AI Governance

AI governance, built for the Canadian regulatory stack.

Canada's AI rules don't live in one statute; they live across Loi 25, PIPEDA, OSFI E-23, the federal Directive on ADM, and sector-specific guidance. We design AI governance programs that satisfy all of them, anchored on ISO/IEC 42001 and the NIST AI Risk Management Framework, so your AI systems ship faster, not slower.

Frameworks: ISO 42001 · NIST AI RMF
Credentials: CISA · CRISC · AIGP
Coverage: Loi 25 · OSFI E-23 · EU AI Act

The Canadian AI rulebook, as it stands

AIDA, the federal Artificial Intelligence and Data Act, was tabled inside Bill C-27 but did not pass before Parliament was prorogued in 2025. That doesn't mean Canadian AI is unregulated. The current rules in force:

  • Quebec's Loi 25 imposes transparency and human-review rights for any automated decision affecting Quebec residents.
  • PIPEDA applies to personal information used to train or run models, including the meaningful-consent standard.
  • OSFI Guideline E-23 governs model risk management for federally regulated financial institutions, with explicit AI/ML expectations.
  • The federal Directive on Automated Decision-Making binds federal departments and sets the de facto benchmark for public-sector AI.
  • Sectoral guidance from CRA, Health Canada, provincial human rights commissions, and the Office of the Privacy Commissioner also applies.

Federal AI legislation will return. Programs built on ISO/IEC 42001 and the NIST AI RMF map cleanly onto whatever shape AIDA's successor takes.

What a defensible AI governance program contains

  1. AI inventory and risk tiering. Every model, every vendor AI feature, scored against impact criteria.
  2. AI use policy and acceptable-use rules. Including generative AI for staff and customers.
  3. Pre-deployment impact assessments. Privacy, bias, security, and human-oversight reviews before any model touches production.
  4. Model documentation. Model cards, data sheets, evaluation results, auditable on demand.
  5. Monitoring. Drift, performance, and bias indicators with thresholds and owners.
  6. Incident response. AI-specific runbooks for harmful outputs, model failures, and prompt injection.
  7. Third-party AI due diligence. A vendor questionnaire that actually catches the risks SOC 2 doesn't.

Why senior practitioners matter for AI work

AI governance is where privacy, security, model risk, and ethics overlap. Junior consultants tend to default to checklist execution; the judgment calls (whether a use case is high-risk under Loi 25, whether OSFI E-23 expectations apply, when a model card is enough versus a full PIA) require experience.

Our practice is led by senior, credentialed practitioners (CISA, CRISC, AIGP). You work with the people doing the work.

Sectors we focus on

Financial services (OSFI-regulated and provincial), health technology (PHIPA and provincial equivalents), SaaS and AI-native products selling into regulated buyers, and public-sector vendors responding to the Directive on Automated Decision-Making.

FAQ

Common questions

What regulations govern AI in Canada right now?
There is no single federal AI law in force yet. AIDA (the Artificial Intelligence and Data Act, part of Bill C-27) died on the order paper in 2025 but signals the federal direction. Today, Canadian AI use is governed by a stack: PIPEDA and provincial privacy laws (especially Quebec's Loi 25), the federal Directive on Automated Decision-Making for government systems, OSFI E-23 for federally regulated financial institutions, and sector rules in health and employment.
Which AI governance framework should a Canadian company adopt?
Most Canadian organizations anchor on ISO/IEC 42001 (the AI management system standard) and the NIST AI Risk Management Framework. These map cleanly onto Loi 25's automated decision-making rules and the EU AI Act if you sell into Europe. We help select and tailor the framework to your risk profile.
Does Quebec's Loi 25 affect AI systems?
Yes. Loi 25 imposes specific transparency requirements for automated decision-making about Quebec residents: notification, explanation of the principal factors, and the right to request human review. Most Canadian AI deployments touch Quebec users, so Loi 25 is the de facto AI transparency floor in Canada.
What does an AI governance program look like in practice?
An AI inventory and risk classification, an AI use policy, model documentation standards (model cards, data sheets), pre-deployment impact assessments, monitoring for drift and bias, incident response, and vendor due diligence for third-party AI. We build the program so it scales as you add more models.
Do you work with companies outside Quebec?
Yes. We're Canadian-operated and serve clients across Canada and internationally. Engagements are delivered in English or French.

Your next enterprise contract is waiting on this.

  • Flat fee, total cost known up front
  • Canadian data residency available on paid engagements