AI Implementation
Internal AI Policy Template
Most Canadian small businesses have an AI policy gap: staff using ChatGPT for client data with no rules, no review, no boundaries. This template gives you the policy doc — 9 sections covering allowed tools, allowed inputs, review process, training, and incident response.
The 9 policy sections
Purpose and scope — why this policy exists, who it applies to.
Approved AI tools — explicit list of approved tools + plan tier required.
Prohibited inputs — client PII, health, financial, source code, internal strategy.
Output review — human review required for client-facing output. No-review categories.
Data retention and training opt-out — Enterprise tiers and no-train settings required.
Attribution and disclosure — when to tell clients AI was used.
Training requirements — onboarding + quarterly refresh.
Incident response — what to do if PII gets into a prompt.
Policy ownership and revision — who owns this, when to update it.
Canadian-specific considerations
PIPEDA implications: client data going to US-hosted AI tools requires consent + risk assessment.
Provincial law: Quebec (Law 25) is stricter; AODA + Ontario healthcare have their own overlays.
Crown corporation and government contractors have additional restrictions.
Talkerstein recommendation
Implement this BEFORE you discover an incident. The policy itself takes a half-day to draft, a week to adopt, and prevents the kind of incident that costs $10k-$100k in remediation + reputation.
Related
AI Readiness Assessment
Talkerstein AI Implementation service
Workshop the policy with your team
90 minutes. We customize the template, train the team, and leave you with the signed policy doc. Book →
Related Resources
About The Author

Rishon Talkar
Principal & Managing Partner
Founder and digital growth advisor trusted by organizations from SME to enterprise for websites, eCommerce, SEO, paid media, automation, and revenue strategy.



