AI Regulation Tracker / Global standard-setter
IOSCO Issues Its Final AI Supervisory Toolkit for Capital Markets
On May 25, 2026, IOSCO, the global body of securities regulators, published its final Supervisory Toolkit for AI Use in Capital Markets. It is a set of practical, non-binding tools for supervisors, not a rule. It signals how securities regulators worldwide, including in the US, will examine AI in firms.
On May 25, 2026, IOSCO published the final version of a document it had put out for consultation in 2025: the Supervisory Toolkit for AI Use in Capital Markets. IOSCO is not a regulator that writes rules you file against. It is the international body where securities regulators coordinate, and what it produces is guidance and tools its members choose to use. This one is aimed squarely at those members, giving them a structured way to look at how the firms they supervise are actually using AI.
What the toolkit actually is
The toolkit is built for supervisors, not for compliance filings. IOSCO frames it as a set of practical, non-binding, non-prescriptive tools that work across different regulatory models, and A and O Shearman's read is that it is meant to complement, not replace, national frameworks. In plain terms, it is a shared checklist that a securities regulator in London, Toronto, Tokyo, or Washington can pick up and apply to its own market without anyone changing a statute. In the interest of transparency, the IOSCO Final Report PDF was inaccessible at the time we published; the report's existence, title, catalogue number (FR/02/2026), and date are confirmed through IOSCO's own publication listing, and the summary of its content here is drawn from independent legal analyses of the report rather than a direct read of the full document.
It is deliberately broad in what it covers. The toolkit spans the full lifecycle of an AI system and applies to every type, from traditional machine learning to generative AI and the newer agentic AI techniques where a model takes actions rather than just producing text. That range matters because it means a regulator is not limited to the flashy generative use cases when it comes asking questions.
The detailed tools sit in four areas of focus. IOSCO describes them as "governance and risk management; third-party and outsourcing risk management; disclosure; and recordkeeping and reporting." Those four headings are the spine of the whole document, and they map cleanly onto the things a supervisor can inspect: who is accountable, how you control your vendors, what you tell clients and the market, and what you can show after the fact.
What supervisors are being handed
Under governance and risk management, the toolkit points supervisors toward coordination and accountability for AI risk across the firm, timely reporting of material AI risk issues to the board, and human oversight of how AI systems get introduced and run. The theme is that someone senior owns the risk and that the board is not in the dark. That is a familiar refrain if you have followed how regulators talk about model risk generally.
Under third-party and outsourcing risk, the focus is on adequate controls around vendors. Most firms do not build their own models. They buy them, or they buy tools with models inside, and the toolkit treats that dependency as a risk the firm still owns. A regulator using this toolkit will want to see that you can answer for a model you did not build.
Disclosure and then recordkeeping and reporting round it out. The first is about what gets communicated, to clients and to the market, about AI use. The second is about whether the firm can produce a record: how the system was assessed, who signed off, what controls were in place. IOSCO also pairs this with a risk-mapping approach, so a supervisor can classify AI systems along a spectrum of risk and match the level of scrutiny to the stakes.
Jean-Paul Servais, who chairs the IOSCO Board, put the purpose this way: "The increasing integration of artificial intelligence into capital markets requires supervisors to have practical and proportionate tools to assess emerging risks while supporting innovation and safeguarding market integrity and investor protection."
What this is, and what it is not
I want to be precise here, because it is easy to over-read a global regulator's name on a report.
This is a supervisory toolkit. It is non-binding by design. IOSCO cannot impose a duty on your firm, and nothing in a US adviser's or broker-dealer's legal obligations changed on May 25 because this came out. The document itself says it is non-prescriptive and built to work alongside existing national frameworks, not on top of them.
What it does is set the agenda. When IOSCO finalizes a toolkit, it is telling its members, including the SEC and the CFTC, here is a common way to examine AI in the firms you oversee. Regulators do not have to adopt it, but they helped write it, and toolkits like this may influence supervisory convergence and can show up later in examination priorities and sweep letters. It is a weathervane for where securities supervision is heading. It is not a wind you are legally required to turn into today.
So if someone points at this and says IOSCO now "requires" AI governance controls, that is wrong. IOSCO required nothing. It handed supervisors a lens, and the firms that read that lens early are the ones that will not be scrambling when their own regulator picks it up.
What this means for US firms and finance teams
For US asset managers, broker-dealers, and registered advisers, the direct legal weight is zero, but the practical signal is strong, and it is strongest for anyone operating across borders. If you have EU, Canadian, or Japanese clients or operations, you are already dealing with more than one supervisor, and IOSCO's whole point is to give those supervisors a shared frame. That means the questions you get in a US exam and the questions you get from a host-country regulator are converging on the same four areas.
The cross-border angle is the real story. A US firm with a European or Canadian arm cannot assume its home approach travels. But a toolkit built to work "across different regulatory models" makes it more likely that a clean answer in one jurisdiction is a clean answer in another, provided you organize around the four headings IOSCO chose. Governance and accountability, vendor control, disclosure, and records are the common denominator.
The practical thread is governance and evidence. The barriers that turn into findings are the same ones the toolkit targets: can you name who owns AI risk, can you show the board was told, can you answer for a vendor's model, and can you produce the record. IOSCO does not order you to build those controls. It tells you that this is the grid supervisors will use, and that the firms with EU or Canada or Japan exposure have the least room to wait.
What to do now
Read the toolkit for its four areas, not for a mandate, since it is a supervisory aid and not a rule. Map your AI systems against governance and accountability, third-party and vendor risk, disclosure, and recordkeeping, because those are the exact lenses a securities regulator has now been handed. Keep a named senior owner for AI risk and make sure the board actually hears about material issues. Tighten what you can show about the models you bought rather than built. And if you operate across the EU, Canada, or Japan, treat this as the common examination frame your home and host regulators are moving toward, then align your controls to it on your own terms and with your own counsel, not because IOSCO told you to.
Questions professionals are asking
Did IOSCO issue a new rule requiring AI controls?
No. IOSCO is the global coordinating body for securities regulators, not a rule-maker for individual firms. This is a final supervisory toolkit, published May 25, 2026, that IOSCO describes as non-binding and non-prescriptive. It gives supervisors tools to assess AI use. It does not create, change, or remove any legal duty. Any obligation would come only if a national regulator adopts something through its own process.
What are the four areas the toolkit covers?
IOSCO organizes its detailed tools around governance and risk management, third-party and outsourcing risk management, disclosure, and recordkeeping and reporting. The toolkit spans the full AI lifecycle and applies to all AI types, from traditional machine learning to generative and agentic AI.
Does this affect US asset managers, broker-dealers, or advisers?
Not as a matter of binding law today. But the US SEC and CFTC are IOSCO members, and toolkits like this tend to shape examination priorities and later rulemaking. The signal is strongest for firms with EU, Canadian, or Japanese clients or operations, because IOSCO is deliberately building a common frame that home and host supervisors can share.
Why does the cross-border angle matter here?
Because the toolkit is built to work across different regulatory models. A firm operating in the US plus the EU, Canada, or Japan answers to more than one supervisor. IOSCO's shared four-area frame makes it more likely that controls organized around governance, vendor risk, disclosure, and records satisfy multiple regulators at once, rather than needing a separate answer in each.
Should we change our AI governance because of this toolkit?
Only on your own terms. The toolkit is a useful benchmark and a strong preview of how securities supervisors will examine AI, but any change to your controls or disclosures should rest on your applicable rules and your counsel's advice, not on a non-binding IOSCO document.
RELATED BRIEFINGS
Browse the full AI Regulation News tracker
Informational analysis for working professionals, not legal, accounting, or audit advice. Confirm how any standard or requirement applies to your situation with qualified professionals in the relevant jurisdiction.