Canadian Corporate Governance and AI: A Practical Guide for Directors and Officers

Artificial intelligence (AI) has moved from the periphery of corporate operations to the centre of strategic decision-making — and it’s forcing a fundamental question for directors and officers across Canada: How do traditional governance obligations apply when AI systems influence, or even drive, corporate decisions?

The short answer: The humans in charge are still responsible. Understanding what that means — and what’s at stake — is no longer optional. It’s essential.

The corporate governance framework

Canadian corporations are managed and supervised by their directors,¹ who frequently delegate day-to-day management to officers. Both groups are bound by statutory standards of care under federal and provincial legislation, including the Canada Business Corporations Act (CBCA) and provincial equivalents like the Ontario Business Corporations Act.

Core obligations are largely harmonized across jurisdictions. Every director and officer must:

• Act honestly and in good faith with a view to the corporation’s best interests — a standard interpreted broadly to include shareholders, employees, creditors, consumers, governments and environmental considerations.
• Exercise reasonable care, diligence and skill — specifically, the care a reasonably prudent person would exercise in comparable.²

The Supreme Court of Canada has clarified that directors owe a fiduciary duty of loyalty to the corporation alongside an objectively measured duty of care.³ AI is now poised to test these boundaries in new ways.

Understanding AI in the corporate context

Artificial intelligence in the corporate environment takes several forms:

• Large language models (LLMs) generate text, answer queries and synthesize information in real time — assisting with document drafting, contract analysis and research summaries.
• Predictive analytics use machine learning to forecast outcomes, from consumer behaviour to financial performance, informing strategic decisions.
• Automated decision systems screen job applicants, assess credit risk, flag compliance issues and perform countless other functions with minimal human intervention.

But AI has real limitations directors need to understand. LLMs can “hallucinate” — generating plausible-sounding information that is entirely false. Many AI systems are proprietary, giving end-users limited visibility into the data and reasoning behind their outputs. These aren’t just technical quirks; they’re governance risks.

Evolving but fragmented regulatory landscape

Federal developments

Canada currently lacks comprehensive federal AI legislation. Bill C-27 — which included the proposed Artificial Intelligence and Data Act (AIDA) — was terminated following Parliament’s prorogation in January 2025 and the subsequent federal election.⁴ In the absence of legislation, voluntary guidance has emerged from the Office of the Privacy Commissioner of Canada, together with provincial and territorial privacy regulators, on responsible use of generative AI technologies,⁵ but these carry no enforcement teeth.

Additionally, Innovation, Science and Economic Development Canada published a voluntary Code of Conduct on the Responsible Development and Management of Advanced Generative AI Systems.⁶

Provincial developments

• Ontario now requires employers with 25 or more employees to disclose in job postings whether AI is used to screen, assess or select applicants⁷ — effective January 1, 2026.
• Quebec’s Law 25 (fully in force since September 2024) requires organizations using personal information for automated decisions to inform affected individuals, explain the factors behind the decision and provide a mechanism for human review.⁸

The bottom line: Directors and officers face a patchwork of requirements that varies by jurisdiction and sector. Where the law hasn’t kept pace with technology, risk lives in the gaps.

AI and D&O liability: Where risk meets responsibility

AI adoption introduces several categories of liability exposure:

• Regulatory violations. AI systems may inadvertently breach privacy laws, human rights legislation or sector-specific regulations, particularly where automated decisions produce discriminatory outcomes.
• Fiduciary breaches. Directors and officers cannot transfer responsibility to AI; if an AI-influenced decision harms the corporation, the humans who authorized it remain accountable.
• Operational failures. AI systems can malfunction, produce errors or be manipulated, and financial or reputational harm can trigger claims.
• AI washing. Regulators including the U.S. Securities and Exchange Commission have targeted companies making misleading claims about AI capabilities;⁹ directors who permit exaggerated disclosures face real liability exposure.

The business judgment rule and AI

The business judgment rule generally protects directors from liability for decisions made honestly, in good faith, on an informed basis and in the reasonable belief that the decision serves the corporation’s best interests.¹⁰ But AI complicates what “informed” means.

Directors who blindly accept AI recommendations — without understanding their basis, limitations or potential for error — may struggle to demonstrate appropriate care. Directors who treat AI outputs as one input among many, subject to critical human judgment, are far better positioned.

A practical framework for risk management

• Establish AI governance structures. Nearly half of Fortune 100 companies now cite AI risk as a board oversight responsibility, up from 16% in 2024.¹¹ Canadian boards should:
• Assign AI oversight to a specific committee.
• Ensure at least some directors possess relevant expertise.
• Establish clear reporting lines for AI-related risks.

• Conduct due diligence on AI systems. Before deployment, organizations should:
• Understand what data the AI uses and how it reaches its outputs.
• Assess accuracy, reliability and potential for bias.
• Evaluate vendor track record and support capabilities.
• Consider how the AI will interact with existing processes and controls.

• Implement robust policies and procedures. Transparency and consent regarding AI use should be embedded in corporate culture. Policies should address:
• Permissible uses of AI within the organization
• Human oversight requirements for AI-influenced decisions
• Data handling and privacy protections
• Incident response procedures for AI failures

• Maintain human accountability. The fundamental principle is straightforward: AI assists, but humans decide. Meaningful human judgment must remain part of significant decisions, even when AI plays a supporting role.

• Review and adapt insurance coverage. D&O insurance protects directors and officers from liabilities arising from wrongful acts in their corporate capacities — but coverage for AI-related risks varies significantly. Standard policies may exclude claims tied to intentional misconduct, regulatory fines or known issues. Directors and officers should review their policies carefully and consider:
• Side A D&O coverage to protect individuals when corporate indemnification is unavailable
• Run-off coverage for claims arising after policy terms end
• AI-specific endorsements, where available

Monitor the regulatory environment. With federal AI legislation potentially returning and provincial requirements continuing to evolve, staying current on legal developments isn’t optional — it’s a governance obligation.

Conclusion

Directors and officers can’t avoid AI — it’s too embedded in business operations. But they can’t simply hand responsibility to the technology either. The path forward requires informed engagement: Understanding what AI can and cannot do, establishing governance structures, maintaining meaningful human oversight and securing adequate insurance protection.

Those who address AI governance proactively today will be better positioned to navigate an evolving legal landscape while fulfilling their core obligations to the corporations they serve.

Key takeaways

✓ Directors and officers remain personally accountable for AI-influenced decisions — liability cannot be transferred to technology.

✓ Canada currently lacks comprehensive federal AI legislation, creating a fragmented and fast-changing regulatory landscape.

✓ Ontario now requires AI disclosure in hiring (effective January 2026); Quebec’s Law 25 mandates transparency for automated decisions.

✓ D&O insurance coverage for AI-related risks varies significantly — policy review is essential.

✓ Effective governance requires understanding AI limitations, maintaining human oversight and establishing clear accountability structures.

Ready to build an AI strategy for sustained resiliency? Contact a HUB ProEx Specialist today. View more articles in HUB’s ProEx Advocate Articles & Insights Directory.

NOTICE OF DISCLAIMER
Neither HUB International Limited nor any of its affiliated companies is a law firm, and therefore, they cannot provide legal advice. The information herein is provided for general information only and is not intended to constitute legal as to an organization’s or individual’s specific circumstances. It is based on HUB International’s understanding of the law as it exists on the date of this publication. Subsequent developments may result in this information becoming outdated or incorrect, and HUB International does not have an obligation to update this information. You should consult an attorney or other legal professional regarding the application of the general information provided here to your organization’s specific situation and particular needs.

¹ Government of Canada, “Canada Business Corporations Act Discussion Paper, Directors’ Liability,” accessed March 12, 2026.
² Government of Canada, “Duty of care of directors and officers (s. 122 1.1),” accessed March 16, 2026.
³ Supreme Court of Canada, “Peoples Department Stores Inc. (Trustee of) v. Wise (SCR 461, 2004 SCC 68),” October 29, 2004.
⁴ Government of Canada, “Bill C-27: An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts,” accessed March 16, 2026.
⁵ Office of the Privacy Commissioner of Canada, “Principles for responsible, trustworthy and privacy-protective generative AI technologies,” December 7, 2023.
⁶ Innovation, Science and Economic Development Canada, “Voluntary Code of Conduct on the Responsible Development and Management of Advanced Generative AI Systems,” September 2023.
⁷ Legislative Assembly of Ontario, “Bill 149, Working for Workers Four Act, 2024,” accessed March 16, 2026.
⁸ OneTrust, “Act respecting the protection of personal information in the private sector,” accessed March 16, 2026.
⁹ U.S. Securities and Exchange Commission, “SEC Charges Two Investment Advisers with Making False and Misleading Statements About Their Use of Artificial Intelligence,” March 18, 2024.
¹⁰ Supreme Court of Delaware, “Aronson v. Lewis (473 A.2d 805),” March 1, 1984, and Supreme Court of Canada, “BCE Inc. v. 1976 Debentureholders (SCR 560, 2008 SCC 69),” June 20, 2008.
¹¹ EY Center for Board Matters, “Cyber and AI oversight disclosures: What companies shared in 2025,” October 14, 2025.