According to our survey of 200 Quebec SMBs in 2024, 78% of employees use public AI tools (ChatGPT, Claude, Gemini, free Copilot) as part of their work. In 91% of those organizations, there is no formal policy governing this use.
Risk 1: Confidential Data Leaking to Public Models
When an employee pastes a client contract into ChatGPT to get a summary, that data may be used to train OpenAI's future models (depending on account settings). For data covered by a confidentiality clause, NDA, or Bill 25, this is a potential violation.
The solution: Deploy Microsoft Copilot with Data Boundary settings configured, or use Azure OpenAI Service — where your data is never used for Microsoft/OpenAI model training.
Risk 2: Shadow AI — Tools You Don't Control
Your employees use dozens of unapproved AI tools: Otter.ai to transcribe confidential meetings, Grammarly Business (which reads everything you type), Notion AI, Chrome extensions with AI. Most of these tools transmit data to servers in the United States or Europe without your knowledge.
Risk 3: Hallucination Applied to Real Decisions
AI models can generate convincing but factually incorrect information — known as hallucination. In a professional context, this translates to: inaccurate legal clauses in a contract, invented financial figures in a report, incorrect compliance instructions. Without a human validation process, these errors propagate.
Risk 4: AI-Augmented Social Engineering
Cybercriminals now use AI tools to generate personalized phishing emails, voice and video deepfakes impersonating executives, and phishing chatbots capable of sustaining a convincing conversation. Awareness training that was sufficient in 2022 is no longer enough in 2026.
Elements of an SMB AI Policy
- List of approved and prohibited AI tools.
- Classification of data types that can (or cannot) be shared with AI tools.
- Mandatory human validation for any AI-generated content intended for clients or partners.
- Reporting process for AI manipulation attempts (deepfakes, highly personalized suspicious emails).
- Annual updated training on new social engineering tactics.