SEC examiners do not arrive at an investment adviser’s office asking vague questions about artificial intelligence. They arrive with document request lists. Firms that have not built a paper trail around their AI systems — policies, risk assessments, validation records, decision logs — find themselves scrambling to reconstruct documentation that should have existed from the moment a model went into production. The SEC AI governance examination investment adviser community has learned this the hard way: what distinguishes a clean exam from a deficiency letter is not whether policies exist, but whether they are specific, current, and supported by model-level evidence.
This post translates the SEC’s stated examination priorities into a concrete documentation framework. It covers written policies, model-level risk records, audit trail standards, and the most common deficiencies CCOs and CROs encounter when they finally look at their AI governance files through an examiner’s eyes.
What SEC Examiners Actually Request: The AI Documentation Checklist
The SEC’s Division of Examinations has been explicit that AI governance is a priority area. The 2025 and 2026 examination priorities letters both identified how firms use AI in investment decision-making, trading, and client interactions as a focus, and staff have signaled that documentation quality — not just the existence of policies — is what distinguishes a clean exam from a deficiency letter.
For a full picture of the regulatory landscape driving these requests, see SEC AI Examination Priorities for Investment Advisers.
When examiners arrive, an SEC examination manual AI governance document request for an investment adviser or broker-dealer typically covers the following categories:
- Inventory of AI and algorithmic tools — a complete list of models and automated systems used in investment advice, trading, surveillance, client communications, or compliance functions
- Written policies and procedures governing AI development, deployment, and oversight
- Board or senior management approval records for material AI systems
- Risk assessments for each model, including pre-deployment and periodic reviews
- Validation and testing records, including back-testing results and third-party vendor assessments
- Ongoing monitoring logs showing how model performance is tracked after deployment
- Change management records documenting modifications to models in production
- Decision logs or output records for AI systems that influence client recommendations or trading activity
- Vendor due diligence files for third-party AI tools
- Training records showing that staff who use or oversee AI systems understand their limitations
The SEC exam documentation requirements for AI are not codified in a single rule, but they flow from existing obligations under the Investment Advisers Act (Rule 206(4)-7, the compliance rule), FINRA Rule 3110 for broker-dealers, and the SEC’s broader books-and-records requirements. Examiners apply these existing frameworks to AI systems the same way they apply them to any other operational or investment process.
For a broader look at how the 2026 examination cycle frames these expectations, see SEC 2026 Examination Priorities: What Investment Advisers and Broker-Dealers Need to Know About AI.
Written AI Governance Policies and Procedures: What Must Be on Paper
The compliance rule requires investment advisers to adopt and implement written policies and procedures reasonably designed to prevent violations of the Advisers Act. For firms using AI, that obligation extends to the AI systems themselves. The AI governance documentation requirements for a written program typically include several distinct components.
An AI use policy that defines what constitutes an AI or algorithmic system for the firm’s purposes, which business functions are permitted to use AI tools, and what approval process applies before a new tool is deployed. Without a definition, examiners have no baseline against which to evaluate whether the firm has identified all relevant systems.
A development and deployment standard covering how models are built or procured, what testing is required before go-live, and who has authority to approve deployment. For broker-dealers, AI governance procedures must address how algorithmic systems interact with order management and execution functions, and how supervisory controls are applied.
A vendor management section specific to AI. Many investment advisers use third-party AI tools — portfolio analytics platforms, natural language processing tools for research, robo-advisory engines — and the SEC expects firms to conduct due diligence on those vendors and retain records of that diligence. A vendor’s SOC 2 report is not a substitute for the firm’s own assessment of how the tool is used and what risks it introduces.
An AI governance policy template for financial services should also address conflicts of interest. If an AI system is used to generate client recommendations, the firm needs written procedures addressing how the system’s outputs are reviewed for conflicts, how those conflicts are disclosed, and how the firm ensures the AI is not systematically favoring products that benefit the adviser.
Senior management and board involvement needs to be documented. Examiners look for evidence that AI governance is not purely a technology function — that compliance, legal, and senior leadership have reviewed and approved material AI systems and that there is a clear accountability structure.
For a framework-level view of how these elements fit together, see AI Governance Framework for Investment Advisers: Meeting SEC Examination Standards.
AI Risk Assessment Documentation: Model Inventory, Validation Records, and Ongoing Monitoring
Written policies are necessary but not sufficient. Examiners also want to see that the firm has applied its policies to specific models and can produce model-level documentation. AI risk assessment documentation for investment advisers needs to operate at two levels: the portfolio level (what models does the firm use, and how are they categorized by risk?) and the individual model level (what does the firm know about this specific model’s performance, limitations, and failure modes?).
The model inventory is the foundation. It should capture, at minimum: the model name and version, the business function it supports, the data inputs it relies on, the outputs it produces, the date of initial deployment, the date of last validation, and the owner responsible for ongoing oversight. A spreadsheet can satisfy this requirement for smaller firms; larger firms with dozens of AI systems typically need a purpose-built register.
Pre-deployment validation records document what testing was done before a model went live. For investment-related models, this includes back-testing against historical data, out-of-sample testing, and stress testing under adverse market conditions. For models used in client communications or suitability determinations, it includes testing for bias and fairness — a topic covered in more depth in AI Bias, Fairness, and Algorithmic Testing Requirements for Financial Services.
AI model governance documentation at the individual model level should include pre-deployment validation records, periodic revalidation, and ongoing monitoring logs. Periodic revalidation records show that the firm is not treating model validation as a one-time event. Models drift. Market conditions change. Data inputs shift. Examiners expect to see evidence that models are reviewed on a defined schedule — typically annually for lower-risk models, more frequently for models that influence investment decisions or client recommendations — and that the results of those reviews are documented.
Ongoing monitoring logs are the day-to-day record that a model is performing within expected parameters. This might include performance dashboards, exception reports, or alert logs that flag when a model’s outputs fall outside defined thresholds. Examiners will ask directly: how would the firm know if a model started producing bad outputs, and what evidence exists that someone is watching?
For a deeper treatment of model risk management standards and how they map to SEC expectations, see AI Model Risk Management and Validation: Compliance Requirements for Financial Services.
Audit Trail Requirements: Logging, Decision Traceability, and Version Control
The AI governance audit trail requirements that SEC examiners apply are an extension of the books-and-records framework. The core question is whether the firm can reconstruct, after the fact, what an AI system did, why it did it, and whether anyone reviewed the output before it affected a client.
Decision logging means capturing, at the transaction or recommendation level, that an AI system was involved in generating the output. For a robo-advisory platform, this means retaining records of the inputs the system received, the recommendation it generated, and the client’s response. For an algorithmic trading system, it means retaining order records that identify which orders were generated or modified by an algorithm. These records need to be retained in accordance with the firm’s standard books-and-records schedule under Advisers Act Rule 204-2 — generally five years total, with the first two years in an easily accessible location.
Model version control is the technical counterpart to change management procedures. Examiners expect firms to be able to identify which version of a model was in production on any given date. This matters when a deficiency or client complaint is traced back to a specific time period — the firm needs to be able to say "version 2.3 was running from March 15 to July 8, here are the parameters it used, here is the validation record for that version." Without version control, this reconstruction is impossible.
Change management records document every material modification to a model in production — parameter changes, retraining on new data, changes to input variables, updates to the underlying algorithm. Each change should be logged with a date, a description of the change, the reason for the change, who approved it, and whether any re-validation was performed. The SEC’s concern is that firms are not making silent changes to AI systems that affect client outcomes without appropriate oversight and documentation.
Explainability records are an emerging expectation. For AI systems that influence investment recommendations or suitability determinations, examiners are beginning to ask whether the firm can explain, in plain terms, why the system produced a particular output. This does not require that every model be fully interpretable, but it does require that the firm have documented the model’s decision logic at a level sufficient to support supervisory review.
Closing the Gaps: Common Documentation Deficiencies and How to Fix Them Before an Exam
The most common AI governance documentation gaps CCOs encounter when preparing for examination fall into a predictable pattern.
No formal model inventory. Firms often discover, when asked to produce a list of AI systems, that different business units have deployed tools independently and no one has a complete picture. The fix is a structured inventory exercise — interview business unit heads, review vendor contracts, and catalog every system that uses machine learning, algorithmic logic, or automated decision-making. Firms that wait until an examiner requests this list are already behind.
Policies that predate the firm’s current AI footprint. A compliance manual updated in 2021 that references AI in a single paragraph does not satisfy the SEC exam documentation requirements for AI in 2025. Policies need to reflect the actual systems in use, the specific risks those systems present, and the controls the firm has implemented to address them.
Validation records that exist for initial deployment but not for subsequent versions. Firms that validated a model at launch and then made multiple updates without re-validating have a documentation gap examiners will find. Establish a change management trigger: any material change to a model requires a documented assessment of whether re-validation is needed.
No audit trail for AI-assisted recommendations. If a client receives a recommendation generated or influenced by an AI system and the firm cannot produce a record showing that, the firm has a books-and-records problem. Order management and client record systems need to capture AI involvement at the point of recommendation.
Vendor files that are incomplete. Third-party AI tools require the same documentation discipline as internally built models. Due diligence records, the vendor’s own model governance documentation, and evidence that the firm assessed the tool’s limitations — all of it needs to be on file.
The AI governance policy template for financial services that addresses all of these areas needs to be a living document — reviewed at least annually, updated when new systems are deployed, and tested against the actual document request list an examiner would send.
For a role-specific view of how CCOs and CROs should divide these responsibilities and build exam readiness into their operating model, see CCO and CRO Guide to AI Governance: Roles, Responsibilities, and SEC Exam Readiness. For a step-by-step preparation process, see How to Prepare for a SEC AI Governance Examination: Checklist for Investment Advisers and Broker-Dealers.
The full context for where AI documentation fits within the SEC’s broader examination agenda is covered in SEC AI Examination Priorities for Investment Advisers.
If you want to see exactly where your AI documentation program stands before an examiner does, download the AI governance documentation checklist or request a platform demo to walk through your current controls against the SEC’s examination framework.