CCO AI governance responsibilities and CRO AI risk management obligations have converged on the same problem — AI systems embedded in investment advice, trade execution, and client communications — but they require fundamentally different answers. As the SEC’s 2026 examination priorities place AI governance at the top of the agenda for RIAs and broker-dealers, the firms that struggle most are those where the CCO and CRO are still negotiating who owns what. Each executive’s distinct obligations, and how those obligations map to what SEC examiners will ask, are defined in the sections that follow.
Where CCO and CRO Mandates Diverge Under SEC AI Examination Standards
AI has created two distinct categories of obligation that, if conflated, leave material gaps in a firm’s governance structure.
The chief compliance officer AI governance mandate centers on regulatory adherence: written policies, supervisory procedures, and the accuracy of disclosures made to clients and regulators. The CRO’s mandate centers on risk integrity: whether AI models perform as intended, whether their outputs are reliable, and whether failures are escalated before they become regulatory events.
A model can be technically sound — validated, well-documented, performing within tolerance — and still generate a disclosure that misrepresents how it influences investment recommendations. Conversely, a disclosure can be accurate while the underlying model has drifted in ways that materially affect client outcomes. Both failures are exam findings. They just belong to different executives.
The SEC has been explicit that AI governance roles and responsibilities must be assigned, documented, and tested. The SEC 2026 Examination Priorities: What Investment Advisers and Broker-Dealers Need to Know About AI makes clear that examiners will probe whether firms have defined accountability at the individual executive level — not just at the program level. "We have an AI governance program" is not a sufficient answer. "Our CCO owns policies and disclosures; our CRO owns model validation and risk escalation" is.
The CCO’s Core AI Governance Responsibilities: Policies, Supervision, and Disclosure
Chief Compliance Officer AI responsibilities under SEC examination standards fall into three categories: written policies and procedures, supervisory controls, and client-facing disclosure.
Written policies and procedures. Under Rule 206(4)-7 for RIAs and FINRA Rule 3110 for broker-dealers, CCOs are required to maintain written policies reasonably designed to prevent violations. For AI, this means policies that specifically address: which AI systems are in use, what decisions they influence, how those systems are reviewed for regulatory compliance, and what triggers a policy update when a system changes. Generic technology policies that predate the firm’s AI deployments do not satisfy this standard.
Supervisory controls. The CCO’s compliance officer AI risk assessment function includes reviewing whether supervisory procedures actually govern AI-assisted activities. If a model generates client-facing recommendations or filters trade alerts, the supervisory framework must account for that. Examiners will ask whether supervisory procedures were updated when AI tools were deployed — and whether those updates were tested.
Client-facing AI disclosures. This is where chief compliance officer AI governance intersects most directly with investor protection. The SEC has signaled concern about firms that use AI in ways that are not adequately disclosed in Form ADV, client agreements, or marketing materials. The CCO owns the accuracy and completeness of those disclosures. That includes ensuring that descriptions of AI use are not so vague as to be misleading, and that material conflicts of interest introduced by AI systems — such as optimization for firm revenue — are disclosed.
For a structured approach to building these components, the AI Governance Framework for Investment Advisers: Meeting SEC Examination Standards provides a practical starting point for CCOs mapping their current documentation against examination expectations.
AI compliance broker-dealer requirements add a layer of complexity: FINRA’s supervisory framework requires that broker-dealers treat AI-assisted recommendations with the same supervisory rigor as human-generated ones. The CCO must ensure that the firm’s written supervisory procedures (WSPs) reflect this.
The CRO’s AI Risk Management Framework: Model Validation, Risk Assessment, and Escalation
CRO AI risk management investment adviser obligations differ from compliance obligations in one fundamental way: the CRO is accountable for whether AI systems work correctly, not just whether they are disclosed correctly.
Model validation. Chief risk officer AI compliance work begins with a validation framework that establishes how models are tested before deployment, how they are monitored in production, and how often they are re-validated. For investment advisers, this means defining acceptable performance thresholds, identifying the metrics that indicate drift or degradation, and establishing who conducts validation — internal teams, third-party validators, or both. The CRO AI governance framework should document each of these decisions and create an auditable record of validation outcomes.
Ongoing risk assessment. The compliance officer AI risk assessment function that sits within the CRO’s domain is not a one-time exercise. Models trained on historical data can behave differently as market conditions change. The CRO must maintain a cadence of risk reviews that is proportionate to the materiality of each model’s influence on client outcomes. A model that screens for ESG compliance in a portfolio carries different risk than one that generates real-time trade recommendations — and the review cadence should reflect that difference.
Escalation paths. Chief Risk Officer AI governance requires more than identifying risks — it requires defined paths for escalating material findings to the board and, where required, to regulators. The CRO must document what constitutes a material AI risk event, who is notified, within what timeframe, and what remediation steps are required. Examiners will look for evidence that escalation paths exist on paper and that they have actually been used.
The AI Model Risk Management and Validation: Compliance Requirements for Financial Services post covers the technical standards for model validation in more depth, including the documentation examiners expect to see.
Board Oversight and the CCO–CRO Accountability Structure SEC Examiners Expect to See
AI governance board oversight carries direct examination consequences. The SEC expects that boards of RIAs and broker-dealers are receiving regular reporting on AI risk and that the accountability structure connecting the CCO and CRO to the board is documented.
What does that structure look like in practice? At minimum, it includes:
- A defined reporting cadence. The board should receive AI governance updates at a frequency that reflects the firm’s AI risk profile. For firms with material AI deployments, quarterly reporting is a reasonable baseline. That reporting should cover both compliance status (CCO) and risk status (CRO).
- Clear ownership of board-level escalation. AI governance roles and responsibilities must specify which executive escalates which category of finding. Compliance failures — policy gaps, disclosure deficiencies, supervisory breakdowns — escalate through the CCO. Model failures, risk limit breaches, and validation findings escalate through the CRO. Overlap is expected; ambiguity is not.
- Documented board engagement. Examiners will ask whether the board has been informed of material AI risks and how it has responded. Board minutes, written reports, and formal acknowledgments of AI governance updates are the evidence that supports this. Chief Compliance Officer AI responsibilities include ensuring that disclosures and compliance findings are presented to the board in a form that supports informed oversight. Chief Risk Officer AI governance responsibilities include ensuring that model risk findings are translated into terms the board can act on.
AI compliance broker-dealer requirements impose additional obligations here: FINRA expects that broker-dealer boards and senior management are engaged in the oversight of AI systems that affect customers. The accountability structure must be visible to examiners — not reconstructed after the fact.
SEC Exam Readiness: What Examiners Will Test the CCO and CRO On
Exam readiness for AI governance comes down to documentation — and the ability to produce it quickly. Examiners are not looking for perfection; they are looking for evidence that the firm has thought carefully about AI governance and assigned accountability at the executive level.
What examiners will ask the CCO:
- Produce your written AI governance policies and procedures. When were they last updated? What triggered the update?
- Show us your Form ADV disclosures related to AI use. How do they describe the role of AI in investment recommendations?
- Walk us through your supervisory procedures for AI-assisted activities. How are those procedures tested?
- Has your compliance officer AI risk assessment process identified any gaps in the past 12 months? What remediation was taken?
What examiners will ask the CRO:
- Produce your model inventory. What AI systems are in production, and what decisions do they influence?
- Show us your validation documentation for each material model. When was the last validation? What were the findings?
- Walk us through your escalation framework. What constitutes a material AI risk event, and what happened the last time one was identified?
- How does CRO AI risk management investment adviser reporting reach the board? Show us the last board report on AI risk.
The documentation gap most firms have. The most common finding is not that firms lack policies — it is that policies exist but have not been updated to reflect the AI systems actually in use, or that validation documentation exists but is not organized in a way that survives an exam request. The How to Prepare for a SEC AI Governance Examination: Checklist for Investment Advisers and Broker-Dealers provides a documentation checklist mapped to the specific requests examiners are likely to make.
For the specific documentation and audit trail standards examiners apply, What SEC Examiners Will Ask About Your AI Controls: Documentation and Audit Trail Requirements covers the evidentiary standards in detail.
If you are evaluating platforms to support your AI governance program, the AI Governance Platforms for Investment Advisers and Broker-Dealers: Buyer’s Guide outlines the capabilities CCOs and CROs should require.
Is your AI governance documentation ready for an SEC examination? If you are not certain whether your current policies, validation records, and board reporting would satisfy an examiner’s request, a structured readiness assessment can identify the gaps before they become findings. Request a governance readiness assessment to see where your CCO and CRO documentation stands against current examination standards.
This post is part of the cluster supporting the pillar: SEC AI Examination Priorities for Investment Advisers — covering the full scope of what the SEC is examining, how to prepare your program, and the documentation standards examiners apply.