Zendoric
← Back to the day · July 14, 2026

Canada regulates agentic AI in banking: when the supervisor puts a name to the risk (Claude Mythos included)

🕒 Published on Zendoric: July 14, 2026 · 00:03

OSFI, Canada's financial regulator, has published six practices to curb the risks of generative and agentic AI at banks and insurers. And according to an email revealed by Reuters, it went so far as to explicitly cite Anthropic's Claude Mythos when warning about cyber risks: the scrutiny now has a model's name.

By Wealth Professional / Reuters · July 13, 2026.

The Office of the Superintendent of Financial Institutions (OSFI), the regulator that oversees Canada's federal banks and insurers —and with them, much of the country's wealth management— has published a bulletin with six areas of "sound practices" to contain the risks of generative and agentic AI. It is not a new rule or a ban: these are measures institutions "may consider," but the underlying message is unmistakable. The problem is not that firms use AI, but that governance is falling behind what that AI is already capable of doing.

The bulletin is specific. On software, it warns that AI can write insecure code and that agentic tools can deploy it to production without anyone reviewing it; it calls for human validation before publishing. On access, it flags accounts with excessive privileges, shared credentials and the chaining of tools (where one automated step feeds the next) as data-leak channels, and recommends unique identities for each agent, least-privilege access and short-lived credentials. On cybersecurity it acknowledges that AI cuts both ways: it expands the attack surface —automated phishing, prompt injection, AI-written malware— but also gives defense teams faster detection tools. And it closes with resilience: since almost all institutions depend on a handful of AI providers, it warns of concentration risk and correlated failures across firms, and calls for mapping those dependencies, testing outage scenarios and maintaining manual alternatives. The principle running through the whole document is simple to state and hard to apply: treat AI output as an input for a decision, never as the decision itself, and always keep a person accountable for what is material.

What lifts this bulletin from regulatory routine to news is a detail that does not appear in the public text: according to an internal email revealed by Reuters, OSFI expressly cited Claude Mythos, Anthropic's model, when warning banks about cyber risks. This is not an accusation of misuse or a vulnerability attributed to the product —the bulletin itself is provider-agnostic— but a concrete case used internally to illustrate the extent to which a frontier model can become the de facto reference point when a supervisor has to explain risk using real names rather than abstract categories.

In general, this kind of "sound practices" bulletin is the mechanism prudential regulators use when they want to shift industry behavior without legislating just yet: they build on existing frameworks (here, the B-13 guidelines on technology risk, E-21 on operational risk and B-10 on outsourcing, plus E-23 on model risk) and add specific layers for what is new. It is the same logic we have already seen in other financial supervisors that are beginning to treat agentic AI not as a productivity tool but as a piece of critical infrastructure with concentrated providers: when four or five labs train the models that end up feeding half of a country's banking system, the risk of a failure or a vulnerability is no longer a single firm's, it is systemic.

Our reading is that this bulletin confirms a trend we have been pointing to: the conversation about AI risk has shifted from the model in the abstract ("is superintelligence dangerous?") to the concrete supply chain (who can access what, with which credentials, and what happens if the provider goes down or its model hallucinates at the wrong moment?). It is a real short-term risk, not a speculative exercise: an agent with excessive access that pushes code to production, or that acts on a hallucination without anyone reviewing it, does not need to be "superintelligent" to cause operational damage or leak sensitive data. That the supervisor has to name a specific model in an internal email, even if only as a teaching example, is proof that the distance between "frontier technology" and "critical piece of the financial system" has already closed, and that governance —identities for agents, least privilege, provider-dependency maps— is the line of defense to build today while that gap is being closed. In the long run, the same agentic AI that today demands these controls is the one that can free analysts and managers from administrative tasks to focus on judgment and client relationships; but that productivity leap will only be sustainable if the banking sector learns, starting with episodes like this one, to treat its AI models with the same rigor it applies to any other system on which the country's financial stability depends.

🔗 Related on Zendoric

Sources & references