Every framework your portfolio touches.
Canadian, US, EU, UK and international obligations converge on the same control surface — governance, data, validation, evidence, provenance. We maintain one authoritative control mapping, indexed clause by clause against every regime below, so the artefact that answers OSFI E-23 also answers the EU AI Act, NIST AI RMF and ISO/IEC 42001 with the rewiring each supervisor expects.
Select a framework to see what we know in it, which services cover it, and the playbooks that ship against it.
The Canadian regulator record is indexed in our retrieval catalog (OSFI, FINTRAC, OSC, FSRA, and Ontario sources). Non-Canadian frameworks are covered through senior advisory work, not the catalog.
Canada
10 frameworks

Model Risk Management Guideline
Effective May 1, 2027
The 17-field Appendix A model inventory. Applies to FRFIs across all model types — traditional, generative, agentic.

Third-Party Risk Management
Effective May 1, 2024
The third-party AI cascade — nth-party traceability through vendor stacks embedded in enterprise software.

Operational Risk & Resilience
Revised 2024
Critical operations, tolerances for disruption, and the resilience posture required when AI sits in the critical path.

Financial Industry Forum on AI
Discussion report series
OSFI-convened industry workshops on AI governance expectations for federally regulated financial institutions.

Personal Information Protection and Electronic Documents Act
In force
Federal private-sector privacy law. Meaningful consent, accountability, access rights.

Act to modernize legislative provisions as regards the protection of personal information
In force since September 22, 2023
ADM transparency, PIAs, cross-border transfer rules. Penalties up to $25M CAD or 4% of global revenue.

Personal Health Information Protection Act (Ontario)
In force
Ontario health information privacy — relevant only for BFSI institutions with direct health-data exposure (e.g., group insurance, health-savings accounts).

Proceeds of Crime (Money Laundering) and Terrorist Financing Act
In force with ongoing regulatory amendments
AI-driven AML, KYC, and transaction monitoring under FINTRAC supervision.

Canadian Investment Regulatory Organization
Active SRO since January 1, 2023 (IIROC + MFDA merger)
Algorithmic supervision, gatekeeping, and AI-assisted order handling obligations for investment dealers.

Applicability of Canadian Securities Laws and the Use of AI by Market Participants
Published Q4 2024
Staff guidance on how Canadian securities laws apply when registrants, issuers and dealers use AI.

United States
06 frameworks

Federal Reserve Supervisory Letter — Model Risk Management
In force (2011)
The US MRM baseline, still the reference point for validation, governance and documentation expectations in US banking supervision.

AI Risk Management Framework
Published January 2023 · GenAI Profile July 2024
Govern / Map / Measure / Manage. Profileable to any jurisdictional overlay.

Cybersecurity Framework
Published February 2024
Govern, Identify, Protect, Detect, Respond, Recover — the foundational security overlay for AI systems.

Health Insurance Portability and Accountability Act
In force
US health information privacy — relevant only for BFSI institutions with direct health-data exposure (e.g., payer banking, health-savings platforms).

Federal Financial Institutions Examination Council
Modular, ongoing updates
Management, operations, outsourcing and information security booklets that shape US bank AI oversight.

System and Organization Controls 2
AICPA standard
Security, Availability, Processing Integrity, Confidentiality, Privacy — the gating attestation for vendor procurement.

European Union
04 frameworks

Regulation (EU) 2024/1689
High-risk regime live August 2, 2026
Risk-tiered obligations, Article 15 accuracy/robustness/cybersecurity, Annex IV technical file, GPAI model rules.

General Data Protection Regulation
In force
Lawful basis, ADM rights, DPIA triggers, cross-border SCCs for AI data pipelines.

Product Liability Directive (revised)
Transposition December 9, 2026
Software — including AI — as a product. Burden of proof shifts toward the manufacturer.

Digital Operational Resilience Act
Effective January 17, 2025
ICT risk management, incident reporting, third-party oversight including AI service providers.

International
07 frameworks

AI Management System Standard
Published December 2023
The certifiable AI management system standard. Plan, Do, Check, Act across the AI lifecycle.

AI Risk Management Guidance
Published 2023
The companion risk guidance that pairs with 42001 and ISO 31000 on AI-specific risk.

Information Security Management System
2022 revision
The ISMS baseline every regulated AI deployment is expected to sit on top of.

Privacy Information Management System
Published August 2025
Extends ISO 27001 with privacy-specific controls. The certifiable layer for privacy-by-design in AI systems.

Cloud Security Controls
Code of practice
Cloud-specific control overlays for customer and provider responsibilities.

Cloud PII Protection
Code of practice
PII handling in public cloud — transparency, data subject rights, sub-processor disclosure.

Principles for effective risk data aggregation and risk reporting
Issued 2013, fully applicable to G-SIBs
The baseline for data governance and risk reporting capability — directly applicable to AI systems in risk models and aggregation pipelines.

Bring your framework stack. We bring the compliance intelligence layer.
Tell us which regimes your portfolio answers to and we will map your existing posture against every applicable clause — gaps, evidence, and the fastest route to an artifact your regulator will read.