AI REGULATION TRACKER · Last updated June 25, 2026

AI Governance Exam Files: The Three Documents an SEC Examiner Now Asks RIAs to Produce

Bindingness: Binding Law · Scope: Federal · Finance

Source: SEC 2026 Exam Priorities and amended Regulation S-P
Jurisdiction: Federal
Effective date: June 3, 2026 (smaller advisers)
Type: Agency Rule and Exam Priority

Quick answer (June 2026): The SEC's 2026 exam priorities emphasize cybersecurity and third-party vendor oversight, which examiners now apply directly to AI governance. With the amended Regulation S-P compliance date for smaller advisers having passed on June 3, 2026, examiners ask RIAs for three files: a written AI acceptable-use policy, a vendor-oversight sheet per AI tool that touches client data, and a human-review log proving a person signed off on AI-assisted recommendations.

The exam conversation for registered investment advisers changed this year. The SEC's 2026 examination priorities emphasize cybersecurity and third-party vendor oversight, and examiners are applying them directly to AI governance, walking into RIA offices and asking for paperwork that did not exist on most small advisers' desks twelve months ago. The request is specific. Show me your written AI acceptable-use policy. Show me how you vetted each AI tool that touches client data. Show me proof that a person reviewed the AI-assisted recommendation before it reached the client.

If you run a smaller advisory practice, this is the briefing that turns those three asks into three documents you can build before your next exam cycle. None of them require a compliance department. All of them make your firm look more fiduciary, not less, when you hand them over.

Key takeaways

  • The exam question is now explicit. The SEC's 2026 exam priorities emphasize vendor oversight and cybersecurity, and examiners are applying them to AI governance. They ask RIAs for a written AI acceptable-use policy, vendor-oversight files for each embedded-AI tool, and records showing AI-assisted recommendations get human supervisory review.
  • Regulation S-P made it enforceable for everyone. As of June 3, 2026 the amended Regulation S-P compliance date passed for smaller advisers, those under 1.5 billion dollars in assets under management. Large firms hit their date on December 3, 2025. Incident-response plans and third-party AI vendor oversight are now enforceable for every SEC-registered adviser.
  • Three files cover most of the ground. A written acceptable-use policy, a one-page vendor-oversight sheet per AI tool, and a human-review log are the artifacts an examiner is most likely to ask a small RIA to produce.
  • Clean files are a trust moat. A firm that hands the examiner organized governance documents signals control and care. The advisers who look exposed are the ones who use AI and cannot show a single page describing how.

What changed, and why your AUM no longer protects you

For a while, the smaller adviser could reasonably assume the heavy AI and data rules were aimed at the large firms first. That window has closed. The amended Regulation S-P set two compliance dates. Large firms were on the hook as of December 3, 2025. Smaller advisers, those under 1.5 billion dollars in assets under management, hit their final compliance date on June 3, 2026. As of that date, the rule's incident-response and third-party service-provider oversight requirements are enforceable for every SEC-registered adviser, regardless of size.

That matters for AI specifically because the AI tools embedded in a modern advisory stack are third-party service providers, and many of them touch client data. A meeting-notes assistant, a portfolio-analysis copilot, a drafting tool that handles client letters: each one is a vendor with access to nonpublic personal information. Regulation S-P now expects you to oversee that access. The SEC's 2026 exam priorities then take the next step and ask, in plain language, how you govern the AI itself.

The examiner is not asking whether you use AI. They are asking for three files you may not have written yet.

Reporting from WealthManagement.com, in its piece on SEC examiners asking RIAs about AI governance, describes the shift firsthand: examiners are no longer treating AI as a future topic. They are asking about it on current exams. Holland and Knight's May 2026 guidance on the Regulation S-P amendments framed the smaller-entity deadline the same way, as a near-term obligation rather than a distant one. The practical conclusion is the same in both. Build the files now.

The three exam files, one at a time

Here is what an examiner is most likely to ask a small RIA to produce, what each document has to contain, and where an AI tool like Claude can take the first pass for you.

| Exam file | What it must contain | Can AI draft it? |
|---|---|---|
| 1. AI acceptable-use policy | Which AI tools the firm permits; what client data may and may not be entered; the rule that AI-assisted recommendations get human review before reaching a client; who owns the policy and how often it is reviewed. | Yes, as a first draft. Claude can produce a clean policy skeleton you edit to match your actual tools and your judgment. You own the final wording and you adopt it. |
| 2. Vendor-oversight one-pager (per tool) | The tool name and use; who at the firm vetted it and when; exactly what client data it touches; whether a data-protection or service agreement is in place; what happens to data after processing. | Partly. Claude can build the template and help you summarize a vendor's documentation, but the vetting judgment and the facts about each agreement come from you. |
| 3. Human-review log | A dated record that, before an AI-assisted recommendation reached a client, a named person reviewed and signed off. Short entries are fine; the point is a person, a date, and an approval. | No, not the sign-off itself. The review is the human control the rule is asking for. AI can format the log; only a person can be the reviewer in it. |

File one: the written AI acceptable-use policy

This is the document that says, on paper, how your firm uses AI. It names the tools you allow, draws the line on what client information may be entered into them, and states the rule that any AI-assisted recommendation passes a human before it goes to a client. It also names an owner and a review cadence so the policy does not go stale. For a small practice this is one or two pages, not a binder. The value at exam time is that it exists, it is dated, and it matches what your staff actually does.

File two: the vendor-oversight one-pager

For each AI tool embedded in your workflow, you want a single sheet that answers the questions an examiner will ask: who vetted this, what client data does it touch, and is there an agreement covering that data. This is the artifact Regulation S-P's third-party oversight expectation points at most directly. When you adopt a new AI tool, the one-pager gets written before the tool touches client work, not after a problem surfaces.

File three: the human-review log

This is the proof that the policy is real. The exam priorities specifically reach AI-assisted recommendations and whether a person supervised them. A short, dated log showing that a named reviewer signed off before advice reached a client is what turns "we review our AI output" from a claim into a record. It does not need to be elaborate. It needs to be consistent.

What stays on your desk, and what Claude can carry

The honest division of labor matters here, because handing the wrong part to a tool is exactly the exposure the rules are built to catch. Claude is genuinely useful for the drafting weight. It can produce a first version of your acceptable-use policy, build a clean vendor-oversight template, and structure your review log so entries are quick to add. That is real time back.

What does not move is the judgment. You decide which tools the firm trusts and on what work. You confirm the facts on every vendor sheet, including whether a data agreement actually exists. And you are the named human in the review log, because the entire point of that file is that a person, not a model, signed off before advice reached a client. The supervisory review is the control the SEC is asking you to evidence. A tool cannot be the supervisor.

Guardrail: keep client data out of unvetted tools

Before you paste anything into an AI tool to draft these files, remember the same rule the files describe. Do not enter identifiable client information into any tool that is not covered by a data agreement and on your approved list. You can draft a governance policy with generic examples. You do not need a single real client name to do it. Keep the drafting work and the live client data on separate tracks.

What AI does not replace

AI does not hold your registration. It does not owe a fiduciary duty to your client. It cannot be the supervisory reviewer the exam priorities are asking about, and it cannot vouch for a vendor it has never assessed. Every governance file here exists to show a human made a decision. The tool can speed the paperwork. It cannot be the person accountable for it. That accountability is the part of your practice an examiner is actually checking.

A practical order to build all three before your next exam

You do not need a project plan. You need to write three documents in the right sequence and then keep one of them current.

1. Inventory your AI tools first. List every tool in your stack that could touch client data, including the ones that arrived quietly inside software you already pay for. You cannot oversee what you have not named.

2. Write one vendor-oversight one-pager per tool. Work down the inventory. For each tool, capture who vetted it, what data it touches, and whether an agreement covers that data. Where an agreement is missing, that gap is now visible and you can act on it.

3. Draft the acceptable-use policy. With the inventory in front of you, the policy almost writes itself. State the allowed tools, the data line, and the human-review rule. Let Claude produce the first draft, then edit it to match reality and adopt it with a date.

4. Start the human-review log on day one. The moment the policy is live, begin logging. Each time an AI-assisted recommendation goes out, a named person records that they reviewed it. The earliest dated entry is the most valuable one, because it shows the control has been running, not retrofitted.

Done in that order, the three files reinforce each other. The inventory feeds the vendor sheets, the vendor sheets feed the policy, and the policy gives the log its rule. When an examiner asks, you are not assembling anything under pressure. You are pulling a folder.

Our methodology, honestly

This briefing reports what the named sources say about the 2026 SEC exam posture and the Regulation S-P deadlines. It does not include survey data on how many RIAs already hold these files, because we do not have a verified number to cite. The dates and the exam-priority language are sourced below. The build sequence is our practical reading of those obligations, not a claim about industry adoption.

Frequently asked questions

What AI files do SEC examiners ask RIAs to produce in 2026?

The SEC's 2026 exam priorities emphasize cybersecurity and third-party vendor oversight, and examiners are applying them directly to AI governance. They ask RIAs for a written AI acceptable-use policy, vendor-oversight files for each embedded-AI tool showing who vetted it and what client data it touches, and records proving AI-assisted recommendations receive human supervisory review before reaching a client.

Does Regulation S-P now apply to smaller advisers?

Yes. The amended Regulation S-P final compliance date for smaller advisers, those under 1.5 billion dollars in assets under management, passed on June 3, 2026. Large firms reached their date on December 3, 2025. Incident-response plans and third-party AI vendor oversight are now enforceable for every SEC-registered adviser.

Can I use AI to write my firm's AI governance documents?

For drafting, yes. A tool like Claude can produce a first draft of an acceptable-use policy and build vendor-oversight and review-log templates. The vetting judgment, the facts on each vendor sheet, and the human sign-off in the review log must come from a person at your firm. Keep identifiable client data out of any unvetted tool while you draft.

Does using AI make my firm look less fiduciary to an examiner?

The opposite, when it is governed. A firm that hands an examiner organized files, a clear policy, vetted vendors, and a real review log, signals control and care. The exposure is using AI with no documentation describing how. Clean governance files are a trust moat, not a liability.

Sources: WealthManagement.com, "SEC Examiners Are Asking RIAs About AI Governance Now" (https://www.wealthmanagement.com/artificial-intelligence/sec-examiners-are-asking-rias-about-ai-governance-now). Holland and Knight, "Regulation S-P Amendments: Compliance Deadline Approaching for Smaller Entities," May 2026 (https://www.hklaw.com/en/insights/publications/2026/05/regulation-s-p-amendments-compliance-deadline-approaching). Corroborating: ncontracts, "AI Compliance for RIAs 2026"; Advisorpedia, "June 2026 Is Coming."

Published by The Leveraged Years . 157 Columbus Avenue, 4th FL, New York, NY 10023 . (c) 2026 The Leveraged Years