Proxara guide · April 2026

AI governance for RIAs: a practical guide for 2026

Your team is already using AI. The real question is whether you can see it, control where the data goes, and prove it when an examiner asks.

← Back to resources

What FINRA and the SEC expect, what most firms are missing, and what to do about it.

April 2026Proxara12 min read
01The landscape

The gap between adoption and oversight

At Future Proof Citywide in Miami, 86 AI companies competed for demo spots. Most financial advisors walked past them, not because they doubted the value, but because of compliance.

The data supports both sides. Three out of four advisors say AI already helps their practice; more than half use generative AI regularly for meeting notes, CRM updates, client prep, and drafting. The productivity case is settled. What gives advisors pause is the compliance side, and at the conference, they named it as the reason they've slowed adoption.

The 2025 IMCT survey of 577 investment adviser firms found that AI usage is now the leading compliance concern at 57%, surpassing the SEC marketing rule for the first time in three years.

"From a compliance standpoint, we need to know what exposures or risks are being generated."

Joe Haupert, Chief Business Officer, Credent Wealth Management

Hightower CEO Larry Restieri captured the sentiment: "I'm not in a huge rush. The technology is advancing so fast that in two months or so I might meet some other startup and see something even better." That's a defensible position. The problem is that employees aren't waiting.

What's already happening
78%
of employees use AI tools their employer hasn’t approved
Gartner, 2025
47%
of GenAI users rely on personal accounts that bypass enterprise controls entirely
Netskope, 2026
86%
of organizations have no visibility into how data flows to and from AI tools
Reco, 2025

Among firms that have formally adopted AI tools, 44% have no formal testing or validation of AI outputs. Shadow AI isn't a theoretical scenario. It's already running in most organizations. The more pressing question is whether the firm has any visibility into it.

02The regulators

What FINRA and the SEC are asking

Two recent developments matter. FINRA published its first standalone section on generative AI in the 2026 Annual Regulatory Oversight Report (released December 9, 2025, marked "NEW FOR 2026"). And the SEC embedded AI oversight into every examination category for FY2026, not just tech-focused firms. Every registrant.

There is no size carve-out. A 15-person RIA faces the same lines of inquiry as a firm with 500. The SEC stated directly that AI oversight is now "part of virtually all examinations," including firms that don't market AI capabilities.

FINRA's seven focus areas for GenAI

The 2026 report cites Rules 3110 (Supervision), 2210 (Communications), 4511 (Recordkeeping), and Fair Dealing as directly implicated by GenAI. Seven expectations emerge.

01

Enterprise-level oversight

Formal review and approval before GenAI tools are deployed.

02

Model risk management

Adapted to GenAI, not just traditional quantitative models.

03

Pre-launch testing

For accuracy, reliability, privacy, and bias before tools go live.

04

Logging of prompts and outputs

Explicit: "storing prompt and output logs for accountability and troubleshooting; tracking which model version was used and when." Send client data into ChatGPT, and that interaction should have a documented record.

05

Human-in-the-loop review

For AI-assisted decisions that affect clients.

06

Agentic AI as an emerging risk

Autonomous systems that plan and execute tasks require heightened scrutiny.

07

Accurate marketing & disclosures

Firms should not overstate what their AI tools do.

SEC enforcement activity

The SEC charged Delphia ($225,000 penalty) and Global Predictions ($175,000 penalty) for misleading AI claims. In January 2026, another unregistered adviser was charged for fraudulent AI trading claims. The Cyber and Emerging Technologies Unit (CETU), created February 2025, specifically targets AI fraud. Enforcement is already active.

Regulation S-P and the June deadline

Smaller RIAs (under $1.5B AUM), broker-dealers, and investment companies must comply with amended Reg S-P by June 3, 2026. Larger firms were already required to comply by December 2025.

This intersects directly with AI governance. The amended rule requires a written incident response program to detect, respond to, and recover from unauthorized access to customer information, with client notification within 30 days of awareness.

If an employee pastes client portfolio information into an external AI tool, that's a data protection event under Reg S-P. The regulation draws no distinction between a human emailing client data to a personal account and pasting that same data into ChatGPT. The exposure is equivalent, and your incident response plan needs to reflect that.

03The distinction

Where policy ends and governance begins

Most firms have some version of an AI policy, a memo telling employees not to paste sensitive data into public AI tools. That's a reasonable starting point, but it isn't governance on its own.

A policy is a document. Governance is the loop, running.

Governance means being able to answer a specific question: what happened when a given employee used ChatGPT, at what time, with what data in the prompt. Was it reviewed, and is there a record? When those questions can't be answered confidently, the policy document offers limited protection.

AI policyenforcedDetectReviewRecordAUDITABLErecordgovernance = the loop, running

The SEC's posture has shifted. In earlier years, a written policy often demonstrated sufficient good faith. In 2026, examiners want evidence that the policy is actually being followed: the controls, the logs, the review process, documentation of what happens when something is flagged.

The question has moved

It's no longer "do you have an AI policy?" It's "show me how that policy is being enforced." A policy without supporting records of implementation is unlikely to satisfy that inquiry.

This isn't primarily about employees doing something wrong. Most people using AI at work are trying to move faster. The concern is that those prompts often contain the firm's most sensitive data, and right now there's no record of where that data goes.

What it looks like

The record an examiner actually sees

Governance that's operational produces evidence on its own. Each AI interaction is tied to a person, the sensitive fields are redacted before they leave the firm, and every row is signed, time-stamped, and routed to your archive, ready when an exam asks for it.

AI activity
Compliance
17a-4 retained · signed

[Person_3] pasted a client portfolio into ChatGPT. Proxara matched five sensitive fields and redacted them before the request left the firm.

Original
Daniel Reeves · 401-92-… · $1,042,800
Sent to model
[Person_3] · [ID_4] · $1,042,800
Interaction log · today5 OF 41
09:14[Person_3]ChatGPT · Client portfolio pasted, 5 fields redactedREDACTED
10:02[Person_9]Claude · Meeting notes summarisedPASS
11:37[Person_3]Perplexity · SSN matched in draft, held & reviewedREVIEWED
13:21[Person_15]Gemini · Marketing copy draftedPASS
14:48[Person_9]ChatGPT · Account number redacted before sendREDACTED
Every row signed & time-stamped. Model version recorded · routed to your archive.
04The work

Steps for compliance officers

Concrete actions a compliance officer at a small or mid-sized RIA can work through in the near term, ordered by priority.

1Step 1

Map your AI surface and update WSPs

Inventory every AI tool employees actually use, not just approved ones. Check browser activity, expense reports, and ask directly. Then update written supervisory procedures to name specific tools: ChatGPT, Claude, Gemini, Copilot. Generic "technology" language no longer suffices under FINRA Rule 3110.

2Step 2

Categorize risk and implement inline controls

Brainstorming marketing ideas is low-risk. Pasting client portfolio details into a prompt is high-risk. Concentrate controls where they matter, and put them between the employee and the AI tool, detecting sensitive data before it leaves the firm.

3Step 3

Create an auditable record

Produce a log of AI interactions showing what was flagged, reviewed, and acted on. Retain to SEC 17a-4 standards where client data is involved. Run vendor due diligence on every AI platform: data handling, access, storage, SOC 2 status.

4Step 4

Train your team and establish review

Employees need to know what qualifies as sensitive data and what happens when they use AI with client information. Designate who reviews flagged interactions, how fast they respond, and what they document. FINRA’s "human-in-the-loop" means a real person with authority, not just an automated rule.

5Step 5

Prepare your exam response

Be able to produce your AI tool inventory, written procedures, evidence of monitoring, review logs, and vendor due diligence files. Identify gaps before the examiner finds them.

05The exam

What an examiner expects to see

Based on the SEC FY2026 examination priorities and FINRA's 2026 oversight report, this is the evidence likely to be requested during an AI-focused examination.

What they askWhat you need to show
What AI tools does your firm use?A documented inventory of all AI tools, including both approved and discovered shadow usage
How do you supervise AI usage?Written supervisory procedures that name specific AI tools and describe the controls in place
Show me the monitoringLogs showing AI interactions, what was flagged, and what action was taken
Who reviews AI-assisted decisions?Named individuals with documented review responsibilities and a log of reviews conducted
How is client data protected when employees use AI?Technical controls that detect or prevent sensitive data from reaching external AI services
Where are your AI records?An archive meeting SEC 17a-4 retention standards for any AI interaction involving client data
What due diligence have you done on AI vendors?Vendor risk assessments covering data handling, storage, security, and SOC 2 status for each platform

The pattern is consistent: the SEC wants governance that is operational and producing evidence. A policy document without supporting controls and records is unlikely to be sufficient on its own.

06The framing

Productivity and compliance aren't in opposition

A common framing puts AI and compliance at opposite ends of a tradeoff: adopt one at the cost of the other. In practice, that overstates the tension.

Restricting AI use doesn't eliminate the risk; it removes visibility. Employees keep using AI on personal devices and accounts, outside any monitoring. The result is often the worst of both outcomes: no productivity benefit at the firm level, no governance for compliance, and no records for an examiner.

The productivity is real
74%
of financial advisors say AI already helps their practice
Advisor360, Jan 2026
52%
of advisors now use one or more generative AI tools
T3 / Inside Information, Mar 2026

The advisors at Future Proof weren't avoiding AI because they didn't want it. They were avoiding vendors because they hadn't found one that handled compliance adequately. Carson Group CEO Burt White named the concern: he was "fearful that advisors are going to go out and onboard seven different platforms" without appropriate controls in place.

A well-governed setup gives employees the tools that make work faster while giving compliance the oversight and documentation they need. Notes get transcribed faster; CRM records stay current; client prep takes less time, and every interaction is logged, reviewed where required, and retained. Operational and compliance benefits don't have to be in conflict.

The central question

The central question isn't whether employees should be using AI. Most already are. It's whether the firm has visibility into that usage, can control what data flows out, and can demonstrate it to a regulator when needed.

07The calendar

Key deadlines

DeadlineWhat it coversWho it affects
Active nowSEC FY2026 examination priorities. AI oversight embedded in every exam category.All SEC registrants
June 3, 2026Regulation S-P compliance deadline for smaller firms. Data protection requirements extend to AI tools accessing client data.Smaller RIAs, broker-dealers, investment companies
August 2, 2026EU AI Act high-risk system requirements take effect. Covers credit scoring, loan approval, insurance pricing.Firms operating in the EU or serving EU clients
Summer 2026FCA Mills Review recommendations expected. UK regulatory approach to AI in financial services.UK-regulated firms

For US-based RIAs, the SEC examination priorities and Reg S-P are the most immediately relevant. Because the SEC doesn't announce examination targets in advance, the preparation here applies ahead of whenever the next exam occurs.

08The criteria

Evaluating AI governance tools

For firms assessing tools to support this work, six questions are worth working through before deciding.

01

Coverage

Does it work across all the AI tools employees use, or only a subset? People rarely limit themselves to one platform, and governance coverage should reflect that.

02

Detection method

Keyword matching, or context? A client’s name is sensitive; the word "client" isn’t. Pattern matching alone tends to miss too much or fire too often to be useful.

03

Data residency

Does client data pass through the vendor’s servers, or stay inside your environment? For regulated firms, this carries both compliance and vendor due diligence weight.

04

Employee experience

Does it require people to change how they work? Controls that add friction get worked around. The best tools are invisible unless something is flagged.

05

Audit trail

Does it produce records an examiner can actually review? Alerts alone aren’t enough. The trail needs to show what happened, when, and what action was taken.

06

Archive integration

Can it route records to your existing compliance archive, or does it create a separate silo that needs its own management?

A governance tool should reduce regulatory risk and produce auditable evidence of oversight. If it does only one of those, or neither, it's worth continuing to evaluate options.

From the team

This is what we built Proxara to do.

Proxara sits between employees and the AI tools they use, detects sensitive data before it leaves the firm, and maintains a complete audit trail, the governance described in this guide. We're currently running pilots with RIAs.

Talk to us