The AI governance market splits into two camps. Platforms (Credo AI, Holistic AI, Monitaur, Fairly/Asenion, Trustible) offer software to install. Consultancies deliver operational artifacts alongside your engineering team. For Canadian and North American financial services buyers, the choice is not platform-or-consultancy — it is platform-then-consultancy, consultancy-first, or consultancy-only. This brief explains when each applies.
If three or more answers match 'consultancy,' you are not a platform buyer yet.
| Question | Choose a platform when | Choose a consultancy when |
|---|---|---|
| What is your AI governance maturity? | You already have an operating model; you need tooling to scale. | You have AI in production but no operating model — artifacts, gates, review cadence. |
| What is your deadline? | Next 18–24 months. | Next 1–6 months (OSFI E-23 questionnaire, board review, or audit finding). |
| How large is your engineering team? | Large enough to own a platform post-implementation (10+ ML/AI engineers). | Small team, limited platform-operations capacity. |
| How regulator-specific is your need? | US federal + EU AI Act cover most of your exposure. | OSFI E-23, FIFAI II, CIRO, FINTRAC, or SR 11-7 — Canadian and cross-border-specific obligations. |
| What output does your buyer audit team expect? | Dashboards, reports, audit logs from a named platform. | Structured artifacts — Model Cards, Agent Cards, HITL architecture, AIRSA — embedded in your delivery pipeline. |
A fair read of what each category of platform delivers — not a takedown.
What they do well. Purpose-built AI governance platform with policy packs for EU AI Act, NIST AI RMF, ISO 42001 — strong Fortune 500 adoption.
Where they stop. No OSFI E-23, FIFAI II, or CIRO coverage; US-framework-centric; no Canadian FSI delivery story.
What they do well. Shadow-AI discovery, policy-as-code, guardian agents — strong for distributed AI enterprises.
Where they stop. Platform-only; no founder-delivered advisory; no Canadian regulator specificity.
What they do well. Policy-to-proof platform; Forrester Strong Performer in AI governance for insurance and regulated FS.
Where they stop. US insurance-led; no OSFI positioning; platform-implementation motion, not in-bank delivery.
What they do well. Canadian-headquartered (Kitchener, ON); rebranding in progress; patent-pending assurance tech.
Where they stop. OSFI/FINTRAC/CIRO still absent from public messaging; Big 5 bank delivery credentials not publicly demonstrated.
What they do well. AI-native governance platform; risk-based triage; compelling for enterprise AI programs.
Where they stop. US-framework-heavy; no Canadian regulator pages; no fintech-to-bank cascade narrative.
These positions are drawn from each vendor's public 2026 messaging. Every platform in this list is a serious product built by serious teams, and each one has real customers who derive real value. The "where they stop" column is not a criticism; it is a scope statement. A platform is a product, and a product is shaped by the regulators, industries, and buyer personas its team has chosen to serve. When the platform's chosen scope overlaps your obligations, it is likely the right answer. When it doesn't, a consultancy that has operated inside your specific regulator's perimeter is closer to the evidence you need.
Platforms excel when you already have an operating model and need tooling to scale. A bank with a mature model-risk function, a named 2LOD team, an existing AIRSA-equivalent inventory, and a monthly review cadence will get genuine value from a platform that automates policy packs, evidence aggregation, and cross-system reporting. In that configuration, the platform is a force multiplier: it takes artifacts the organization already produces by hand and makes them queryable, comparable, and continuously surfaced to the right reviewers.
Platforms struggle when the operating model doesn't exist yet. A fintech with AI in production, a 3-person engineering team, and an OSFI E-23 questionnaire due in 60 days does not need a platform. They need Model Cards. They need HITL architecture. They need a validation report. A platform cannot manufacture content that the organization has never produced; it can only aggregate and present content the organization already knows how to create. Buying the aggregation layer before the underlying artifacts exist inverts the sequence and stalls every subsequent decision.
The tell: if your buyer-facing audit team (OSFI, SR 11-7 examiner, bank 2LOD reviewer) needs to see evidence artifacts next quarter, you do not have time to implement a platform — even a fast one. You need the artifacts. Platform vendors quote 60–90 days of implementation as a best case; real integrations with existing identity, CI/CD, and model-inventory systems frequently run longer, and the first month of procurement, security review, and DPIA approval lives before implementation even starts. Every day spent on that sequence is a day not spent producing the evidence a regulator or bank 2LOD reviewer will ask for.
A second, related failure mode: buying a platform to cover a regulator the platform does not meaningfully address. If your exposure is OSFI E-23, FIFAI II, or CIRO, a US-framework-centric platform can help with your EU AI Act or NIST AI RMF obligations but will not, by itself, produce the Canadian-specific evidence your examiner expects. The underlying policy content has to be authored somewhere. Either your team writes it, a consultancy writes it with you, or the platform stays silent on the regulator that actually matters this cycle.
Not advisory decks. Engineering-embedded delivery that produces the artifacts alongside your team.
Weeks to Model Cards, Agent Cards, HITL architecture, AIRSA — not 90-day platform onboarding.
OSFI E-23, FIFAI II, SR 11-7, FINTRAC, CIRO — not a policy-pack abstraction.
We work inside your pipeline (git, CI/CD, existing inventory). No new login, no new UI for your team to learn.
You own the artifacts. They live in your documentation, your repositories, your review cadence — not a vendor dashboard.
Consultancy-led delivery in AI governance is not a slide deck and a recommendation memo. It is a named practitioner working inside your CI/CD, your model inventory, and your existing review cadence, producing the Model Cards, Agent Cards, HITL gate definitions, AIRSA records, and Governance Operating Model that your regulator, your bank client, or your board has asked for. The artifacts land in your repositories, versioned alongside the code they describe. Your 2LOD reviewers and your examiner read them directly. There is no separate vendor surface to learn, log into, or explain to procurement.
Four structural differences — each grounded in what you buy and what shows up.
| Dimension | Platforms | RegCore.AI |
|---|---|---|
| What you buy | Software license, dashboards, policy packs | Delivery engagement with operational artifacts |
| Time to first evidence | 60–90 days (implementation + integration) | 2–4 weeks (first artifact package) |
| Regulator mapping | EU AI Act, NIST AI RMF, ISO 42001 (US-centric) | OSFI E-23, FIFAI II, FINTRAC, CIRO, SR 11-7, EU AI Act |
| Output format | Platform dashboards + aggregated reports | Model Cards, Agent Cards, HITL architecture, AIRSA, Governance Operating Model |
| Fit with existing stack | New vendor to integrate | Embedded in your existing git, CI/CD, documentation |
| Ongoing cost model | Annual SaaS license | Engagement-based; retainer optional post-delivery |
| Buyer credibility proof | Vendor dashboard + analyst ratings | Named artifacts that survived 2LOD review inside a Canadian Big 5 bank |
The seven rows above are not a feature comparison. They are a buyer's checklist of what actually shows up at the end of the engagement. Platforms deliver a licensed piece of software with a dashboard, an API, and a policy-pack library; consultancies deliver the content that populates any of those surfaces. That is not an argument for one over the other — it is an argument for understanding what your organization is purchasing. If the output you need is a dashboard, buy a platform. If the output you need is a Model Card your bank 2LOD reviewer can open in a pull request, that is a consultancy deliverable regardless of which vendor's logo sits above it.
Mature FSIs with large engineering functions often run both. A consultancy builds the operating model and first artifact set — Model Cards, HITL architecture, AIRSA — then the organization selects a platform to automate ongoing evidence aggregation and reporting. The artifacts the consultancy produced become the schemas the platform populates. In that sequence the platform earns its license cost because the underlying content is well-formed, version-controlled, and produced by a pipeline the organization already owns. The aggregation layer aggregates real evidence, not placeholders.
The wrong sequence — selecting a platform first, then discovering the operating model is absent — is the most common failure mode we see. The platform becomes shelfware because the content it's supposed to aggregate doesn't exist. Internal owners spend the first two quarters writing policy documents to populate the platform's schemas, then another quarter reconciling those documents with what is actually running in production, then a final quarter preparing for the regulator review the platform was nominally bought to address. Four quarters in, the board asks why the license was renewed.
The right sequence for a mature FSI: scope the operating model, produce the artifact set, prove the artifact set survives 2LOD review, then select a platform to scale the cadence. For a fintech or smaller institution, the platform may never be necessary — a disciplined artifact repository inside git, wired into CI/CD with clear ownership and review cadence, already satisfies most of what an OSFI examiner or bank vendor-risk team will ask for. A platform is an optimization on a working operating model; it is not a substitute for one.
Consultancy-only, this cycle. You need artifacts in 30–60 days. Platform implementation is too slow. After the questionnaire ships, re-evaluate whether you need a platform to scale.
Platform, plus targeted consultancy for gap areas (Canadian regulator specificity, AI Gateway, HITL architecture refinement). The platform is your aggregation layer; the consultancy fills operational gaps the platform can't address.
Consultancy-first. No platform currently covers CIRO 2026 obligations with meaningful specificity. Build the operating model and artifacts first; revisit platforms when market maturity catches up.
Consultancy-led, focused on OSFI E-23 and FIFAI II alignment with your existing SR 11-7 artifacts. Your US model-risk documentation is 70% of the way there — cross-border bridging is where consultancy delivers.
The four profiles above cover the large majority of inbound conversations we take. None of them is a blanket recommendation for or against platforms. Each is a sequencing statement: given your maturity, your regulator exposure, and your deadline, which motion produces defensible evidence fastest. The right buying decision in AI governance is almost always conditional on the cycle you are in — and the cycle you are in is usually set by a regulator, a bank client, or a board request with a date attached. Start from the deadline, work backward to the artifact, and the motion (platform, consultancy, or both) resolves itself.
We publish this analysis because we'd rather not be hired than be wrongly hired. If a platform is your right answer, we'll say so. If operational delivery is the fit, we build the artifacts alongside your team.
