AI GOVERNANCE
AI Governance Guide for Regulated Organizations
A practical framework for governing AI tools under SEC, FINRA, and HIPAA requirements.
Select your regulated body below to see requirements tailored to your obligations.
SEC-regulated firms — investment advisers, broker-dealers, and public companies — face specific AI governance obligations under the Investment Advisers Act, Regulation S-P, and the SEC's 2023 AI/predictive analytics proposed rules. This guide covers what the SEC expects.
1. Regulatory Landscape for AI Under SEC
The SEC has signaled aggressive oversight of AI use in financial services. Key frameworks include: • Investment Advisers Act §206: AI-driven recommendations may constitute investment advice subject to fiduciary duty. • Proposed Rule on Predictive Data Analytics (August 2023): Would require advisers and broker-dealers to evaluate and neutralize conflicts of interest in AI/predictive models. • Regulation S-P: Requires safeguarding client data used by AI systems. • Regulation S-ID (Identity Theft Red Flags): AI authentication and fraud detection must meet program standards. • Form ADV Disclosure: Firms must disclose AI use in investment decision-making and associated risks. Risk signal: The SEC has already charged firms for AI-washing — claiming AI capabilities that don't exist. Your governance posture must be defensible, documented, and consistent with public disclosures.
2. AI Inventory and Classification
Every AI tool your firm uses must be catalogued before it can be governed. Build and maintain: • AI Asset Register: Tool name, vendor, version, deployment date, use case, data inputs, decision outputs. • Risk Classification: Classify each tool as Low / Medium / High based on: (a) whether it touches client assets or recommendations, (b) whether it processes regulated data (PII, financial records), (c) whether outputs are autonomous vs. human-reviewed. • Vendor Due Diligence: For third-party AI, obtain vendor AI governance documentation, SOC 2 Type II, and data processing agreements. SEC exam readiness: Examiners will ask for your AI inventory on Day 1. If you can't produce it, you're starting from a deficit.
3. Conflict of Interest Analysis
Under the proposed Predictive Data Analytics rule, firms must: • Identify any AI model that could place firm interests ahead of client interests (e.g., models that optimize for fee revenue rather than suitability). • Document the conflict analysis methodology. • Implement neutralization measures — configuration changes, human override requirements, or model replacement. • Maintain records of the analysis and remediation for examination. This is the highest-stakes AI governance obligation currently facing SEC-registered advisers. Even if the rule is not finalized in its current form, the underlying fiduciary duty obligation is already enforceable.
4. Recordkeeping for AI Systems
SEC recordkeeping rules (Rules 17a-3, 17a-4, and adviser equivalents) apply to AI-generated outputs when those outputs constitute records: • Communications: AI-drafted client communications are books and records. • Trade Recommendations: If AI generates or influences trade recommendations, the basis for those recommendations is a required record. • Surveillance Outputs: AI surveillance alerts, dispositions, and escalations must be retained. • Audit Logs: Retain AI model version history, configuration changes, and retraining events. Retention minimum: 3 years accessible / 6 years total for most broker-dealer records. Adviser records: 5 years.
5. Supervision Framework
Your written supervisory procedures (WSPs) must be updated to address AI: • Designated AI Supervisor: Assign a named individual responsible for AI governance (often CCO or CTO). • Review Cadence: Establish periodic review of AI outputs for accuracy, bias, and regulatory compliance. • Escalation Path: Define what triggers human review of AI-generated outputs. • Testing Protocol: Annual testing of AI systems for conflict of interest and suitability alignment. • Change Management: Any material change to an AI system (new version, new data inputs, new use case) triggers a fresh governance review.
6. Exam Preparation Checklist
Before an SEC examination, confirm you can produce: ☐ Current AI asset inventory with risk classifications ☐ Written AI governance policy signed by senior management ☐ Conflict of interest analysis for each client-facing AI tool ☐ Updated WSPs referencing AI supervision ☐ Vendor agreements with AI/data governance provisions ☐ Records of AI training, configuration, and version changes ☐ Evidence of periodic AI review (testing results, meeting minutes) ☐ Disclosure documents (Form ADV, client agreements) reflecting AI use
Get this guide as a formatted PDF.
Download the complete SEC edition to keep on file and share with your compliance, security, and leadership teams.
The Centience Governance Program
A guide tells you what’s required. The program makes it real — and keeps it that way.
Centience builds and operates the governance program behind these requirements — continuously, with audit-ready evidence. Start with a Governance Readiness Review.
Request a Governance Readiness Review