SEC Examiners Are Asking RIAs About AI Governance Now
The Securities and Exchange Commission is not waiting for new rules to examine how investment advisors govern artificial intelligence. Examiners are already walking into Registered Investment Advisor offices requesting documentation on AI tools, vendor oversight, and supervisory procedures. The firms without these materials are receiving compliance findings before substantive conversations even begin.
The SEC Division of Examinations released its 2026 examination priorities in November 2025, explicitly naming AI governance as a focus area. This announcement signals where examiners will direct their attention, not because new regulations compel them to, but because existing investment advisor oversight frameworks already cover these risks. The official SEC press release confirms the Division will examine compliance with new rules including the 2024 amendments to Regulation S-P.
Here is what examiners are actually asking for during examinations. First, a written AI Acceptable Use Policy that defines permitted tools, prohibited uses, and supervisory approval requirements. It must specify which categories of client data may or may not be processed by AI systems. Most firms lack this document entirely. For those that have one, most have not updated it since the AI landscape looked entirely different twelve months ago.
Second, vendor oversight documentation for every third-party AI tool in the firm's stack. Not a list of tools. Documentation showing someone at the firm evaluated the tool before advisors started using it with client data. What does the vendor do with that data? Where is it stored? What are the retention policies? What security representations has the vendor made in writing? If you are using an AI meeting tool, an AI email assistant, or an AI proposal generator, you have vendor oversight obligations under the 2024 Regulation S-P amendments. The compliance deadline for smaller advisor firms is June 3, 2026. That deadline is not hypothetical. It is on the calendar.
Third, documentation showing AI-assisted recommendations undergo human supervisory review before reaching clients. This is called the human in the loop. Firms need evidence the review is actually happening, in the form of records that survive an examination. The physical reality: examiners want to see signed review sheets, timestamps, or audit trails. Not promises.
The risk most principals have not fully mapped is shadow AI. Your advisors are using AI tools the firm has never reviewed, approved, or documented. Consumer AI tools are free, capable, and available on every personal device. Advisors use them for meeting prep, client communication drafts, research summaries, and portfolio commentary. The data flowing into those tools—client names, account details, portfolio positions, full client addresses—leaves the firm without a trace. The principals who believe this is not happening at their firm are misguided. The question is not whether shadow AI exists inside your walls. The question is whether you will surface it and govern it before an examiner or a data breach surfaces it for you.
An AI tool inventory is not just a governance best practice. It is the foundational step without which none of the rest of the program works. You cannot write an Acceptable Use Policy for tools you do not know about. You cannot document supervisory review of AI-influenced recommendations if you do not know which recommendations were influenced by AI. You cannot train staff on policies that do not address the tools they are actually using (a problem that has plagued compliance teams for years, frankly).
The Wealth Management publication details five specific items firms should build before June 2026. The first is a complete AI tool inventory surveying every tool in use across the firm, including tools used informally by staff on personal devices. The second is a written AI acceptable use policy classifying tools into approved, limited use, and prohibited categories. The third is vendor due diligence documentation addressing data handling practices, storage locations, retention periods, and security posture. The fourth is a supervisory procedure update addressing how AI-assisted recommendations are reviewed before client delivery. The fifth is staff training records showing employees understand the policies and procedures.
Let me be direct about the regulatory timeline. The SEC is not producing new artificial intelligence-specific rules for investment advisors anytime soon. The commission is shorthanded, the chair is deregulatory by conviction, and the Administrative Procedure Act sets a floor on rulemaking timelines that no amount of political will can compress below 18 months. You are looking at 2029 at the earliest. That is not a reason to relax. It is a reason to pay attention to the risk you are already carrying under the frameworks that exist right now.
The examination is already happening. Firms without documentation on AI tools, vendor oversight, and supervisory procedures are handing examiners compliance findings before conversations even begin. The gap between what most RIAs have and what examiners expect is larger than most principals realize. The physical experience of an examination: examiners will ask for documents. You will either hand them over or explain why you do not have them. The latter option creates findings.
Whether firms actually build these programs before the June 2026 deadline remains the real question. Many will wait until the last quarter, hoping the examination wave passes them by. That is a gamble with client data and regulatory standing. The tools exist. The requirements are clear. The only variable is whether principals will act before examiners force the issue.
Artūras Malašauskas is an AI Systems Integrator with 20+ years of production-grade web engineering experience. He has designed, shipped, and scaled enterprise Python/PHP systems for logistics, SaaS, and public-sector clients. For the past year, he has focused exclusively on AI integrations: deploying open-source LLMs, building generative media pipelines (image, audio, video), and engineering multi-agent workflows for real production environments. His standard: reproducibility, security, cost-efficient inference—no vaporware. He documents and evaluates emerging AI tooling, separating verified capabilities from marketing noise. Technical editor at: muza-ai.eu, ai-verslas.lt, ai-naujinos.lt