Chevron Left
ALL RESOURCES
July 14, 2026

RIAs Need Practical AI Governance Before Regulators Demand It

This blog is part of our Defensible AI series for RIAs, focused on how existing compliance obligations apply to artificial intelligence use.

This article explains why AI governance is already a compliance priority across supervision, privacy, fiduciary duty, records, and investor protection.

We also look at why vendor oversight is now central to AI governance as third-party platforms add AI features that impact firm data and workflows.

Read Chapter: 1 | 2 | 3 | 4 | 5

Chapter #4 Introduction

One of the biggest mistakes firms can make with AI is assuming regulatory expectations will only begin once new AI-specific rules are introduced. In reality, most of the risks created by AI already fall within existing compliance, supervision, privacy, fiduciary, and recordkeeping obligations.

For RIAs, this means AI governance should not be treated as a future problem or a separate technology initiative. Whether AI is used to support client communications, investment analysis, surveillance, compliance reviews, marketing, or operational workflows, regulators are still likely to evaluate outcomes through the same core principles that already apply today: investor protection, supervision, accuracy, transparency, privacy, and accountability.

AI governance starts with visibility.

Before your firm can supervise AI use, it needs to know where AI exists, what data it touches, and which workflows may create regulatory exposure.

See how SurgeONE helps RIAs build defensible AI oversight.

As firms continue adopting AI tools across the organization, the focus should be on whether the firm has reasonable controls around how the technology is being used, what risks it creates, and how those risks are being monitored over time.

Regulators May Not Need New AI Rules to Enforce AI Failures

A common misconception is that firms can wait for specific AI rules before building governance. That is a risky assumption. The absence of AI-specific rules does not mean the absence of regulatory exposure.

A useful comparison is algorithmic and high-frequency trading. When algorithmic trading accelerated, regulators did not need an entirely new framework to bring enforcement actions. They applied existing rules related to manipulation, supervision, and firm responsibility.

The same logic applies to AI. If AI contributes to a misleading recommendation, a privacy breach, deficient supervision, inaccurate records, fraudulent representation, or failure to follow procedures, regulators can evaluate the conduct under existing obligations.

For RIAs, this means AI governance should be mapped to existing compliance categories rather than treated as a separate technology issue.

AI and Investor Harm

Regulatory scrutiny will focus heavily on investor harm or potential investor harm. This can arise in several ways.

AI may generate inaccurate client communications. It may summarize investment risks incorrectly. It may produce a recommendation or analysis based on outdated or incomplete data. It may expose client information. It may create biased outputs. It may be used in workflows that affect trading, supervision, or client service without adequate review.

The key issue is not whether the firm intended harm. The issue is whether the firm had reasonable controls to prevent, detect, and correct foreseeable risk.

If AI is used in any process that touches investor outcomes, firms should apply heightened scrutiny. That includes client communications, recommendations, portfolio reviews, risk assessments, financial plans, account surveillance, complaint analysis, trade monitoring, and marketing materials.

AI and Reg BI, Fiduciary Duty, and Recommendations

AI can create issues if its output constitutes or supports a recommendation to buy or sell particular securities.

For RIAs, the analysis should be tied to fiduciary duty. If an AI tool contributes to advice, recommendations, portfolio construction, or client-specific analysis, the firm must ensure the output is appropriate for the client’s circumstances and consistent with the firm’s obligations. AI should not be allowed to generate client-facing advice without qualified review.

Firms should be careful not to let productivity tools drift into advice functions. A tool originally approved for summarization may later be used to draft recommendations. A tool approved for research may later be used to produce client-ready commentary. A tool approved for internal analysis may become part of a client deliverable.

This is why use-case boundaries matter. AI governance should specify not only which tools are approved, but what those tools are approved to do.

AI and Privacy

Non-public personal information and client data exposure are among the most serious AI risks. Privacy risk is especially acute when employees use public AI tools or personal accounts. If client data is entered into an open AI system, the firm may lose control over where that data goes, how it is stored, whether it is retained, and whether it can be retrieved or deleted.

The firm’s AI policy should include bright-line rules about data entry. These rules should be practical enough that employees understand them. For example:

  • Do not enter client names, account information, financial data, or personally identifiable information into unapproved AI tools.
  • Do not upload client files, statements, reports, agreements, or compliance records into unapproved AI tools.
  • Do not use personal AI accounts for firm business.
  • Do not use AI note-taking tools for client or internal meetings unless approved.
  • Do not use AI-generated output in client-facing communications without required review.
  • Do not rely on AI for final compliance, legal, investment, or supervisory judgment.

The firm should then test whether employees are following those rules.

AI and Recordkeeping

AI also creates recordkeeping issues. If employees use AI to generate content, summarize meetings, draft communications, or analyze records, the firm must determine whether prompts, outputs, approvals, edits, and final versions need to be retained. If AI tools operate outside approved systems, the firm may lose records that should have been preserved.

This is another reason personal AI accounts are problematic. Even if no client data is exposed, the firm may not be able to retain or supervise the activity.

A defensible AI framework should define recordkeeping standards for each use case. For high-risk uses, the firm should preserve enough information to reconstruct what happened. That may include:

  • Prompt or instruction
  • Data source used
  • AI-generated output
  • Human edits
  • Reviewer name
  • Approval date
  • Final version
  • Related client or account context, if applicable
  • Exception notes
  • Testing results

The goal is not to retain unnecessary noise. The goal is to preserve evidence of supervision and decision-making where regulatory risk exists.

AI and Hallucinations

AI hallucinations are not just a technical issue. They are a compliance issue when AI output is used in regulated contexts.

A hallucination in a public blog draft may create reputational risk. A hallucination in a client report, compliance procedure, regulatory response, or supervisory review can create regulatory risk. The firm should assume AI output requires validation, especially when it involves legal, regulatory, investment, or client-specific content.

Testing should be ongoing. AI tools change. Vendor models update. Data sets become stale. Software changes may alter outputs. A control that worked six months ago may not work today.

Conclusion

AI may be evolving quickly, but the expectations around supervision and accountability have not changed. Regulators are unlikely to view AI as an exception to existing compliance responsibilities, especially when investor harm, inaccurate communications, privacy failures, or weak oversight are involved.

That is why firms should approach AI governance as an extension of their broader compliance framework rather than as a standalone technology issue. The goal is not to eliminate innovation or avoid using AI altogether. It is to make sure AI is being used in a way that remains consistent with the firm’s fiduciary duties, supervisory responsibilities, and operational controls.

The firms that will be strongest from a regulatory and operational standpoint are the ones building governance early and applying existing compliance principles thoughtfully and consistently in an ever-changing technological environment.

Author:  
SurgeONE Team