AI Compliance for UK Professional Services: Navigating US Fragmentation and Canada's Privacy Crackdown
US and Canadian AI Compliance: What Professional Services Firms Need to Know Right Now
If you run an accountancy practice, law firm, HR consultancy, or marketing agency and you use AI tools in your work, the regulatory ground beneath you is shifting — and not just in the jurisdictions where those laws are being written. What happens in Washington, Sacramento, and Ottawa has a direct bearing on how you manage your AI vendor relationships, what you can claim about your services, and how exposed you are when something goes wrong.
This briefing cuts through the noise on the most significant US and Canadian AI compliance developments and explains what they mean for professional services businesses operating internationally.
The US Has Chosen Deregulation — But Enforcement Has Not Disappeared
In January 2025, President Trump revoked the Biden administration's AI executive order, signalling a decisive shift towards an innovation-first, deregulatory posture at federal level. There is no comprehensive federal AI statute in the United States, and the current administration has made clear it has no appetite to create one.
For international businesses, this might sound like a relaxation of pressure. It is not.
In the absence of federal frameworks, US states are building their own. Utah now requires professionals in regulated occupations to make prominent disclosures when they use generative AI. California continues to enact targeted AI transparency legislation. Colorado, which passed what was considered landmark AI legislation, is actively working to narrow its scope under industry pressure. The result is a fragmented patchwork of obligations that varies by state, sector, and use case — and that patchwork applies to any firm doing business with US clients or operating in US markets.
Federal enforcement, meanwhile, remains active in the areas that matter most to professional services. The Federal Trade Commission's Operation AI Comply is actively pursuing companies that make deceptive, unsubstantiated, or exaggerated claims about their AI capabilities. The FTC has shown some flexibility — it recently vacated a consent order against the AI writing assistant Rytr, citing the new AI Action Plan — but the message to businesses is clear: if you cannot substantiate what you claim your AI does, you are a target. That warning applies whether your firm is based in London, Toronto, Dubai, or Sydney, if your marketing claims reach US audiences.
Separately, the Equal Employment Opportunity Commission and private litigants continue to pursue algorithmic bias claims with significant energy. Rising class-action lawsuits against companies such as Workday over AI-powered hiring tools signal that discrimination risk embedded in automated decision-making is a live enforcement and litigation issue — not a future concern.
Canada's Legislative Gap Is Now a Compliance Risk in Itself
Canada spent several years developing the Artificial Intelligence and Data Act as part of a broader federal digital framework. When Parliament was prorogued in January 2025, AIDA died on the order paper. Canada now has no dedicated federal AI law.
What it does have is a collection of existing privacy, human rights, and provincial statutes that govern AI deployments by default — and regulators who are clearly willing to use them.
Quebec's Law 25 is the sharpest instrument in this toolkit. It imposes strict transparency obligations around automated decision-making and carries penalties of up to $25 million or 4% of global turnover. Ontario's Bill 194 creates accountability frameworks for public sector AI, and rules under Bill 149 will require employers to disclose AI use in hiring processes from 2026. For any organisation with Canadian operations, employees, or clients, these obligations are already in scope or fast approaching.
The OpenAI Ruling Changes the Vendor Due Diligence Calculus
The single most consequential development in North American AI regulation in recent months came not from a legislature but from a joint enforcement action. On 6 May 2026, Canadian federal and provincial privacy commissioners issued a landmark joint finding against OpenAI, ruling definitively that publicly accessible internet data is not free to scrape and that OpenAI had violated Canadian privacy law by training its models on personal data without valid consent.
This matters enormously for professional services firms — and not only those with Canadian operations.
If you are using AI tools in your practice, the question of how those tools were trained is now a live compliance question, not a technical detail to leave to your vendor. A supplier's assurance that its model was built on "publicly available data" is no longer sufficient. The Canadian ruling has established that "publicly available" and "lawfully obtained" are not the same thing. Firms that rely on AI models trained on non-consented data face potential liability under privacy frameworks across multiple jurisdictions, including those operating under GDPR in the UK and EU.
Four Things Professional Services Firms Must Do Now
Substantiate every AI claim you make publicly. If your firm's website, proposals, or marketing materials make claims about what your AI tools can do — the accuracy, speed, or capability they deliver — those claims must be verifiable and documented. The FTC's enforcement focus on AI washing is not directed only at technology companies. Professional services firms that market AI-enhanced services to US clients are exposed to the same scrutiny.
Adopt a recognised governance framework. The fragmentation of AI law across US states, Canadian provinces, the UK, EU, and beyond makes jurisdiction-by-jurisdiction compliance unworkable on its own. Aligning your AI governance practices with the NIST AI Risk Management Framework or ISO 42001 gives you a defensible, auditable baseline that satisfies regulators across multiple regimes simultaneously. It also makes due diligence conversations with enterprise clients significantly more straightforward.
Build human oversight into every AI-assisted workflow. Courts in both the US and Canada have sanctioned legal professionals who submitted AI-generated work containing fabricated case law — including the recent Ontario decision in Ko v Li. This is not a theoretical risk. Any firm using AI to draft documents, research precedents, or generate client-facing outputs must enforce clear human-in-the-loop verification protocols. Sign-off processes, accuracy checks, and accountability trails are no longer optional practice management improvements; they are professional liability essentials.
Conduct proper vendor due diligence on AI tools. Following the Canadian OpenAI ruling, a privacy impact assessment on your AI vendors is a compliance requirement, not a best-practice recommendation. You need to know how your vendors' models were trained, what data they process, where that data is stored, and what consents underpinned its collection. If your vendor cannot answer those questions clearly, that is itself a significant compliance risk indicator.
The Bigger Picture for International Firms
The temptation when reading about US deregulation is to assume the compliance environment is easing. It is not. What the US situation actually represents is the replacement of a coherent federal framework with a more complex, less predictable multi-level enforcement environment — one where state regulators, federal agencies with active mandates, and private litigants all remain capable of generating serious consequences.
Canada, meanwhile, has moved from legislative ambition to enforcement reality. The OpenAI ruling signals that Canadian regulators will use existing laws assertively while the legislature catches up.
For firms based outside North America, neither development is abstract. Your vendor relationships, your client data obligations, and your marketing claims are all touched by these shifts.
Talk to Ops Intel
Ops Intel helps professional services businesses understand their AI compliance obligations across multiple jurisdictions and build governance frameworks that hold up under scrutiny. Whether you need a vendor due diligence review, a gap analysis against NIST or ISO 42001, or practical guidance on what your AI use means for your regulatory position, our team can help.
Get in touch to arrange an initial compliance consultation.