OSFI E-23: The Guideline That Brings AI and Model Risk Together
OSFI’s Guideline E-23 is here. Most banks see it as a compliance requirement.
In practice, it is doing something bigger. It is forcing model risk management and AI governance into the same conversation.
For years, these ran separately. Model risk teams focused on validation, documentation, and audit readiness. AI governance teams focused on transparency, ethics, and emerging GenAI risks.
E-23 signals that regulators now expect consistent oversight across all models. AI is no longer a side effort. It sits inside the broader risk framework.
Two Viable Paths to E-23 Compliance
Banks are generally taking one of two approaches.
Some are integrating AI governance into existing MRM frameworks, treating GenAI as another model class governed through the same lifecycle and controls.
Others are building AI governance programs separately, with dedicated teams and specialized oversight.
Both approaches can work. Regulators are not prescribing a single structure. What matters is that governance is clear, consistent, and operational.
Unified Governance
A unified model can reduce duplication and create a single source of accountability. One inventory, one validation standard, one governance story.
The tradeoff is speed. Traditional MRM processes were not built for the pace of GenAI. Without modernization, unified governance can become overly rigid.
Separate AI Governance
A separate model can move faster and provide deeper focus on GenAI-specific risks.
The tradeoff is fragmentation. Multiple inventories, inconsistent controls, and unclear ownership can emerge over time, especially as AI scales across the enterprise.
There is no universal answer. The right approach to E-23 compliance depends on institutional maturity, culture, and how quickly AI adoption is accelerating.
Opportunity to Automate
E-23 is arriving quickly, but it also creates leverage.
Many institutions are still relying on manual workflows, disconnected tools, and siloed governance. AI is exposing those limits.
E-23 gives banks a reason to modernize, not just comply, by building governance that is scalable, repeatable, and embedded into how models are actually developed and monitored.
What to Focus On Now
Regardless of structure, most banks are prioritizing a few outcomes:
- A reliable inventory of models and AI use cases tied to accountability.
- Validation processes that scale as demand increases.
- Controls that are not only documented, but demonstrably operating.
Related: Get to know the ValidMind tools designed to help ease E-23 compliance
Closing Thoughts on E-23 Compliance Strategies
E-23 reflects a broader shift. Model risk management and AI governance are converging into one enterprise discipline.
The question is not whether banks choose a unified or separate structure. Both can meet regulatory expectations.
The real question is whether governance will be built to scale with AI, or whether it will become the constraint that slows everything down.
E-23 is the moment to get that foundation right.
