
AI and Bill C-27: What Canadian Businesses Must Do Now

Bill C-27's Artificial Intelligence and Data Act (AIDA) creates binding obligations for high-impact AI systems in Canada — organizations must audit their AI inventory now, before the compliance clock starts.

Remolda Team·May 9, 2026·8 min read

What AIDA Actually Requires

Bill C-27 has been in the Canadian legislative process long enough that many organizations have developed AIDA fatigue — monitoring its progress while deferring substantive preparation until royal assent arrives. This is a compliance strategy with significant risk. AIDA's obligations are not simple policy updates; they require technical changes to AI systems, new documentation practices, and governance infrastructure that takes months to build properly.

This post provides a practical reading of AIDA's requirements for business organizations — not legal advice, which requires qualified counsel — and an actionable preparation framework that organizations can begin now regardless of AIDA's precise timing.

AIDA's Scope: What Systems Are Regulated

AIDA applies to entities that "design, develop, use, or make available for use" AI systems in the course of international or interprovincial trade. For most Canadian businesses deploying AI, this is the applicable trigger.

The statute creates different obligation tiers based on whether an AI system is classified as "high-impact":

High-impact AI systems — those making or assisting with decisions that have significant consequences for individuals' health, safety, fundamental rights, or financial situation — face the full scope of AIDA obligations: impact assessment, risk mitigation, documentation, transparency, and human oversight requirements.

General AI systems face lighter baseline requirements but still must meet minimum standards for design and testing.

The sectors explicitly mentioned in AIDA guidance as high-impact contexts include: employment and human resources (hiring, termination, working conditions), financial services (credit decisions, insurance underwriting, fraud scoring), health care (diagnosis support, treatment recommendations, clinical decision support), government services (benefit eligibility determination, permit approval, enforcement), and content generation affecting public safety.

For organizations in government, finance, and healthcare — the three sectors where Remolda concentrates — virtually every consequential AI deployment will qualify as high-impact. The compliance planning question is not "which of our systems are high-impact?" but "what does high-impact compliance require for each system we operate?"

The Four Core AIDA Obligations

1. Impact assessment: Before deploying a high-impact AI system, the organization must conduct and document an assessment of the risks the system poses to individuals and society. This is not a brief checklist — it requires: identification of the population affected, analysis of how errors in the system's outputs affect individuals, assessment of the system's potential for discriminatory impact, and documentation of the human oversight processes in place.

2. Risk mitigation: Where the impact assessment identifies risks, the organization must implement mitigation measures proportionate to the identified risks. This creates a technical obligation: mitigation must be built into the system design, not just described in a policy document. For AI systems making credit decisions, this might include: bias testing across demographic groups, accuracy monitoring by population segment, human review triggers for edge cases, and a clear appeals process for affected individuals.

3. Documentation and record-keeping: Organizations must maintain documentation of the AI system's design, training data, testing results, and ongoing monitoring — sufficient to demonstrate compliance to the AI and Data Commissioner that AIDA establishes. This requirement has significant implications for organizations using third-party AI models: they must obtain sufficient transparency from their AI vendors to satisfy their own documentation obligations.

4. Transparency to affected individuals: When a high-impact AI system makes or assists in a consequential decision affecting an individual, that individual must be notified that AI was involved, have access to an explanation of the factors considered, and have a path to human review of the decision. For automated credit decisions, benefits determinations, and employment screening — all common enterprise AI use cases — this transparency requirement changes customer and employee-facing processes materially.

AIDA and the Privacy Intersection

AIDA does not operate in isolation. The CPPA, the privacy legislation with which Bill C-27 would replace PIPEDA, creates parallel obligations specifically targeting AI's use of personal information.

The CPPA's automated decision-making provisions require: meaningful consent before personal information is used in automated decision-making, a right to explanation for consequential automated decisions expressed in plain language, and a right to request human review of automated decisions affecting individuals.

Where these obligations overlap — which is wherever personal data feeds a high-impact AI system — organizations need a unified compliance architecture. The practical design question is: how does our system notify affected individuals, provide explanations, and route review requests, in a way that satisfies both CPPA's individual rights provisions and AIDA's transparency requirements simultaneously?

The AI policy development work required here goes beyond legal analysis: it requires designing the explanation and review interfaces into the AI system itself, not just having a policy document that describes them in principle.

PIPEDA's Current Obligations While AIDA Awaits

While organizations prepare for AIDA, PIPEDA remains in force and already creates AI-relevant obligations. PIPEDA's accountability principle requires organizations to be responsible for personal information under their control, including when it is processed by third-party AI systems. PIPEDA's collection limitation principle constrains training data scope. And the Office of the Privacy Commissioner has issued guidance on AI that is directionally consistent with AIDA's framework, meaning organizations that achieve PIPEDA AI compliance are substantially positioned for AIDA compliance.

The overlap is large enough that a PIPEDA AI audit is the correct starting point for AIDA preparation, not a separate exercise.

Building an AI Governance Framework Before Deadline

The organizations that will be well-positioned when AIDA comes into force are those that treat the current legislative preparation period as a genuine opportunity to build governance infrastructure, not as a time to monitor and wait.

A practical AIDA preparation program involves:

AI inventory: A complete catalogue of AI systems in production or development that make or influence decisions about individuals, with basic documentation of what each system does, what data it uses, and what decisions it informs.

Impact classification: Assessment of each inventoried system against AIDA's high-impact criteria, with documented rationale for the classification.

Governance gap analysis: For high-impact systems, assessment of what impact assessment, risk mitigation, documentation, and transparency measures currently exist versus what AIDA will require.

Remediation roadmap: A prioritized plan for building the governance capabilities that gap analysis identifies as missing, with timelines that allow completion before AIDA's compliance requirements take effect.

The AI compliance services required to execute this program are not exclusively legal: technical AI governance (model cards, testing documentation, bias evaluation), process design (human review workflows, appeals processes), and organizational design (accountable individual designation, governance committee structure) are all components.

Related reading: AI for property management illustrates the practical AIDA implications for tenant screening AI, one of the clearest examples of a high-impact AI system in residential tenancy law contexts.
