Blog

SEC AI Examination Readiness: Checklist for CCOs and CROs

SEC examination preparation for investment advisers now includes AI governance. This checklist helps CCOs and CROs document AI programs, validate models, and pass exams.

12 min read

SEC examination preparation investment adviser programs have changed materially over the past two years. Examiners who once focused on trading practices, fee disclosures, and cybersecurity controls now arrive with specific questions about how firms govern artificial intelligence — what models are running, who approved them, how they are monitored, and what happens when they fail. If your AI governance program exists only in a slide deck or a vendor contract, you are not ready. This post is written for CCOs and CROs at registered investment advisers and broker-dealers who need a concrete, examiner-facing readiness posture before the next cycle. It covers the documentation you need on file, what model validation evidence looks like in practice, and how to reconcile SEC requirements with NYDFS obligations if you operate in New York.


What SEC Examiners Are Actually Looking For in AI Programs

The SEC’s Division of Examinations has signaled, through its annual examination priorities and risk alerts, that AI governance is no longer a peripheral concern. Examiners are not conducting academic reviews of machine learning architecture. They are applying a compliance lens: Is there a policy? Is it followed? Is there evidence? The examination focus areas that CCOs should anticipate include:

  • Use-case identification. Examiners want to know which AI and machine learning tools the firm uses and for what purposes — portfolio construction, trade surveillance, client communication, marketing, compliance monitoring. Firms that cannot produce a current inventory of AI applications will struggle from the first request.
  • Governance accountability. Who owns AI risk at the firm? Is there a named individual or committee with documented authority over AI adoption decisions? Examiners are looking for governance structures that parallel what they already expect for cybersecurity and third-party risk.
  • Disclosure accuracy. If a firm’s Form ADV or marketing materials describe how investment decisions are made, those descriptions must accurately reflect the role AI plays. Misleading or incomplete disclosure about algorithmic tools is a direct enforcement risk.
  • Conflict identification. AI tools that optimize for outcomes that benefit the firm — fee generation, trading volume, product placement — require documented conflict analysis. Examiners will ask whether conflicts were identified and how they were mitigated.

For a detailed breakdown of what the Division of Examinations has prioritized heading into the next examination cycle, see SEC AI Examination Priorities 2026: What Investment Advisers Need to Know.


AI Governance Documentation Requirements: What You Must Have on File

AI governance documentation requirements under SEC examination standards are not codified in a single rule. They emerge from the intersection of existing obligations — the Advisers Act, Regulation S-P, the Marketing Rule, and the fiduciary standard — applied to AI contexts. Examiners use document requests to test whether firms have operationalized governance or merely described it. The documentation artifacts that CCOs should have ready include:

  • AI use-case inventory. A living register of every AI or algorithmic tool in production, including vendor-provided tools embedded in third-party platforms. Each entry should identify the use case, the data inputs, the decision or output the tool produces, and the business owner.
  • AI governance policy. A written policy that covers AI adoption approval, ongoing monitoring, incident response, and annual review. An AI governance policy template for financial services should address risk tiering (not every chatbot carries the same risk as an algorithmic trading model), escalation paths, and board or senior management reporting.
  • Change management records. Documentation of material changes to AI models or vendor tools, including who approved the change and what testing occurred before deployment.
  • Training records. Evidence that relevant personnel — portfolio managers, compliance staff, client-facing employees — have received training on AI-related policies and the firm’s specific tools.
  • Incident and exception logs. Records of AI-related failures, anomalies, or policy exceptions, including how they were resolved. Examiners treat the absence of any incident log as a sign that monitoring is not actually occurring.

The CCO AI examination preparation posture that survives scrutiny is one where documentation is current, version-controlled, and retrievable within hours of a request — not reconstructed after the fact. For a broader view of how CCOs and CISOs should divide AI governance responsibilities, the CCO and CISO Guide to AI Governance Responsibilities Under NYDFS covers role delineation in detail.


AI Model Validation and Third-Party Vendor Evidence

AI model validation compliance is an area where many investment advisers have significant gaps. Validation is not simply testing that a model produces outputs — it is a structured process of confirming that the model performs as intended, that its limitations are understood, and that it continues to perform appropriately over time as market conditions and data inputs change. Examiners expect to see:

  • Initial validation documentation. For proprietary models, this means records of pre-deployment testing, including backtesting methodology, out-of-sample performance, and any known failure modes. For vendor-provided models, it means the due diligence conducted before adoption.
  • Ongoing performance monitoring. Evidence that someone is watching model outputs against expected behavior on a defined schedule. This includes drift detection — identifying when a model’s outputs begin to diverge from its validated behavior — and the process for escalating anomalies.
  • Model governance ownership. A named individual or function responsible for each model’s ongoing validation. In smaller firms, this may be the CCO or CRO. In larger firms, a dedicated model risk function is expected.

Third-party AI vendor risk management deserves particular attention. Many investment advisers use AI capabilities embedded in portfolio management systems, CRM platforms, or compliance tools without recognizing that they have adopted AI. Examiners will ask about vendor due diligence regardless of whether the AI is proprietary or third-party. The documentation standard for vendor AI includes: pre-contract due diligence records, contractual provisions covering data use and model transparency, ongoing vendor monitoring evidence, and a process for evaluating material changes the vendor makes to its models. For firms evaluating the platforms and tools available to support this work, AI Governance Tools and Platforms for NYDFS-Regulated Banks covers the vendor landscape in depth.


The Pre-Exam Readiness Checklist for CCOs and CROs

This SEC exam readiness checklist for AI governance is organized by examination domain. Work through each section before an exam cycle opens — not after you receive the document request.

Governance Structure

  • Named AI governance owner (individual or committee) with documented authority
  • Board or senior management briefed on AI risk at least annually, with meeting minutes
  • Written AI governance policy reviewed and approved within the last 12 months
  • AI risk tiering framework in place (distinguishing high-risk from low-risk use cases)

Use-Case Inventory

  • Current AI use-case inventory covering all production tools, including vendor-embedded AI
  • Each entry includes: use case, data inputs, output type, business owner, risk tier
  • Inventory reviewed and updated on a defined schedule (quarterly recommended)
  • Inventory includes tools used by third parties that process firm or client data

Documentation and Policies

  • AI governance policy covers adoption approval, monitoring, incident response, and review
  • Change management records exist for all material model or tool changes in the past 24 months
  • Training records confirm relevant personnel have completed AI-related training
  • Incident and exception log maintained with resolution documentation

Model Validation

  • Pre-deployment validation records exist for all proprietary models
  • Ongoing performance monitoring schedule defined and followed, with evidence
  • Drift detection process documented and tested
  • Model governance owner named for each production model

Third-Party Vendor Oversight

  • Pre-contract due diligence records for all AI vendors
  • Contracts include provisions on data use, model transparency, and change notification
  • Ongoing vendor monitoring evidence (periodic reviews, questionnaires, SOC reports)
  • Process documented for evaluating vendor-initiated model changes

Disclosure and Conflicts

  • Form ADV descriptions of investment process accurately reflect AI’s role
  • Marketing materials reviewed for accuracy regarding algorithmic or AI-driven claims
  • Conflict analysis documented for any AI tool that could benefit the firm at client expense
  • Conflict mitigation measures implemented and recorded

Exam-Day Readiness

  • Document retrieval process tested — all items above accessible within 24 hours
  • Designated exam coordinator identified and briefed
  • Exam response protocol documented, including escalation path for unexpected requests

This bank examiner AI governance checklist maps directly to the workflow examiners follow when reviewing AI programs. Firms that can produce evidence against each item are in a materially stronger position than those reconstructing documentation after the request arrives.


Multi-Regulator Considerations: Where NYDFS and SEC Requirements Overlap

Investment advisers that are also licensed or regulated under New York Department of Financial Services authority face a dual compliance burden that, managed well, can actually reduce total documentation effort. The NYDFS vs. SEC AI governance requirements share enough structural overlap that a single documentation architecture can satisfy both. The areas of alignment are substantial. Both regulators expect a written AI governance policy, a use-case inventory, third-party vendor oversight documentation, and evidence of ongoing monitoring. Both treat AI governance as an extension of existing cybersecurity and risk management obligations rather than a separate regulatory regime. Both expect senior management accountability. The areas of divergence require attention. NYDFS guidance, issued under its cybersecurity regulation framework, places particular emphasis on AI as a cybersecurity risk vector — adversarial inputs, model manipulation, data poisoning. The SEC’s focus is more concentrated on investor protection, disclosure accuracy, and conflicts of interest. A firm subject to both should maintain documentation that speaks to both risk frames without treating them as entirely separate programs. The practical approach: build one AI governance policy that addresses both the cybersecurity risk framing NYDFS expects and the investor protection framing the SEC applies. Maintain one use-case inventory that captures the data fields both regulators care about. Run one annual review that produces evidence usable in both examination contexts. For implementation guidance on the NYDFS side of this equation, the NYDFS AI Compliance Checklist and Implementation Roadmap for Banks provides a parallel structure to the SEC checklist above. The broader compliance framework for firms navigating both regulators is covered in the canonical guide to NYDFS AI Cybersecurity Guidance Compliance.


Get Exam-Ready Before the Request Arrives

The firms that handle SEC AI examinations well are not the ones with the most sophisticated AI programs. They are the ones with the most organized documentation. Examiners work from what they can see — policies, inventories, logs, and records. A well-governed AI program with thorough documentation fares significantly better than a technically impressive program with gaps in its paper trail. If you are not certain your current AI governance documentation would hold up to an examiner’s document request, the time to find out is before the exam, not during it.

  • Request a readiness assessment to identify documentation gaps against the checklist above, ordownload our AI governance policy template for financial services to accelerate the policy drafting process. Both are available through our compliance advisory team — reach out to schedule a working session.
Brine

Build, hire, and govern every AI system in your environment.

Describe a workflow in plain English and Brine builds it, runs it on your data, and governs every step — costing and attributing each action to its agent and model, with a pre-dispatch cap that holds a step before it overspends and a signed audit trail as standard.

Scope a pilot More resources