Pandora Case study
AI governance · Canadian finance

AI governance in Canadian finance: meeting OSFI E-23.

On 1 May 2027, every federally regulated Canadian financial institution must run a single, enterprise-wide model-risk regime — a live inventory, a risk rating for every model, lifecycle governance, and durable evidence — covering all models regardless of source, AI included. AI adoption is climbing toward 70% of these institutions by 2026. The guideline is clear; the tooling to meet it is not. That is the opportunity.

Effective May 1, 2027 400+ institutions All models, all sources
The problem

A hard deadline meets an exploding model estate.

OSFI's Guideline E-23, Model Risk Management, was finalized on 11 September 2025 with an effective date of 1 May 2027, following an 18-month transition already under way.17 It requires every in-scope institution to maintain a comprehensive inventory of non-negligible-risk models, assign each model a risk rating, and govern the full lifecycle — design, review, deployment, monitoring, decommission — with evidence at every step.1

Crucially, E-23 is technology-neutral and source-neutral. It "covers models or data sourced from external sources like foreign offices or third-party vendors,"1 and OSFI deliberately declined to create a separate AI track — the principles apply "regardless of the technology used."7 A bought vendor model, an internal spreadsheet, and a machine-learning system all fall inside the same regime.

That lands at the worst possible moment for scope. AI use at Canadian financial institutions has roughly doubled in recent years and is still climbing steeply — and every new AI use case is another model, or several, that must be inventoried, rated, and governed. The obligation is fixed and dated; the thing being governed is multiplying.

The market

The scope, the surge, and the tooling spend.

Three numbers size the problem: how many institutions must comply, how fast their AI use is growing, and how large the governance-tooling market becoming.

400+2
Federally regulated financial institutions
OSFI oversees more than 400 financial institutions and 1,200 pension plans — banks, life and P&C insurers, and trust and loan companies, all in scope for E-23.
→ 70%3
AI adoption at FRFIs, expected by 2026
Up from ~30% (2019) and ~50% (2023); 75% of responding institutions plan to invest in AI over the next three years.
$12.6B9
AI model-risk-management market by 2030
Projected to grow from USD 5.47B (2023) to USD 12.57B (2030) at a 12.8% CAGR, per Grand View Research.

Most institutions "rely on third-party providers for AI models and systems,"3 which is exactly the category E-23 pulls into scope and the one existing governance tools handle worst — an inventory problem that grows every quarter.

The landscape

E-23 is one clock among several — all ticking together.

Canadian institutions don't face E-23 in isolation. Parallel regimes demand substantially the same artifacts on a similar timeline, and Canadian regulators have been building the AI-governance groundwork for years.

The regulator · Canada

OSFI Guideline E-23

A principles-based, all-models regime effective 1 May 2027: model inventory, quantitative-plus-qualitative risk rating, lifecycle governance, and ongoing monitoring — with senior accountability.18

Big-4 and law-firm briefings confirm the expanded scope now explicitly includes AI and machine-learning models across all FRFIs.5

The policy groundwork

OSFI–FCAC AI risk work

OSFI and the FCAC have jointly studied AI in Canadian finance for years — the 2024 risk report on AI uses and risks at FRFIs, and the Financial Industry Forum on Artificial Intelligence (FIFAI), which convened 170+ ecosystem members and produced Canadian responsible-AI frameworks.34

E-23 is the enforceable edge of a much longer Canadian AI-governance effort.

The parallel regime · US

NAIC Model Bulletin

The US National Association of Insurance Commissioners' AI Model Bulletin — adopted in at least 24 states plus DC since December 2023 — requires a written AI program with governance, third-party oversight, consumer notice, and fairness testing.10

For insurers operating cross-border, it demands largely the same control core on a comparable clock.

The parallel regime · EU

EU AI Act (high-risk)

Under the EU AI Act, AI for risk assessment and pricing in life and health insurance and for creditworthiness is high-risk, with obligations originally set for 2 August 2026 (a proposed deferral to late 2027 is pending, not yet law).11

A third regime, a third set of dates — same underlying artifacts of governance and evidence.

The gap

The guideline is written. The tooling to satisfy it isn't ready.

E-23 tells institutions what evidence they must produce. It does not give them a way to produce it — and the volume of models to track is set to increase sharply, while the work to vet and validate them is, in one advisor's words, "very time and resource intensive."6

  • The inventory explodes. Each AI use case must be captured and evaluated separately, so "the volume of models that will need to be tracked will significantly increase"6 — and spreadsheets don't scale to a live, rated, audited estate.
  • Bought AI is the blind spot. Most institutions run third-party AI they can't fully see into3 — exactly what E-23 pulls into scope, and exactly what enterprise governance tools and runtime gateways handle worst.
  • Evidence is the product, and it's manual. Regulators want a durable, exam-ready trail — inventory, ratings, reviews, monitoring. Assembling that by hand across three overlapping regimes is where firms are least prepared.
How we approach it

An agentic model-governance layer — a problem we're researching.

Pandora · active research

Capture once, satisfy many regimes.

This is a problem space we are actively researching rather than a shipped product — and the shape it takes follows directly from the gap. If the burden is a growing model estate, third-party AI that's hard to see, and manual evidence across overlapping regimes, then the answer is an agentic governance layer: software that auto-populates the model inventory from where models already live, so teams stop maintaining spreadsheets; captures governance facts once against a neutral control model and maps them to E-23, NAIC and the EU AI Act as lenses; and treats the regulator-ready evidence pack as the output — not a dashboard.

Two principles guide the research. First, govern the AI you bought — start with the vendor and third-party models that E-23 pulls into scope and that other tools cover worst. Second, metadata-first with Canadian data residency — the platform would hold governance metadata, ratings and evidence, never raw data or model weights, keeping sensitive material at the edge. The aim is speed-to-first-evidence: stand up a defensible inventory in days, not quarters, ahead of the 2027 clock.

  • Auto-populated inventory — pull model metadata from source systems, not spreadsheets.
  • Capture once, map to many — one control set viewed through E-23, NAIC and EU AI Act lenses.
  • Govern the AI you bought — vendor and third-party models first.
  • Metadata-first, Canadian residency — never raw data or weights; sensitive material stays at the edge.
This is early-stage research, not a released Pandora product. It reflects how we would approach the E-23 problem, informed by the regulatory landscape above.
See what Pandora builds
Sources
  1. Guideline E-23 — Model Risk Management (2027). Office of the Superintendent of Financial Institutions (OSFI), Canada. "Effective date: May 1, 2027"; scope covers banks, foreign bank branches, life and P&C insurers, and trust and loan companies; requires an inventory of non-negligible-risk models, a risk rating per model, and lifecycle governance (design, review, deployment, monitoring, decommission); covers models/data from external and third-party sources. https://www.osfi-bsif.gc.ca/en/guidance/guidance-library/guideline-e-23-model-risk-management-2027
  2. Who does OSFI regulate. OSFI, Canada. "In total, OSFI oversees more than 400 financial institutions and 1,200 pension plans" — including all banks operating in Canada, federal trust and loan companies, life insurers, P&C insurers, fraternal benefit societies, and foreign bank branches. https://www.osfi-bsif.gc.ca/en/about-osfi/osfi-knowledge-centre/who-does-osfi-regulate
  3. OSFI–FCAC Risk Report — AI Uses and Risks at Federally Regulated Financial Institutions. OSFI & Financial Consumer Agency of Canada, 24 September 2024. AI adoption ~30% (2019) → ~50% (2023) → 70% expected by 2026; 75% of responding institutions plan to invest in AI over the next three years; most rely on third-party providers for AI models and systems; top risks include model risk. https://www.osfi-bsif.gc.ca/en/about-osfi/reports-publications/osfi-fcac-risk-report-ai-uses-risks-federally-regulated-financial-institutions
  4. FIFAI II — AI Risks and Opportunities: Adopting an AGILE Framework in Canadian Financial Services. OSFI / FCAC / Global Risk Institute (Financial Industry Forum on Artificial Intelligence). FIFAI 2 (May–November 2025) convened 170+ members of the financial ecosystem and produced the AGILE framework, building on the earlier EDGE responsible-AI principles. https://www.osfi-bsif.gc.ca/en/about-osfi/reports-publications/fifai-ii-ai-risks-opportunities-adopting-agile-framework-canadian-financial-services
  5. Guideline E-23 is here. Deloitte Canada. Effective 1 May 2027; expands scope beyond deposit-taking institutions to all FRFIs including insurers; applies to all models, not just those requiring formal regulatory approval, and includes AI and machine-learning models. https://www.deloitte.com/ca/en/Industries/financial-services/perspectives/osfi-expanded-guidelines.html
  6. Are you ready for Guideline E-23? KPMG Canada. "Final guidance was published in September 2025 with an effective date of May 1, 2027"; each AI use case must be captured separately, so "the volume of models that will need to be tracked will significantly increase"; validation activities "can be very time and resource intensive." https://kpmg.com/ca/en/insights/2025/08/are-you-ready-for-guideline-e23.html
  7. Backgrounder: Guideline E-23. OSFI, Canada. "Guideline E-23 will come into effect in May 2027, following an 18-month transition period"; it is "a principles-based framework that applies to all types of models, regardless of the technology used." https://www.osfi-bsif.gc.ca/en/news/backgrounder-guideline-e-23-model-risk-management
  8. OSFI Releases Final Guideline E-23 for Model Risk Management and AI Use by FRFIs. Blake, Cassels & Graydon LLP. Published 11 September 2025, effective 1 May 2027; requires a model inventory recording all models and their risk rating, a quantitative-and-qualitative risk-rating scale, and model lifecycle governance; covers AI models and externally/third-party-sourced models. https://www.blakes.com/insights/osfi-releases-final-guideline-e-23-for-model-risk-management-and-ai-use-by-frfis/
  9. AI Model Risk Management Market Size, Share Report, 2030. Grand View Research. AI model-risk-management market USD 5.47 billion (2023) → USD 12.57 billion (2030) at a 12.8% CAGR (2024–2030); software >63% of 2023 revenue; North America >39% share. https://www.grandviewresearch.com/industry-analysis/ai-model-risk-management-market-report
  10. Nearly Half of States Have Now Adopted the NAIC Model Bulletin on Insurers' Use of AI. Quarles & Brady LLP. As of March 2025, 24 states had adopted the NAIC Model Bulletin on the Use of AI Systems by insurers with little to no material change; NAIC originally adopted the bulletin in December 2023. https://www.quarles.com/newsroom/publications/nearly-half-of-states-have-now-adopted-naic-model-bulletin-on-insurers-use-of-ai
  11. EU AI Act — Annex III high-risk systems (insurance & credit). EU AI Act reference (artificialintelligenceact.eu). AI for creditworthiness/credit scoring and for risk assessment and pricing in life and health insurance is high-risk under Annex III, with obligations originally applying from 2 August 2026 (a proposed "Digital Omnibus" deferral to late 2027 is pending, not yet law). https://artificialintelligenceact.eu/annex/3/

Rethinking model governance for the 2027 clock.

We're researching how an agentic governance layer could turn E-23 from a compliance scramble into a capture-once, exam-ready workflow. If that's a problem you're facing, let's compare notes.