The Starting Point

Why Most Municipal AI Policies Fail Before They Start

The most common mistake Canadian municipalities make with AI policy is writing the policy before understanding the problem. An administrator downloads a template from the internet, adapts it superficially, and presents it to council, which adopts it with no clear idea of what it actually governs, whether staff will follow it, or how it will be enforced.

The result is a policy that lives in a folder, satisfies no one's audit, and provides no actual governance. When something goes wrong — a ratepayer complaint involving data that a staff member processed through an AI tool, a privacy breach, an OIPC inquiry — the policy offers no protection because it was never connected to how work actually happens.

The 78% of Canadian public sector organizations without a formal AI adoption policy are not the only concern: many of the organizations that do have a policy wrote it without a foundation. A policy that predates your personal information inventory is guessing at the risk it claims to govern.

Effective AI policy for a municipality starts with two things: a person accountable for it, and an understanding of what data is actually at risk. Everything else follows from there.

The Framework

Seven Steps to a Policy That Works

  1. Appoint a Privacy Officer first
    Before writing policy, designate a person accountable for AI governance — someone with the authority to make decisions about tools and the obligation to respond if something goes wrong. This role can be part-time and does not require a technical background. What it requires is organizational accountability.
  2. Inventory what personal information your staff handle
    Understand what citizen and employee data flows through your organization before deciding what AI tools may interact with it. This inventory is also required by Alberta's ATIA and POPA as part of the Privacy Management Program that became mandatory on June 11, 2026. The inventory is not a one-time exercise — it needs to be maintained.
  3. Identify what AI tools are already in use
    Run a brief shadow AI survey before you write the policy. Ask staff what AI tools they currently use, for what purposes, and with what types of data. This reveals your actual exposure rather than a theoretical one, and it tells you what the policy needs to address specifically — not generically.
  4. Draft the core policy document
    The policy must cover: scope (who and what it applies to), purpose and authority, key definitions, the list of sanctioned tools with conditions of use, prohibited uses, data classification rules (what may and may not be entered into AI tools), breach reporting obligations, and consequences for non-compliance. Keep it under six pages.
  5. Take the policy through council
    An AI Acceptable Use Policy should be adopted by formal council resolution to give it organizational authority and signal to staff that it is a governance matter, not an IT suggestion. This also creates a record that your municipality took a deliberate position on AI governance at a specific point in time.
  6. Train staff before you announce it
    Policy without training fails. Staff need to understand what the policy requires and why it exists — not as a compliance exercise, but as a genuine explanation of the risk that AI tools create with citizen data. Thirty minutes of plain-language training, tailored to actual job functions, does more than a 12-page policy document on its own.
  7. Build a review cycle into the policy itself
    AI tool capabilities change faster than policy cycles. A policy adopted in 2026 that is not reviewed until 2028 will be governing tools and risks that no longer exist, while failing to address new ones that emerged in the interim. Commit to a biannual review as part of the policy document itself — so the review is not discretionary.

What to Include

The Six Sections Every Municipal AI Policy Needs

1. Scope & Authority
Who the policy applies to (all staff, contractors, council members), under what circumstances, and the legal authority for the policy (typically the municipality's general governance authority and provincial privacy legislation).

2. Definitions
Plain-language definitions for: AI tool, sanctioned AI tool, personal information, sensitive personal information, shadow AI, and privacy breach. Definitions determine what the policy actually covers — vague terms produce vague compliance.

3. Sanctioned Tools
An explicit list of approved AI tools with conditions of use. Not "AI tools approved by IT" — a specific list that staff can check against. Include version or access method where relevant (e.g., enterprise vs. consumer version of a tool).

4. Data Rules
What data may be entered into AI tools and what may not. At minimum: personal information about residents and employees must not be entered into non-sanctioned AI tools. A data classification table (sensitive / restricted / general) helps staff apply the rule without consulting the policy every time.

5. Breach Reporting
What counts as a breach, who to report to (the Privacy Officer), required timeframes, and what the Privacy Officer does next. Alberta's ATIA and POPA set specific obligations for breach notification to the OIPC and affected individuals. This section is not optional.

6. Review & Enforcement
The review schedule (at minimum biannual), who is responsible for leading the review, and the consequences for non-compliance. Policies without enforcement provisions are advisory — which is not sufficient for a public body with privacy obligations.

Common Questions

Frequently Asked Questions

Does a small municipality with only a few staff actually need this?

Yes — and especially so. Small municipalities typically have fewer governance resources, less IT oversight, and staff who wear multiple hats. The exposure from shadow AI in a five-person administration is not smaller than in a larger one; it may be larger, because there are fewer people to catch a problem before it becomes a breach.

How long should the policy be?

Effective municipal AI policies for small municipalities are typically three to six pages. Long policies are not read. The goal is a clear, actionable document that staff can understand without legal training. If a staff member needs a lawyer to tell them what the policy requires, the policy has failed at its primary function.

Should Microsoft 365 Copilot be addressed in the policy?

Yes. Microsoft Copilot requires a separate licensing tier and specific organizational configuration before it is enterprise-compliant under Canadian privacy law. If your municipality uses Microsoft 365, the policy should explicitly state whether Copilot is sanctioned, under what conditions, and whether a data processing agreement review has been completed. Treating Copilot as automatically compliant because you already use Microsoft 365 is a common and significant governance error.

Can we use a template from another municipality?

Templates are a useful starting point but require careful adaptation. Provincial privacy legislation varies across Canada. The tools your municipality has sanctioned, the personal information you handle, and the specific shadow AI patterns present in your organization are unique. A policy copied without adaptation may create a false sense of compliance without actually addressing your real exposure.