AI Governance Is a Board-Level Issue — Not an IT Problem
The Scenario No Board Wants to Face
An OSFI examiner is reviewing your bank’s AI-enabled fraud detection model, one that has been influencing payment holds, card declines, and account-review decisions for two years. The model has improved loss prevention, but its false-positive patterns have begun to affect certain customer segments and channels in ways that raise model risk, operational resilience, conduct, and accountability questions. The examiner asks the board chair what governance was in place when the model was approved.
The chair defers to the Chief Information Officer. The CIO defers to fraud operations and model risk. Fraud operations has performance dashboards. Model risk has documentation. But the board never saw a consolidated view of the model’s materiality, customer impact, risk appetite, escalation thresholds, or accountability structure.
That conversation is becoming more likely. The question is whether the institution has it proactively, through board-level AI governance, or reactively, during supervisory review. OSFI and FCAC list fraud detection among the top AI use cases at financial institutions, and OSFI's 2026–2027 Annual Risk Outlook says it will continue to assess the implications of AI for fraud, model, cyber, money laundering, and third-party risks.
Three Converging Signals Make 2026 the Inflection Point
Canadian financial institutions have been adopting AI for years. According to a September 2024 joint assessment by OSFI and FCAC [1], AI use among federally regulated financial institutions grew from approximately 30% in 2019 to 50% in 2023, with 70% expected by 2026. What has not kept pace is governance.
What makes today different is that regulators are no longer issuing principles and waiting. OSFI Guideline B-13 [2] is already in force. It is not an AI-specific guideline, but it sets expectations for technology and cyber risk governance, accountability, risk appetite, resilience, architecture, incident management, and the management of emerging threats and technologies. Those expectations become highly relevant when AI is embedded in business processes, customer decisioning, fraud detection, or operational resilience.
OSFI Guideline E-23 [3], the updated Model Risk Management guideline effective May 1, 2027, goes further. It explicitly brings AI and machine learning into the model-risk perimeter and places responsibility on senior management to define enterprise-wide model risk accountabilities, ensure qualified personnel for novel technologies such as AI, and ensure appropriate model risk reporting to the board. That makes board-level visibility and challenge unavoidable, even if management owns execution.
OSFI has also moved accountability higher on the agenda through its January 2026 consultation on a proposed Senior Leader Regime. The proposal covers board members and senior management and emphasizes responsibility mapping, effective oversight, and answerability for decisions, conduct, and outcomes. In parallel, OSFI's 2026–2027 Annual Risk Outlook confirms that AI remains part of its supervisory attention, including its implications for model, cyber, fraud, money laundering, and third-party risks [4].
The Governance Gap Most Institutions Are Carrying
The structural problem at most Canadian financial institutions is not a lack of governance effort. It is a misalignment of where that effort sits.
AI governance today typically lives one to three levels below the board: in technology risk, model risk management, or second-line compliance. These functions do important work. But when AI is influencing credit decisions, insurance underwriting, fraud detection, and customer interaction at scale, oversight cannot stop at the VP level.
KPMG Canada's February 2026 survey [5] tells the story plainly: while more than 90% of Canadian financial services leaders view generative AI as critical to competitive advantage and 89% report leadership clarity on their GenAI roadmap, few organizations have mature governance frameworks in place. Thirty percent cite data quality as a major barrier, which is a foundational governance issue, not a technology one.
The gap is structural. Boards have approved AI strategies without approving AI risk appetite. Risk committees have received model validation reports without establishing materiality thresholds. Audit committees have reviewed cyber risk without asking which AI models are in scope. The result is an accountability vacuum, one that the updated E-23 and the proposed Senior Leader Regime are designed to close from the outside if institutions do not close it themselves.
What Board-Level AI Governance Actually Looks Like
Board-level AI governance is an accountability architecture, not a committee or a policy document. Three elements define the minimum structure:
- An AI risk appetite statement: a board-level declaration of where AI risk is acceptable and where it is not, expressed in the same language as credit risk appetite or capital adequacy thresholds;
- A board-level view of material AI models, derived from the enterprise AI/model inventory. Not every model, but the ones affecting customer outcomes, financial exposure, regulatory obligations, pricing, underwriting, fraud detection, or critical operations;
- Defined escalation paths, so the board is informed when a material model behaves unexpectedly, before a regulator is.
What the Board Owns — and What It Delegates
Boards do not need to understand technology architecture or statistical validation methodologies. They do need to establish the governance conditions under which AI operates at their institution. The distinction matters.
Board-level ownership means: setting AI risk appetite, reviewing material model exposure, understanding the institution's obligations (for example, under B-13 and E-23), and holding management accountable for the governance structure that executes on those obligations.
The March 2026 FIFAI II report, sponsored by OSFI, GRI, and other public-sector stakeholders, is not regulatory guidance, but it is a useful sector reference point. Its AGILE Framework [6] frames 'Awareness' as a foundational capability: board and senior-management AI literacy, horizon scanning, and risk-management readiness. For boards, this reinforces a practical governance point: AI literacy is not a training event; it is a structural capability that determines whether directors can ask the right questions, demand the right reporting, and recognize early warning signals.
- What the board can delegate: model validation, technical controls, internal audit execution, day-to-day monitoring;
- What it cannot delegate: the questions it asks, the risk appetite it sets, and the accountability it holds management to.
Five Steps to Start Now
- Establish an AI risk appetite statement. Embed it in the enterprise risk framework alongside credit, liquidity, and operational risk. This is a board instrument, not a policy document;
- Commission a regulatory gap assessment. Map your current governance posture against the updated E-23 and the in-force B-13 requirements. Lead with risk or compliance, not IT, and report findings directly to the audit or risk committee;
- Build an enterprise AI/model inventory owned by management, with a board-level view of material AI models. Define materiality criteria for models affecting customer outcomes, financial exposure, regulatory obligations, fraud detection, underwriting, pricing, or critical operations. Require periodic board reporting on material-model status, risk rating, validation, performance drift, incidents, exceptions, and remediation;
- Add AI governance to the board skills matrix. Address gaps through director development, committee education, or succession planning;
- Formalize a named AI accountability structure. Assign a senior accountable executive (a Chief AI Officer, Chief Risk Officer, Chief Data & Analytics Officer, or equivalent) with clearly defined decision rights, escalation obligations, and reporting requirements to senior management and the board. The title matters less than the accountability, authority, and visibility of the function.
The Window Is Closing
The institutions that establish board-level AI governance in 2026, before E-23 takes effect and before senior-leader accountability expectations mature, will be in a fundamentally different supervisory position than those that wait. Supervisory relationships, like credit ratings, are easier to build proactively than to repair after an incident.
FSTE advises clients to start with a governance assessment: map your current state against regulatory expectations, identify material gaps, and build an accountability structure that can withstand the scrutiny already underway.
The examiner’s question is coming. Make sure your board has the answer before it is asked.
References:
1. OSFI-FCAC AI Risk Report, September 2024.
2. OSFI Guideline B-13: Technology and Cyber Risk Management.
3. OSFI Guideline E-23: Model Risk Management, effective May 1, 2027.
4. OSFI Consultative Document: Proposed Senior Leader Regime, January 2026; OSFI Annual Risk Outlook, Fiscal Year 2026–2027.
5. KPMG Canada: Generative AI Adoption in Canadian Financial Services, February 2026.
6. FIFAI II: AI Risks and Opportunities — Adopting the AGILE Framework for Canadian Financial Services, March 2026.