The evidence pack is the product. Three arms produce and defend it.

OSFI Guideline E-23 is the Office of the Superintendent of Financial Institutions' Model Risk Management guideline, which becomes enforceable May 1, 2027 for federally regulated financial institutions. It requires model documentation, independent validation, ongoing monitoring programs, and Board-level governance structures for all material models — explicitly including AI and machine learning systems. The guideline does not tolerate informal processes or retroactive documentation; it expects evidence artifacts produced from a running governance process.

E-23 is formally directed at federally regulated financial institutions, but its requirements cascade to fintech vendors through bank procurement and vendor risk management processes. Canadian banks are already requiring E-23-aligned model documentation, validation evidence, and HITL gate architectures from their AI vendors before deployment approvals. In practice, any fintech selling AI into a Big 5 or regional bank must produce governance artifacts that satisfy the bank's 2LOD risk team — which means satisfying E-23 by proxy.

The Financial Industry Forum on Artificial Intelligence (FIFAI) is OSFI's convening mechanism for dialogue with industry, academia and peer regulators on AI risk and governance in federally regulated financial institutions. FIFAI is not a guideline and does not carry enforceable obligations — what it carries is supervisory signal. The consistent themes OSFI has articulated through FIFAI include: AI inventory and supply-chain lineage; controls that keep pace with adoption; responsible innovation rather than adoption avoidance; workforce and consumer AI literacy; and systemic, ecosystem-level risk from foundation-model concentration and multi-tiered vendor chains. Those themes are operationalised through binding OSFI guidelines — E-23 model risk management (effective May 1, 2027), B-10 third-party risk management (revised 2024), E-21 operational risk and resilience (revised 2024), and B-13 technology and cyber risk. A programme built against those guidelines, calibrated to the FIFAI themes, is positioned for OSFI's AI posture whether or not a formal AI-specific guideline is issued.

A Model Card is a structured documentation artifact that captures a model's intended use, training data, validation results, known limitations, performance characteristics, and monitoring requirements. Canadian banks require Model Cards because they are the primary evidence artifact 2LOD review teams use to evaluate whether a model satisfies OSFI E-23 expectations. A Model Card that was written retroactively to satisfy a project gate does not establish the provenance chain E-23 requires — the Model Cards we produce are structured to withstand regulatory examination, not to close a ticket.

A Model Card documents a single model — its training data, validation, limitations, and monitoring. An Agent Card documents an AI agent system, which typically orchestrates one or more models against tools, retrieval sources, and decision logic. The Agent Card captures design rationale, operational constraints, escalation logic, and decision boundaries — the reasoning layer that Model Cards alone do not cover. Agentic AI in financial services needs both artifacts because regulators will ask not only what the model does, but why the agent chose to invoke it.

A HITL gate is a structural checkpoint where an AI system must enter a pending_approval state and wait for a human decision before an action is committed. This is distinct from a post-hoc alert or a review dashboard — the gate blocks execution, not reviews it after the fact. HITL gates matter for regulated AI because OSFI E-23, SR 11-7, and the EU AI Act all require human oversight that is auditable, timestamped, and attributable. A HITL gate that exists only in policy is not a gate; it is a recommendation that will not survive a compliance audit.

Bill C-27 combined the Consumer Privacy Protection Act (CPPA) — the proposed federal replacement for PIPEDA — and the Artificial Intelligence and Data Act (AIDA). Bill C-27 lapsed on January 6, 2025 at prorogation and AIDA was formally withdrawn on February 11, 2025. Canada currently has no federal AI statute in force. PIPEDA remains the federal private-sector privacy baseline; CPPA's content is expected to return in a future parliamentary cycle. In the interim, AI-specific obligations for Canadian FSIs flow from OSFI E-23 (effective May 1, 2027), OSFI B-10 third-party risk, OSFI E-21 operational resilience, OSFI FIFAI supervisory themes, FINTRAC, CIRO, Quebec Law 25 (in force, up to $25M CAD or 4% global revenue), and cross-border regimes — SR 11-7, forthcoming US federal banking AI guidance, NIST AI RMF, and the EU AI Act. A program built to PIPEDA and OSFI E-23 today, with voluntary NIST AI RMF + ISO/IEC 42001 alignment, is well-positioned for whatever federal AI law returns next.

SR 11-7 is the US Federal Reserve's Supervisory Guidance on Model Risk Management (issued as Fed SR Letter 11-7 and OCC Bulletin 2011-12 in April 2011, with FDIC adoption via FIL-22-2017 in June 2017). It predates modern AI but its three-pillar structure — conceptual soundness, ongoing monitoring, and outcomes analysis — is being applied directly to AI/ML models by US bank examiners. For Canadian institutions operating in the US or US subsidiaries of Canadian banks, SR 11-7 is the operative model risk standard, and the evidence expectations map closely to OSFI E-23. An AI governance program designed to satisfy E-23 is largely structured correctly for SR 11-7, with additional attention to US-specific validation and documentation conventions.

The EU AI Act reaches full applicability on August 2, 2026, and has extraterritorial reach — it applies to any provider placing an AI system on the EU market or whose AI output is used in the EU, regardless of where the provider is incorporated. For Canadian fintechs with EU customers or EU-resident end users, high-risk AI in financial services triggers conformity assessment and technical documentation obligations, with penalties up to 7% of global revenue. The practical effect is that Canadian AI providers cannot treat the EU AI Act as someone else's problem if any part of their product touches the EU.

A Regulatory Readiness Assessment establishes current-state compliance posture across OSFI E-23, SR 11-7, NIST AI RMF, EU AI Act, PIPEDA, Quebec Law 25, FINTRAC, CIRO, and other applicable frameworks, producing a gap analysis and sequenced remediation roadmap. The exact duration depends on the number of AI systems in scope, regulatory jurisdictions in play, and the state of existing documentation. The assessment itself is scoped during the initial conversation — every engagement begins there, because governance work without a current-state baseline produces documents rather than evidence.

Big 4 advisory firms produce governance frameworks and policy documents; AI governance platforms — Credo AI, Holistic AI, ValidMind, Asenion (formerly Fairly AI) — come from data-science or platform backgrounds and provide tooling that assumes governance is already defined. RegCore.AI produces operational governance infrastructure — HITL gates, Agent Cards, evidence pipelines — that draws from governance perimeters at Canadian BFSI institutions, designed to withstand 2LOD review against real regulatory submissions. Our knowledge of bank compliance culture, 2LOD documentation standards, and OSFI examination expectations is first-hand, not acquired from reading guidelines.

Every RegCore agent ships as a reference implementation: a repo, a Docker image, an MCP (Model Context Protocol) server exposing its tools, and an output schema mapped to the relevant regulator. An engagement installs and certifies the agent inside the client's perimeter — the client becomes the deployer of record. Subscription covers ongoing regulator-mapping maintenance and RegWatch feed updates. Customer-deployed, engagement-installed, schema-maintained: the client holds the keys; RegCore maintains the mapping.

RegCore engagements are human-led and agent-augmented. Our own RegWatch, AIRSA, Evidence Pack Generator, Model Monitoring, AI Gateway and HITL Gate run inside a governed, observed environment — the same environment pattern we ship to clients. Every artifact we produce is signed, versioned and reproducible from its inputs; every agent run is logged; every output cites its source. When we ship an agent to a client, it is an agent we would ship to a regulator, because we run the same agents on ourselves.