AI in the OSPO: Automating Open Source Risk Management | Mark Paulsen

Video by FINOS via YouTube
Mark Paulsen (Head of the Open Source Program Office at TD Bank) and Harry Toor explore how financial institutions can leverage generative AI and machine-readable policies to automate OSPO risk management. They deliver a live demonstration showing how AI can pinpoint compliance red flags, end-of-life dependencies, and licensing conflicts in seconds.

🇬🇧 Join us in London! Catch the latest on OSPO Strategy and Risk Management at OSFF London on June 25, 2026: https://hubs.ly/Q041YV9Z0 (Use Code: 26YTOSFFLN20C)

🕒 Timestamps:
0:00 Introduction: Managing OSPO Risk via AI
0:59 TD Bank’s Scale and Open Source Footprint
1:30 Three Key Questions: OSPO, Risks, and AI
1:44 What is an OSPO? Right-Sized Governance
2:31 Understanding Complex Corporate Software Risks
3:07 Leveraging Open Sourced Corporate Policies
3:45 Ingress, Egress, and Internal Control Points
4:45 How AI Comprehends and Problem-Solves Policy
5:37 Inside Control Point: SBoM and Dependency Decisions
6:25 Egress Control Point: Automated Code and Contribution Reviews
7:10 License Classification and Sheldon Cooper’s Dilemma
7:55 Practical Step: Translating Bank Policies into Machine-Readable Formats
10:12 Live Demo: Appeasing the Demo Gods
11:06 Live Walkthrough: Reviewing Open Source Licenses with AI
13:35 Analyzing the Output: Red Flags and Archived Repositories
15:00 Case Study: Camunda 7 and the End-of-Life Tracking Problem
16:57 Audience Q&A: Overcoming AI Hallucinations via Human-in-the-Loop Architecture

📊 The Problem: The Manual License Review Bottleneck
Open source software is inside every modern bank, whether leadership realizes it or not. However, managing compliance at banking scale involves handling massive volumes of Software Bills of Materials (SBOMs), complex license classifications, and security reviews. Relying purely on manual checks means multiple cross-departmental alignment sessions with compliance, legal, and cybersecurity, which drastically slows down engineering velocity.

🏗️ The Solution: Machine-Readable Policies & Automated Reviews
Mark Paulsen demonstrates how to apply generative AI to bridge the gap between high-level policy and automated execution:
* The Three-Point Framework: Constructing specialized AI automated guardrails at the three critical bank touchpoints: Ingress (code entering), Egress (contributions going out), and Internal (code already inside).
* Machine-Readable Taxonomy: Converting prose-heavy legal text into structured formats (like JSON) that LLMs can accurately parse against external open-source codebases.
* Automated Risk Triaging: Giving AI clear policy guidance to automatically highlight critical non-compliance indicators, such as unmaintained or archived GitHub repositories.

⚙️ Why This Matters for Financial Engineering
* Deterministic Audit Trails: By forcing the AI to output its explicit rationale alongside its decision, banks generate a clear, documented audit trail that satisfies internal risk and regulatory compliance bodies.
* Superpowered Efficiencies: Moving from weeks of review meetings to a multi-second initial screening allows risk teams to focus exclusively on highly nuanced edge cases.
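As an added illustration of the machine-readable taxonomy, red-flag triage and rationale-bearing audit trail described above (example code, not from the talk, TD Bank or FINOS): a constructed JSON policy for the ingress control point is evaluated against constructed SBOM components by a plain rule check, standing in for the LLM step so every decision carries a reproducible reason. The license classes, decisions, component names and the archived/end_of_life fields are assumptions for the example.

```python
import json

# Constructed example: a machine-readable version of a prose license policy for
# the ingress control point. Classes, decisions and flags are illustrative only
# and are not TD Bank's or FINOS's actual policy.
POLICY = json.loads("""{
  "control_point": "ingress",
  "license_classes": {
    "permissive": ["MIT", "Apache-2.0", "BSD-3-Clause"],
    "weak_copyleft": ["LGPL-2.1-only", "MPL-2.0"],
    "strong_copyleft": ["GPL-3.0-only", "AGPL-3.0-only"]
  },
  "decisions": {"permissive": "approve", "weak_copyleft": "review",
                "strong_copyleft": "reject", "unclassified": "review"},
  "red_flags": {"archived": "review", "end_of_life": "review"}
}""")

# Decisions only escalate: a red flag turns approve into review, never reject into review.
SEVERITY = {"approve": 0, "review": 1, "reject": 2}

# Constructed SBOM components; the boolean fields stand in for metadata a
# real pipeline would pull from the package registry or repository host.
SBOM_COMPONENTS = [
    {"name": "string-utils", "license": "MIT", "archived": True},
    {"name": "workflow-engine", "license": "Apache-2.0", "end_of_life": True},
    {"name": "network-lib", "license": "AGPL-3.0-only"},
    {"name": "vendor-sdk", "license": "Custom-Commercial"},
]

def classify_license(policy, license_id):
    """Map an SPDX-style identifier to its policy class, or 'unclassified'."""
    classes = policy["license_classes"].items()
    return next((c for c, ids in classes if license_id in ids), "unclassified")

def evaluate_component(policy, component):
    """Return a decision plus the explicit rationale that forms the audit trail."""
    cls = classify_license(policy, component["license"])
    decision = policy["decisions"][cls]
    rationale = [f"license {component['license']} is {cls} -> {decision}"]
    for flag, action in policy["red_flags"].items():
        if component.get(flag):
            rationale.append(f"red flag: {flag} -> {action}")
            if SEVERITY[action] > SEVERITY[decision]:
                decision = action
    return {"name": component["name"], "decision": decision, "rationale": rationale}

def screen_sbom(policy, components):
    """First-pass screening: every component gets a decision and a written reason."""
    return [evaluate_component(policy, c) for c in components]
```

Anything that lands in "review" is what the human-in-the-loop step in the Q&A is for; the rationale list is what gets filed alongside the decision.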

🌐 More about FINOS: https://www.finos.org/
📧 Join our newsletter: https://www.finos.org/sign-up
🎙️ Listen to our Open Source in Finance Podcast: https://www.youtube.com/@FINOS/podcasts
LinkedIn: https://www.linkedin.com/company/finosfoundation

#FINOS #OSFFToronto #TDBank #OSPO #RiskManagement #OpenSource #OpenAI #FinTech #AICompliance #DevSecOps