SEC probes RIAs on AI governance
- SEC examiners have begun probing registered investment advisers' use of AI, requesting written governance documentation and vendor-oversight evidence during exams today.
- Examiners specifically flagged firms that lack written AI policies, saying missing documentation produced compliance findings in recent reviews.
- Regulators are now treating AI controls as examinable compliance areas, not just advisory best practices. (x.com)

SEC exams for registered investment advisers have quietly turned AI into a real compliance issue. Not a future rulemaking issue. Not a “we should probably think about this” issue. A right-now exam issue. The shift matters because RIAs have spent the last two years experimenting with AI across note taking, proposal generation, marketing copy, portfolio commentary, and client service — but a lot of them still treat those tools like harmless software add-ons instead of regulated parts of the business. Recent exam requests show the SEC staff is not treating them that way anymore. (wealthmanagement.com)

### What’s actually new here?

The news is not that the SEC passed a brand-new AI rule for advisers. It didn’t. The news is that the Division of Examinations has now made AI governance an explicit exam topic for 2026, and firms are getting asked for the paperwork you would expect in any other compliance area — written policies, supervision procedures, vendor diligence, and training records. That turns AI from a vague best-practices conversation into something examiners can test and write up. (wealthmanagement.com)

### Why does “exam topic” matter so much?

Because for RIAs, exams are where soft expectations become operational reality. A firm can ignore conference-panel chatter. It cannot ignore a document request list from the SEC. Once exam staff asks for evidence that a firm reviewed an AI vendor, limited what client data can go into tools, or supervised AI-assisted recommendations, the absence of that evidence stops being theoretical. It becomes a deficiency risk. That is the practical lever here. (wealthmanagement.com)

### What are examiners asking for?

The core asks are pretty basic — but that’s exactly why they matter. Firms are being pressed for an AI acceptable-use policy, records showing which tools are approved or prohibited, documentation of vendor review, procedures for supervising AI-assisted outputs, and proof that staff were trained on the rules.
In plain English, the SEC wants to know who approved the tool, what data went into it, what the firm thinks can go wrong, and who checks the output before it reaches a client. (wealthmanagement.com)

### Why are vendors such a big part of this?

Because most RIAs are not building models from scratch. They are buying software with AI features embedded inside it — meeting assistants, CRM tools, marketing platforms, portfolio software, email helpers. That creates a third-party risk problem. If client information flows into one of those systems, the firm still owns the compliance risk. The vendor’s marketing page is not due diligence. Examiners want to see what the adviser actually reviewed — data handling, storage, retention, and contractual security promises. (wealthmanagement.com)

### Is this just about data security?

No — it is also about truthfulness and fiduciary duty. The SEC already showed in March 2024 that it will bring AI-related cases against advisers that exaggerate what their technology does. Delphia and Global Predictions settled charges over allegedly false and misleading statements about their AI use and paid $400,000 in combined penalties. So the agency is coming at this from two directions: don’t misuse the tools, and don’t oversell the tools. (sec.gov)

### Didn’t the SEC already try to regulate this?

Yes, in a broader way. In July 2023, the SEC proposed rules aimed at conflicts of interest from predictive analytics and similar technologies used with investors. That proposal was about firms using technology in ways that could steer investors toward outcomes that favor the firm. But even without a final AI-specific rule, the current exam approach lets the SEC use existing adviser obligations — compliance programs, disclosures, supervision, and fiduciary duties — to police the same terrain. Basically, the rulebook may be old, but the staff is applying it to new tools. (sec.gov)

### What’s the catch for firms?

The catch is that many advisers adopted AI bottom-up. Individual teams started using tools before compliance built an inventory, a policy, or a review process. That works fine until an examiner asks for a list of every AI-enabled system touching client information or investment communications. Then the gap shows up fast. The problem is less “the SEC banned something” and more “the firm cannot prove it is in control of something.” (wealthmanagement.com)

### So what does this mean now?

AI governance for RIAs has entered the same bucket as cybersecurity, marketing review, and vendor management — ordinary compliance plumbing, but with real exam consequences. The firms most exposed are not necessarily the ones using the most AI. They are the ones using AI without documentation, supervision, and a clean story about how the tools fit inside existing securities-law obligations. That is the change. The SEC does not need a flashy new AI rule to make this painful. It just needs to keep asking for the receipts. (wealthmanagement.com)