Effective AI & Model Risk Governance Under OSFI Guideline E-23
The rapid integration of artificial intelligence (AI) into financial services is reshaping how institutions identify, manage, and govern risk. In response, Canada's Office of the Superintendent of Financial Institutions (OSFI) has issued Guideline E-23, a comprehensive framework that extends traditional Model Risk Management (MRM) principles to encompass AI and machine learning systems, including generative AI (GenAI), large language models (LLMs), and autonomous agentic workflows (Agentic AI).
Guideline E-23 establishes enterprise-wide and principle-based governance expectations, requiring financial institutions to maintain board-level accountability for model risk, implement lifecycle controls across all model types, and align their practices with both Basel prudential standards and emerging AI-specific risks such as opacity, bias, and model drift.
Why This Matters?
The consequences of weak AI governance in financial services are significant, both for individual institutions and for the stability of the broader financial system, making compliance with OSFI E-23 a strategic priority and not merely a regulatory obligation.
Modern AI systems introduce risks that lie outside conventional quantitative controls. Financial institutions deploying AI must also manage:
- Hallucination and factual inaccuracy in LLM-generated outputs
- Bias and fairness concerns in automated decision-making
- Privacy leakage and data exposure through prompt injection
- Opacity and lack of explainability in foundation model reasoning
- Drift in model behavior as underlying data distributions evolve
Canadian institutions must now navigate a multi-jurisdictional regulatory landscape. OSFI E-23 is converging with the AMF's Ligne directrice sur la gestion du risque de modèle (Quebec, 2025), the NIST AI Risk Management Framework, and the EU AI Act. Practitioners must understand both alignment and tension between these frameworks to avoid compliance gaps and ensure consistent governance practices across their enterprise.
The Agentic AI Challenge
Agentic AI systems, which can make decisions and autonomously execute actions, represent a significant leap in complexity. Models generate outputs. Workflows trigger decisions. Tools create real-world consequences. Speed, comprehension, and context asymmetries mean that traditional human-in-the-loop review is no longer sufficient. Institutions must shift to policy-governed, human-over-the-loop architectures with robust logic validation, control points, and clear mechanisms to constrain unsafe or unauthorized behaviour.
Impact on Financial Institutions
The implications of OSFI E-23 extend across the enterprise, affecting governance structures, validation practices, technology architecture, and organizational culture.
How Solytics Partners Can Help
Solytics has an integrated ecosystem of platforms and modules recognized by Chartis Research for capabilities spanning RiskTech, AI risk management, and QuantTech:
- MRM Vault - Model and AI inventory management, lifecycle governance, policy enforcement, and workflow controls for Models, Non-Models, and AI models, ensuring full regulatory traceability.
- NIMBUS Uno - End-to-end risk analytics for model and AI intake, development, validation, deployment, and continuous monitoring of statistical, ML, and generative AI models.
- AI Mate - AI-powered documentation generation using LLMs to support development and validation teams, reducing manual effort while maintaining audit-quality output.
- Vault Bot - GenAI-enabled governance automation, including document weakness assessment, autofill, and entity-level prompt retrieval for accelerated compliance workflows.
Specialized GenAI Monitoring Toolkit
The NIMBUS Uno GenAI monitoring toolkit addresses the specific observability needs of LLM-based systems, providing the following:
- Trace IQ - Prompt and response observability with full audit trails
- Chat Intel - Conversation analytics and quality assurance
- Embedding Insights - Vector drift detection and RAG coverage analysis
- Drift Lens - Semantic and behavioral drift monitoring
- Metrics Analyzer - Hallucination detection, factual accuracy scoring, and toxicity assessment
Beyond technology, Solytics Partners brings deep domain expertise in OSFI E-23, AMF guidance, NIST AI RMF, and international AI standards, enabling institutions to design governance frameworks that are both regulator-ready and operationally sustainable as the regulatory horizon evolves through 2026–2027.
References:
1. OSFI Guideline E-23: Enterprise-Wide Model Risk Management. Office of the Superintendent of Financial Institutions, Canada. (https://www.osfi-bsif.gc.ca/en/guidance/guidance-library/guideline-e-23-model-risk-management-2027)
2. AMF Ligne directrice sur la gestion du risque de modèle. Autorité des marchés financiers, Quebec, 2025.
3. NIST AI Risk Management Framework (AI RMF 1.0). National Institute of Standards and Technology, U.S. Department of Commerce, 2023. (https://www.nist.gov/itl/ai-risk-management-framework)
4. The Montreal Declaration for a Responsible Development of Artificial Intelligence. Université de Montréal, 2018. (https://montrealdeclaration-responsibleai.com/)
5. EU Artificial Intelligence Act. Regulation (EU) 2024/1689 of the European Parliament and of the Council. (https://artificialintelligenceact.eu/the-act/)
6. SR 11-7: Guidance on Model Risk Management. Board of Governors of the Federal Reserve System / OCC, 2011. (https://www.federalreserve.gov/supervisionreg/srletters/sr1107.htm)
7. Solytics Partners' AI & Model Risk Governance Conclave Post-Event Report. Toronto, The St. Regis – Astor Ballroom, April 9, 2026.

