Your team is already using AI. The real question is whether you can see it, control where the data goes, and prove it when an examiner asks.
What FINRA and the SEC expect, what most firms are missing, and what to do about it.
At Future Proof Citywide in Miami, 86 AI companies competed for demo spots. Most financial advisors walked past them, not because they doubted the value, but because of compliance.
The data supports both sides. Three out of four advisors say AI already helps their practice; more than half use generative AI regularly for meeting notes, CRM updates, client prep, and drafting. The productivity case is settled. What gives advisors pause is the compliance side, and at the conference, they named it as the reason they've slowed adoption.
The 2025 IMCT survey of 577 investment adviser firms found that AI usage is now the leading compliance concern at 57%, surpassing the SEC marketing rule for the first time in three years.
"From a compliance standpoint, we need to know what exposures or risks are being generated."
Joe Haupert, Chief Business Officer, Credent Wealth Management
Hightower CEO Larry Restieri captured the sentiment: "I'm not in a huge rush. The technology is advancing so fast that in two months or so I might meet some other startup and see something even better." That's a defensible position. The problem is that employees aren't waiting.
Among firms that have formally adopted AI tools, 44% have no formal testing or validation of AI outputs. Shadow AI isn't a theoretical scenario. It's already running in most organizations. The more pressing question is whether the firm has any visibility into it.
Two recent developments matter. FINRA published its first standalone section on generative AI in the 2026 Annual Regulatory Oversight Report (released December 9, 2025, marked "NEW FOR 2026"). And the SEC embedded AI oversight into every examination category for FY2026, not just tech-focused firms. Every registrant.
There is no size carve-out. A 15-person RIA faces the same lines of inquiry as a firm with 500. The SEC stated directly that AI oversight is now "part of virtually all examinations," including firms that don't market AI capabilities.
The 2026 report cites Rules 3110 (Supervision), 2210 (Communications), 4511 (Recordkeeping), and Fair Dealing as directly implicated by GenAI. Seven expectations emerge.
Formal review and approval before GenAI tools are deployed.
Adapted to GenAI, not just traditional quantitative models.
For accuracy, reliability, privacy, and bias before tools go live.
Explicit: "storing prompt and output logs for accountability and troubleshooting; tracking which model version was used and when." Send client data into ChatGPT, and that interaction should have a documented record.
For AI-assisted decisions that affect clients.
Autonomous systems that plan and execute tasks require heightened scrutiny.
Firms should not overstate what their AI tools do.
The SEC charged Delphia ($225,000 penalty) and Global Predictions ($175,000 penalty) for misleading AI claims. In January 2026, another unregistered adviser was charged for fraudulent AI trading claims. The Cyber and Emerging Technologies Unit (CETU), created February 2025, specifically targets AI fraud. Enforcement is already active.
Smaller RIAs (under $1.5B AUM), broker-dealers, and investment companies must comply with amended Reg S-P by June 3, 2026. Larger firms were already required to comply by December 2025.
This intersects directly with AI governance. The amended rule requires a written incident response program to detect, respond to, and recover from unauthorized access to customer information, with client notification within 30 days of awareness.
If an employee pastes client portfolio information into an external AI tool, that's a data protection event under Reg S-P. The regulation draws no distinction between a human emailing client data to a personal account and pasting that same data into ChatGPT. The exposure is equivalent, and your incident response plan needs to reflect that.
Most firms have some version of an AI policy, a memo telling employees not to paste sensitive data into public AI tools. That's a reasonable starting point, but it isn't governance on its own.
Governance means being able to answer a specific question: what happened when a given employee used ChatGPT, at what time, with what data in the prompt. Was it reviewed, and is there a record? When those questions can't be answered confidently, the policy document offers limited protection.
The SEC's posture has shifted. In earlier years, a written policy often demonstrated sufficient good faith. In 2026, examiners want evidence that the policy is actually being followed: the controls, the logs, the review process, documentation of what happens when something is flagged.
It's no longer "do you have an AI policy?" It's "show me how that policy is being enforced." A policy without supporting records of implementation is unlikely to satisfy that inquiry.
This isn't primarily about employees doing something wrong. Most people using AI at work are trying to move faster. The concern is that those prompts often contain the firm's most sensitive data, and right now there's no record of where that data goes.
Governance that's operational produces evidence on its own. Each AI interaction is tied to a person, the sensitive fields are redacted before they leave the firm, and every row is signed, time-stamped, and routed to your archive, ready when an exam asks for it.
[Person_3] pasted a client portfolio into ChatGPT. Proxara matched five sensitive fields and redacted them before the request left the firm.
Concrete actions a compliance officer at a small or mid-sized RIA can work through in the near term, ordered by priority.
Inventory every AI tool employees actually use, not just approved ones. Check browser activity, expense reports, and ask directly. Then update written supervisory procedures to name specific tools: ChatGPT, Claude, Gemini, Copilot. Generic "technology" language no longer suffices under FINRA Rule 3110.
Brainstorming marketing ideas is low-risk. Pasting client portfolio details into a prompt is high-risk. Concentrate controls where they matter, and put them between the employee and the AI tool, detecting sensitive data before it leaves the firm.
Produce a log of AI interactions showing what was flagged, reviewed, and acted on. Retain to SEC 17a-4 standards where client data is involved. Run vendor due diligence on every AI platform: data handling, access, storage, SOC 2 status.
Employees need to know what qualifies as sensitive data and what happens when they use AI with client information. Designate who reviews flagged interactions, how fast they respond, and what they document. FINRA’s "human-in-the-loop" means a real person with authority, not just an automated rule.
Be able to produce your AI tool inventory, written procedures, evidence of monitoring, review logs, and vendor due diligence files. Identify gaps before the examiner finds them.
Based on the SEC FY2026 examination priorities and FINRA's 2026 oversight report, this is the evidence likely to be requested during an AI-focused examination.
| What they ask | What you need to show |
|---|---|
| What AI tools does your firm use? | A documented inventory of all AI tools, including both approved and discovered shadow usage |
| How do you supervise AI usage? | Written supervisory procedures that name specific AI tools and describe the controls in place |
| Show me the monitoring | Logs showing AI interactions, what was flagged, and what action was taken |
| Who reviews AI-assisted decisions? | Named individuals with documented review responsibilities and a log of reviews conducted |
| How is client data protected when employees use AI? | Technical controls that detect or prevent sensitive data from reaching external AI services |
| Where are your AI records? | An archive meeting SEC 17a-4 retention standards for any AI interaction involving client data |
| What due diligence have you done on AI vendors? | Vendor risk assessments covering data handling, storage, security, and SOC 2 status for each platform |
The pattern is consistent: the SEC wants governance that is operational and producing evidence. A policy document without supporting controls and records is unlikely to be sufficient on its own.
A common framing puts AI and compliance at opposite ends of a tradeoff: adopt one at the cost of the other. In practice, that overstates the tension.
Restricting AI use doesn't eliminate the risk; it removes visibility. Employees keep using AI on personal devices and accounts, outside any monitoring. The result is often the worst of both outcomes: no productivity benefit at the firm level, no governance for compliance, and no records for an examiner.
The advisors at Future Proof weren't avoiding AI because they didn't want it. They were avoiding vendors because they hadn't found one that handled compliance adequately. Carson Group CEO Burt White named the concern: he was "fearful that advisors are going to go out and onboard seven different platforms" without appropriate controls in place.
A well-governed setup gives employees the tools that make work faster while giving compliance the oversight and documentation they need. Notes get transcribed faster; CRM records stay current; client prep takes less time, and every interaction is logged, reviewed where required, and retained. Operational and compliance benefits don't have to be in conflict.
The central question isn't whether employees should be using AI. Most already are. It's whether the firm has visibility into that usage, can control what data flows out, and can demonstrate it to a regulator when needed.
| Deadline | What it covers | Who it affects |
|---|---|---|
| Active now | SEC FY2026 examination priorities. AI oversight embedded in every exam category. | All SEC registrants |
| June 3, 2026 | Regulation S-P compliance deadline for smaller firms. Data protection requirements extend to AI tools accessing client data. | Smaller RIAs, broker-dealers, investment companies |
| August 2, 2026 | EU AI Act high-risk system requirements take effect. Covers credit scoring, loan approval, insurance pricing. | Firms operating in the EU or serving EU clients |
| Summer 2026 | FCA Mills Review recommendations expected. UK regulatory approach to AI in financial services. | UK-regulated firms |
For US-based RIAs, the SEC examination priorities and Reg S-P are the most immediately relevant. Because the SEC doesn't announce examination targets in advance, the preparation here applies ahead of whenever the next exam occurs.
For firms assessing tools to support this work, six questions are worth working through before deciding.
Does it work across all the AI tools employees use, or only a subset? People rarely limit themselves to one platform, and governance coverage should reflect that.
Keyword matching, or context? A client’s name is sensitive; the word "client" isn’t. Pattern matching alone tends to miss too much or fire too often to be useful.
Does client data pass through the vendor’s servers, or stay inside your environment? For regulated firms, this carries both compliance and vendor due diligence weight.
Does it require people to change how they work? Controls that add friction get worked around. The best tools are invisible unless something is flagged.
Does it produce records an examiner can actually review? Alerts alone aren’t enough. The trail needs to show what happened, when, and what action was taken.
Can it route records to your existing compliance archive, or does it create a separate silo that needs its own management?
A governance tool should reduce regulatory risk and produce auditable evidence of oversight. If it does only one of those, or neither, it's worth continuing to evaluate options.
Proxara sits between employees and the AI tools they use, detects sensitive data before it leaves the firm, and maintains a complete audit trail, the governance described in this guide. We're currently running pilots with RIAs.
Talk to us