The SEC's Division of Examinations included AI in its 2024 and 2025 examination priorities. The 2026 examination cycle continues that focus. For registered investment advisers (RIAs), this is not an abstract regulatory development. Examiners are actively reviewing AI governance programs — or the absence of them — during routine inspections.
$225K: Delphia penalty (SEC AI washing, March 2024)
$175K: Global Predictions (SEC AI washing, March 2024)
$1.6M: Rockwell Capital (disgorgement + penalties)
$8.2B: Total SEC fines, FY2024 (record enforcement year)
This article covers what the examination program is looking for, where RIAs are most exposed, and what a defensible AI governance structure looks like under existing securities law.
The Regulatory Framework Is Already in Place
The SEC has not issued AI-specific regulations. It does not need to. The existing regulatory framework applies fully to AI:
Investment Advisers Act of 1940. Section 206 prohibits fraudulent or deceptive practices. The SEC's AI washing enforcement actions (Delphia, Global Predictions, Rockwell Capital) were brought under Section 206 and the Marketing Rule — not new AI regulations.
Regulation S-P. Governs the safeguarding of customer financial information. If AI tools process client data, Reg S-P applies. Examiners will ask whether client information is being submitted to AI platforms without appropriate safeguards.
Books and Records Rules (Rule 204-2). If AI tools generate or assist in creating client communications, investment recommendations, or research, those outputs may be required books and records. Most RIAs have not updated their recordkeeping policies to address AI-generated content.
Marketing Rule (Rule 206(4)-1). All AI-generated marketing content is subject to the same substantiation, fair and balanced presentation, and anti-testimonial requirements as human-generated content. This is the specific rule under which AI washing penalties were assessed.
What SEC Examiners Are Reviewing
Based on SEC examination priority letters and enforcement actions through early 2026, examination staff are specifically reviewing:
1. AI Representations vs. Reality
The first AI washing cases established that examiners will verify whether firms actually use AI the way they claim. If your ADV, marketing materials, website, or client presentations describe AI-driven portfolio management, automated rebalancing, or AI-enhanced research, examiners will ask for technical documentation that the AI does what you say it does.
Firms that cannot substantiate their AI claims face Marketing Rule violations. The Delphia penalty was $225,000; Global Predictions paid $175,000. These were settled without admission of wrongdoing. Litigated cases carry substantially higher exposure.
2. Written Supervisory Procedures Covering AI
FINRA Rule 3110 (for broker-dealers) and the general supervisory framework for RIAs under the Advisers Act require firms to supervise all business activities of supervised persons. This obligation does not stop at AI-generated content or AI-assisted decision-making.
Examiners will ask whether your WSPs address:
3. AI Vendor Due Diligence
If your firm uses third-party AI tools — including tools embedded in your portfolio management software, CRM, or communications platforms — you are responsible for governance of those tools. Examiners will ask what vendor due diligence you performed, whether you understand how client data is handled, and whether your contractual arrangements adequately protect client information.
4. AI Inventory
A recurring theme in SEC examination requests is a demand for an inventory of all technology systems in use. AI tools — whether licensed, subscribed, or embedded — must be in that inventory. Firms that cannot produce one face examination criticism even before substantive compliance issues are assessed.
Where RIAs Are Most Exposed Right Now
Shadow AI. Employees using personal AI accounts (ChatGPT Plus, Claude Pro, Google One AI) to perform client-related work. These tools are outside the firm's supervisory framework, generate no recordable audit trail, and frequently involve submission of client information to third-party platforms without appropriate data handling agreements.
Unapproved AI in client communications. Advisers using AI to draft emails, letters, or reports to clients without disclosure or supervisory review. If those communications contain investment recommendations or performance information, they are subject to the Marketing Rule.
AI in marketing without substantiation files. Websites and marketing materials referencing AI capabilities without a contemporaneous record of the factual basis for those representations. This is the exact pattern that triggered the 2024 AI washing enforcement actions.
Missing or outdated CCO policies. Chief Compliance Officers who have not updated their compliance programs to address AI since 2023 have a documented gap. Examiners who identify it will cite it as a failure of the firm's compliance program under the Compliance Rule (Rule 206(4)-7).
What a Defensible AI Governance Program Looks Like
A defensible AI governance program for an SEC-registered investment adviser has five components:
AI Inventory. Document every AI tool in use, by employees and embedded vendors. Review quarterly.
AI Policy. Written policies addressing authorized AI tools, prohibited uses, client data handling, disclosure requirements, and supervisory review of AI-generated content. Incorporated into the firm's overall compliance policies.
Updated WSPs. Written Supervisory Procedures that explicitly address AI tool usage, AI-generated communications review, and AI-assisted investment processes.
Marketing Review Process. A documented review workflow for any AI-generated marketing content, with substantiation files maintained for any AI-related capability claims.
Annual Review Documentation. Evidence that AI governance is included in the firm's annual compliance program review required under Rule 206(4)-7.
Why Infrastructure Control Matters
Most compliance consultants can write the policies. What they cannot do is enforce them. A WSP that says employees must not use unapproved AI tools is unenforceable without technical controls that block access to unapproved platforms.
Centience builds AI governance programs on managed infrastructure. Your endpoints, network, and cloud environment are under our management — which means DLP rules blocking unauthorized AI access are technically active, not aspirational. When an examiner asks whether controls are in place, the answer is documented in system logs, not just policy documents.