Overview and Key Takeaways
Forget smartphones, the internet or PCs. The closest comparable to the transformational impact of Artificial Intelligence (AI) is the discovery of electricity. But the electrification of society rolled out relatively slowly. AI is only gaining speed.
The question for sophisticated companies and their boards is not whether to adapt but how and what to prioritize. Part of the answer will be driven by AI’s evolving regulatory framework and how it applies to the company’s specific circumstances. But that doesn’t mean that senior executives shouldn’t pay attention to developments in AI regulation outside their industry.
A notable example is the Guideline for the Use of Artificial Intelligence (the “Guideline”) released by Quebec’s Autorité des marchés financiers (the “AMF”) in March 2026.[1] While the Guideline sets out the AMF’s expectations regarding AI governance for financial institutions under its supervision,[2] the Guideline builds on broader-based principles of AI risk management.[3] This makes the Guideline helpful beyond the financial sector and for large Canadian companies generally.
Directors in Canada overseeing the development of their company’s AI policies can thus include the Guideline in their analysis. In particular, the Guideline sets a high-level AI governance framework companies can borrow from as may make sense in their circumstances. The Guideline may also shine light on what considerations could inform whether a board has satisfied its duty of care vis-à-vis AI risk management.
This is Episode 2 in our ongoing AI in the Boardroom series.
Three Key Elements of the Guideline
The Guideline includes three key elements of relevance beyond financial institutions. These are (1) the importance of a holistic approach, (2) adopting a structured approach to risk assessment, and (3) the appropriate division of responsibilities between the board and senior management.
Holistic Approach
The Guideline instructs that an organization should take a holistic view of AI governance and risk management. It should “identify, assess, quantify, control, mitigate and track” each individual AI system used by the organization while also understanding the organization’s overall exposure to AI-related risks.
Risk Assessment and Rating
As part of this holistic approach, the Guideline expects an organization to assign a risk rating to each AI system it uses. The assignment of risk ratings to AI systems should be consistently applied across the organization. All significant risks related to the AI system should be considered. Factors weighed can include:
- Qualitative factors, such as the AI’s level of autonomy or associated compliance risks.
- Quantitative factors, such as potential financial, operational or security impacts.
An AI system’s risk rating should determine the degree of risk management applied to the AI system, such as (1) the requisite level of approval necessary to use the AI, and (2) the intensity of the monitoring of the AI system. An AI system’s risk rating should also inform the organization’s approach to the lifecycle of the AI system (see below).
Division of Responsibility Among Directors and Management
The Guideline sets staggered expectations regarding the role and responsibility of the board of directors, on the one hand, and senior management, on the other hand.
The board’s role is that of high-level but continuous and informed oversight. It should ensure it has sufficient collective competency to “clearly understand” the organization’s AI risk exposure, especially as it relates to its “critical” operations. It should be kept regularly apprised of “evolving trends, risks and material changes” that could potentially alter the organization’s risk profile. The board should also ensure that management promotes a corporate culture focused on the responsible use of AI.
Senior management is also expected to engage in ongoing oversight but at a more granular level. Perhaps most notably, a member of senior management should be accountable for all AI systems used by the organization. Persons reporting to this member of senior management should include each AI “owner”, this being a person charged with overseeing the full lifecycle of an AI system used by the organization.
The Guideline breaks an AI system’s lifecycle into seven stages, being (1) the rationale for adopting an AI system, (2) confirming data sourcing and quality, (3) applying selection criteria to AI procurement or development, (4) assessing the performance and risks associated with the AI (e.g., bias, model drift, hallucinations, and cybersecurity), (5) approval (including the application of restrictions and risk mitigation measures), (6) deployment, and (7) ongoing monitoring.
Three Recurrent Themes Across the Guideline
In addition to these three key elements, the Guideline also features three recurrent themes of broad application beyond financial institutions. These are:
- AI’s dynamism. The Guideline repeatedly notes AI’s dynamic and rapidly evolving nature. A key result is that an organization’s AI risk exposure and associated risk-mitigation efforts should be regularly reassessed. Similarly, the higher the risk rating of an AI system, the more frequently it should be assessed on a standalone basis.
- AI competency. The Guideline regularly notes that a sufficient degree of AI understanding is necessary for AI risk to be appropriately managed and controlled. Key personnel highlighted on this front are senior management, the managers of the teams that use or validate AI systems, and AI “owners” (see above). Another example is those persons involved in AI procurement, who should have sufficient knowledge of the organization’s business needs, how AI systems work, and any risks and mitigating measures associated with the AI system.
- Proportionality. The Guideline expressly acknowledges the “proportionality principle”. In other words, it recognizes that in establishing its AI governance and risk management framework, an organization can take into account its “nature, size, complexity and risk profile.” The Guideline also repeatedly acknowledges that different organizations will have different “risk appetites”.
Key Practical Takeaways for Boards and Executives
As we discussed in Episode 1, AI is a double-edged sword for directors. It presents risks, but also potential rewards. Meeting their duty of care requires that directors get this balance right.
The Guideline is designed with financial institutions in mind. But viewed from 10,000 feet, there is much boards can take from it, regardless of industry sector. Key here is that while the Guideline only expects high-level board oversight, this should be continuous and informed. This should also include ensuring that senior management is implementing an appropriately crafted and diligent AI risk management framework at the operational level.
Notable elements of the Guideline boards can borrow from include its emphasis on a holistic approach and the importance of risk assessment and risk rating. These also include the Guideline’s expectation that a member of senior management will be accountable for all AI systems and that a separate “owner” will oversee the entire lifecycle of an AI system and regularly report to the senior manager. Similarly, the seven stages of an AI system’s lifecycle set by the Guideline are industry-agnostic, and thus of potential value beyond financial institutions.
Lastly, and as the themes recurrent across the Guideline suggest, what is most important is that the board apply sufficient rigour and AI expertise (whether its own or through external advisors) in setting the company’s AI governance and risk management. Done properly, this will ultimately always be a company- and situation-specific analysis, including having regard for the proportionality principle. However, and per the Guideline’s expectation, every analysis should likely have due regard for AI’s dynamism and (widely expected) continued evolution.