The federal government's push to scale AI adoption among Canadian businesses from 12% to 60% would represent quite a multiplier in the number of companies using the technology – but the cyber insurance market is not idly waiting for it to happen, according to Neal Jardine, chief operating officer and president of BOXX Canada.
"Adoption without governance isn't a strategy, it's a liability. The government is essentially asking Canadian SMEs to accelerate into a curve without teaching them how to steer," Jardine said. He said the strategy needs to go beyond encouraging adoption and include clear guidance on how businesses can use the technology safely – otherwise the push to scale will outpace the ability to manage the risk.
The strategy, unveiled earlier in June by Prime Minister Mark Carney, pledges more than $2 billion in new investment to accelerate AI adoption, train workers, and build sovereign infrastructure. It includes $700 million through the AI Compute Access Fund aimed at helping small and medium-sized businesses access the technology. But the document is light on specifics around safety, governance and liability – the areas that determine how much risk that adoption creates.
Jardine said SMEs adopting AI need to think about data exfiltration – employees putting sensitive information into a model without realizing it – as well as prompt injection, where a malicious input tricks an AI system into producing something it shouldn't. AI tools can also be used against a business, helping threat actors build more convincing phishing or social engineering attacks.
"The attack surface isn't just your network anymore, it's your prompts and how you use AI. Every input an employee sends to an AI model is a potential data loss event that most businesses have no visibility into. AI is also fast; it can collapse the time between exposure and impact as it can act autonomously," he said.
Jardine said BOXX is already factoring AI into its pricing, even though insurance applicants are not asked whether they use it.
"We've made a deliberate underwriting decision to assume AI adoption is already happening inside the businesses we insure or the supply chains they rely on, because the data tells us it is. Waiting for applicants to disclose it would mean pricing yesterday's risk," he said.
He said the government's strategy does not change his day-to-day as a cyber insurer. What it does is confirm a direction the market was already preparing for.
"Insurance doesn't follow risk; it maps it," Jardine said. "We were there when ransomware rewrote the threat landscape, we were there when social engineering became a balance sheet problem, and we're here now as AI restructures both the attack and the defense."
He said AI is already priced within the broader cyber market, and some clients are beginning to seek affirmative AI coverage – policy language that explicitly addresses AI-related exposures rather than relying on general cyber terms.
Jardine said clients are already coming to BOXX asking whether their existing cyber policy covers AI use and what steps they need to take to protect themselves. "That means that people are looking to use technology, but looking to use it in a responsible way," he said.
For SMEs moving toward adoption, Jardine said the starting point is not the technology itself but the data behind it.
"The output's only as good as the input, even though we don't always know how the output got there," he said.
He said most SMEs have not done the basic groundwork on the data they are feeding into AI systems – and that exercise, data mapping, is the foundation of responsible AI use from an insurance perspective.
"Before you talk about AI governance, before you talk about AI security, you have to answer a more fundamental question: do you actually know what data you have? Most SMEs need a clear picture of what the data is they're going to put in, whether it's sensitive, whether it's not," he said. "Where is that data going to live? How are you going to verify that data has not been changed?"
He said businesses should also update their privacy policies to reflect AI use, ensure customers are informed about how their information is being processed, and invest in basic cyber hygiene – whether that means ring-fencing an in-house AI tool or purchasing an enterprise license for a commercial platform to keep data within a controlled environment.
The urgency, Jardine said, comes from the speed at which AI operates.
"A misconfigured AI tool doesn't leak data slowly; AI moves fast, and you can lose a lot of data very quickly, and the sheer volume of the data can lead to problems going bad fast and being significant," he said.
He said data mapping is not glamorous work, but it is the exercise that makes everything else – governance, security, insurance – work properly.
"The businesses that will lose to AI aren't the ones that refuse to adopt it; they're the ones that adopt it without understanding what it's doing inside their organization. AI won't replace your workforce. Poor AI governance might."