The SEC’s Division of Examinations published its 2026 priorities with a notable shift: artificial intelligence is now among the leading examination focus areas alongside digital assets for registered investment advisers and broker-dealers. That ordering is not cosmetic. It signals where examination staff will spend hours, what document requests will look like, and which firms will face follow-up deficiency letters.
This page gives CCOs and CROs a structured view of what the 2026 priorities require, where most firms have governance gaps today, and what a defensible program looks like before an examiner walks in.
What the SEC’s 2026 examination priorities say about AI
The Division of Examinations has consistently used its annual priorities letter to telegraph where it will concentrate resources. In prior cycles, crypto asset compliance dominated the risk narrative. In 2026, the priorities letter names AI use by registrants — including the use of AI in investment advice, trading, compliance monitoring, and client communications — as a primary area of focus.
The practical consequence: examiners arriving at your firm are now trained to ask about AI before they ask about digital assets. If your compliance program has not caught up, the gap will be visible.
Why AI moved ahead of crypto this cycle
Several forces converged to push AI to the top of the examination agenda.
First, adoption accelerated faster than governance. Firms deployed AI tools — for portfolio commentary, client onboarding, trade surveillance, and internal research — without building the supervisory frameworks that Advisers Act and Exchange Act obligations require. Based on recent sweep examination patterns, the SEC appears to view this governance gap as a growing source of risk.
Second, the SEC’s own enforcement posture shifted. In March 2024 the Commission settled charges against Delphia (USA) Inc. and Global Predictions Inc. for materially misleading statements about their AI capabilities — what the press called “AI washing.” Those cases established that AI-related representations are subject to the same antifraud standards as any other material statement.
Third, the intersection of AI with fiduciary duty created a novel compliance surface. When an AI system influences a recommendation, who is responsible for the output? How is that supervision documented? The 2026 priorities signal that examiners want answers, not aspirations.
The three core risk areas examiners will probe
Based on the priorities letter and the SEC’s broader AI-related guidance, examination staff will focus on three clusters:
Accuracy and fairness of AI-assisted communications and recommendations. This includes marketing materials, client-facing chatbots, and any AI-generated investment commentary. Examiners will look for evidence that outputs were reviewed, tested, and supervised before delivery.
Vendor and third-party AI oversight. Most firms do not build their own models. They use third-party tools — from large language model APIs to specialized fintech platforms. The SEC expects registrants to conduct due diligence on those vendors, understand the models being used, and maintain records of that oversight.
Conflicts of interest embedded in AI systems. If an AI system is trained on data that creates a systematic bias toward certain products, strategies, or counterparties, that bias may constitute an undisclosed conflict. Examiners will ask how firms identify and manage these conflicts.
What examiners will actually ask for
Document requests in AI-focused examinations are still evolving, but the pattern from recent sweeps and deficiency letters points to four categories of evidence.
Policies and procedures tied to specific AI use cases
Generic AI policies — “we review all AI outputs before use” — will not satisfy an examiner who wants to understand how your firm supervises a specific tool. Examiners want use-case-level documentation: what the tool does, what data it touches, who approved its deployment, and what controls govern its ongoing use.
If your written supervisory procedures reference AI at all, they likely do so at a level of abstraction that will not hold up under questioning. The 2026 examination cycle is the forcing function to fix that.
Model inventory and vendor oversight records
Examiners will ask for a list of every AI system the firm uses, including third-party tools. For each system, they will want to see:
- The vendor name and model version in use.
- The business function the system supports.
- The due diligence conducted before deployment.
- Ongoing monitoring records.
- Any material changes to the system since deployment.
Firms that cannot produce this inventory quickly will signal to examiners that governance is informal — which invites deeper scrutiny.
Audit trails and agent attribution
This is the area where most firms are most exposed. When an AI system takes an action — generates a document, flags a trade, sends a communication — there must be a record of what happened, when, and under whose authority. That record must be tamper-evident. A log that can be edited after the fact is not an audit trail in any meaningful sense.
Agent attribution is a related concept: if multiple AI systems or models contributed to an output, the record must show which agent did what. This matters for supervision, for error correction, and for demonstrating to an examiner that the firm’s controls actually work.
Supervisory controls and testing evidence
Written procedures are necessary but not sufficient. Examiners will ask for evidence that controls were tested and that testing produced records. This means periodic reviews of AI outputs, documented escalation paths when anomalies are detected, and records of any corrective action taken.
How this intersects with your broader regulatory stack
The SEC’s 2026 AI examination priorities do not exist in isolation. CCOs at RIAs and broker-dealers are managing a converging set of obligations that all touch AI governance.
NYDFS AI guidance and cyber insurance riders
The New York Department of Financial Services issued AI guidance that applies to DFS-regulated entities and has become a de facto benchmark for other state regulators. The guidance emphasizes model risk management, third-party oversight, and board-level accountability — themes that map directly onto the SEC’s examination focus.
Separately, cyber insurance renewals in 2026 have increasingly included AI Security Riders. Underwriters want to know what AI systems you run, how they are governed, and whether you can produce an audit trail in the event of an AI-related incident. The documentation your insurer wants and the documentation your examiner wants are largely the same.
10-K AI risk disclosure cycles
Publicly traded broker-dealers and RIA parent companies face an additional pressure point: the 10-K AI risk disclosure cycle. The SEC’s staff guidance on cybersecurity and AI risk disclosures requires that material AI risks be described with specificity. Boilerplate language about AI risks being “uncertain” is no longer sufficient. Firms need to describe actual risks, actual controls, and actual governance structures — which means those structures must exist and be documented.
CMMC L2 and cross-regulatory overlap
For firms with defense-sector clients or affiliates, the phased rollout of CMMC Level 2 requirements creates an additional governance layer. While CMMC is primarily a cybersecurity framework, its requirements for access control, audit logging, and configuration management overlap substantially with what good AI governance requires. Firms building AI governance programs for SEC examination readiness can often satisfy CMMC audit logging requirements with the same infrastructure.
The four governance gaps most firms cannot close today
After reviewing the examination priorities and the pattern of deficiency letters from recent AI-focused sweeps, four gaps appear consistently at firms that are not ready.
Gap 1: No centralized AI use-case inventory
Most firms have AI tools scattered across business units — a marketing team using a content generation tool, a compliance team using an AI-assisted surveillance platform, a portfolio management team using a third-party research tool. No one has a complete list. When an examiner asks for the inventory, the firm cannot produce it without a multi-week internal survey.
The inventory is the foundation of everything else. Without it, you cannot write use-case-level procedures, conduct meaningful vendor oversight, or demonstrate that your supervisory controls are comprehensive.
Gap 2: Vendor oversight without visibility
Firms often have vendor management programs that were designed for traditional software vendors. Those programs ask whether the vendor has SOC 2 certification, whether the contract includes appropriate data protection terms, and whether the vendor has a business continuity plan. They do not ask what model version is running, how the model was trained, what data was used, or how the vendor handles model updates.
For AI vendors, those questions are material. A model update can change output behavior in ways that affect the accuracy of investment-related communications or the fairness of recommendations. If your vendor oversight program does not capture model versioning and change management, it is not adequate for the 2026 examination environment.
Gap 3: Immutable audit trails that do not exist
This is the most consequential gap. Firms that use AI tools often have logs — but logs stored in systems where they can be modified, deleted, or simply not retained for the required period. An examiner who asks for the audit trail of a specific AI-generated output and receives a spreadsheet export from a mutable database will not be satisfied.
Immutability means the record cannot be altered after the fact. It means the record is signed — cryptographically or through a chain-of-custody mechanism — so that its integrity can be verified. Most firms do not have this today.
Gap 4: No pre-dispatch cost or action cap
This gap is less visible but increasingly relevant as firms deploy AI systems that can take actions — sending communications, executing queries, initiating workflows — without human review of each step. Without a pre-dispatch cap, an AI system can take actions that exceed the firm’s intended scope, create undisclosed costs, or generate outputs that were never reviewed.
A pre-dispatch cap holds a step before it executes if it would exceed a defined threshold — whether that threshold is defined in terms of cost, scope, or action type. This is a control mechanism, and examiners will eventually ask whether one exists.
Building an exam-ready AI governance program
Closing the four gaps above requires a structured program, not a one-time project. Here is a five-step framework that maps to what examiners will look for.
Step 1: Map every AI use case to a business function
Start with a complete inventory. Survey every business unit. Ask what tools they use, what those tools do, and what data they touch. Document each use case with enough specificity to write a procedure: what the tool does, what the output is, who receives the output, and what happens next.
This inventory becomes the backbone of your AI governance program. Every subsequent step depends on it.
Step 2: Assign ownership and attestation responsibility
For each use case in the inventory, assign a named owner — a person, not a team — who is responsible for the tool’s compliance with applicable policies. That owner should attest periodically that the tool is operating within its approved parameters, that vendor oversight is current, and that any material changes have been reviewed and approved.
Attestation records are evidence. They demonstrate that governance is active, not aspirational.
Step 3: Establish a signed, immutable audit trail
For every AI system that touches investment advice, client communications, or compliance monitoring, establish a signed audit trail. The trail should capture what the system did, when, what inputs it received, what output it produced, and who reviewed that output.
The trail must be immutable — stored in a system where records cannot be altered after the fact. It must be retained for the period required by applicable recordkeeping rules. And it must be producible on request, which means it must be organized and searchable, not buried in raw log files.
Brine builds a signed audit trail as standard for every workflow it governs — costing and attributing each action to its agent and model, with a pre-dispatch cap that holds a step before it overspends and a signed record that cannot be altered after the fact.
Step 4: Document supervisory controls with evidence
Write use-case-level procedures that describe how each AI tool is supervised. Then test those procedures and document the testing. Testing records are the evidence that your controls work — not just that they exist on paper.
Testing should include periodic review of AI outputs for accuracy and fairness, escalation path testing, and vendor oversight reviews. Each test should produce a dated record with findings and any corrective action taken.
Step 5: Run a pre-exam readiness review
Before an examiner arrives — or before your next annual review cycle — conduct a structured readiness review against the SEC’s 2026 examination priorities. The review should ask:
- Can we produce a complete AI use-case inventory within 24 hours?
- Can we produce vendor oversight records for every AI tool we use?
- Can we produce a signed, immutable audit trail for any AI-generated output from the past 36 months?
- Can we demonstrate that our supervisory controls were tested and that testing produced records?
- Can we show that our written procedures are use-case-specific, not generic?
If the answer to any of these questions is no, that is a gap to close before the examination, not during it.
What examiners will likely find at unprepared firms
The pattern from recent AI-focused examinations is consistent. Examiners arrive, request the AI use-case inventory, and receive either no response or a partial list assembled under pressure. They then request vendor oversight records and find that the firm’s vendor management program does not capture model-level information. They request audit trails and receive mutable log exports. They request testing evidence and find that procedures exist but testing records do not.
The result is a deficiency letter that covers multiple areas simultaneously — policies and procedures, recordkeeping, and supervisory controls. Multi-area deficiency letters are more difficult to remediate, more likely to result in follow-up examinations, and more likely to escalate to enforcement referrals if the underlying conduct is serious.
The firms that fare best in AI-focused examinations are not necessarily the firms with the most sophisticated AI programs. They are the firms that can produce documentation quickly, demonstrate that governance is active rather than aspirational, and show that someone with authority owns the program.
Frequently asked questions
Does the SEC’s 2026 examination focus apply to all RIAs, or only large ones?
The examination priorities apply to all registered investment advisers and broker-dealers, regardless of size. Smaller firms that use AI tools — even third-party tools — are subject to the same supervisory and recordkeeping obligations as larger firms. The examination staff has indicated that it will prioritize firms where AI use is most extensive, but that does not mean smaller firms are exempt.
What if we only use AI tools built by third parties and do not build our own models?
Third-party AI tools are squarely within the examination scope. The SEC expects registrants to conduct due diligence on the AI tools they use, understand how those tools work, and maintain oversight records. Using a third-party tool does not transfer compliance responsibility to the vendor.
How long must AI-related records be retained?
The applicable retention period depends on the nature of the record. Communications with clients must be retained for the period required by Rule 17a-4 (broker-dealers) or Rule 204-2 (investment advisers). Records of supervisory procedures and testing should be retained for at least three years. Firms should consult with counsel on the specific retention requirements applicable to their AI-related records.
What is the difference between an audit log and an immutable audit trail?
An audit log is a record of events. An immutable audit trail is a record of events that cannot be altered after the fact. The distinction matters because a mutable log can be edited — intentionally or inadvertently — in ways that undermine its evidentiary value. An immutable trail, signed at the time of each event, provides a verifiable record that examiners and courts can rely on.
How does AI governance intersect with our existing compliance program?
AI governance is not a separate program — it is an extension of your existing compliance program. The same obligations that govern human-driven investment advice, client communications, and supervisory controls apply to AI-assisted versions of those activities. The challenge is that most compliance programs were designed before AI tools were widely used and need to be updated to address AI-specific risks.
Next steps
The 2026 examination cycle is already underway. Firms that begin building their AI governance programs now have time to close gaps before an examiner arrives. Firms that wait until they receive an examination notice do not.
The five-step framework above gives CCOs and CROs a structured path: inventory, ownership, audit trail, supervisory controls, and readiness review. Each step produces documentation that is useful both for examination preparation and for ongoing governance.
If your firm has deployed AI tools and has not yet built the governance infrastructure to support them, the time to act is before the examination request arrives — not after.