Skip to main content
Agentica

Answer — AI Governance

Can one record serve both the AMF AI Guideline and OSFI E-23?

Yes — if it is structured to be read by both frameworks. The AMF’s AI guideline and OSFI’s Guideline E-23 come into force the same day, May 1, 2027, and each expects a maintained inventory: the AMF speaks of AIS, E-23 of models.

The May 1, 2027 double deadline

Two texts, two regulators, one date. The AMF’s guideline on the use of artificial intelligence (final since April 2026) covers Québec-authorized insurers, financial services cooperatives, trust companies, and authorized deposit institutions. OSFI’s Guideline E-23 on model risk management (final since September 2025) covers federally regulated financial institutions, and its definition of “model” explicitly includes AI/ML methods. Both take effect May 1, 2027.

An institution under both jurisdictions — or a group with entities on each side — therefore faces two vocabularies for one operational reality: its AI systems, their access, their risks, and their history.

What each text expects, in its own words

ExpectationAMFOSFI E-23
The object“artificial intelligence system (AIS)”“model” (including AI/ML)
The inventory“AIS inventory” / centralized inventorycomprehensive, accurate, evergreen model inventory
The ratingrisk rating, updated periodicallymodel risk rating
The follow-throughongoing monitoring, AIS lifecyclemodel lifecycle, robust controls

The correspondence is real, but it maps — it does not merge. Handing the AMF a federal-vocabulary “model inventory,” or handing OSFI an inventory of “AIS,” makes the reader do the translation. Each regulator needs to find its own words.

How does one base serve both?

The principle is Scoreable Proof: collect once, prove many. One underlying base — the living inventory of systems, their access, their ratings, their timestamped history — can produce, on demand, the AMF extract in the AMF’s vocabulary and the E-23 extract in OSFI’s. The same logic extends beyond the two guidelines: NIST’s official crosswalk between its AI Risk Management Framework and ISO/IEC 42001 shows that one documented inventory corresponds across frameworks — it substantiates a position under each of them, and never “satisfies” anything on its own.

Two conditions make that base credible: it must be maintained continuously (a record reconstructed before an examination demonstrates one day, not a practice), and it must be tamper-proof (evidence that can be rewritten is not evidence). That is what Agentica provides: continuous, immutable, hash-chained recording of your AI ecosystem under independent custody, from which each regulatory inventory is extracted rather than written. Starting in 2026 instead of 2027 has one simple consequence: by the first examination, the history already exists.

Sources