SEC Compliance Focuses on AI Oversight and Governance
When Paul Atkins became SEC Chair last year, it ushered in a new era at the SEC. After almost a year under the new leadership, we’ve seen a shift in focus from strict enforcement to one of balanced rulemaking and fostering innovation. While this change impacts the crypto space, it also has far-reaching implications for the wealth management and financial services industries’ use of emerging technologies, including AI and data analytics.
Regulators are signaling a move toward principle-based oversight: rather than issuing prescriptive rules for every new technology, they are increasingly emphasizing accountability, reasonableness and evidence of supervision. This creates both opportunity and risk. While RIAs and wealth management firms have more flexibility in how they design compliance programs, regulators appear to have far less tolerance for ambiguity when something goes wrong.
For compliance leaders, the implication is clear. The increased flexibility at the SEC does not reduce risk, but it does shift the focus from rule violations to judgment failures. Firms are no longer asked only whether they followed a rule, but whether their choices, controls and oversight reflect a thoughtful and defensible compliance posture.
AI Use Raises Regulator Expectations for Supervisory Control
AI presents a unique supervisory challenge to RIAs and other wealth managers because it is both powerful and accessible. Individual advisors and staff members can adopt tools independently, often with minimal cost and little technical oversight. From a regulatory perspective, this informality is not an excuse for lax supervision.
Regulators expect firms to know how AI is being used within their organizations. If firms do not have this visibility, they are exposing themselves to significant regulatory risk.
This expectation mirrors prior enforcement trends around off-channel communications. Just as firms were held accountable for unauthorized messaging platforms, they are now responsible for unauthorized AI tools. The principle is the same. If a tool is used in the course of business, it falls under supervision and recordkeeping obligations.
Even the use of a firm’s authorized AI technology, like popular notetaking tools, raises questions. The tools are a tremendous time saver for advisors to document client meetings, but are the summaries produced part of a firm’s books and records? That is yet to be seen.
A recurring theme in regulatory commentary is that responsibility cannot be delegated to technology. The human supervisor remains accountable for outputs, decisions and disclosures generated by AI systems.
AI Increases Cybersecurity, Vendor Accountability and Data Fragmentation Risks
AI risk does not exist in isolation. It is deeply interconnected with cybersecurity, vendor management and data governance. Fragmented systems and uncontrolled data flows magnify risk across all three areas.
Cyber threats are becoming more sophisticated as attackers leverage AI to automate phishing, malware development and social engineering. Regulators increasingly view cybersecurity hygiene as a core compliance issue rather than a purely technical concern.
Vendor risk compounds this exposure. Firms are accountable not only for their own systems, but for the practices of third-party providers. This includes understanding how vendors use AI, how they process client data and whether those practices align with contractual obligations and privacy requirements.
Many financial firms struggle simply to inventory their vendors, let alone assess AI usage across them. Regulators are now asking for vendor lists, due diligence records, cybersecurity policies, incident response plans and technology governance procedures as standard exam requests. Compliance teams need to be ready with answers.
Disconnected data systems further complicate compliance. When records are spread across tools, departments and personal devices, firms lose the ability to produce consistent and reproducible evidence. Centralized data governance is becoming a regulatory expectation rather than an operational luxury.
How to Prepare for 2026 Exams with Practical, Defensible Actions
Fortunately, today’s regulators are not expecting perfection. However, they are expecting preparation, awareness and good-faith execution. RIAs and wealth management firms that acknowledge risk and take concrete steps to address it are in a far stronger position than those that delay action in pursuit of ideal solutions.
Based on recent examinations and enforcement experience, firms may want to prioritize the following actions:
- Review and update written supervisory procedures to explicitly address AI use, cybersecurity and vendor oversight.
- Establish and document an AI acceptable use policy, including permitted tools, prohibited uses and escalation procedures.
- Conduct discovery to identify shadow AI, note-taking tools and unapproved applications used by staff.
- Maintain centralized documentation of vendor due diligence, including AI disclosures and data handling practices.
- Test cybersecurity and incident response plans through tabletop exercises and retain evidence of those tests.
- Assign clear ownership for AI governance, whether through a designated officer or cross-functional committee.
AI Adoption Means Accountability
AI adoption is inevitable. Regulatory scrutiny is unavoidable. The defining question for compliance leaders is not whether AI will be used, but whether its use can be explained, supervised and defended.
The move toward principle-based regulation does not reduce regulatory risk. It increases the importance of judgment, documentation and governance. Firms that treat AI as a compliance issue, rather than a purely operational one, will be best positioned to navigate the 2026 exam cycle and beyond.
