Compliance · White paper

OSFI E-23 Enterprise Readiness

A practitioner blueprint for the 17-field model inventory, principle-mapped controls, and the artifact set your supervisor will read before the May 1, 2027 enforcement date.

Published: April 24, 2026
Length: 52 pages · PDF
Format: Regulator-readable · cited
Language: English (en-CA)

Abstract

What this paper is for.

OSFI Guideline E-23 takes effect May 1, 2027. It applies to every federally regulated financial institution deploying models, from traditional statistical models to generative and agentic AI. This paper walks through the full enterprise stand-up: scope determination, Appendix A inventory, tiering, the six principles mapped to operating controls, validation cadence, ongoing monitoring, and the artifact set we produce under a compliance-agent-assisted engagement.

Key findings

The takeaways our research desk stands behind.

  • The 17-field Appendix A inventory is the single artifact regulators will read first.
  • Material risk tiering drives validation depth. Most programs over-invest in low-tier models and under-invest in high-tier generative systems.
  • Agentic AI requires a distinct control layer: agent cards, action budgets, kill switches. The guideline implicitly expects it.
  • Monitoring cadence must be linked to tier, not a fixed interval.
  • Issues management under Principle 5 is the most common examination finding.

Table of contents

What is inside.

  1. Executive summary
  2. Scope and applicability
  3. The Appendix A model inventory, field by field
  4. Material risk tiering methodology
  5. Principle 1: Model risk management framework
  6. Principle 2: Model risk lifecycle and ownership
  7. Principle 3: Independent model validation
  8. Principle 4: Model risk monitoring
  9. Principle 5: Issues management and remediation
  10. Principle 6: Governance and oversight
  11. Integrating generative and agentic AI
  12. Cross-walk to SR 11-7, Federal Reserve and OCC MRM guidance, ISO 42001
  13. Compliance agent assisted stand-up
  14. Artifact pack contents
  15. Appendix: sample control library extract

Frameworks covered

Regulator and standards reach.

Intended audience

Chief Risk Officers, 2LOD Model Risk leaders, Chief Compliance Officers, AI product owners inside FRFIs.