AG Special Report – Use of Artificial Intelligence in the Ontario Government
- Pamela Seto

- 11 minutes ago
- 5 min read

The Office of the Auditor General of Ontario (“AG”) released a special report on the Use of Artificial Intelligence in the Ontario Government on May 12, 2026.¹ This audit covered the period from January 2025 to November 2025.
Why did the AG conduct this audit?
The AG conducted this audit to ensure the Ontario Public Service (“OPS”), responsible for implementing the Ontario AI Strategy², has the proper principles, safeguards and controls in place for the responsible use of AI to deliver services that the government provides to Ontarians.
To conduct the audit, AG reviewed current Ministry of Public and Business Service Delivery and Procurement (“Ministry”) processes to mitigate risks when selecting AI systems; examined controls to restrict and monitor OPS staff use of AI systems and websites; benchmarked OPS’s AI Strategy against leading practices; and reviewed the procurement process and documents in the establishment of the AI Scribe vendor of record.
Findings
The report found that the Ministry did not have consistent and effective policies and procedures in place to govern the adoption and responsible use of AI.
The following is a high-level summary of some of the notable findings:
Responsible Use of AI System
OPS staff accessed unsafe and unsecure AI websites. There were not effective security controls in place to monitor OPS staff’s actions or activities on such websites.
Approved OPS-generative AI website, Microsoft Co-Pilot Chat, had a low rate of use as opposed to unapproved generative AI websites. Microsoft Co-Pilot had important security features to ensure any information or prompts uploaded would remain within OPS secure environment, which the other unapproved sites did not have.
OPS Staff used Microsoft Co-Pilot Chat on non-default browsers (i.e. Google Chrome; Mozilla Firefox) that did not have data protection features to prevent unauthorized data disclosure such as deleting prompts/responses from a chat history; preventing Microsoft from accessing data; and data not being used to train Microsoft’s AI system.
Risk of AI Systems - Document Verification Services (“DVS”)
The DVS is the first AI system to be launched for use by Ontarians to register for government services. The system enables verification of identities online by using facial recognition technology to access services.
The AG found that there was a bias risk in the DVS because the samples used in the two vendor testing reports were too small and not representative of Ontario’s diverse demographics, which could generate decisions that disadvantaged certain groups based on facial recognition, thereby affecting their access to government services and programs.
Safe Use of AI Scribe Systems
AI Scribe systems were not evaluated adequately during the procurement process by Supply Ontario in consultation with OntarioMD, Ontario Health and the Ministry of Health.
AI Scribe systems inaccurately transcribed medical notes, resulting in hallucinations plus incorrect and incomplete information. It found that in the notes generated by the AI Scribe technologies, out of the 20 approved AI Scribe vendors on the vendor of record:
9 had hallucinations;
12 had incorrect information; and
6 had incomplete information.
OPS AI Strategy and Framework
The AG found the OPS AI Strategy lacked the following key components when benchmarked against other AI strategies in other Canadian and international jurisdictions:
Specific actionable items (detailed initiatives to achieve goals, timelines, measured outcomes and metrics and targets to measure success);
Key sectors identified for AI use;
Prohibition of AI in areas that pose unacceptable risks to the public;
Overarching investment commitment; and
Environmental considerations.
Recommendations
Based on these finding, the AG provided 10 recommendations to the Ministry:
To review and block OPS staff’s access to unsafe and unsecured AI websites and implement measures to ensure all staff take training on AI-related risks.
To establish KPI targets to measure and track Microsoft Co-Pilot Chat’s adoption; to take action to increase use of approved Microsoft Co-Pilot Chat to the targeted rates and usage; and to report KPIs to management on a monthly basis.
To block access to using Microsoft Co-Pilot Chat on other browsers and educate staff on using non-Microsoft browsers.
To validate test results by AI system vendors to ensure the testing:
was performed using a sufficient set representing Ontario’s demographics, and
meets all of the AI Directive³ requirements.
That Supply Ontario increase the weighting assigned to criteria related to security and privacy controls and assign a minimum passing score or threshold.
To review industry standards and guidelines for other jurisdictions related to AI Scribe systems and implement best practices in Ontario to ensure AI Scribe systems are tested to improve quality of notes and minimize inaccuracies; and to require that AI Scribe system vendors implement IT controls within their AI Scribe systems to enforce an attestation from users to confirm review of notes.
To obtain third party-reports from all AI Scribe system vendors annually; to always request a SOC 2 Type 2 report and/or security assessment for any type of software procured; and to ensure evaluate assess the report and reviews for potential risk.
To follow principles of the AI Directive and to evaluate bias risks related to AI systems, requiring evidence of bias testing results or doing their own bias testing prior to selecting a system.
To conduct mandatory live demonstrations to assess the effectiveness of the AI systems.
To research industry standards and strategic documents in other jurisdictions to review foundational elements to support AI strategic priorities; to apply foundational elements to the AI strategy for OPS; to incorporate similar elements to enhance the robustness of its AI strategy; and to support the timely achievement of its AI strategic priority areas.
All recommendations but one were accepted by the OPS. Supply Ontario rejected recommendation #5 on the basis that the weights assigned to mandatory and technical criteria were appropriate. The pushback by Supply Ontario seems reasonable considering that the data privacy/legal and system security controls were collectively assigned 42% weighting in the overall evaluation criteria. The bias controls, threat risk assessments, privacy impact assessments and SOC 2 Type 2 requirements were subsets of the two controls. Regardless, Supply Ontario agreed to establish a minimum passing threshold.
Takeaways
The recommendations from this report are important lessons that every broader public sector organization can take away and apply to their organization’s policies and procedures on responsible AI use. Organizations should consider the following:
How are your organization and staff currently using AI systems and websites? Are there proper technical mechanisms in place to monitor and mitigate use of AI systems in the organization to prevent unauthorized disclosure of confidential and sensitive information?
Are there robust policies and procedures governing AI use by staff? For example, is there mandatory training on responsible AI use to educate staff on what is appropriate use of AI systems at work?
How is your organization procuring AI systems to ensure responsible use? Does your evaluation team understand the technology to properly identify the risks? Are the right criteria and processes being established to procure the AI system?
Do you have appropriate contracts to address and mitigate the risks identified in the procurement stages?
How INQ Law Can Help
INQ Law is a leading law firm that specializes in AI law and policy. We can assist you in mitigating these evolving AI risks by establishing robust policies and procedures on AI governance and responsible use; and by providing procurement and commercial advice when purchasing AI systems to address the risks identified by the AG.
Feel free to reach out to:
Pamela Seto, Corporate Legal Counsel
¹ News Release (May 12, 2026) https://www.auditor.on.ca/en/content/news/26_newsreleases/nr_AR_en26-01.pdf
² Ministry launched AI Strategy, “Industrialize Artificial Intelligence Across Ontario” in November 2024. This strategy sets out the approaching for using AI to deliver services that the government provides to Ontarians. It is part of the Ministry’s mandate – AI Framework.
³ In September 2023, the Ministry developed the AI Framework that defines OPS approach to the use of AI, which includes AI Directive that establishes the requirements for OPS ministries and provincial agencies that use AI Systems. The AI Directive lists six principles and one of them is AI use is rights -affirming and non-discriminatory.





