AI in the Workplace
A briefing for small organizations on unsanctioned AI use and the case for a simple policy
What Is Happening in Canadian Workplaces
Generative AI tools have moved into the workplace faster than most organizations have been able to respond. Across Canada, employees are using AI to draft emails, summarize documents, perform research, analyze data, and produce content. Many are doing it with tools they found and set up on their own, using personal accounts, with no organizational awareness or oversight.
The tools are here. The policies are not. For small organizations, that gap has gone largely unaddressed.
The Numbers
The following figures are drawn from Canadian surveys published in 2025 and 2026.
| Stat | What It Measures | Source |
|---|---|---|
| 51% | Canadian employees using generative AI at work weekly or more | KPMG Canada, March 2026 (n approx. 2,000) |
| 73% | Of those users, working with AI daily or several times a week | Same KPMG March 2026 report |
| 73% | Canadian businesses that have not considered an AI usage policy | Statistics Canada / HunterTech, Feb 2026 |
| 26% | Companies with any AI governance successfully in place | MIRABILIS.ai, May 2025 (n = 300 firms) |
| 21% | Workers using only personal AI accounts for work tasks | IBM Canada, Sep 2025 (national office-worker survey) |
| 54% | Workers using some personal AI account at work | Same IBM Sep 2025 study |
Sources: KPMG Canada, March 2026 (kpmg.com/ca); IBM Canada, Sep 2025 (newswire.ca); HunterTech / Statistics Canada, Feb 2026 (huntertech.ca); MIRABILIS.ai, May 2025 (mirabilis.ai)
Why This Matters
Most organizations address this only after a data or content issue surfaces. A simple policy, put in place before that happens, is a much easier conversation.
Data privacy
Free AI tools are not bound by your organization's privacy obligations. Pasting client information, donor records, or internal communications into a public AI platform may constitute a breach under PIPEDA or Quebec Law 25, regardless of intent.
Accuracy and accountability
AI-generated content can be factually wrong. When it goes out under your organization's name without review, the organization owns the error. A clear policy establishes that staff are responsible for what they publish, regardless of how it was produced.
Consistency
Without shared guidance on approved tools and standards, staff produce work in different ways, at different quality levels, with no common baseline. A policy creates one.
Board and donor confidence
For non-profits, board members are beginning to ask whether AI governance is in place. A documented policy is a straightforward answer to that question.
What an AI Usage Policy Covers
A policy for a small organization does not need to be long. A single page, written in plain language, is enough to address the most significant gaps. The sections below outline the minimum structure. Getting from this outline to a working document is the step that most organizations need help with.
Scope
Who the policy applies to: staff, volunteers, contractors, and board members acting on behalf of the organization.
Key Definitions
| Term | Definition |
|---|---|
| Approved AI tools | Platforms reviewed and authorized by management for work use |
| Personal AI accounts | Free or individual accounts (ChatGPT, Gemini, Claude, etc.) used without organizational oversight |
| Sensitive data | Client or donor personal information, financial records, unpublished content, confidential communications |
Core Rules
- Personal AI accounts are not to be used for work tasks without approval
- Sensitive data must never be entered into a free or personal AI platform
- AI-generated content must be reviewed by a staff member before external use
- Staff remain responsible for the accuracy of any AI-assisted work published under the organization's name
- Significant AI involvement in client or donor-facing materials should be disclosed where appropriate
Approved Tools
A short list of tools the organization has reviewed and approved for use, with any data restrictions noted. Updated as tools and needs change.
Acknowledgement and Review
Staff confirm they have read and understood the policy. The policy is reviewed annually or following any incident involving AI use.
What Most Organizations Do Next
The framework outlined in this document is a starting point, not a finished policy. Turning it into something your team can actually follow requires one more step: translating the structure into plain operating rules that fit your specific tools, staff, and sector.
In practice, most small organizations move through three steps:
- Review or adopt a one-page policy written for their specific context
- Agree on a short list of approved tools and any data restrictions
- Communicate it to staff in a brief team conversation
For most offices, this can be put in place in under a week. It starts with the right document and a short conversation with the right people.
SquareStair Media works with small businesses and non-profits to draft that document. Get in touch at info@squarestairmedia.com.
This document is provided for informational purposes and does not constitute legal or compliance advice. Organizations with specific regulatory obligations should consult appropriate counsel.