compliance · 8 min read

CSA 11-348 and AI Agents: Enforcement Evidence for Capital Markets Workflows

How CSA Staff Notice 11-348 on AI systems in capital markets maps to pre-execution evidence, approval binding, parameter controls, and fail-closed enforcement for AI agents.

Published 2026-04-30 · AI Syndicate

The practical CSA question is not whether a firm has an AI policy. It is whether the firm can prove how a specific AI agent action in a capital markets workflow was controlled before it affected a client, order, recommendation, report, marketplace system, or regulated record.

CSA Staff Notice and Consultation 11-348 is explicit about the frame: securities laws are technology-neutral, but different technology may require different actions to meet the same legal requirements. For AI agents, that means model lifecycle controls, testing, disclosure, explainability, and supervision all matter. They still do not automatically prove that policy was evaluated before an agent acted.

That is the enforcement evidence gap. A firm may have an AI inventory, a model review, a testing program, and a policy document. If the agent can still execute a client-impacting action without a pre-execution decision record, the firm has controls on paper but not proof at the execution boundary.

Source Scope

This mapping uses CSA Staff Notice and Consultation 11-348, Applicability of Canadian Securities Laws and the Use of Artificial Intelligence Systems in Capital Markets, published December 5, 2024.

The relevant sections are the overarching themes on technology-neutral securities regulation, AI system lifecycle, governance and oversight, explainability, disclosure, conflicts of interest, registrant systems of controls, outsourcing, advisers and dealers, trade execution, limited automated decisions, marketplaces, marketplace participants, and automated order systems.

This article does not treat CSA 11-348 as a new AI-specific rulebook. The notice says the guidance is based on existing securities laws and does not create or modify legal requirements. The useful mapping is narrower: when those existing obligations apply to an AI agent, what execution-layer evidence should a technology risk or platform engineering lead expect to produce?

Where Lifecycle Governance Ends

CSA 11-348 describes AI system lifecycle considerations: design, data and models, verification and validation, deployment, operation, and review. That lifecycle frame is necessary. It is not sufficient for agent execution.

Lifecycle governance can show that a system was planned, tested, validated, deployed, and reviewed. It can show that the firm considered risks, data quality, explainability, supply chain, and human oversight. It can also show that a model or workflow was approved for use.

It does not, by itself, prove that a specific agent action was authorized under the policy version in force at the moment of execution.

For a capital markets firm, that distinction matters whenever an AI agent can affect client records, KYC data, suitability inputs, trade execution, order routing, exception handling, reporting, or marketplace access. The lifecycle tells you the system was governed. The enforcement evidence chain tells you whether this action was governed before it ran.

Technology-Neutral Does Not Mean Evidence-Neutral

CSA 11-348 emphasizes that securities laws generally apply based on the activity conducted, not the technology used. That is the right starting point. If an AI agent supports trading, advice, KYC collection, client reporting, marketplace access, or records creation, the underlying securities-law expectation still attaches to the activity.

But technology-neutral does not mean evidence-neutral.

A human decision can be evidenced through notes, approvals, records, and accountable supervision. A rules-based algorithm can often be explained through its deterministic rule set. An AI agent needs an execution-layer record that binds the request, model or agent context, policy decision, parameters, approval, and outcome.

Without that record, the firm may know the activity was regulated, but it cannot prove how the AI-mediated action satisfied the relevant control before execution.

Mapping CSA Themes to Evidence Artifacts

AI governance and oversight. CSA 11-348 expects policies and procedures to account for the features and risks of AI systems. For AI agents, the evidence artifact is the policy version evaluated at execution time, plus the workflow definition and agent identity bound to the action.

Testing before and after adoption. CSA 11-348 repeatedly points to testing, validation, and review. For AI agents, the evidence artifact is not only a test report. It is observed fail-closed behavior: DENY records for missing approval, policy misses, expired approvals, malformed parameters, unavailable services, and direct access attempts.

Human-in-the-loop. The notice describes human involvement where humans can effectively review input or output before use. For AI agents, the evidence artifact is the approval envelope: who approved the action, which parameters were approved, how long the approval was valid, and whether the executed parameters matched.

Explainability. CSA 11-348 connects explainability to transparency, accountability, recordkeeping, and auditability. For AI agents, explainability must include the decision record: what inputs were considered, what policy evaluated them, what decision was produced, and what action followed.

Registrant systems of controls. Registered firms must maintain controls and supervision reasonably designed to support compliance. For AI agents, the evidence artifact is the enforcement boundary: the agent cannot reach the client record, order workflow, reporting path, or execution endpoint unless the pre-execution policy decision permits it.

Records demonstrating compliance. CSA 11-348 notes that registered firms must maintain records demonstrating compliance, including KYC and suitability contexts. For AI agents, the evidence artifact is parameter binding: the exact KYC field, suitability input, trade parameter, client attribute, or recommendation input evaluated before execution.

Outsourcing and third-party systems. The notice reminds registrants that they remain responsible and accountable for outsourced functions. For AI agents, the evidence artifact is the infrastructure reliance boundary: the vendor or enforcement layer may produce verifiable evidence, but the regulated entity remains responsible for reviewing and retaining it.

Trade execution. CSA 11-348 recognizes AI uses in trade execution and direct market access contexts. For AI agents, the evidence artifact is the pre-execution decision record that shows the action did not compromise a bounded trading control, client instruction, market access policy, or manipulation-prevention rule.

Limited automated decisions. CSA 11-348 treats automated decisions with human oversight and narrow constraints as a distinct area. For AI agents, the evidence artifact is the constraint set: the exact bounds the agent was allowed to operate within, the action denied when it moved outside those bounds, and the human approval required when the action exceeded them.

Marketplace participants and automated order systems. CSA 11-348 maps AI use to NI 21-101, NI 23-101, and NI 23-103 expectations around supervisory controls, marketplace access, order entry, testing, reliability, security, and business continuity. For AI agents, the evidence artifact is the access-control and order-path record: the agent's authority, allowed destination, parameter envelope, pre-execution validation, and ability to terminate or deny access when required.

The Evidence Chain a CSA Reviewer Can Test

For a CSA 11-348 review of AI agents in capital markets workflows, the evidence chain should include:

System and workflow lineage: agent identifier, workflow definition version, model or provider selection, tool definition, and deployment state.

Actor and authority: human actor, service identity, delegated authority, approver identity, and any role or desk on whose behalf the agent acted.

Input and parameter record: client record, KYC field, trade parameter, order context, recommendation input, reporting field, or marketplace access parameter presented to the agent.

Policy decision: policy version, rule identifier, outcome, reason, denial state, and required approval status.

Approval envelope: bounded action, bounded parameters, approver identity, issue time, expiry time, validity window, and signature or equivalent integrity marker.

Execution comparison: approved parameters, executed parameters, and any declared deterministic narrowing rule.

Failure behavior: denied requests, expired approvals, replay attempts, service unavailability, signature mismatch, malformed input, direct access rejection, and bypass attempts.

Continuity and verification: stable identifiers, ordering, request hashes, previous-hash or equivalent tamper-evidence, and exportable records an internal reviewer can inspect without operator mediation.

The point is not to create a larger compliance archive. The point is to preserve the attributable chain proving policy was evaluated before execution.
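To make that chain concrete, here is an added example in Python; it is not code from the article or from any product the article describes. It models a pre-execution enforcement boundary for one agent action: the approval envelope is HMAC-signed by the approver and checked for integrity, replay, validity window, action match and parameter bounds; every outcome, ALLOW or DENY, is written as a decision record into a hash-chained ledger that a reviewer can verify without operator mediation. The policy version, approver key, agent and account identifiers, the deterministic narrowing rule (executed quantity may be at or below the approved quantity) and all timestamps are constructed assumptions. The same block illustrates the fail-closed DENY records and the approval-envelope comparison discussed earlier in the mapping section.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed values for illustration; a real deployment would hold the approver
# key in a KMS/HSM and take the policy version from the policy service.
APPROVER_KEY = b"constructed-demo-key-not-for-production"
POLICY_VERSION = "trade-policy-v7"


def canonical(obj) -> str:
    """Deterministic JSON so signatures and record hashes are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"))


def sign_envelope(body: dict) -> dict:
    """Approver issues a bounded approval: action, parameter bounds, validity window."""
    sig = hmac.new(APPROVER_KEY, canonical(body).encode(), hashlib.sha256).hexdigest()
    return {**body, "signature": sig}


def within_bounds(executed: dict, approved: dict) -> bool:
    """Executed parameters must equal the approved ones, except for the declared
    narrowing rule: quantity may be lowered but never raised."""
    if set(executed) != set(approved):
        return False
    for key, approved_value in approved.items():
        if key == "quantity":
            if not (0 < executed[key] <= approved_value):
                return False
        elif executed[key] != approved_value:
            return False
    return True


class EnforcementBoundary:
    """Every agent action is decided here before it can reach an execution endpoint."""

    def __init__(self, policy_available: bool = True):
        self.ledger = []                          # hash-chained decision records
        self.used_nonces = set()                  # one approval, one execution
        self.policy_available = policy_available  # simulate policy service outage

    def decide(self, request: dict, envelope: Optional[dict], now: int) -> dict:
        outcome, reason = "DENY", "policy_service_unavailable"   # fail closed by default
        if self.policy_available and envelope is None:
            reason = "missing_approval"
        elif self.policy_available:
            body = {k: v for k, v in envelope.items() if k != "signature"}
            expected = hmac.new(APPROVER_KEY, canonical(body).encode(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, envelope.get("signature", "")):
                reason = "signature_mismatch"
            elif envelope["nonce"] in self.used_nonces:
                reason = "replay_attempt"
            elif not (envelope["issued_at"] <= now < envelope["expires_at"]):
                reason = "approval_expired"
            elif envelope["action"] != request["action"]:
                reason = "action_mismatch"
            elif not within_bounds(request["params"], envelope["params"]):
                reason = "parameter_mismatch"
            else:
                outcome, reason = "ALLOW", "approved_within_bounds"
                self.used_nonces.add(envelope["nonce"])
        return self._record(request, envelope, now, outcome, reason)

    def _record(self, request, envelope, now, outcome, reason) -> dict:
        prev_hash = self.ledger[-1]["record_hash"] if self.ledger else "0" * 64
        record = {
            "seq": len(self.ledger),
            "agent_id": request["agent_id"],
            "actor": request["actor"],
            "policy_version": POLICY_VERSION,
            "request_hash": hashlib.sha256(canonical(request).encode()).hexdigest(),
            "approver": envelope["approver"] if envelope else None,
            "approved_params": envelope["params"] if envelope else None,
            "executed_params": request["params"] if outcome == "ALLOW" else None,
            "decision": outcome,
            "reason": reason,
            "decided_at": now,
            "prev_hash": prev_hash,
        }
        record["record_hash"] = hashlib.sha256(canonical(record).encode()).hexdigest()
        self.ledger.append(record)
        return record


def verify_ledger(ledger: list) -> bool:
    """Reviewer-side check: recompute each record hash and the prev-hash linkage."""
    prev = "0" * 64
    for i, rec in enumerate(ledger):
        body = {k: v for k, v in rec.items() if k != "record_hash"}
        if rec["seq"] != i or rec["prev_hash"] != prev:
            return False
        if hashlib.sha256(canonical(body).encode()).hexdigest() != rec["record_hash"]:
            return False
        prev = rec["record_hash"]
    return True


def run_demo():
    """Constructed scenario: one bounded approval, then six agent attempts against it."""
    boundary = EnforcementBoundary()
    approval = sign_envelope({
        "nonce": "appr-0001", "approver": "desk-supervisor-1", "action": "place_order",
        "params": {"account": "ACC-123", "symbol": "XYZ", "side": "buy", "quantity": 100},
        "issued_at": 1000, "expires_at": 1600,
    })
    base = {"agent_id": "agent-7", "actor": "svc-order-agent", "action": "place_order"}
    p = approval["params"]
    attempts = [
        ({**base, "params": p}, None, 1100),                               # no approval
        ({**base, "params": {**p, "quantity": 500}}, approval, 1100),      # above bound
        ({**base, "params": {**p, "quantity": 80}}, approval, 1100),       # narrowed, ok
        ({**base, "params": {**p, "quantity": 10}}, approval, 1200),       # replayed
        ({**base, "params": p}, {**approval, "nonce": "appr-0002"}, 1200), # tampered
        ({**base, "params": p}, sign_envelope({**{k: v for k, v in approval.items()
                                                 if k != "signature"}, "nonce": "appr-0003"}), 2000),  # expired
    ]
    results = [boundary.decide(req, env, now) for req, env, now in attempts]
    return [(r["decision"], r["reason"]) for r in results], boundary.ledger


if __name__ == "__main__":
    decisions, ledger = run_demo()
    for d in decisions:
        print(d)
    print("ledger verifies:", verify_ledger(ledger))
```

The order of checks in `decide` is deliberate: integrity first, so a tampered envelope is never interpreted; then replay, expiry, action and parameter binding. Only an ALLOW consumes the nonce, so a denied attempt does not burn the approval, and an outage of the policy service yields a DENY record rather than a silent pass-through, which is the fail-closed behavior the notice's testing expectation should observe.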

What Enforcement Evidence Does Not Prove

Enforcement evidence does not prove that a recommendation was suitable, that a conflict was fully addressed, that disclosure was legally complete, or that a trade was compliant with every applicable securities-law requirement. Those remain legal, compliance, supervisory, and business determinations.

Enforcement evidence does not prove model output correctness. It proves the action path: what was requested, what policy evaluated, what was approved, what parameters were bound, and what ran or was denied.

Enforcement evidence does not replace CSA 11-348 lifecycle work. Firms still need lifecycle governance, testing, validation, explainability analysis, disclosure review, conflicts review, outsourcing diligence, and supervisory procedures appropriate to the activity.

Enforcement evidence does not cover paths outside the enforcement boundary. If a desk, vendor tool, integration, administrator, or direct provider route can change workflow state without passing through the boundary, that path remains outside the claim.

Enforcement evidence is not a legal opinion. It is a control artifact that shows what happened before execution and whether the system denied action when required conditions were absent.

The Internal Review Question

For a capital markets technology risk team, the CSA 11-348 question can be made operational:

For each AI agent workflow touching client information, KYC, suitability inputs, trade execution, marketplace access, reporting, or records, can the firm export evidence that policy was evaluated before the action ran, with actor identity, approval binding, parameter comparison, and fail-closed denial behavior?

If the answer depends on a model inventory, a test report, a dashboard, or a later explanation, the firm has lifecycle material but not execution proof.

If the answer includes an independently verifiable enforcement evidence chain, the firm can connect CSA's AI lifecycle and supervision expectations to a control a reviewer can actually test.

Frequently asked questions

Does CSA Staff Notice 11-348 create new AI rules?

No. CSA 11-348 states that it is based on existing securities laws and does not create or modify legal requirements. It explains how existing obligations apply when market participants use AI systems in capital markets.

How does CSA 11-348 map to AI agent enforcement evidence?

CSA 11-348 frames lifecycle governance, testing, explainability, disclosure, supervision, and records. AI agent enforcement evidence supplies the execution-layer proof that a specific action was policy-evaluated, parameter-bound, and approved before it ran.

Is explainability enough for AI agent compliance?

No. Explainability helps a firm understand an AI output. Enforcement evidence proves the separate execution question: whether the action produced from that output was authorized under the policy version in force before execution.

How should human-in-the-loop controls be evidenced?

The evidence should be an approval envelope: approver identity, bounded action, bounded parameters, validity window, issue time, expiry time, and comparison between approved and executed parameters.

What does enforcement evidence not prove under CSA 11-348?

It does not prove suitability, legal sufficiency, model correctness, full disclosure compliance, or conflict resolution. It proves the narrower control artifact: what was requested, which policy evaluated it, what was approved, what ran, and what was denied before execution.

Key takeaway: CSA Staff Notice and Consultation 11-348 applies existing securities law expectations to AI systems in capital markets. For AI agents, the evidence question is whether the specific action was policy-evaluated before execution.
