy reviews with us instead of three days a quarter on AI fire drills. Senior consultants reclaim 6.2 hours a week of admin time, which has compounded into a measurable lift in proposals submitted per month. The supplier questionnaire from the regulated transportation client came back in their second cycle and was answered in a day from the documentation binder we’d built in phase one. They’ve passed two enterprise vendor audits since then. The Bill C-8 conversation, when their compliance team eventually has it, will start from a defensible baseline instead of a panic.
The synthesis I keep coming back to, and this is the one piece worth tattooing on your laptop, is that AI strategy is a sequencing problem, not a tool problem. The order is governance, diagnostic, pilot tied to a metric, vertical layer, compliance hardening. Skip a step and you’re spending money on tools that don’t compound. Run the steps in sequence and the tools start paying for themselves halfway through year one.
If you’ve already paid for AI tools and you’re not sure they’re working, our free 30-minute AI assessment reviews your current footprint, identifies the governance gaps, and gives you a one-page roadmap to phase one. If you’d rather start with a deeper engagement, our vCIO advisory team runs the full 12-month roadmap with you. And if you’re building this from scratch with a fresh tenant, our AI services practice handles the deployment side end-to-end.
You don’t need a bigger AI budget than your peers. You need a sequence they don’t have.
Ready to build your roadmap?
Frequently asked questions
What is an AI strategy for a small business?
An AI strategy for a small business is a sequenced plan that names the revenue or margin metric AI will move, defines which data classes can touch which models, sets the regulatory floor (PIPEDA, Bill C-8 supplier obligations, sector overlays), maps existing shadow-AI use, and specifies a 12-month outcome. It is not a list of tools. The order is governance first, diagnostic second, a pilot tied to a single metric third, vertical agents fourth, and compliance hardening fifth.
How long does it take a Canadian SMB to roll out AI?
End-to-end, the realistic window is 9 to 12 months. You can show pilot value at 90 days if phase one (governance) is already done, but the full roadmap, including vertical agents, ROI validation, and Bill C-8 supplier hardening, takes a year for most 25-to-150 seat firms. SMBs that try to compress the timeline below 6 months almost always skip governance and pay for it later.
How does Bill C-8 affect a small business that doesn’t run critical infrastructure?
Through the supplier cascade. Bill C-8 designates operators in telecom, finance, energy, and transportation, and requires them to manage cyber and AI risk in their supply chains. That obligation flows downstream as supplier questionnaires, contractual commitments, and audit requirements landing on any third-party technology provider, MSP, or service vendor connected to a designated operator. If you supply a regulated client, you are inside the cascade whether or not the bill has Royal Assent yet.
What does AI strategy consulting cost in Canada?
For a 25-to-150 seat Canadian SMB, a full 12-month roadmap engagement typically lands between $30,000 and $80,000 in external spend, including the consulting retainer, training, governance documentation, and pilot enablement. Tool licensing (Copilot, vertical agents, Power Automate flows) is on top of that. Most engagements break even in the first year if the pilot metric is chosen correctly. Lighter advisory engagements, just the diagnostic and policy work, run in the $8,000 to $15,000 range.
Should we start with Microsoft Copilot or with a vertical AI tool?
Copilot first, vertical agents second, in almost every case. Copilot deploys inside your existing M365 tenant, keeps prompts inside your data boundary, and integrates with the productivity apps your team already uses. Vertical agents deliver the bigger lift, but they’re harder to govern, harder to integrate, and almost always assume the M365 foundation is already in place. We’ve published vertical playbooks for accounting, law, healthcare, professional services, and field services that show how the layering works in practice.
How do you measure AI ROI in a 25-person firm?
Pick one P&L line at the start of the engagement, tie one workflow to it, and measure weekly. For a billable-hour business, the metric is usually billable hours per professional per week. For an operations business, it’s usually transactions processed or response time. The Forrester Total Economic Impact model projects 132 to 353 percent three-year Copilot ROI for SMBs, but the projection only holds when utilization is real (60 percent or more weekly active use) and the metric is tracked. A Copilot seat used twice a month is wallpaper, regardless of what the macro ROI study says.
What’s the most common mistake Canadian SMBs make with AI?
Buying tools before writing a governance policy. Across our last 12 months of engagements the average client we onboard had paid for 2.3 generative AI tools before their first AI policy was signed. Median Copilot 90-day seat utilization in those firms, before sequencing a rollout, was 18 percent. With a structured rollout it climbed to 67 percent. Same tool, different system. The strategy comes first because the strategy is what tells you which tools to buy and how to deploy them.
About the author. Mike Pearlstein, CISSP, MSc AI, is the founder of Fusion Computing, a Canadian managed IT and AI advisory firm serving SMBs in Toronto, Hamilton, Vancouver, and nationally since 2012. He runs vCIO engagements, AI rollouts, and Bill C-8 compliance programs for Canadian SMBs in regulated supplier ecosystems. Read Mike’s full bio.
