TL;DR: Your employees already use AI, with or without a framework. A clear usage policy beats a ban that gets worked around: it names the allowed tools, classifies data by what can or can't go in, and sets when human review is required. Further down, we give you a data classification table and a one-page policy template, ready to adapt. And the best complement to a policy is offering an approved tool (ideally private) so no one has to improvise.
Whether you authorized it or not, artificial intelligence has already entered your organization. Right now, bits of emails, contracts or client data may be passing through consumer tools, simply for the sake of efficiency. So the question is no longer "do we allow AI," but "do we frame it, or do we look the other way."
Why a policy, and not just a ban
Banning AI doesn't make its use disappear; it pushes it into the shadows. People find these tools too useful to give up: they'll use them on their personal phone if you block them at the office. A policy acknowledges this reality and channels it: it sets understandable rules rather than a wall everyone climbs over.
There's also an angle that gets overlooked: without a framework, it's the most cautious employee who gets penalized. The one who refuses to paste a client file into a free tool works more slowly than the colleague who does it without a second thought. A policy puts everyone on the same footing and removes the grey zone.
The real risk
Before talking about rules, it's worth naming what we're trying to avoid. The risk of AI in the workplace comes down to three concrete points.
Data leakage. Everything you paste into a consumer tool goes to servers you don't control, often abroad. Depending on the terms of use, that content can be used to train the model. An employee file, a price list, a strategy filed the day before a bid: once they're out, they don't come back.
Errors delivered with confidence. An AI assistant has no notion of true or false. It produces the most plausible answer, and it does so with total assurance, even when it invents a figure, a contract clause or a legal reference. Without review, that error ends up in a client email or an official document.
The blur around ownership. Who owns the generated text? Is it free of rights? Does it quietly reuse someone else's protected content? For content that leaves the organization, these questions aren't theoretical.
What a good policy covers
A useful policy stays short and concrete. It doesn't describe AI in general; it answers the questions your employees actually ask when they open the tool. In practice, it comes down to a few clauses:
- The approved tools. A named list, not "the serious tools." You say which ones are allowed, and who can add one.
- Data classification. What can be used with AI, and what must never go in. This is the heart of the policy (see the table below).
- Human review. Anything that leaves the organization, every figure, every fact, every reference: a human validates before it goes out.
- Ownership of what's produced. How you handle generated content, and what you can do with it.
- The point of contact. Who to ask when in doubt. Without it, everyone decides alone, and badly.
If a clause takes more than two sentences to explain, it's probably too fine-grained for a policy and belongs in training instead.
What data can go where
This is the part people really want: a simple rule to know, on the spot, whether you can paste this bit of text or not. A three-level classification is enough for most SMBs.
| Type of data | Examples | Where it can go |
|---|---|---|
| Public | Already-published text, content from your website, press releases, product descriptions | Consumer tool, no concern |
| Internal, non-sensitive | General drafts, templates, meeting notes with no person's name or client data | Approved tool only, with caution |
| Confidential | Client files, HR data, contracts, financial statements, personal information, health data | Never in a consumer AI: a private tool hosted on your side, or nothing at all |
The rule of thumb: if you wouldn't put the information on a poster in the waiting room, it doesn't go into a consumer tool. When in doubt, treat it as confidential.
How it ties into Law 25
This is the point too many organizations overlook: dropping personal information into a consumer AI is potentially disclosing it to a third party, often outside Quebec. Under Law 25, that isn't done lightly.
Concretely, an organization that entrusts personal information to a provider located outside Quebec must assess whether the protection remains comparable, and depending on the project, conduct a privacy impact assessment (PIA). Pasting a client's file into a free tool short-circuits all of that, with no record and no consent. And it isn't just an abstract fear: in 2026, a joint investigation by Canadian privacy authorities concluded that some of OpenAI's (ChatGPT) practices did not comply with their laws.
An AI policy is therefore not a big-company luxury; it's a natural piece of your compliance. It turns an obligation you already have into everyday actions.
The world's best policy fails if the official alternative doesn't exist. We set up private AI assistants, which keep your data in-house, so your teams have an approved tool instead of a temptation. Let's talk about your use of AI.
Keeping the policy alive
A policy that sleeps in a shared folder protects no one. Three things make the difference between a decorative document and a framework that's actually applied.
A short presentation instead of an email blast. Fifteen minutes at a team meeting, with two or three examples drawn from your day-to-day, beats a PDF no one opens. People remember scenarios, not clauses.
An approved tool that's pleasant to use. If the allowed option is slower or more painful than the consumer tool, your employees will go back to the latter. Adoption follows comfort, not the rulebook.
A review once a year. The tool landscape changes fast. A policy written eighteen months ago probably mentions tools no one uses and ignores others that have become essential.
Mistakes to avoid
The worst: a twelve-page policy no one reads. The second: a policy with no fallback tool, one that bans without offering a viable option. And the third, more subtle: a policing tone that paints AI as a trap. Your employees use it because it helps them. A policy that acknowledges this and frames the use will be followed. A policy that brandishes threats ends up in a drawer, and the wild usage resumes.
Your policy fits on one page. The skeleton to adapt:
- Purpose: frame the use of AI to benefit from it without exposing our data.
- Approved tools: the named list, and who can change it.
- Data classification: public, internal, confidential, and what goes where.
- Personal information: never in a consumer tool (Law 25).
- Human review: anything that goes out, every figure, every fact is validated.
- Accuracy: AI can make things up; verify before using.
- Point of contact: who to turn to when in doubt.
How we go about it
We help draft a policy fitted to your reality (not a generic template copied from elsewhere), we tie it into your Law 25 process, and we deploy the private tool that makes it applicable. The goal isn't to slow AI down; it's to reap its benefits without opening a gap in your defenses.
Is AI already in your shop, with no rules in place? We'll help you set the framework.
Sources
- Commission d'accès à l'information du Québec: main changes brought by Law 25
- Joint investigation by Canadian authorities into OpenAI (ChatGPT), May 2026: practices found non-compliant with personal information protection laws