What Should Be in an AI Acceptable Use Policy? A Canadian MSP Guide
Written by Mike Pearlstein, CISSP, CEO of Fusion Computing Limited. Helping Canadian businesses build and manage secure IT infrastructure since 2012 across Toronto, Hamilton, and Metro Vancouver.
Key Takeaways
- An AI acceptable use policy now sits behind every Canadian cyber renewal and FRFI vendor attestation I see. The de facto regulator is the carrier, not Ottawa.
- Seven clauses anchor a policy that holds under audit: scope, tool tiers, data classification, prohibited uses, human oversight, disclosure, review cadence.
- Approved-vs-prohibited decisions hang on data residency, retention defaults, signed Canadian DPA, admin integration. Consumer ChatGPT and free Gemini fail by default.
- PIPEDA, PHIPA, Quebec Law 25, and Bill C-8 govern AI handling of personal information today. Ontario IPC-OHRC principles and OSFI E-23 raise the floor through 2027.
- I have authored AI AUPs for 11 Canadian SMB clients since Q4 2025. The five-step rollout (Draft, Pilot, Train, Enforce, Review) has held in every engagement.
Daniel called at 8:47 on a Tuesday. Managing partner at a 42-person Toronto litigation firm. His cyber renewal had just landed with a new question 14: did the firm have a written AI Acceptable Use Policy and an annual training record. He had neither. Renewal was due in twenty-three days.
I turned on Microsoft Defender for Cloud Apps shadow-AI discovery on his tenant before we hung up. Five days later it had catalogued fourteen distinct generative AI tools across 42 people, including a WordPress chatbot answering legal questions on the public site that nobody knew was live. That call is why I am writing this guide.
Note: Daniel is a composite drawn from several Canadian engagements. Specific details are changed for confidentiality. The policy structure and outcome numbers are real.
Why every Canadian SMB needs an AI acceptable use policy
Companion guide: oversharing is the operational risk paired with policy. Run the Pre-Copilot SharePoint Audit alongside the AUP rollout so the policy and the data layer ship together.
The pressure does not come from a federal statute. Bill C-27, which contained the Artificial Intelligence and Data Act, died on the Order Paper in January 2025. The pressure arrives quietly, on insurance supplementals and FRFI vendor attestations.
I have read more than a dozen 2026 cyber renewals. Every one asks for a written AI AUP and an annual training record. Answer no twice and your premium moves. The risk math is just as direct: IBM’s 2025 Cost of a Data Breach Report found one in five breached organizations had the incident linked to shadow AI, adding roughly USD $670,000 to average cost.
What Canadian regulators expect: The Office of the Privacy Commissioner of Canada and the Information and Privacy Commissioner of Ontario published nine joint generative AI principles in December 2023. The Canadian Centre for Cyber Security generative AI advisory sets a baseline of identity controls, labelling, and audit logging. ISED frames the Canadian AI Code of Conduct as a parallel obligation. NIST AI RMF anchors controls. Sources: priv.gc.ca, ipc.on.ca, cyber.gc.ca, ised-isde.canada.ca, nist.gov.
The 7 mandatory clauses every AI AUP should contain
I keep the structure stable because insurers and FRFI procurement scan for the same seven items. Skip one and the document reads as a memo. The table is the checklist I hand counsel before they touch language.
| Clause | Why mandatory | Common pitfall |
|---|---|---|
| 1. Scope & ownership | Names who the policy binds and who signs off. Insurers want one accountable role. | Listing “IT” with no individual; ignoring contractors. |
| 2. Tool tiers | Sanctioned, conditional, prohibited. Lets people work without filing a ticket. | A flat “approved list” with no path to add tools. |
| 3. Data classification | Defines what may go into which tier. FRFI auditors anchor on this. | Two tiers that ignore client-confidential and regulated data. |
| 4. Prohibited uses | Hard-line don’ts. Categories, not exhaustive lists. | A 30-bullet list that gets ignored when novel cases arise. |
| 5. Human oversight | Names which decisions require a human signature. | Vague “humans should review” with no decision categories. |
| 6. Disclosure | Customer-facing AI must identify itself. Moffatt v. Air Canada is the precedent. | Forgetting the website chatbot, email reply assistant, quote generator. |
| 7. Review & IR tie-in | Quarterly tool list, annual full document, hook into incident response. | A document signed once and never reopened. |
Approved vs prohibited tools: how to draw the line
Daniel’s instinct was to ask which AI tool to buy. That is almost every managing partner’s instinct, and it is almost always wrong. Tool selection is the last decision, not the first.
I draw the line on four dimensions: in-tenant data residency, retention defaults, training opt-out, and signed Canadian DPA. Consumer versions of the four major tools fail most by default. Enterprise editions pass with proper configuration.
| Tool | Tier | Why I sanction (or do not) |
|---|---|---|
| Microsoft 365 Copilot | SANCTIONED | Data stays inside the M365 tenant. Respects Purview labels. Conditional Access via Entra ID. |
| Claude Team / Enterprise | SANCTIONED | Zero-retention by default. Cleanest DPA in the market for Canadian counsel review. |
| ChatGPT Enterprise | CONDITIONAL | DPA, no training, SAML SSO. Sanctioned once admin guardrails are configured. |
| Google Gemini (Workspace) | CONDITIONAL | Workspace edition keeps data in tenant. Sanctioned for Workspace shops. |
| ChatGPT Free / Plus | PROHIBITED | No DPA, no Canadian residency control. Prompts can train models. |
| Free Gemini, personal Claude | PROHIBITED | Same failure pattern. Long-tail AI startups without DPAs land here too. |
| Once a tool clears the AUP, see how ChatGPT Agents automate recurring workflows safely under it. | ||
Employees will ask for tools outside the list. I build a request path into the policy so the answer is never a flat no. Conditional means “use it for this workflow on this data class with documented approval.”
Book a free 30-minute IT assessment to map your current AI surface
Data classification: what you can and cannot put into AI tools
Every AUP I have authored uses four data tiers. Public material may go into any sanctioned tool. Internal business information goes only into sanctioned tools.
Confidential data, including client matter notes, employee personal information, and contracts, may use sanctioned tools only under an executed Data Processing Agreement. Restricted data, including privileged communications, PHI, and regulated financial records, requires case-by-case approval from counsel.
The technical control is Microsoft Purview sensitivity labels with SharePoint auto-labeling. Once labels are applied, Copilot respects them at prompt time. On Daniel’s tenant, the first week of auto-labeling reclassified 860 documents and caught fourteen prompts containing PII patterns. A policy that bans every AI workflow fails the same way one that allows everything fails: people route around it.
PIPEDA, PHIPA, Quebec Law 25, Bill C-8 implications
Canada has no federal AI statute in force, but the privacy floor under AI handling of personal information is high and rising.
PIPEDA continues to govern commercial collection, use, and disclosure. The OPC’s 2023 generative AI guidance reads PIPEDA principles directly into prompt-level practice. PHIPA binds Ontario health-information custodians. Quebec Law 25 is the most prescriptive provincial statute: any AI making automated decisions about a Quebec resident must be disclosed, with a right to human review.
Bill C-8, tabled in 2025 as the successor cybersecurity framework, reaches federally regulated operators and their suppliers. Most of my SMB clients touch C-8 through their FRFI customers’ vendor risk programs. OSFI Guideline E-23 on model risk management comes into force May 1, 2027 and pulls every FRFI supplier into scope.
Why Moffatt v. Air Canada reshapes disclosure clauses: On February 14, 2024, the BC Civil Resolution Tribunal held Air Canada liable for misinformation its chatbot had given Jake Moffatt about a bereavement fare. The tribunal rejected the “separate entity” argument and awarded C$812.02. The dollar figure is small. The precedent is large: every Canadian organization owns the outputs of every AI system speaking on its behalf. Sources: BC CRT 2024 BCCRT 149; McCarthy Tétrault analysis.
Enforcement and monitoring: how to make the policy actually stick
Most policies fail not at drafting but at enforcement. I configure five Microsoft 365 controls in a fixed order on every engagement.
Day one is Conditional Access via Microsoft Entra ID, scoped to Copilot, Claude Enterprise, and ChatGPT Enterprise tenants, requiring MFA and a compliant device. Day three is Microsoft Purview AI Hub with DLP for Copilot Studio enabled. Day seven is SharePoint auto-labeling against the four data tiers.
Week two, Defender for Cloud Apps moves from discovery to enforcement. The first time you flip that switch on a typical 40-person tenant, you will block ten of fourteen tools, sanction three, conditional one. Week three is the all-hands training, attestation capture, and a quarterly cadence locked in the calendar.
The 5-step rollout (Draft, Pilot, Train, Enforce, Review)
| Step | What happens | Who runs it |
|---|---|---|
| 1. Draft | Defender shadow-AI discovery. Stakeholder kickoff (IT, HR, counsel, line-of-business). Counsel drafts clauses against the 7-clause skeleton. | MSP + counsel |
| 2. Pilot | Roll sanctioned list to 5 to 10 person cohort. Capture friction. Refine tool tiers and request path. | IT lead |
| 3. Train | All-hands 60-minute session: tiers, sanctioned tools, request path, what to do if data is pasted by accident. | HR + MSP |
| 4. Enforce | Conditional Access live. Purview AI Hub plus DLP in enforce mode. Defender flips to block. | MSP |
| 5. Review | Quarterly tool-list standup. Annual full review. Insurer evidence packet refreshed every renewal. | Exec + IT |
On Daniel’s tenant, twelve weeks in, Defender showed unsanctioned AI usage down 82%. Forty-one of 42 employees attested. The renewal closed at the same premium. The FRFI vendor attestation went through three weeks later. None of those outcomes happened because the policy was eloquent. They happened because the controls were wired to the clauses.
I have run this exact sequence eleven times since Q4 2025. Not once has it taken longer than twelve weeks when stakeholders show up. An AI readiness assessment at week zero saves at least two weeks of drafting friction.
Common AUP failure modes I have actually seen
Three patterns kill more AUPs than any regulatory issue. The first is letting legal draft alone. Counsel produces clauses; counsel cannot define the four data tiers without input from the people who handle the data.
The second is treating the AUP as a training policy. HR signs off, the policy ships as an LMS module, and the technical controls are never built. Defender stays in discovery mode forever. Six months later the renewal lands and there is no telemetry to show the carrier.
The third failure mode is forgetting customer-facing AI. The website chatbot, the support reply assistant, the booking AI. Moffatt says you own everything those systems say. Daniel had a marketing-installed chatbot offering opinions about case strengths to about 180 people a month for nine months. We muted it within the hour.
I have authored AI AUPs for eleven Canadian SMB clients across professional services, healthcare-adjacent firms, and FRFI vendors. The seven-clause structure has held in every engagement. What varies is which failure mode the client arrives with.
Book a free 30-minute IT assessment and map your AI policy gap
Ontario firms applying this AUP framework to legal practice should pair it with the Law Society of Ontario AI policy template for LSO-specific clause language, and the LawPRO insurance and AI errors disclosure obligations playbook for Rule 7.8-1 incident response.
Frequently asked questions
What should be in an AI acceptable use policy?
Seven clauses: scope and ownership, tool tiers (sanctioned, conditional, prohibited), four-tier data classification, prohibited uses by category, human oversight on high-impact decisions, customer-facing AI disclosure, and a quarterly review cadence tied into the incident response plan. Clause language should be reviewed by qualified Canadian privacy counsel. Technical controls typically configure inside a Microsoft 365 Business Premium or E5 tenant.
Is an AI acceptable use policy legally required in Canada in 2026?
No federal AI statute is in force; Bill C-27 collapsed in January 2025. PIPEDA, PHIPA, Quebec Law 25, Alberta PIPA, BC PIPA, and the OPC’s nine generative AI principles govern AI use that touches personal information. Bill C-8 reaches federally regulated operators. OSFI Guideline E-23 binds FRFIs from May 2027. In practice, cyber insurance carriers and FRFI procurement teams have made a written AUP a commercial requirement well ahead of any statute.
What tools should I sanction in my AI AUP?
For a Canadian SMB on Microsoft 365, my default tier-one list is Microsoft 365 Copilot, Claude Team or Enterprise, and ChatGPT Enterprise with executed DPA. Workspace shops add Gemini for Workspace. Skip consumer versions. Skip the long tail of AI startups without DPAs. Build a request path so employees can move new tools from prohibited to conditional with a documented business case.
How do I classify data for AI use?
Four tiers. Public: external material, any sanctioned tool. Internal: business information, sanctioned tools only. Confidential: client data, employee personal information, contracts, sanctioned tools under an executed DPA. Restricted: privileged communications, PHI, regulated financial data, case-by-case approval only. Microsoft Purview sensitivity labels enforce the tiers; SharePoint auto-labeling backfills classification across existing libraries.
What about PIPEDA and Quebec Law 25?
PIPEDA governs commercial AI use that touches personal information. The OPC reads consent, accuracy, and safeguards principles directly into prompt-level practice. Quebec Law 25 is more prescriptive: any AI making automated decisions about a Quebec resident must be disclosed, with a right to human review. PHIPA binds Ontario health-information custodians. Bill C-8 and OSFI E-23 add cybersecurity and model-risk obligations for federally regulated operators and their suppliers.
How long does it take to deploy an AI AUP?
Twelve weeks for a Canadian SMB on Microsoft 365 Business Premium or E5: six weeks of drafting and stakeholder sessions, two weeks of pilot, one week of training, one week of enforcement cutover, two weeks of review and insurer evidence packaging. Engagements compress to eight weeks when Defender shadow-AI discovery has already been running.
What does an AI AUP engagement cost?
For a 40-person firm on M365 Business Premium or E5, a typical twelve-week engagement runs roughly $12,000 to $18,000 in MSP fees, 6 to 10 hours of outside counsel time, and 20 to 30 hours of internal time. Ongoing costs sit around $300 to $600 per month on top of baseline licensing. IBM’s 2025 figure for a shadow-AI-linked breach is roughly USD $670,000 incremental cost.
How do MSPs help enforce an AI AUP?
The policy defines rules; the MSP wires the controls. Microsoft Defender for Cloud Apps catalogues active AI tools and enforces sanction states. Microsoft Purview sensitivity labels and DLP for Copilot Studio enforce data classification at prompt time. Microsoft Entra ID Conditional Access scopes sanctioned tools to compliant devices and MFA. The MSP runs the quarterly tool-list review and assembles the insurer evidence packet at every renewal.
