
AI Risk by the Numbers: What Canadian FinServ, Energy, and Healthcare Leaders Need to See Before 2027

Gurinder Singh Mann

Canada's AI adoption rate sits at 12%. The federal government wants it at 60% by 2034. Meanwhile, in financial services, 70% of institutions expect to be running AI models by the end of 2026. The national number and the sector number describe two different countries.

For Canadian regulated industries, the concern is that regulatory guidance meant to govern AI is arriving on different timelines for different sectors. Financial services has binding deadlines less than a year away. Energy has almost nothing AI-specific on the books. Healthcare sits somewhere in between. And the omnibus federal AI law that was supposed to cover everyone died on the Order Paper in January 2025.

This post maps where AI risk actually concentrates across Canadian financial services, energy and cleantech, and healthcare, using published data, regulatory timelines, and what we're seeing in practice. Each section is written for the leaders in that sector. The cross-cutting patterns at the end apply to all three.

The adoption picture

Statistics Canada reports that 12.2% of Canadian firms used AI to produce goods or deliver services in 2025, double the rate from the prior year. An additional 14.5% planned to adopt within 12 months. The Canadian Federation of Independent Business puts GenAI usage higher at 45% nationally, rising with firm size. PM Carney's "AI for All" strategy, launched June 4, 2026, targets $200 billion in additional economic growth and an increase in AI adoption to 60% by 2034.

These are national averages. They obscure what's happening inside regulated industries.

In financial services, OSFI and FCAC surveyed federally regulated financial institutions and found AI use rose from 30% in 2019 to 50% in 2023. Seventy percent of respondents expected to use AI models by 2026. 75% planned to invest in AI over the next three years. The use cases are not experimental. Institutions are deploying AI in underwriting, claims management, algorithmic trading, and compliance monitoring.

In energy and healthcare, comparable sector-specific adoption data doesn't exist. That absence is itself informative. It means the sectors are adopting AI without the baseline measurement that would let regulators, boards, or the public track what's happening and how fast.

The other thing the adoption numbers don't capture is what kind of AI is being adopted. A customer service chatbot and an ML model making credit decisions both count as "AI adoption." Their risk profiles have almost nothing in common. For regulated industries, the type of adoption determines the regulatory exposure, and the aggregate numbers don't distinguish.

Financial services: the most regulated, the most exposed

Financial services is the sector with the clearest regulatory picture and the tightest deadlines. Two binding instruments take effect on the same day.

OSFI Guideline E-23 was published September 11, 2025 and takes effect May 1, 2027. It replaces the 2017 version (which only applied to deposit-taking institutions) and now covers all federally regulated financial institutions: banks, foreign bank branches, life and P&C insurers, trust and loan companies. It explicitly includes AI and ML models in its definition of "model." Key requirements include an enterprise-wide model risk management framework, a comprehensive model inventory, risk-based classification using both quantitative and qualitative factors, lifecycle management from design through decommissioning, and oversight of third-party models (cross-referencing Guideline B-10).

Quebec's AMF AI Guideline was finalized April 7, 2026 after public consultation. It also takes effect May 1, 2027. It is the first AI guideline from a provincial financial regulator, applying to authorized insurers, financial services cooperatives, trust companies, and deposit institutions. It goes further than E-23 in some areas: it requires a designated senior executive accountable for all AI systems, lists prohibited discriminatory factors and proxies for bias mitigation, and mandates privacy impact assessments under Quebec's Private Sector Act.

For institutions operating in Quebec, both apply. The operational requirement is to meet whichever standard is stricter on each point.

Eleven months before these deadlines, the governance gap is already visible. OSFI has stated it expects institutions to demonstrate "progress during the transition." The FIFAI II report, released in March 2026 after four workshops with over 170 participants, introduced the AGILE framework for AI risk management and flagged emerging risks from agentic AI, trading volatility, and third-party concentration. Canada's five largest banks and two insurers ranked among the top 15 globally for transparency of responsible AI activities in 2025, according to Evident Insights. That recognition applies to the largest institutions. It does not describe the mid-tier.

The threat landscape adds pressure from the other direction. Deepfake attacks have increased twentyfold over three years, a statistic cited by the Federal Reserve Board's Michael Barr at FIFAI II. The Canadian Centre for Cyber Security's Ransomware Threat Outlook 2025-2027 warns that AI is making attacks cheaper, faster, and harder to detect. Financial institutions are simultaneously adopting AI internally and facing AI-powered threats externally.

The CSA's Staff Notice 11-348 (December 2024) clarified that existing securities law applies to AI use by registrants, issuers, and marketplaces, with specific attention to "AI washing" in disclosure. FINTRAC expects AML AI systems to have model transparency, validation, auditability, and bias monitoring.

What a FinServ leader should take from this: The compliance deadline is May 2027, but the supervisory expectation is now. If you don't have a model inventory that includes AI and ML systems, that's the first gap to close. If you operate in Quebec, you have a dual-track compliance obligation that requires mapping both E-23 and the AMF Guideline against your current practices. Third-party AI models, including vendor-provided tools, fall within scope. The institutions treating this as a 2027 problem are already behind the curve OSFI has set.

Energy and cleantech: the regulatory gap nobody has named

There is no dedicated AI guidance from any Canadian energy regulator as of mid-2026. This is a genuine gap in the regulatory landscape.

What exists instead is a set of adjacent obligations that apply to AI without mentioning it by name.

Bill C-8 (reintroducing the former Bill C-26's Critical Cyber Systems Protection Act) would require federally regulated critical infrastructure operators, including interprovincial pipelines, power lines, and nuclear energy systems, to establish cybersecurity programs, report incidents to CSE, and comply with Cyber Security Directions. Penalties run up to $15 million. NERC CIP reliability standards are mandatory and enforceable across major provinces, though AI is not yet embedded in those standards. The Canada Energy Regulator, as a federal institution, is subject to the Treasury Board Directive on Automated Decision-Making.

Meanwhile, AI is entering the energy sector through multiple doors at once.

Grid operators are dealing with electricity demand from AI data centres on a scale they've never seen. AESO's CEO said Alberta has "never seen this level and volume of load connection requests." By September 2025, requests reached 20.7 GW against a roughly 12 GW peak system. AESO allocated its entire 1,200 MW interim large-load cap to two data centre projects near Edmonton. B.C. launched a competitive process in January 2026 to manage AI and data centre electricity demand. Ontario's IESO is further along operationally, with the BluWave-ai/Hydro Ottawa "EV Everywhere" pilot funded through its Grid Innovation Fund.

AI is also showing up in emissions monitoring. The federal government's enhanced methane regulations (December 2025) include a nationally consistent monitoring and reporting system with openness to real-time measurement technologies. AI-driven methane detection is a direct application. Canada ranks second globally on the Global Cleantech Innovation Index, with nine companies on the 2026 Global Cleantech 100. AI in cleantech R&D operates under net-zero accountability obligations (the Canadian Net-Zero Emissions Accountability Act targets net-zero by 2050 and a 75% oil and gas methane reduction by 2030) but without AI-specific guardrails.

The energy sector is simultaneously powering AI infrastructure and beginning to depend on AI for operations. The regulatory framework hasn't caught up to either reality.

What an energy or cleantech leader should take from this: The absence of AI-specific regulation does not mean absence of obligation. Cybersecurity requirements under CCSPA (once enacted), NERC CIP compliance, privacy law, and automated decision-making rules all apply to AI systems deployed in energy operations. The nearest hard action is CCSPA readiness: cybersecurity programs, incident reporting capability, and the governance to demonstrate compliance. Building an AI inventory now, before a regulator asks for one, is the lowest-cost way to prepare for whatever comes next.

Healthcare: where the device meets the data

Healthcare AI regulation in Canada splits along two lines: the device and the data. Health Canada governs the device. Provincial privacy law governs the data. Both are already enforceable, which puts healthcare ahead of energy in regulatory clarity, though the framework is fragmented.

Health Canada finalized its Pre-market Guidance for Machine Learning-Enabled Medical Devices in February 2025. AI clinical tools are regulated as Software as a Medical Device (SaMD) under the Medical Devices Regulations, classified Class I through IV using the IMDRF risk framework. The guidance requires manufacturers to explicitly disclose ML use, demonstrate safety and effectiveness across the lifecycle, adopt Good Machine Learning Practice (GMLP), and build Predetermined Change Control Plans (PCCPs) that pre-authorize planned algorithm changes. Post-market obligations include continuous performance monitoring and risk management updates for adaptive models.

The practical implication of this classification: an AI diagnostic tool that influences treatment decisions lands at the high end of the risk scale (Class III or IV). Health Canada hasn't adopted the EU AI Act's explicit risk-tier language, where certain healthcare AI could be classified as "high-risk" or even "unacceptable risk" depending on the application's severity and the degree of human oversight. But the SaMD Class III-IV requirements produce a similar practical effect for the most consequential devices. For Canadian healthcare leaders watching the EU framework evolve, that classification approach is worth understanding now, because it signals where international standards are heading and where Health Canada may follow.

On the data side, provincial health privacy law is already in force and applies directly when AI accesses, processes, or generates personal health information. Ontario's PHIPA, Alberta's Health Information Act, and equivalent provincial statutes govern health-information custodians. Ontario's Information and Privacy Commissioner has published AI-specific guidance for hospitals and custodians, including 2026 guidance on AI scribes that requires privacy impact assessments, data minimization, governance committees, vendor contracts, and breach notification protocols.

AI scribes, clinical decision support tools, and diagnostic aids are entering clinical workflows faster than governance frameworks can absorb them. The IPC's 2026 AI scribe guidance is a direct response to adoption outrunning oversight. Connected care legislation (Bill C-72, which would have mandated health-IT interoperability) died at prorogation. "AI for All" includes an AI health mission for diagnostics, patient care, and system efficiency, but that's strategy, not enforceable regulation.

What a healthcare leader should take from this: If your AI system touches patient data or clinical decisions, you are already regulated through SaMD classification, provincial health privacy law, and IPC guidance. The governance question is whether your internal practices reflect that. If you're deploying AI scribes or clinical decision support tools, the IPC's guidance on PIAs, data minimization, and vendor oversight is the operational standard. Waiting for a federal AI law to tell you what to do means ignoring the obligations you already have.

Cross-cutting: what the pattern reveals

Step back from the sector detail and four patterns emerge across all three industries.

The patchwork is the risk

Canada has no comprehensive AI statute in force. AIDA died when Parliament prorogued in January 2025. The Voluntary Code of Conduct, built on six principles including accountability, creates no legal obligations. A signatory can walk away, and nothing holds them to account. The irony that accountability is the code's first principle while the signatories themselves face zero accountability should not be lost on anyone relying on it.

AI Minister Evan Solomon has signaled new legislation is coming. "AI for All" commits to modernizing legislative frameworks. But until a successor bill is tabled and passed, AI governance in Canada runs on a patchwork of existing privacy law (PIPEDA, Law 25, PHIPA), human rights statutes, sector-specific regulator guidance, and voluntary codes. Each sector faces a different stack of obligations. Each province adds another layer. Quebec is consistently stricter and earlier than the federal baseline.

For organizations operating across sectors or provinces, the compliance burden compounds. The practical default is to operate to the highest applicable standard, which today is Quebec's Law 25 for privacy and automated-decision transparency, OSFI E-23 and the AMF Guideline for financial services AI governance, and Health Canada SaMD requirements for clinical AI.

Bias and data integrity are universal obligations

Every sector-specific framework requires some form of bias testing and data governance, whether it says "AI" in the title or not. OSFI E-23 requires it. The AMF Guideline lists prohibited discriminatory factors. Health Canada's GMLP expects it. The federal Directive on Automated Decision-Making mandates it for government systems. Human rights law makes bias liability strict: under Ontario (Human Rights Commission) v. Simpsons-Sears, a facially neutral policy with discriminatory effects engages the Code. Employers cannot shift liability to a software vendor.

For organizations using external AI systems (vendor models, foundation models, or third-party APIs), this means evaluating those systems for bias in your specific context, testing for data poisoning, and having a plan for when a model produces discriminatory or inaccurate outputs. The evaluation approach depends on the system. For an externally hosted LLM, it might mean adding contextual guardrails, testing outputs against your population's demographics, or maintaining a human review layer for high-stakes decisions. For some use cases, a purpose-built model trained on your own validated data is a lower-risk path than a general-purpose foundation model.

For internal models, the scrutiny falls on your training data. What populations are represented? What historical biases are encoded in the data? How will you detect drift over time? These are not abstract governance questions. They're the questions a regulator, a court, or a privacy commissioner will ask when something goes wrong.

Explainability arrives from every direction

Quebec's Law 25 requires explanation of exclusively automated decisions. OSFI E-23 expects model explainability. Health Canada expects transparency in ML-enabled devices. The federal Directive requires it for government automated decisions. The eXplainable AI (XAI) field is recognized globally as a feature of trustworthy AI deployment, and the EU's ethical guidelines frame it within three pillars: lawful, ethical, and robust AI systems.

The operational challenge is that explainability means different things in different contexts. A credit decision explanation for a consumer (required under Law 25 in Quebec) looks nothing like a model validation explanation for OSFI. A device transparency disclosure for Health Canada looks nothing like either. Organizations operating across sectors or jurisdictions need to build explainability capabilities that can produce different outputs for different audiences, from the same underlying system documentation.

The cyber threat multiplier

The Canadian Centre for Cyber Security's National Cyber Threat Assessment 2025-2026 identifies AI as amplifying cyber threats. Its Ransomware Threat Outlook 2025-2027, released January 2026, warns that ransomware actors are leveraging AI and cryptocurrency while developing new extortion tactics. Attacks are becoming cheaper to execute and harder to detect. Ransomware is the top cybercrime threat facing Canada's critical infrastructure, and the Cyber Centre assesses it will remain a significant threat for the next two years.

This affects all three sectors. Critical infrastructure (energy, healthcare, financial services) is specifically identified as a desirable target because of the pressure to restore services quickly. AI adoption that outpaces security architecture creates a compounding problem: the same AI capabilities that improve operations also expand the attack surface, while adversaries use AI to improve their own capabilities.

The CIREN (Critical Infrastructure Resilience and Escalated Threat Navigation) initiative, launched by the Cyber Centre in April 2026, is a response to this escalation. For regulated industries, the takeaway is that AI security cannot be treated as a separate workstream from AI adoption. They're the same program.

What the data says about what comes next

The regulatory trajectory is toward more obligations, not fewer. The successor AI bill is expected in 2026. "AI for All" commits to privacy modernization, an online safety regime, and expanding the Canadian AI Safety Institute's role. Provincial momentum continues: Ontario's EDSTA (Bill 194) is enacted, and Quebec's Innovation Council has recommended a dedicated AI law.

The practical baseline for any regulated Canadian organization is to operate as if AIDA-like rules already apply: maintain an AI inventory, implement risk-tiered governance, test for bias and explainability, ensure human-in-the-loop for high-stakes decisions, complete privacy impact assessments, and oversee third-party AI vendors. Every sector regulator is already asking for some version of this through existing authority.

The organizations building this foundation now will absorb new legislation as an incremental adjustment to an existing program. The organizations waiting for the law to be written will absorb it as a scramble.

For financial services leaders: Run a gap assessment against E-23 and, if you operate in Quebec, the AMF Guideline. The deadline is May 1, 2027. The expectation is demonstrable progress now.

For energy and cleantech leaders: Build an AI inventory and prepare for CCSPA obligations. The regulatory gap on AI won't last, and the cybersecurity requirements are coming regardless.

For healthcare leaders: Align ML device submissions with Health Canada's February 2025 guidance. For AI touching patient data, implement the IPC's governance recommendations on PIAs, data minimization, and vendor oversight.

The data across all three sectors points in the same direction. AI adoption is accelerating. Regulatory frameworks are tightening. The window to build governance proactively, before it becomes a compliance exercise, is the window we're in right now.


BluByte helps regulated Canadian organizations build secure AI foundations.


Sources and references consulted for this analysis:

  • Statistics Canada, "The Role of Complementary Capabilities in AI Adoption and Productivity" (April 2026)
  • PMO, "AI for All: Canada's National Artificial Intelligence Strategy" (June 4, 2026)
  • OSFI, Guideline E-23: Model Risk Management (September 11, 2025; effective May 1, 2027)
  • OSFI-FCAC, "AI Uses and Risks at Federally Regulated Financial Institutions" (September 24, 2024)
  • OSFI-GRI, FIFAI II Report: AGILE Framework (March 23, 2026)
  • AMF, AI Guideline (April 7, 2026; effective May 1, 2027)
  • CSA, Staff Notice 11-348 (December 5, 2024)
  • Health Canada, "Pre-market Guidance for Machine Learning-Enabled Medical Devices" (February 5, 2025)
  • Ontario IPC, AI Scribe Guidance (2026)
  • Canadian Centre for Cyber Security, National Cyber Threat Assessment 2025-2026 (October 2024)
  • Canadian Centre for Cyber Security, Ransomware Threat Outlook 2025-2027 (January 28, 2026)
  • Quebec Law 25 (automated-decision provisions in force September 22, 2023)
  • ISED, Voluntary Code of Conduct on Advanced Generative AI Systems (September 27, 2023)
  • AESO, Large Load Integration Program (June 4, 2025)
  • CFIB, "AI Adoption and Workforce Training Investment in Canada" (April 2026)