SEC examination preparation every investment adviser undertakes has always demanded rigorous documentation and clear accountability structures. Add artificial intelligence to the picture, and the stakes rise considerably. The SEC’s Division of Examinations (EXAMS) has made AI-related risks a standing examination priority, and firms that treat AI governance as a technology problem rather than a compliance obligation are the ones that generate deficiency letters. This guide gives CCOs, CROs, and compliance officers at registered investment advisers and broker-dealers a concrete, sequenced checklist for getting examination-ready — and staying that way.
What SEC Examiners Are Actually Looking For in an AI Governance Review
Before building a checklist, you need to understand the examination scope. EXAMS does not show up asking generic questions about "your AI strategy." Examiners arrive with targeted requests tied to specific regulatory obligations — and AI surfaces across several of them simultaneously.
The core areas of SEC examination scope for AI at investment advisers include:
- Fiduciary and suitability obligations. When AI tools influence investment recommendations, examiners want to know whether the firm has assessed whether those outputs are consistent with each client’s investment profile. The question is not whether you use AI — it is whether you can demonstrate the output was appropriate.
- Conflicts of interest disclosure. If an AI system optimizes for outcomes that benefit the firm (higher-fee products, affiliated securities), examiners will look for evidence that conflicts were identified, disclosed, and managed. This maps directly to Advisers Act Section 206 and Regulation Best Interest for broker-dealers.
- Supervision and written supervisory procedures (WSPs). EXAMS expects firms to have updated their WSPs to address AI tools. A WSP that predates your firm’s AI adoption is a red flag.
- Books and records. AI-assisted communications, recommendations, and decisions may constitute records subject to Rule 17a-4 (broker-dealers) or Rule 204-2 (investment advisers). Examiners will ask whether those records are captured and retrievable.
- Vendor and third-party risk. Most firms use third-party AI tools. Examiners want to see due diligence documentation, contractual protections, and ongoing monitoring — not just a signed vendor agreement.
Understanding these focal points shapes everything that follows. For a broader view of what EXAMS has signaled for the current cycle, see SEC 2026 Examination Priorities: What Investment Advisers and Broker-Dealers Need to Know About AI.
Pre-Examination Readiness: The AI Governance Documentation Checklist
This is the core of SEC exam readiness for AI. Examiners typically issue a document request list before an on-site visit. Firms that can respond completely and quickly signal maturity; firms that scramble signal risk. Organize your preparation around these categories.
1. AI System Inventory
- A complete inventory of all AI and machine learning tools used in investment decision-making, client communications, trading, surveillance, or compliance functions
- For each system: vendor name, version, deployment date, use case, and the business unit responsible
- Documentation of any AI tools that were evaluated and rejected, and why
2. Policies and Procedures
- An AI-specific policy or a clearly AI-inclusive update to existing compliance policies
- WSPs that address AI tool supervision, including escalation paths when AI outputs are questioned
- A documented process for approving new AI tools before deployment
3. Model Risk and Validation Records
- Evidence of pre-deployment testing and validation for each AI system
- Ongoing performance monitoring records (accuracy, drift, bias assessments)
- Records of any model failures, unexpected outputs, or incidents — and how the firm responded
4. Conflict of Interest Analysis
- A written conflicts analysis specific to each AI tool that touches client-facing functions
- Evidence that identified conflicts were disclosed in Form ADV, Form CRS, or other client-facing documents
- Records showing conflicts were presented to and approved by senior management or a committee
5. Vendor Due Diligence Files
- Initial due diligence questionnaires and responses for each AI vendor
- Contractual provisions addressing data security, model transparency, and audit rights
- Annual or periodic re-assessment records
6. Training and Supervision Records
- Training logs showing which personnel were trained on AI tools and when
- Supervisory review records for AI-assisted recommendations or communications
- Any escalations or overrides of AI outputs, with documentation of the rationale
7. Audit Trail and Records Retention
- Confirmation that AI-generated records are captured in your books-and-records system
- Retention schedules that account for AI outputs
- Evidence that records are retrievable in the format examiners require
For a detailed breakdown of what examiners specifically request around documentation and audit trails, see What SEC Examiners Will Ask About Your AI Controls: Documentation and Audit Trail Requirements.
Common Deficiency Patterns and How to Close the Gaps Before Examiners Arrive
SEC examination findings related to AI governance cluster around predictable failure modes. Knowing these patterns lets you run a targeted gap analysis before examiners do it for you.
Gap 1: Policies that predate AI adoption. The most common SEC exam deficiency in AI controls is a compliance manual that simply does not mention AI. Firms updated their technology faster than their policies. Fix: conduct a line-by-line review of your WSPs and compliance manual against your current AI inventory. Every tool in the inventory should have a corresponding policy reference.
Gap 2: No conflict analysis for AI-driven recommendations. Firms often complete a conflict analysis at the firm level but fail to run one for each specific AI application. An AI tool that surfaces higher-margin products more frequently than lower-margin alternatives creates a conflict that needs to be analyzed and disclosed at the tool level. Fix: document a conflicts analysis for each AI system separately, not just as a footnote to your general conflicts policy.
Gap 3: Vendor files that stop at contract signing. Initial due diligence is necessary but not sufficient. Examiners expect ongoing monitoring. Fix: build a calendar-based re-assessment process for each AI vendor, with documented outputs.
Gap 4: Incomplete records retention for AI outputs. Many firms capture the final recommendation or communication but not the AI-generated input that shaped it. Fix: work with your technology team to confirm that AI outputs feeding into client-facing functions are captured in your records system, not just the downstream human decision.
Gap 5: Training records that do not reflect actual use. If your AI tool is used by portfolio managers but your training records show only compliance staff completed the training, that inconsistency will surface. Fix: map training requirements to the actual user population for each AI system.
CCO and CRO Roles: Owning the Examination Response Process
CCO AI examination preparation is as much about process design as it is about documentation. Examiners will interview personnel, not just review documents. Knowing who owns what — and who speaks to examiners about what — prevents contradictions and signals organizational control.
The CCO’s role centers on compliance program ownership. The CCO should be the primary point of contact for EXAMS, coordinate the document production response, and be prepared to explain the firm’s AI governance framework, how it was designed, and how it is tested. The CCO should not be learning about AI tools during the examination that they did not know existed before it started.
The CRO’s role (where the function exists separately) covers model risk, vendor risk, and operational risk associated with AI. In an examination, the CRO or a designated model risk officer should be prepared to walk examiners through the model validation process and explain how the firm monitors for model drift or degradation.
Technology and legal play supporting roles. Technology should be prepared to demonstrate records retrieval and explain data flows. Legal should review all written submissions before they go to examiners.
Coordination protocol: Establish a single point of contact for all examiner requests. Route all requests through the CCO or a designated examination coordinator. Do not allow examiners to make ad hoc requests directly to business units without compliance visibility.
For a full breakdown of how to structure these roles across the organization, see CCO and CRO Guide to AI Governance: Roles, Responsibilities, and SEC Exam Readiness.
Maintaining Ongoing Exam Readiness: From One-Time Prep to Continuous AI Governance
A checklist completed once is a checklist that goes stale. The firms that consistently perform well in SEC examination preparation treat exam readiness as an operational posture, not a pre-examination sprint.
The shift from reactive to continuous requires three structural changes:
1. Embed AI governance into your annual compliance review. Rule 206(4)-7 requires investment advisers to review their compliance policies annually. That review should explicitly address AI: new tools adopted, changes to existing tools, updated conflicts analyses, and training completion rates. Document the review and its findings.
2. Build a living AI inventory. Your AI system inventory should not be a spreadsheet that gets updated when an examiner asks for it. Assign ownership of the inventory to a specific role (often the CCO or a compliance analyst), set a review cadence (quarterly works for most firms), and require business units to notify compliance before deploying any new AI tool.
3. Run internal mock examinations. Once a year, have compliance conduct a mock document request using the categories in the checklist above. Identify gaps before EXAMS does. This is especially valuable for broker-dealers operating under FINRA oversight as well, where examination questions around AI governance are increasingly parallel to SEC expectations. Notably, federal banking supervisors have signaled increasing scrutiny of AI governance through model risk management examination procedures — making this framework directly relevant to any dually-regulated firm or holding company subsidiary.
For a framework that ties these elements together into a coherent program, see AI Governance Framework for Investment Advisers: Meeting SEC Examination Standards. And if you are evaluating technology to operationalize these controls, AI Governance Platforms for Investment Advisers and Broker-Dealers: Buyer’s Guide covers what to look for in a purpose-built solution.
The logic is simple: an AI governance framework that is working continuously produces examination-ready documentation as a byproduct. Firms that treat governance as a compliance exercise produce documentation that looks like it was assembled under pressure — because it was.
Get Your AI Governance Examination Readiness Assessment
The checklist above covers the core categories, but every firm’s gaps are different. A readiness assessment maps your current documentation, policies, and controls against what EXAMS is likely to request — and produces a prioritized remediation plan before examiners arrive.
Schedule a readiness assessment with our compliance team to identify your highest-priority gaps and build a defensible AI governance posture for your next SEC examination.
This post is part of the SEC AI Examination Priorities for Investment Advisers resource series.