On 1 May 2027, every federally regulated Canadian financial institution must run a single, enterprise-wide model-risk regime — a live inventory, a risk rating for every model, lifecycle governance, and durable evidence — covering all models regardless of source, AI included. AI adoption is climbing toward 70% of these institutions by 2026. The guideline is clear; the tooling to meet it is not. That is the opportunity.
OSFI's Guideline E-23, Model Risk Management, was finalized on 11 September 2025 with an effective date of 1 May 2027, following an 18-month transition already under way.17 It requires every in-scope institution to maintain a comprehensive inventory of non-negligible-risk models, assign each model a risk rating, and govern the full lifecycle — design, review, deployment, monitoring, decommission — with evidence at every step.1
Crucially, E-23 is technology-neutral and source-neutral. It "covers models or data sourced from external sources like foreign offices or third-party vendors,"1 and OSFI deliberately declined to create a separate AI track — the principles apply "regardless of the technology used."7 A bought vendor model, an internal spreadsheet, and a machine-learning system all fall inside the same regime.
That lands at the worst possible moment for scope. AI use at Canadian financial institutions has roughly doubled in recent years and is still climbing steeply — and every new AI use case is another model, or several, that must be inventoried, rated, and governed. The obligation is fixed and dated; the thing being governed is multiplying.
Three numbers size the problem: how many institutions must comply, how fast their AI use is growing, and how large the governance-tooling market becoming.
Most institutions "rely on third-party providers for AI models and systems,"3 which is exactly the category E-23 pulls into scope and the one existing governance tools handle worst — an inventory problem that grows every quarter.
Canadian institutions don't face E-23 in isolation. Parallel regimes demand substantially the same artifacts on a similar timeline, and Canadian regulators have been building the AI-governance groundwork for years.
A principles-based, all-models regime effective 1 May 2027: model inventory, quantitative-plus-qualitative risk rating, lifecycle governance, and ongoing monitoring — with senior accountability.18
Big-4 and law-firm briefings confirm the expanded scope now explicitly includes AI and machine-learning models across all FRFIs.5
OSFI and the FCAC have jointly studied AI in Canadian finance for years — the 2024 risk report on AI uses and risks at FRFIs, and the Financial Industry Forum on Artificial Intelligence (FIFAI), which convened 170+ ecosystem members and produced Canadian responsible-AI frameworks.34
E-23 is the enforceable edge of a much longer Canadian AI-governance effort.
The US National Association of Insurance Commissioners' AI Model Bulletin — adopted in at least 24 states plus DC since December 2023 — requires a written AI program with governance, third-party oversight, consumer notice, and fairness testing.10
For insurers operating cross-border, it demands largely the same control core on a comparable clock.
Under the EU AI Act, AI for risk assessment and pricing in life and health insurance and for creditworthiness is high-risk, with obligations originally set for 2 August 2026 (a proposed deferral to late 2027 is pending, not yet law).11
A third regime, a third set of dates — same underlying artifacts of governance and evidence.
E-23 tells institutions what evidence they must produce. It does not give them a way to produce it — and the volume of models to track is set to increase sharply, while the work to vet and validate them is, in one advisor's words, "very time and resource intensive."6
This is a problem space we are actively researching rather than a shipped product — and the shape it takes follows directly from the gap. If the burden is a growing model estate, third-party AI that's hard to see, and manual evidence across overlapping regimes, then the answer is an agentic governance layer: software that auto-populates the model inventory from where models already live, so teams stop maintaining spreadsheets; captures governance facts once against a neutral control model and maps them to E-23, NAIC and the EU AI Act as lenses; and treats the regulator-ready evidence pack as the output — not a dashboard.
Two principles guide the research. First, govern the AI you bought — start with the vendor and third-party models that E-23 pulls into scope and that other tools cover worst. Second, metadata-first with Canadian data residency — the platform would hold governance metadata, ratings and evidence, never raw data or model weights, keeping sensitive material at the edge. The aim is speed-to-first-evidence: stand up a defensible inventory in days, not quarters, ahead of the 2027 clock.
We're researching how an agentic governance layer could turn E-23 from a compliance scramble into a capture-once, exam-ready workflow. If that's a problem you're facing, let's compare notes.