When the SEC Asks About Your AI Review Process, What Will You Show Them?
With the Regulation S-P compliance deadline now PASSED, the harder question starts now.
I practiced as a securities enforcement attorney, representing firms through SEC examinations. I know what examiners look for. That experience shapes how I read this moment, and why I think firms that believe they are ready are not.
Firms have spent months preparing: inventorying AI tools, drafting incident response programs, updating vendor contracts, revising written supervisory procedures. That work matters. But finishing it does not mean the governance problem is solved. It means the documentation exists.
Those are not the same thing, and the difference is where the risk lives.
What the Deadline Requires, and What It Doesn't
The 2024 amendments apply broadly to broker-dealers, investment companies, and transfer agents, as well as registered investment advisers, with smaller entities across all categories subject to a June 3, 2026 compliance deadline. This piece focuses on the governance implications for smaller RIAs, those with under $1.5 billion in assets under management, where the supervisory framework around AI-assisted recommendations creates the most acute behavioral risk.
For smaller RIAs, the amendments require, at minimum: a written incident response program; vendor oversight documentation for every third-party tool that handles client data, including AI tools embedded in portfolio construction platforms, CRM systems, meeting transcription services, and client communication tools; 30-day breach notification procedures; and supervisory procedures addressing how AI-assisted recommendations are reviewed before they reach clients. Larger firms were required to comply by December 3, 2025.
What the rule does not prescribe is how firms should govern AI-assisted outputs. That gap is where regulatory risk is concentrating.
The SEC's 2026 examination priorities signal that examiners will look beyond the documents to whether the programs behind them are operational. Firms should expect questions about whether supervisory processes around AI-assisted recommendations, client memos, and allocation rationales are functioning in practice, not just reflected in policy.
That distinction deserves more attention than the compliance conversation has given it.
Why compliance infrastructure isn't enough
The compliance conversation around this deadline has been procedural. Build the policy. Map the vendors. Update the WSPs. This is necessary work. But procedural compliance and behavioral compliance are different things, and that gap has not been fully reckoned with.
Two behavioral patterns explain why organizations with functioning compliance infrastructure still fail at oversight.
The first is what I have called the quiet drift: the gradual normalization of AI outputs that happens after deployment, with no single decision marking the moment scrutiny stopped. Reviewers engage carefully at first, flagging edge cases, questioning outputs that seem off. Over time the outputs feel familiar. The system has been running for months without a visible failure. Flags become less frequent. Escalations stop. No one decides to reduce oversight. It recedes through repetition, while the governance infrastructure remains exactly as documented.
The second is what I have called the loop that was never real: the supervisory review that appears in the record, satisfies the written procedure, and produces no meaningful human judgment. The reviewer sees the AI output, notes it falls within expected parameters, and approves it. The record reflects that a human reviewed the recommendation before it reached the client. What the record does not reflect is whether the reviewer understood what the system was optimizing for, had the information needed to evaluate the output independently, or had enough time to do anything beyond scan and sign.
These two patterns compound each other. Quiet drift erodes review quality over time. The loop that was never real means the review began without substance. Together they describe a situation where an organization has all the governance architecture in place and none of the governance functioning.
The Questions Examiners Will Ask
Adding more procedural layers to a review process that is already producing rubber-stamp approvals does not make the approvals more substantive. It makes the record look more complete while the underlying behavioral problem goes unaddressed.
Examiners will ask to see AI tool inventories and vendor documentation. They will review supervisory procedures. And then they will ask the questions that matter:
What does the review look like in practice?
How long does it take to review an AI-assisted recommendation or client communication?
What happens when a reviewer flags a concern?
Can you show examples where the review changed the outcome?
How do you know the review is happening as documented?
The firms that come out of examinations cleanly are the ones that can answer those questions with evidence, not policy language.
The behavioral mechanisms that break oversight
When I work with firm leaders on AI governance, the conversation that matters is behavioral. Does the person responsible for reviewing AI-assisted recommendations have the skills to evaluate what the system is producing? Can they interrogate the reasoning behind an output, or are they assessing whether it looks reasonable?
Three behavioral mechanisms make this harder than it appears. The first is scope blindness: AI systems surface outputs, not the reasoning behind them. A reviewer can only evaluate what they can see, and in advisory contexts, the logic driving a recommendation is rarely visible. The second is motivated reasoning: when an AI output aligns with what the reviewer expected, scrutiny drops. The review becomes confirmation rather than evaluation. The third is outcome invisibility: in advisory settings, the consequences of a poor recommendation rarely surface immediately. Without visible feedback loops, reviewers never learn whether their approvals were sound, and the judgment required for genuine oversight never develops.
Oversight requires someone who knows what to probe, what to question, and when to push back, and who operates in a culture that expects that from them. A written supervisory procedure cannot create that. It can only assume it already exists.
Governance maturity is about whether your organization has developed the judgment to govern systems it did not build and does not fully understand. Reviewing the documentation and calling that an assessment is the easier work. The harder assessment is of the people and the culture behind the documentation.
That is the gap quiet drift lives in. That is the condition that makes the loop that was never real so easy to sustain without anyone noticing.
The floor has been set. Now what?
This compliance milestone establishes the floor. What it does not define is whether what firms have built will protect their clients and their organizations when something goes wrong. When it does, regulators and clients will want to know whether the oversight was real, and whether the record reflects that.
Firms that treat this moment as the endpoint have met the minimum. The firms that treat it as the starting point for building oversight that functions will be in a different conversation when the next examination cycle arrives, and when institutional clients, who are asking about AI governance with increasing frequency in due diligence conversations, need a substantive answer.
If you want to know whether your AI oversight is functioning rather than just documented, schedule a conversation. That is what we assess.