Using AI with confidence inside an RIA

A withdrawn rule is not a green light

Last June, the SEC withdrew its proposed rule on predictive data analytics — the one piece of rulemaking that would have spoken directly to how advisers use AI. It went out alongside thirteen other proposals, and a lot of advisers read the withdrawal as a reprieve.

It wasn't. A specific rule is a checklist you can satisfy and close out. What sits in its place is examiner discretion, and discretion is the harder thing to prepare for. You can't point to a line you cleared. You can only show the posture you kept.

AI never got its own exemption

The absence of an AI rule doesn't put AI outside the rules. The obligations you already operate under reach it directly:

• Fiduciary duty. You answer for the advice, not the model that helped produce it.
• The Marketing Rule. Any claim about your use of AI has to be true and substantiated.
• The Compliance Rule. Your written policies have to address AI specifically, not by implication.
• Reg S-P and recordkeeping. The moment AI touches client data, the safeguarding and retention rules are in play.

None of these are new. All of them already apply to what your staff did this morning.

Two RIAs paid for AI they couldn't prove

The SEC settled its first two AI-washing cases against Delphia and Global Predictions, both registered investment advisers. The violation wasn't using AI badly. It was describing AI capabilities they couldn't back up. The lesson travels: the distance between what you claim and what you can document is the thing being examined.

What a 2026 exam actually checks

Examiners aren't auditing whether you use AI. They're testing three things, and all three come down to evidence.

1. Disclosure. Does your Form ADV describe how you use AI in plain terms? "We use technology" won't hold.
2. Supervision. Can you show a person reviewed the output instead of forwarding it? The reviewer has to leave a trace.
3. Marketing. Does what you say in public match what you actually do? Examiners compare the two directly.

And then there are agents

The newest exposure is agentic AI — tools that don't just answer but act, taking steps on their own. The SEC has said plainly it hasn't issued specific guidance yet on supervising them.

FINRA has gone further, publishing the first concrete account of where agents go wrong: acting without a human check, drifting past their intended scope, reaching decisions that can't be traced after the fact. FINRA doesn't regulate RIAs, so none of it binds you. Read it anyway. It's the closest thing available to a preview of the questions your own examiner will eventually ask.

"Defensible" is smaller than you think

A defensible AI posture doesn't take a model-risk department or an enterprise program. For most firms it comes down to five things:

• An inventory of every AI tool actually in use, including the notetaker nobody thinks to list.
• A written AI policy that states what's allowed and what isn't.
• A record of prompts, outputs, and who reviewed them.
• A human in the loop on anything that touches a client.
• A Form ADV that describes your AI use honestly.

This deadline already passed

The amended Regulation S-P — vendor oversight, a written incident-response program, documented controls — took effect for smaller advisers that day. Building AI in properly and meeting that standard are the same project. Most firms have started neither.

The same posture makes AI an ally

Everything above treats AI as exposure to manage. It's also the most patient auditor you'll ever put on staff. The same controls that keep you defensible — outputs logged, a person signing off on anything client-facing, entries that reach the CRM instead of living in someone's memory of a meeting — are the ones that catch what people let slip.

Handled that way, AI stops being the thing you brace for in an exam and becomes part of how you pass it.