Regulatory analysis, written from inside the artifact.

Long-form notes on the frameworks, enforcement actions and operating-model questions that land in front of us every week. Written for practitioners in the second line of defence, for the risk committees that read their reports, and for the counterparties reading yours.

Featured

The three pieces we keep sending to clients.

Each of these lands on a question that has moved from academic to invoiced over the last six months, AI liability, AI-insurance binding, and the collision between legacy data governance and AI governance programmes.

Insurance · Evidence

AI Agent Insurance: No Governance Evidence, No Policy

The AI-liability underwriting questionnaire has started to mirror what a supervisor would ask. Without a portable evidence pack, the bind does not happen and the renewal does not price.

Read the note →Liability · EU PLD

AI Product Liability in Financial Services

The revised EU Product Liability Directive reclassifies software, including AI, as a product. Burden of proof shifts toward the manufacturer. Canadian and US exporters inherit the risk.

Read the note →Data · AI Governance

Data Governance, Reshape for the AI Era

Running a legacy data governance programme and an AI governance programme in parallel is the single largest hidden cost inside regulated institutions. One artifact set should answer both.

Read the note →

Additional reading

Artifacts

The Five AI Governance Artifacts Every Canadian FSI Needs

The core artifact set a Canadian FSI supervisor will recognise, inventory, model cards, validation, monitoring, and the control library beneath them.

Canadian FSI

FINTRAC 2026 Amendments and CIRO Consolidation

What the FINTRAC amendments and CIRO consolidated rulebook mean for AI deployed inside Canadian AML, KYC and trade supervision.

Monitoring

The Intervenability Turn, Monitoring Isn't Enough in 2026

Regulators are moving past detection and into the intervenability question, can you stop, throttle or unwind the AI before harm compounds?

Vendor · B-10

OSFI E-23 Vendor Cascade

How the E-23 obligation reaches into the vendor stack and why nth-party AI discovery is now a table-stakes diligence artifact.

Fintech · Vendor

The OSFI E-23 Vendor Playbook

How fintechs selling into Canadian Schedule I banks answer AI-governance questionnaires without re-papering every engagement.

OSFI · FIFAI

What OSFI Is Signalling Through Its AI Governance Workshops

FIFAI is a channel, not a rulebook. How OSFI's supervisory themes cascade through E-23, B-10 and E-21 to shape AI governance programmes in Canadian FRFIs.

Operating model

AI Governance Consultancy or Platform, When to Choose Each

The build-vs-buy decision for AI governance infrastructure. Where platforms win, where specialists win, and why the answer is almost always both.

Cross-border MRM

SR 11-7 Meets OSFI E-23, A Cross-Border Crosswalk

For firms operating across US and Canadian supervisory perimeters, one validation file that answers both, and the gotchas in the mapping.

Operating model

Three AI Governance Gaps That Existing Tools Cannot Close

Where the current generation of GRC and MLOps tooling stops and what an AI-era governance operating model has to carry.

Emerging topics

What we are watching.

US Federal Banking MRM
SR 11-7 remains the US baseline for model risk management. Forthcoming AI-specific guidance from the Fed, OCC and FDIC is the next watchpoint.
EU AI Act · August 2, 2026
The high-risk regime lands live. Annex IV technical file, Article 15 accuracy and cybersecurity, GPAI obligations, all in force.
OSFI E-23 · May 1, 2027
The 17-field Appendix A model inventory and the six principles. Applies to FRFIs across traditional, generative and agentic AI.
Quebec Law 25 enforcement
The CAI has signalled a shift from education to enforcement. ADM disclosures and cross-border posture are the audit surface.
DORA ICT incident reporting
Incident classification thresholds have started to produce regulator-facing reports. AI in the critical path inherits the obligation.
PLD 2024/2853 transposition
Member-state transposition by December 9, 2026. Disclosure of technical documentation moves from option to rule.

Working with the firm

Beyond the writing.

Every note above maps to a playbook we run for clients. If a piece lands on a question you are facing this quarter, the conversation is welcome.

Speak with a partner →

The reading is the opening act. The operating model is the work.

Every piece above maps to a playbook, a framework and a control set the firm runs. Start with an enquiry; we'll walk you from the note to the artifact.

Speak with a partner All playbooks →