Written by Mike Pearlstein, CISSP, CEO of Fusion Computing Limited. Helping Canadian businesses build and manage secure IT infrastructure since 2012 across Toronto, Hamilton, and Metro Vancouver.
Key Takeaways
- An AI acceptable use policy now sits behind every Canadian cyber renewal and FRFI vendor attestation I see. The de facto regulator is the carrier, not Ottawa.
- Seven clauses anchor a policy that holds under audit: scope, tool tiers, data classification, prohibited uses, human oversight, disclosure, review cadence.
- Approved-vs-prohibited decisions hang on data residency, retention defaults, signed Canadian DPA, admin integration. Consumer ChatGPT and free Gemini fail by default.
- PIPEDA, PHIPA, Quebec Law 25, and Bill C-8 govern AI handling of personal information today. Ontario IPC-OHRC principles and OSFI E-23 raise the floor through 2027.
- I have authored AI AUPs for 11 Canadian SMB clients since Q4 2025. The five-step rollout (Draft, Pilot, Train, Enforce, Review) has held in every engagement.
QUICK ANSWER
A Canadian SMB AI Acceptable Use Policy must cover eight sections: scope and ownership, permitted tool tiers, prohibited data classes (PHI, PII, IP, privileged), prompt confidentiality, output verification responsibility, attribution and disclosure, incident reporting, and a retention and review cadence. Map each section to the OPC’s nine generative AI principles (Office of the Privacy Commissioner of Canada, December 2023) and reference NIST AI RMF Govern, Map, Measure, Manage as the technical control framework.
Daniel called at 8:47 on a Tuesday. Managing partner at a 42-person Toronto litigation firm. His cyber renewal had just landed with a new question 14: did the firm have a written AI Acceptable Use Policy and an annual training record. He had neither. Renewal was due in twenty-three days.
I turned on Microsoft Defender for Cloud Apps shadow-AI discovery on his tenant before we hung up. Five days later it had catalogued fourteen distinct generative AI tools across 42 people, including a WordPress chatbot answering legal questions on the public site that nobody knew was live. That call is why I am writing this guide.
Note: Daniel is a composite drawn from several Canadian engagements. Specific details are changed for confidentiality. The policy structure and outcome numbers are real.
Why every Canadian SMB needs an AI acceptable use policy
Companion guide: oversharing is the operational risk paired with policy. Run the Pre-Copilot SharePoint Audit alongside the AUP rollout so the policy and the data layer ship together.
The pressure does not come from a federal statute. Bill C-27, which contained the Artificial Intelligence and Data Act, died on the Order Paper in January 2025. The pressure arrives quietly, on insurance supplementals and FRFI vendor attestations.
I have read more than a dozen 2026 cyber renewals. Every one asks for a written AI AUP and an annual training record. Answer no twice and your premium moves. The risk math is just as direct: IBM’s 2025 Cost of a Data Breach Report found one in five breached organizations had the incident linked to shadow AI, adding roughly USD $670,000 to average cost.
What Canadian regulators expect: The Office of the Privacy Commissioner of Canada and the Information and Privacy Commissioner of Ontario published nine joint generative AI principles in December 2023. The Canadian Centre for Cyber Security generative AI advisory sets a baseline of identity controls, labelling, and audit logging. ISED frames the Canadian AI Code of Conduct as a parallel obligation. NIST AI RMF anchors controls. Sources: priv.gc.ca, ipc.on.ca, cyber.gc.ca, ised-isde.canada.ca, nist.gov.
The 7 mandatory clauses every AI AUP should contain
The control framework underneath the clauses: The NIST AI Risk Management Framework, released January 26, 2023, organizes AI governance into four functions: Govern, Map, Measure, and Manage. Insurers and FRFI procurement use NIST AI RMF as the anchor when they evaluate whether an SMB’s seven-clause AUP has technical depth or stops at language. Each clause should name the corresponding RMF function inline. Source: nist.gov/itl/ai-risk-management-framework.
I keep the structure stable because insurers and FRFI procurement scan for the same seven items. Skip one and the document reads as a memo. The table is the checklist I hand counsel before they touch language.
| Clause | Why mandatory | Common pitfall |
|---|---|---|
| 1. Scope & ownership | Names who the policy binds and who signs off. Insurers want one accountable role. | Listing “IT” with no individual; ignoring contractors. |
| 2. Tool tiers | Sanctioned, conditional, prohibited. Lets people work without filing a ticket. | A flat “approved list” with no path to add tools. |
| 3. Data classification | Defines what may go into which tier. FRFI auditors anchor on this. | Two tiers that ignore client-confidential and regulated data. |
| 4. Prohibited uses | Hard-line don’ts. Categories, not exhaustive lists. | A 30-bullet list that gets ignored when novel cases arise. |
| 5. Human oversight | Names which decisions require a human signature. | Vague “humans should review” with no decision categories. |
| 6. Disclosure | Customer-facing AI must identify itself. Moffatt v. Air Canada is the precedent. | Forgetting the website chatbot, email reply assistant, quote generator. |
| 7. Review & IR tie-in | Quarterly tool list, annual full document, hook into incident response. | A document signed once and never reopened. |
Approved vs prohibited tools: how to draw the line
What the OPC actually says about generative AI: The Office of the Privacy Commissioner of Canada published nine joint federal-provincial principles on December 7, 2023: legal authority and consent, appropriate purposes, necessity and proportionality, openness, accountability, individual access, limiting collection and use, accuracy, and safeguards. The tool-tier decision must map back to these nine points; principle five (accountability) and principle nine (safeguards) carry the most weight in carrier reviews. Source: priv.gc.ca generative AI principles.
Daniel’s instinct was to ask which AI tool to buy. That is almost every managing partner’s instinct, and it is almost always wrong. Tool selection is the last decision, not the first.
I draw the line on four dimensions: in-tenant data residency, retention defaults, training opt-out, and signed Canadian DPA. Consumer versions of the four major tools fail most by default. Enterprise editions pass with proper configuration.
| Tool | Tier | Why I sanction (or do not) |
|---|---|---|
| Microsoft 365 Copilot | SANCTIONED | Data stays inside the M365 tenant. Respects Purview labels. Conditional Access via Entra ID. |
| Claude Team / Enterprise | SANCTIONED | Zero-retention by default. Cleanest DPA in the market for Canadian counsel review. |
| ChatGPT Enterprise | CONDITIONAL | DPA, no training, SAML SSO. Sanctioned once admin guardrails are configured. |
| Google Gemini (Workspace) | CONDITIONAL | Workspace edition keeps data in tenant. Sanctioned for Workspace shops. |
| ChatGPT Free / Plus | PROHIBITED | No DPA, no Canadian residency control. Prompts can train models. |
| Free Gemini, personal Claude | PROHIBITED | Same failure pattern. Long-tail AI startups without DPAs land here too. |
| Once a tool clears the AUP, see how ChatGPT Agents automate recurring workflows safely under it. | ||
Employees will ask for tools outside the list. I build a request path into the policy so the answer is never a flat no. Conditional means “use it for this workflow on this data class with documented approval.”
Led by Mike Pearlstein, CISSP. Fusion Computing has run managed IT for Canadian SMBs since 2012.
Book a free 30-minute IT consultation to map your current AI surface
Data classification: what you can and cannot put into AI tools
Every AUP I have authored uses four data tiers. Public material may go into any sanctioned tool. Internal business information goes only into sanctioned tools.
Confidential data, including client matter notes, employee personal information, and contracts, may use sanctioned tools only under an executed Data Processing Agreement. Restricted data, including privileged communications, PHI, and regulated financial records, requires case-by-case approval from counsel.
The technical control is Microsoft Purview sensitivity labels with SharePoint auto-labeling. Once labels are applied, Copilot respects them at prompt time. On Daniel’s tenant, the first week of auto-labeling reclassified 860 documents and caught fourteen prompts containing PII patterns. A policy that bans every AI workflow fails the same way one that allows everything fails: people route around it.
PIPEDA, PHIPA, Quebec Law 25, Bill C-8 implications
Canada has no federal AI statute in force, but the privacy floor under AI handling of personal information is high and rising.
PIPEDA continues to govern commercial collection, use, and disclosure. The OPC’s 2023 generative AI guidance reads PIPEDA principles directly into prompt-level practice. PHIPA binds Ontario health-information custodians. Quebec Law 25 is the most prescriptive provincial statute: any AI making automated decisions about a Quebec resident must be disclosed, with a right to human review.
Bill C-8, tabled in 2025 as the successor cybersecurity framework, reaches federally regulated operators and their suppliers. Most of my SMB clients touch C-8 through their FRFI customers’ vendor risk programs. OSFI Guideline E-23 on model risk management comes into force May 1, 2027 and pulls every FRFI supplier into scope.
Why Moffatt v. Air Canada reshapes disclosure clauses: On February 14, 2024, the BC Civil Resolution Tribunal held Air Canada liable for misinformation its chatbot had given Jake Moffatt about a bereavement fare. The tribunal rejected the “separate entity” argument and awarded C$812.02. The dollar figure is small. The precedent is large: every Canadian organization owns the outputs of every AI system speaking on its behalf. Sources: BC CRT 2024 BCCRT 149; McCarthy Tétrault analysis.
The 8-section AI AUP checklist (Section x Required content x Why it matters x Example clause)
How this maps to Canadian regulators and standards: The eight sections below trace back to the OPC’s nine generative AI principles (priv.gc.ca, December 2023), the NIST AI RMF four functions (nist.gov, January 2023), and the disclosure precedent set by Moffatt v. Air Canada (BC CRT 2024 BCCRT 149). Insurers and FRFI procurement scan for these eight, in this order.
| Section | Required content | Why it matters | Example clause language |
|---|---|---|---|
| 1. Scope and ownership | Named accountable officer; population bound (employees, contractors, third parties); systems in scope; date of effect. | Insurers want one accountable role. Maps to OPC principle 5 (accountability). | “This policy is owned by the Chief Operating Officer and binds all employees, contractors, and vendors using AI on Firm systems or Firm data, effective [date].” |
| 2. Permitted tool tiers | Sanctioned, conditional, and prohibited lists; documented request path for new tools; signed Canadian DPA requirement. | A flat “approved list” with no path forces shadow-AI workarounds. Maps to OPC principles 2 and 3. | “Sanctioned tools require an executed Canadian Data Processing Agreement and SAML SSO. Conditional tools require written approval from the COO before first use.” |
| 3. Prohibited data classes (PHI, PII, IP, privileged) | Named data classes that may never enter any AI system; tiered classes that require approval; reference to the firm’s data classification scheme. | FRFI auditors anchor on this. Maps to OPC principles 7 and 9; PHIPA, Quebec Law 25, PIPEDA. | “Restricted data (PHI, solicitor-client privileged matter, regulated financial records, source IP) may not be entered into any AI tool without written counsel approval.” |
| 4. Prompt confidentiality and consumer-tool prohibition | Explicit ban on consumer tiers (ChatGPT Free, free Gemini, personal Claude); named examples; reasoning tied to training opt-out and residency. | Consumer-tool prompts can train models. Maps to OPC principle 4 (openness) and principle 9 (safeguards). | “Free or consumer versions of generative AI tools are prohibited for any Firm work product. Pasting Firm data into these tools is a reportable incident.” |
| Section | Required content | Why it matters | Example clause language |
|---|---|---|---|
| 5. Output verification responsibility | Named human accountable for verifying every AI output before client delivery; categories of high-impact decisions requiring written sign-off. | Most-overlooked clause. Moffatt v. Air Canada makes the firm liable for every AI output. Maps to NIST RMF Manage function. | “Every AI-assisted output reviewed by the originating employee. High-impact outputs (client deliverables, regulatory filings, hiring decisions) signed off by a partner or department head.” |
| 6. Attribution and customer disclosure | When AI use must be disclosed to clients; chatbot identification on customer-facing surfaces; internal attribution norms for work product. | Moffatt (BC CRT, 2024) precedent: organizations own all chatbot outputs. Quebec Law 25 requires disclosure for automated decisions about Quebec residents. | “Customer-facing AI must identify itself as AI on first interaction. Automated decisions affecting Quebec residents include a written right-to-human-review notice.” |
| 7. Incident reporting | Named trigger events (data pasted to wrong tool, hallucinated output sent to client, unauthorized tool detected); reporting path; tie-in to incident response plan. | Most policies stop at “report incidents” without listing triggers. Maps to OPC principle 9 and NIST RMF Manage. | “AI incidents (including unsanctioned-tool use, prompt leakage of restricted data, or hallucinated client deliverables) report to security@firm within four business hours.” |
| 8. Retention and review cadence | Audit log retention period (minimum 12 months); quarterly tool-list review; annual full policy review; insurer evidence packet refresh at renewal. | A document signed once and never reopened cannot survive an audit. Maps to OPC principle 5 and NIST RMF Govern. | “Microsoft Purview audit logs retained 12 months. Tool list reviewed quarterly. Full policy reviewed annually. Insurer evidence packet refreshed every renewal cycle.” |
This eight-section structure is the layout that has held across the eleven Canadian SMB AUPs I have authored since Q4 2025. The original seven-clause table earlier in this guide collapses sections 5 and 6 under “human oversight” and “disclosure”; for a carrier-grade document I now separate them. Section 5 (output verification responsibility) is the clause every firm leaves vague and every regulator and underwriter eventually questions.
Enforcement and monitoring: how to make the policy actually stick
Most policies survive drafting and die at enforcement. I configure five Microsoft 365 controls in a fixed order on every engagement.
Day one is Conditional Access via Microsoft Entra ID, scoped to Copilot, Claude Enterprise, and ChatGPT Enterprise tenants, requiring MFA and a compliant device. Day three is Microsoft Purview AI Hub with DLP for Copilot Studio enabled. Day seven is SharePoint auto-labeling against the four data tiers.
Week two, Defender for Cloud Apps moves from discovery to enforcement. The first time you flip that switch on a typical 40-person tenant, you will block ten of fourteen tools, sanction three, conditional one. Week three is the all-hands training, attestation capture, and a quarterly cadence locked in the calendar.
The 5-step rollout (Draft, Pilot, Train, Enforce, Review)
| Step | What happens | Who runs it |
|---|---|---|
| 1. Draft | Defender shadow-AI discovery. Stakeholder kickoff (IT, HR, counsel, line-of-business). Counsel drafts clauses against the 7-clause skeleton. | MSP + counsel |
| 2. Pilot | Roll sanctioned list to 5 to 10 person cohort. Capture friction. Refine tool tiers and request path. | IT lead |
| 3. Train | All-hands 60-minute session: tiers, sanctioned tools, request path, what to do if data is pasted by accident. | HR + MSP |
| 4. Enforce | Conditional Access live. Purview AI Hub plus DLP in enforce mode. Defender flips to block. | MSP |
| 5. Review | Quarterly tool-list standup. Annual full review. Insurer evidence packet refreshed every renewal. | Exec + IT |
On Daniel’s tenant, twelve weeks in, Defender showed unsanctioned AI usage down 82%. Forty-one of 42 employees attested. The renewal closed at the same premium. The FRFI vendor attestation went through three weeks later. None of those outcomes happened because the policy was eloquent. They happened because the controls were wired to the clauses.
I have run this exact sequence eleven times since Q4 2025. Not once has it taken longer than twelve weeks when stakeholders show up. An AI readiness assessment at week zero saves at least two weeks of drafting friction.
Common AUP failure modes I have actually seen
Three patterns kill more AUPs than any regulatory issue. The first is letting legal draft alone. Counsel produces clauses; counsel cannot define the four data tiers without input from the people who handle the data.
The second is treating the AUP as a training policy. HR signs off, the policy ships as an LMS module, and the technical controls are never built. Defender stays in discovery mode forever. Six months later the renewal lands and there is no telemetry to show the carrier.
The third failure mode is forgetting customer-facing AI. The website chatbot, the support reply assistant, the booking AI. Moffatt says you own everything those systems say. Daniel had a marketing-installed chatbot offering opinions about case strengths to about 180 people a month for nine months. We muted it within the hour.
“The clause every firm shortcuts is output verification. They write ‘humans should review AI outputs’ and move on. Then a hallucinated citation lands in a client memo, or a chatbot quotes a refund policy that does not exist, and the underwriter asks who signed off. Name the human, name the deliverable, name the signature. Vague oversight is the difference between a surviving claim and a tribunal read-out.”
I have authored AI AUPs for eleven Canadian SMB clients across professional services, healthcare-adjacent firms, and FRFI vendors. The seven-clause structure has held in every engagement. What varies is which failure mode the client arrives with.
Book a free 30-minute IT consultation and map your AI policy gap
Ontario firms applying this AUP framework to legal practice should pair it with the Law Society of Ontario AI policy template for LSO-specific clause language, and the LawPRO insurance and AI errors disclosure obligations playbook for Rule 7.8-1 incident response.
Frequently asked questions
What should be in an AI acceptable use policy?
Seven clauses: scope and ownership, tool tiers (sanctioned, conditional, prohibited), four-tier data classification, prohibited uses by category, human oversight on high-impact decisions, customer-facing AI disclosure, and a quarterly review cadence tied into the incident response plan. Clause language should be reviewed by qualified Canadian privacy counsel. Technical controls typically configure inside a Microsoft 365 Business Premium or E5 tenant.
Is an AI acceptable use policy legally required in Canada in 2026?
No federal AI statute is in force; Bill C-27 collapsed in January 2025. PIPEDA, PHIPA, Quebec Law 25, Alberta PIPA, BC PIPA, and the OPC’s nine generative AI principles govern AI use that touches personal information. Bill C-8 reaches federally regulated operators. OSFI Guideline E-23 binds FRFIs from May 2027. In practice, cyber insurance carriers and FRFI procurement teams have made a written AUP a commercial requirement well ahead of any statute.
What tools should I sanction in my AI AUP?
For a Canadian SMB on Microsoft 365, my default tier-one list is Microsoft 365 Copilot, Claude Team or Enterprise, and ChatGPT Enterprise with executed DPA. Workspace shops add Gemini for Workspace. Skip consumer versions. Skip the long tail of AI startups without DPAs. Build a request path so employees can move new tools from prohibited to conditional with a documented business case.
How do I classify data for AI use?
Four tiers. Public: external material, any sanctioned tool. Internal: business information, sanctioned tools only. Confidential: client data, employee personal information, contracts, sanctioned tools under an executed DPA. Restricted: privileged communications, PHI, regulated financial data, case-by-case approval only. Microsoft Purview sensitivity labels enforce the tiers; SharePoint auto-labeling backfills classification across existing libraries.
What about PIPEDA and Quebec Law 25?
PIPEDA governs commercial AI use that touches personal information. The OPC reads consent, accuracy, and safeguards principles directly into prompt-level practice. Quebec Law 25 is more prescriptive: any AI making automated decisions about a Quebec resident must be disclosed, with a right to human review. PHIPA binds Ontario health-information custodians. Bill C-8 and OSFI E-23 add cybersecurity and model-risk obligations for federally regulated operators and their suppliers.
How long does it take to deploy an AI AUP?
Twelve weeks for a Canadian SMB on Microsoft 365 Business Premium or E5: six weeks of drafting and stakeholder sessions, two weeks of pilot, one week of training, one week of enforcement cutover, two weeks of review and insurer evidence packaging. Engagements compress to eight weeks when Defender shadow-AI discovery has already been running.
What does an AI AUP engagement cost?
For a 40-person firm on M365 Business Premium or E5, a typical twelve-week engagement runs roughly $12,000 to $18,000 in MSP fees, 6 to 10 hours of outside counsel time, and 20 to 30 hours of internal time. Ongoing costs sit around $300 to $600 per month on top of baseline licensing. IBM’s 2025 figure for a shadow-AI-linked breach is roughly USD $670,000 incremental cost.
How do MSPs help enforce an AI AUP?
The policy defines rules; the MSP wires the controls. Microsoft Defender for Cloud Apps catalogues active AI tools and enforces sanction states. Microsoft Purview sensitivity labels and DLP for Copilot Studio enforce data classification at prompt time. Microsoft Entra ID Conditional Access scopes sanctioned tools to compliant devices and MFA. The MSP runs the quarterly tool-list review and assembles the insurer evidence packet at every renewal.
