Many Canadian businesses are rolling out artificial intelligence tools without treating the risks as a corporate governance issue, leaving potential gaps in oversight, training and business continuity planning, according to Paige Cheasley, national technology practice leader at Gallagher.
"A lot of companies still think of it as more of an IT issue as opposed to an overarching governance aspect," Cheasley said.
That assessment is backed by Gallagher's own data. The firm's 2026 AI Adoption and Risk Survey found that nearly half of respondents still view the IT department as the function responsible for AI-related risks. Less than half have adopted formal risk management frameworks for AI use, and only 56% have communicated their AI adoption strategy to their workforce.
She said the problem is visible in client conversations. Many companies say they are using AI but struggle to articulate what they are doing with it or how it fits into their operations.
"I speak to clients who say we're using AI, but it's hard to get a clear idea of what they're doing with it," she said.
Cheasley said management needs to own the direction, not delegate it to IT by default. That means having a clear view of what the company wants AI to do, whether the infrastructure supports it, and what happens if it fails.
"It's great to brainstorm about great ways to implement AI within the company," she said. "But is it feasible? Is it cost-effective? Do they have the infrastructure in place? What are the potential repercussions if it fails?"
She said the workforce side gets far less attention than it should. Companies need to address how employees will adopt the tools, set clear expectations for acceptable use, and deal with concerns about redundancies head-on.
"No different than making sure you've looked at employee safety concerns in a manufacturing site," she said. "The same idea, just overall corporate governance."
Cheasley said the talent challenge compounds the problem. Reskilling and upskilling employees to work effectively with AI tools takes time and investment, and finding the right people to lead implementation is not straightforward. The Gallagher survey found that more than half of businesses cite skills gaps and recruitment challenges as a barrier to AI implementation.
"We've all run into new software we have to learn to use, and it can get cumbersome," she said. "Learning AI would be no different for any company."
She said employees may take AI outputs at face value without questioning them. Clear guidelines on when to trust and when to verify are essential, particularly given the well-documented risk of AI generating false or misleading information.
"The human factor is somewhat underestimated," she said.
Business continuity is another area where AI has outpaced planning. Cheasley said most companies have incident response or continuity plans in place, but may not have updated them to reflect their dependence on AI systems.
"Have they adjusted it or updated it to account for AI within their business?" she said. "How important is this AI tool? How critical is it? What's going to happen if it fails?"
She said underwriters are already asking these questions. Insurers want to understand how clients govern their AI use and whether employees are trained – and the answers are often incomplete.
"I get a lot of underwriters asking more questions around that as well," she said. "They want to know the governance piece and the training piece."
For mid-sized companies without dedicated risk teams, Cheasley said the starting points are practical: review vendor contracts and understand what recourse exists if an outsourced AI tool fails, set boundaries on what data employees can feed into AI systems, and build in manual checks on outputs.
"Make sure that there's always a human in the loop to double-check the outcome," she said. "Train employees on how to properly prompt the AI to get the result, to reduce the risk of error."
She said data governance is a particular concern – companies need to define what information employees are permitted to input and how to limit the company's exposure if something leaks or is misused.
"What data are they allowed to put in it, what are they not allowed to put in it, how to protect the company from that sort of exposure and reduce the liability there," Cheasley said.
Cheasley said the underlying issue is one of ownership.
"Elevating it more than it's an IT problem," she said. "It's the governance piece and strong management leading the way as to what they're expecting from this tool."
