AI Policy & Governance Framework

Development of internal AI policies, acceptable use guidelines, and oversight structures that enable responsible AI use — giving staff clear guidance and giving leadership the controls they need.

Why AI Governance Cannot Be Deferred

Organisations that deploy AI tools without governance frameworks face predictable problems: staff use AI in ways that create legal or reputational risk, senior leaders discover AI-assisted work after the fact and have no way to assess whether it was appropriate, and when something goes wrong there is no defined process to respond.

The window to establish governance before problems occur is short. Once AI tools are in widespread use, retrofitting governance is harder than establishing it from the outset — because it requires changing behaviour that has already formed.

What We Develop

Acceptable Use Policy. A clear, practical document that tells staff what they may do with AI tools, what they may not do, and what they must do when using AI in their work — including disclosure requirements, verification obligations, and prohibited use cases. Written in plain language, not legal boilerplate.

Risk Classification System. A framework that categorises AI use cases by the potential impact of an error or misuse — from low-risk drafting assistance to high-risk automated decision-making affecting individuals. Each risk tier carries different requirements for human oversight, approval, documentation, and review.

AI Deployment Approval Process. A structured process for evaluating and approving new AI tools or AI use cases before they are deployed. This includes assessment criteria, the roles responsible for approval decisions, and documentation requirements. The process is scaled to risk level — simple approvals for low-risk tools, more rigorous assessment for high-impact applications.

Roles and Accountability Structure. Clear assignment of AI governance responsibilities — who is accountable for AI policy compliance, who reviews AI incidents, who approves new AI use cases, and who is responsible for keeping the governance framework current. For larger organisations, we recommend an AI governance committee with defined membership and terms of reference.

Incident Response Procedures. A defined process for identifying, escalating, and responding to AI incidents — cases where an AI system produces harmful, erroneous, or unexpected output that affects operations or stakeholders. The absence of incident response procedures means organisations improvise when something goes wrong, typically not well.

The Canadian Regulatory Landscape

Canada's approach to AI governance is evolving rapidly. The Artificial Intelligence and Data Act, introduced as part of Bill C-27, will establish mandatory requirements for high-impact AI systems once enacted. The Privacy Commissioner has published guidance on AI and the Privacy Act and PIPEDA. The Treasury Board Secretariat has issued directives governing AI in federal departments.

We design governance frameworks that account for this landscape — not just current requirements, but the direction of regulatory travel. Organisations that build governance now, calibrated to anticipated regulatory requirements, will be better positioned when AIDA and subsequent regulations come into force than those that wait.

The Legal Sector Context

Law firms and in-house legal departments using AI face obligations that go beyond general privacy and AI governance requirements. Professional conduct rules impose obligations on competence, supervision of work, and confidentiality that apply to AI-assisted legal work. We develop governance frameworks for legal organisations that address these professional obligations specifically — including guidance on supervising AI output, disclosing AI use to clients, and managing privilege considerations when AI tools access confidential information.

Governance That Works in Practice

We are not in the business of producing governance documentation that sits on an intranet. Every framework we develop includes an implementation plan: how to communicate the policy to staff, how to train managers on their governance responsibilities, how to build compliance mechanisms into existing workflows, and how to measure whether the governance is working. A governance framework is only as valuable as the behaviours it produces.
