There is no SEC rule with "AI" in the title, but four rules you already follow reach how your firm uses it. Here is what an examiner actually looks for in your AI governance policy, the sections that hold up under exam, and the mistakes that turn a policy into a finding.

Published June 5, 2026
Here is the part most firms miss. You do not get a pass on AI because the SEC has not written a rule with "AI" in the title. The rules you already live under reach it anyway. So if your team is using AI and you have nothing in writing about how, you are not operating in a gray area. You are operating in a documented one, and the document is missing.
An AI governance policy is just the thing that fills that gap. It tells your people, and an examiner who comes knocking, how AI gets approved, used, watched, and recorded at your firm. For an RIA that is no longer a someday project. AI has already worked its way into client emails, research, marketing copy, the back office. All of it sits under rules the SEC has enforced for years.
What follows is the working version: the sections an examiner looks for, the four rules that already put you on the hook, and the mistakes that turn a policy into a finding. Written for RIAs and investment firms in Dallas, Houston, and the rest of Texas who would rather build this right than paper over it the week before an exam.
The whole thing comes down to a few points.
A governance policy is your written framework for approving, controlling, monitoring, and documenting AI use. In 2026, examiners expect to see one.
There is no SEC "AI rule," and there does not need to be. Four rules you already follow, the Compliance Rule, Regulation S-P, the Marketing Rule, and the Books and Records Rule, already reach how you use AI.
A policy that holds up runs about a dozen sections, from the tool inventory through human review, recordkeeping, and annual testing.
Your CCO owns it. A small group helps carry it.
And the thing that sinks firms fastest is shadow AI, the tools nobody approved and nobody is watching.
A governance policy sets who may use AI, which tools are allowed, what data is allowed near them, how the output gets checked, and how the whole thing is recorded. It takes the informal, everyone-figuring-it-out-themselves reality and turns it into something supervised. You already do this for email and trading. AI is the same problem, newer.
Three forces turned this from a back-burner item into a now item.
First, the AI is already inside your firm, and almost none of it is supervised. Advisers are pasting meeting notes into a chatbot to get a summary. Someone in ops is running portfolio data through a free tool to save an hour. Most principals badly underestimate how many of these tools are already in the building, because nobody asked and nobody had to tell.
Second, the SEC has put AI on its exam radar. The Division of Examinations has called out how advisers use AI and what they say about it, and the enforcement actions that have landed show the agency will act when the AI story and the reality do not match.
Third, and this is the one with a date on it, Regulation S-P's amended safeguards are now in force for smaller firms. Advisers under roughly $1.5 billion in assets under management had to be compliant as of June 3, 2026. That deadline brought written incident response and vendor oversight obligations that land directly on any AI vendor touching your data. If you have not mapped your AI tools against those obligations yet, that is not a future risk. It is a present one.
The math is simple. No policy means every AI interaction is an unmanaged compliance event. A policy turns the same activity into something you can stand behind in a room with an examiner.
Is a written AI governance policy required by rule? Technically, no. There is nothing in the rulebook called an AI governance policy. Practically, yes, because four rules you already answer to require one in everything but name. An examiner does not need a fresh regulation to ask how you control AI. They have the tools below.
The Compliance Rule, 206(4)-7, says registered advisers must adopt and review written policies reasonably designed to prevent violations. AI now reaches enough of what you do that "reasonably designed" quietly started including it.
Regulation S-P wants written safeguards for customer information, an incident response program, and oversight of your service providers. An AI vendor that can see firm data is a service provider. Full stop.
The Marketing Rule, 206(4)-1, bars false or misleading claims. Talking up AI you do not really use, the thing people have started calling AI washing, whether in a pitch deck or on your Form ADV, is squarely in enforcement territory.
The Books and Records Rule, 204-2, makes you keep your ads and client communications. An AI-drafted client email is a record. It has to be captured like any other.
A governance policy is how you show, in one place, that you are meeting all four where they touch AI. If you want a scaffold for it, the NIST AI Risk Management Framework is the standard most firms reach for, and it lines up well with what the SEC is looking for.
One caveat, and it matters: this is general education, not legal advice. Your obligations are specific to your firm. Run them past your compliance counsel.
A policy that survives a real exam covers roughly a dozen areas. Each one answers a question an examiner, or honestly a client, could put to you on a Tuesday. Treat the list as a checklist, then write each section against how your firm actually works, not how a template says it should.
Purpose and scope. Say why the policy exists, who it covers, and what counts as AI here. Generative chatbots, yes, but also the AI features quietly baked into software you already pay for, and anything that runs firm or client data through a model. Pin this down and you close the favorite loophole: "I didn't think that one counted."
Roles and responsibilities. Name actual people. The CCO owns it. A small group, compliance plus IT or security plus one business-side leader, approves tools and handles incidents. Write down who greenlights a new tool, who keeps the inventory current, and whose signature goes on the annual review.
The tool inventory. Keep a living list of every approved tool, who makes it, what it is for, and what data it is cleared to touch. Then a second list of what is flat-out prohibited, usually the free consumer chatbots. Default rule: not on the approved list means not allowed. Examiners look at this inventory harder than almost anything else in the file, so it is worth getting right.
Data classification and handling. Sort your data into tiers (public, internal, confidential, client or material nonpublic) and then state plainly which tier is allowed near which tool. Where most firms land: no client personal data and no portfolio data into anything that is not contractually locked down and tenant isolated.
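The inventory and data-tier rules in the two sections above can be written down as a check rather than left to memory. The following is an added example, not code from the article or from any vendor it mentions: a small policy-as-code script that keeps the approved-tool list, enforces "not on the list means not allowed" together with the tier each tool is cleared for, and flags AI services seen in proxy traffic that no approved tool accounts for. Every tool name, vendor, hostname, and log line here is constructed for illustration, and the log format is an assumed one (timestamp, user, host, bytes).

```python
import re
from dataclasses import dataclass

# Data tiers from least to most sensitive; position in the list is the rank.
TIERS = ["public", "internal", "confidential", "client_or_mnpi"]


@dataclass(frozen=True)
class ApprovedTool:
    name: str
    vendor: str
    purpose: str
    max_tier: str            # most sensitive tier this tool is cleared to touch
    hostnames: frozenset     # endpoints the tool talks to, used for monitoring
    no_training_clause: bool  # contract says firm data will not train the vendor's models
    tenant_isolated: bool
    soc2_type2_current: bool


# Constructed inventory; a real firm keeps this in its compliance system.
APPROVED = {
    "enterprise-assistant": ApprovedTool(
        name="enterprise-assistant", vendor="ExampleVendor", purpose="drafting",
        max_tier="confidential",
        hostnames=frozenset({"assistant.example-vendor.com"}),
        no_training_clause=True, tenant_isolated=True, soc2_type2_current=True),
    "meeting-summarizer": ApprovedTool(
        name="meeting-summarizer", vendor="ExampleVendor", purpose="meeting notes",
        max_tier="internal",
        hostnames=frozenset({"notes.example-vendor.com"}),
        no_training_clause=True, tenant_isolated=True, soc2_type2_current=True),
}

# Constructed watchlist of hostnames known to belong to AI services, approved or not.
AI_SERVICE_WATCHLIST = {
    "assistant.example-vendor.com",
    "notes.example-vendor.com",
    "chat.free-consumer-example.com",
    "llm.another-free-example.net",
}


def vendor_controls_ok(tool):
    """A tool stays usable only while the vendor due-diligence evidence holds."""
    return tool.no_training_clause and tool.tenant_isolated and tool.soc2_type2_current


def is_use_allowed(tool_name, data_tier):
    """Return (allowed, reason). Default deny: anything not inventoried is refused."""
    if data_tier not in TIERS:
        return False, f"unknown data tier {data_tier!r}"
    tool = APPROVED.get(tool_name)
    if tool is None:
        return False, f"{tool_name!r} is not on the approved inventory"
    if not vendor_controls_ok(tool):
        return False, f"{tool_name!r} is missing a required vendor control"
    if TIERS.index(data_tier) > TIERS.index(tool.max_tier):
        return False, f"{tool_name!r} is cleared only up to {tool.max_tier!r}"
    return True, "approved"


# Assumed proxy log line shape: "<timestamp> <user> <host> <bytes>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<host>\S+) (?P<bytes>\d+)$")


def find_shadow_ai(log_lines):
    """Map each watchlisted AI hostname no approved tool uses to the users seen reaching it."""
    approved_hosts = set().union(*(t.hostnames for t in APPROVED.values()))
    hits = {}
    for line in log_lines:
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # unparseable line; a real scan would count these separately
        host = match.group("host")
        if host in AI_SERVICE_WATCHLIST and host not in approved_hosts:
            hits.setdefault(host, set()).add(match.group("user"))
    return hits


# Constructed sample traffic: two approved endpoints, two unapproved AI services, one unrelated host.
SAMPLE_PROXY_LOG = [
    "2026-06-04T09:12:03Z jdoe assistant.example-vendor.com 48211",
    "2026-06-04T09:15:40Z jdoe chat.free-consumer-example.com 9031",
    "2026-06-04T10:02:11Z asmith llm.another-free-example.net 22110",
    "2026-06-04T10:05:59Z asmith notes.example-vendor.com 1290",
    "2026-06-04T10:07:00Z bchen mail.example-firm.com 3300",
]

if __name__ == "__main__":
    for tool, tier in [("enterprise-assistant", "confidential"),
                       ("enterprise-assistant", "client_or_mnpi"),
                       ("free-chatbot", "public")]:
        print(tool, tier, is_use_allowed(tool, tier))
    print("shadow AI:", find_shadow_ai(SAMPLE_PROXY_LOG))
```

The two functions map onto two pieces of the policy: `is_use_allowed` is the acceptable-use decision a staff member or an approval workflow would ask before a tool touches a given tier of data, and `find_shadow_ai` is the spot-check against the inventory that the testing section calls for. Flipping any one of the three vendor-control booleans to `False` drops the tool out of use immediately, which is the behaviour you want when a SOC 2 report lapses or a contract is renegotiated.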
Vendor due diligence. Reg S-P wants you watching your service providers. Before you approve an AI vendor, the policy should require a contract that says your data will not train their models, real tenant isolation, a current SOC 2 Type II, breach notification terms, and clear answers on where data lives and how it gets deleted. Document the review. Then do it again next year.
Human oversight. AI assists. A qualified person stays on the hook. Anything the AI produces that reaches client communications, advice, or a recommendation gets reviewed and signed off by a licensed professional before it leaves the building. The model is never the decision maker of record. You cannot hand your fiduciary duty to software, and no examiner will let you pretend otherwise.
Recordkeeping. AI-generated client communications and ads are records under 204-2. Route them into the same retention and archiving setup you already use for email, and decide up front how prompts and outputs get preserved when they rise to the level of a record.
Marketing and Form ADV. Handle AI washing head-on. Describe your AI the way you actually use it, no more. Put a review step on any AI claim that goes into advertising. And figure out when AI use is material enough to land on your Form ADV. The SEC has already fined advisers for overstating this, so it is not hypothetical.
Acceptable use. This is the section your staff will actually read, so keep it short and human. What they can do, what they must never do, how to ask for a new tool, and what happens if they go rogue and use one that is not approved.
Training. Run AI governance training at onboarding and at least once a year, and keep the attendance records. Cover the approved tools, the data rules, how to catch a wrong or made-up AI answer, and the no-shadow-AI rule. Those training records are some of the cleanest evidence you have that the program is real.
Incident response. Define what an AI incident even is (client data dropped into an unapproved tool, a bad output that reached a client, a breach at one of your AI vendors) and then how you contain, assess, notify, and document it. Critical detail: this has to plug into your Reg S-P incident response program, not sit in its own little silo beside it.
Testing and annual review. The Compliance Rule wants an annual review, so spell out how you test the policy. Spot-audit the inventory. Watch for shadow AI. Run a tabletop. Do a documented annual review with real findings, not a rubber stamp. A policy nobody ever tests reads, to an examiner, like a policy that was never really there.
The CCO owns the policy and answers to the SEC for it. That part is not negotiable. But no single person can see compliance, technology, and the business all at the same time, which is why the CCO needs a small bench behind them.
The CCO owns it and signs the annual review. An IT or security lead, or a virtual CISO, vets the tools, runs the vendor due diligence, and keeps an eye out for shadow AI. And one business-side leader keeps the whole thing realistic enough that people can still get their jobs done inside the rules.
For most firms the hard part is that middle role. Vendor review and security monitoring are tough to staff in house at the size where a $1.5 billion threshold is even in view. That is usually where bringing in an outside security partner pays for itself, giving the CCO the technical coverage the role needs without another full-time hire.
Most AI governance problems are not a missing policy. They are a policy that says one thing while the firm does another. An examiner reads the document, then looks at reality, and writes up the gap. The usual suspects:
Shadow AI is the big one. Your policy names three approved tools, a scan turns up a dozen in active use, and now the whole inventory looks like fiction.
A policy with nothing behind it. No training records, no logs, no annual review memo. If you cannot produce the evidence, the examiner treats the control as if it never existed.
Generic, copied language. A template that never names your real tools, your real data, your real workflow reads as exactly what it is, unconsidered. Which is the opposite of "reasonably designed."
A vendor nobody checked. An approved tool with no SOC 2, no no-training clause, no documented review. That is a Reg S-P finding sitting in plain sight.
An incident plan that does not connect to anything. If your AI incident section does not tie back into your Reg S-P incident response program, the seam shows, and examiners notice seams.
And the slow killer, set and forget. A policy dated a year and a half ago, never tested, no review on file. AI shifts month to month. A frozen policy ages like milk.
The fix for every one of these is the same move. Build it around your actual tools and workflow, back it with evidence, and review it on a real schedule.
How long does it take? The written policy itself, a few weeks. A policy that actually holds up under examination, with the controls and the evidence standing behind it, runs more like 45 to 90 days. The work tends to fall into three stretches. First you find out what AI is already in use and where the holes are. Then you write the policy and stand up the controls. Then you operationalize it with training, recordkeeping, and a first review you can point to.
If you are a smaller firm that watched the June 3 Reg S-P deadline come and go without finishing, do not wait around for the next milestone to force the issue. The vendor oversight and incident response work inside an AI policy overlaps almost entirely with what Reg S-P already wants from you. Build the one and you close both gaps at once. That is the rare case where doing the harder thing is also the efficient thing.
Is this legally required for RIAs? Not by that name. But the Compliance Rule requires written policies reasonably designed to prevent violations, and Reg S-P, the Marketing Rule, and the Books and Records Rule all reach AI use. So an RIA using AI is expected to govern it in writing, and examiners will check.
How is this different from an acceptable use policy? Acceptable use is one piece of the bigger policy. It tells employees what they may and may not do. The full governance policy also covers roles, the tool inventory, vendor due diligence, recordkeeping, incident response, and testing, the firm-level controls an examiner reviews.
Can we use ChatGPT, Claude, or Gemini under a policy like this? Maybe, but only the enterprise tiers with a contract saying your data will not train their models, and only for the data your policy actually clears. Free and consumer versions should be off limits for anything client or firm confidential. A lot of firms just standardize on one tenant-isolated platform so the rules enforce themselves instead of relying on everyone to remember them.
How often does it need reviewing? Annually at minimum, per the Compliance Rule, and documented. Because the tools move so fast, plenty of firms also revisit the approved inventory quarterly and update the policy any time a meaningful new tool or risk turns up.
Do we have to disclose AI use on Form ADV? Depends on materiality. If AI is integral to your advice, research, or operations, disclosure may be warranted, and whatever you disclose has to match what you actually do. Overstating it has already drawn enforcement. Your counsel should make the call on specifics.
What exactly is shadow AI? Staff using tools the firm never approved, inventoried, or secured, usually free chatbots getting fed client data. You fight it with a clear approved-and-prohibited list, training, some technical monitoring, and a good approved option so people have no reason to go around the rules in the first place.
If your firm is running AI with no written governance policy, or with a generic one that does not match what your people are actually doing, that gap is worth closing before an examiner closes it for you. None of this is exotic when it is built around your real tools and your real workflow, and the same work knocks down your Reg S-P exposure on the way through.