Answer — AI Governance
What will the auditor ask about your AI?
Four questions recur: which AI tools are in use, what can they access, what governance applies — and can you demonstrate it from records made at the time? Since September 22, 2023, Law 25 has required every Québec municipality to govern personal information — the auditor looks for proof that the governance actually exists.
Where will the question come from?
From the vérificateur général or the external auditor during the annual audit, from an elected official in a council meeting, or from the Commission d’accès à l’information (CAI) after a complaint or an incident. The trigger varies; the question always lands in the same place: what AI is in use here, and can you demonstrate it?
The auditor’s frame of reference already exists. Since September 22, 2023, Law 25 has bound Québec municipalities directly: governance policies for personal information, a designated person in charge, valid consent, and privacy impact assessments (ÉFVP) for covered projects — all under the CAI’s oversight. AI is no exception: most AI projects involve personal information.
The four questions to expect
-
Which AI tools are in use? Not only the approved ones. The ones that arrived through a vendor update, an agent switched on by default, a subscription taken out by one department. An inventory that covers only declared AI answers a different question than the one being asked.
-
What can those tools access? Which files, which citizens’ personal information, which permissions. This is where the ÉFVP meets reality: you cannot assess the privacy factors of processing you cannot see.
-
What governance applies? Does the policy exist, is the responsible person designated, and where a decision is based exclusively on automated processing, is section 65.2 of the public-sector Act applied — the person informed, the principal factors and parameters disclosed on request, their observations received by a staff member able to review the decision? Meaningful human involvement in the decision changes the analysis; you still have to be able to establish what each tool actually does.
-
Can you prove it? This is the question that separates files that hold from files that don’t. An adopted policy, a spreadsheet inventory, and a filed ÉFVP document intentions. The auditor looks for records made at the time: when a given tool appeared, what it could touch, when a gap was found, when it was closed.
Why is “contemporaneous” the key word?
A file reconstructed in the weeks before the audit shows one day’s state; it does not demonstrate a practice. Demonstrable reasonable diligence — the standard regulators assess — reads from timestamped records, kept continuously, that cannot be rewritten after the fact. And such a history is neutral: it can show gaps. That is precisely what makes it credible — a gap detected, dated, and closed reads as governance that works, not as a fault.
Agentica, an AI Governance company in Montréal, keeps that kind of history: every AI agent in your business environment, continuously mapped and recorded in a tamper-proof history — read-only, metadata and signals only — from which the report for the council or the auditor is generated on demand. The person in charge of protecting personal information and the direction générale remain accountable; the history gives them something to answer with.