Artificial intelligence (AI) is rapidly transforming how public institutions operate. Governments are increasingly exploring the use of AI to streamline administrative processes, analyze complex data, improve service delivery, and enhance decision-making. However, questions about data privacy, algorithmic bias, cybersecurity, environmental impact, and human accountability are becoming central to public-sector operations. As governments accelerate the adoption of AI technologies, the need for strong governance frameworks has never been more critical.
In May 2026, the Office of the Auditor General of Ontario released a landmark report, Use of Artificial Intelligence in the Ontario Government (PDF) – a comprehensive audit of AI use in the Ontario Public Service (OPS). Although the audit focuses on provincial operations, the findings provide valuable insights for municipalities that are increasingly exploring and adopting AI solutions.
The Auditor General’s 2026 Report
The Office of the Auditor General of Ontario (OAGO) examined how the Ministry of Public and Business Service Delivery and Procurement (MPBSDP), on behalf of the OPS, was implementing and overseeing Ontario’s 2024 AI strategy ‘’Industrialize Artificial Intelligence Across Ontario’’, including the governance, procurement, and operational controls supporting AI adoption across government.
The audit sought to determine whether the OPS had the foundations needed to adopt AI safely, ethically, and effectively. Specifically, it assessed whether the OPS had:
- a comprehensive strategy and governance framework for consistent and responsible AI use;
- strong cyber security, privacy, and bias mitigation controls when selecting or procuring AI tools; and
- effective oversight of employee AI use.
The audit covered the period from January to November 2025 and benchmarked Ontario’s AI practice with national and international standards.
Key Findings
- Weak Governance and Oversight
- The Auditor General (AG) found that while Ontario had taken important early steps toward AI adoption, clear governance structures were absent, including measurable objectives, implementation timelines, accountability mechanisms, and performance indicators. As a result, ministries lacked a consistent operational framework to guide AI adoption across government.
- Cybersecurity and Privacy Gaps
- Between April and August 2025, OPS employees visited about 400 AI-related websites – of which 60% were classified as unsafe or unsecured. Many of these were public, generative AI tools capable of retaining user input or using uploaded data to train algorithms.
- Low AI literacy
- Only 3% of employees had completed the ‘Responsible Use of AI’ training. The training course was intended to help employees understand how to safely use both government-approved and public AI tools, but participation was not mandatory. Low completion rates increased the risk of data misuse and reduced the organization’s overall readiness to manage AI adoption.
- Bias and Accuracy Concerns
- The OPS’s Document Verification Service (DVS)—which uses facial recognition AI to verify digital service users—was tested on a sample too small to represent Ontario’s population. The absence of data that is reflective of Ontario’s full demographic diversity curbed confidence that the system performs fairly across demographic groups, particularly for racialized or older residents. The AG raised concerns that biased outcomes could create inequities in access to public services.
- Procurement Weakness
- The AG identified significant gaps in Ontario’s procurement and oversight of third-party AI vendors, particularly in relation to AI scribe systems used in the health-care sector. Some vendors were approved without submitting key privacy and security documentation, including third-party cybersecurity audits, privacy impact assessments, and threat-risk assessments. In several cases, the procurement process relied heavily on vendor self-attestation rather than independent verification of compliance. The AG concluded that stronger procurement standards, more rigorous testing, and enhanced vendor oversight were necessary to reduce risks related to privacy, bias, security, and reliability.
Auditor General’s Conclusion
The Auditor General concluded that while Ontario had early frameworks, the OPS did not yet have effective, consistent processes to manage AI across the government. The absence of AI governance, training, and control showed that Ontario’s AI strategy was ambitious in theory, but uneven in practice.
The report set out 10 recommendations directed primarily at strengthening Ontario’s AI governance framework and operational safeguards, which fall into five key areas:
Focus Area | Recommendations |
|---|---|
Cybersecurity & Training | Block unsafe AI sites and make responsible‑use training mandatory |
Measurement & Adoption | Establish and monitor key performance indicators for approved AI tools |
Fairness & Bias Detection | Validate vendor testing using data that represent Ontario’s demographic diversity |
Procurement Practices | Weight privacy, security, accuracy, and bias controls more heavily; require third‑party certifications and live demonstrations |
Strategic Governance | Strengthen the OPS AI Strategy with clear actions, deliverables, funding, and environmental considerations |
Relevance to Municipalities
Municipalities are already increasingly exploring and adopting AI tools for service delivery, administration, and information management. Although not covered by the audit, the findings from this provincial audit provide a blueprint for municipalities for what ‘responsible public-sector AI governance’ should look like and where local governments can strengthen their own practices.
Three key lessons stand out for municipalities:
- Governance must come before adoption
- Municipalities should establish clear AI governance frameworks before deploying AI technologies. Policies should define acceptable use cases, approval processes, accountability structures, ethical standards, privacy protections, and human oversight requirements. Taking a wide-angle lens to align related internal corporate policies and with institutional obligations set out in legislation such as the Municipal Freedom of Information and Protection of Privacy Act, among others, is important.
- Cybersecurity and data protection are foundational
- Restrict the use of public AI tools that could store or use sensitive data. Work with IT and legal teams to guarantee that AI systems comply with data protection requirements and public-sector obligations. For municipalities without internal IT and legal teams, collaborating with neighbouring municipalities on an approach to share costs, resources, and lessons learned may be the way forward.
- Build Employee Capacity
- Introduce mandatory AI literacy training. Public services – at all levels – should understand what AI can and cannot do, and the risks of entering sensitive data into generative AI systems. Training on any new AI use policies your municipality may adopt, and related privacy and records management procedures, may be a place to start.
By implementing these practices, municipalities can start aligning with expectations set under Ontario’s Enhancing Digital Security and Trust Act, 2024 —legislation that empowers the Province to regulate AI transparency, accountability, and risk management across the public sector.
The Auditor General’s 2026 report reinforced a clear message: AI is not just a technology issue – it’s a governance issue. Municipalities that proactively invest in governance frameworks, workforce readiness, cybersecurity safeguards, and ethical oversight will be better positioned to harness the benefits of AI while maintaining public trust, transparency, and accountability.