Senior-led AI governance for registered investment advisers using AI in portfolio construction, client communications, and marketing. When an SEC examiner asks how an AI-driven recommendation was made, or whether Form ADV reflects your AI use, we get your AI to a place you can defend as a fiduciary.
An adviser's AI exposure runs through the fiduciary duty, the Marketing Rule, the compliance-program rule, and Form ADV all at once. We build one program that holds at each of those points.
An RIA does not sit under model-risk guidance the way a bank does. It sits under a fiduciary duty and an SEC examination program that has turned its attention to how advisers use AI, disclose it, and oversee it.
The clearest signal is the set of SEC AI examination priorities and the 2024 Risk Alert themes that came with them. Three concerns recur. The first is the accuracy of Form ADV on AI: if a firm uses AI in its advisory process, the disclosure should reflect that honestly, and an adviser that markets itself as AI-driven while doing little, or uses AI heavily while disclosing nothing, is exactly what the examiners are looking for. The second is AI performance claims under the Marketing Rule: advertised results produced or selected by AI are still advertisements subject to the same substantiation and fair-and-balanced standards. The third is AI portfolio-management oversight: the SEC wants to see that the adviser, not a black-box model, is exercising judgment and that there is a human accountable for AI-influenced investment decisions.
Those priorities land on specific rules. The SEC Marketing Rule, Rule 206(4)-1, governs every advertisement, including AI-generated content and AI performance figures, and prohibits untrue or unsubstantiated statements and the cherry-picking of favorable results. SEC Rule 206(4)-7, the compliance-program rule, requires written policies and procedures reasonably designed to prevent violations, and an adviser materially using AI needs those policies to actually address the AI rather than be silent on it. Form ADV Part 2A is where the use of AI in the advisory process and in selecting or recommending tools belongs, in plain language for clients, particularly in Item 8 (methods of analysis and investment strategies) and Item 12 (brokerage practices).
Beneath the conduct rules sits the data-protection layer. The Reg S-P 2024 amendments apply to SEC-registered advisers as well as broker-dealers, requiring a written incident-response program and customer breach notification. Notification is due as soon as practicable but no later than 30 days from the firm's determination that unauthorized access has occurred and that sensitive customer information is reasonably likely to be misused in a way that would harm the client, not from mere discovery. Because the precise trigger turns on the statutory wording, we confirm it against the SEC adopting release as part of the legal-review pass. The SEC 2023 cybersecurity risk-management proposals sit over the whole stack. And above all of it is the fiduciary duty, which does not bend for a model: an adviser owes duties of care and loyalty whether a recommendation came from a human or from an AI the human deployed.
These are the recurring failure modes a CCO or founder-CCO at an advisory firm sees first. They are the gaps an SEC exam surfaces fastest.
Defending AI-driven portfolio construction to the SEC. When AI influences allocation or security selection, the adviser has to show that a person exercised judgment, that the model's role is understood and bounded, and that the firm can explain why a client's portfolio looks the way it does. An adviser who cannot reconstruct the basis for an AI-influenced decision has a fiduciary problem, not just a documentation gap.
Robo-adviser explainability. Automated advice platforms have to deliver suitable, well-disclosed advice at scale, and the firm needs to show the algorithm's logic, its limits, and the disclosures clients receive. Opacity that might be tolerated in a consumer app is a real exam risk for a fiduciary.
Third-party AI vendor due diligence. Most advisers consume AI through a CRM, a research tool, a planning platform, or a model marketplace. The adviser still owns the duty of care over advice those tools shape, and a vendor's assurances are not the adviser's controls. Diligence that names what the vendor's AI does, what data it touches, and how it can fail is the missing piece.
Form ADV that has not caught up with the AI. Firms adopt AI tools quarter over quarter while Form ADV is updated annually, so the disclosure drifts out of sync with what the firm actually does. An examiner who finds material AI use that the brochure does not describe has an easy finding.
Small RIAs with no dedicated compliance staff. A firm with $25M to $100M in AUM and a founder who is also the CCO faces the same rules as a large adviser, but with fewer hands to meet them. These firms need a right-sized program that produces real evidence without pretending to be an enterprise compliance department, which is exactly what the Beachhead and Anchor tiers are built for.
The same five-step method runs every engagement, scaled to the tier and to the size of the firm. For an adviser it is built to produce exam evidence and a clean Form ADV story.
Discovery. We map your registration, your AUM band, whether you run discretionary or non-discretionary mandates or a robo platform, and where AI already touches advice, marketing, and client communications.
AI use-case inventory. We name every AI tool in the practice, including the CRM and planning-software AI that the firm did not think of as AI and the model-marketplace tools embedded in a vendor stack.
Control mapping. We map each system onto the SEC AI examination priorities, the Marketing Rule, Rule 206(4)-7, the relevant Form ADV items, and Reg S-P, and we crosswalk that onto your existing compliance program.
Testing. We test what the SEC tests: whether AI-influenced decisions are explainable and human-owned, whether AI performance claims are substantiated and fair, whether Form ADV matches actual AI use, and whether your incident-response program can make a Reg S-P determination on a clock.
Remediation roadmap. We sequence the fixes so the most examinable gap, usually a Form ADV or Marketing Rule mismatch, closes first, and you leave with a defensible inventory and a roadmap your CCO can run.
Most advisers start with a fixed-fee exam-readiness checklist, then decide whether to review the investment process or build the full governance program. You choose the depth.
A fixed-fee SEC AI exam-readiness checklist plus a Form ADV AI disclosure gap analysis mapped to Reg S-P: where your brochure understates or overstates AI use, where the Marketing Rule reaches your AI performance claims, and where your incident-response obligations sit. You leave knowing what an examiner would ask about first.
A review of the AI-enabled investment process for explainability and human ownership, paired with a Rule 206(4)-7 policy refresh that makes your written compliance procedures actually address the AI you use: portfolio-construction oversight, Marketing Rule controls on AI content, and Form ADV alignment.
A holistic AI governance, vendor-risk, and disclosure program across the advisory practice: a governed AI inventory, third-party vendor due-diligence standards, a fiduciary-grade oversight regime for AI-influenced advice, and disclosure that keeps Form ADV honest as the firm's AI use evolves.
A small firm of senior practitioners, established 2026, that builds the tools it governs with.
Engagements run on a senior-only bench. There is no junior hand-off. The person who scopes the work is the person reviewing your investment process and the person answering your CCO's hardest question about an exam. For a small advisory firm that depth matters more, not less, because you do not have an internal team to backstop a thin answer.
The firm also ships authored open-source IP. mcp-warden is DSE's public supply-chain integrity gate for AI tooling: it pins a tool surface, fails on drift, and inspects what a third-party tool actually returns at runtime. That is exactly the discipline an adviser needs to vet the third-party AI tool surfaces inside the CRM, research, and planning platforms it relies on but does not build. We govern AI by building the controls that govern AI, not by reselling someone else's framework. Established 2026, operator-led, and accountable on paper under a signed SOW or MSA.
Do I need to update Form ADV if I use an AI CRM for client communications? It depends on whether the AI is material to the advisory relationship. An AI feature that drafts routine scheduling messages is different from an AI that shapes the substance of advice or client interactions. The test is whether a reasonable client would consider the AI use material to how the firm provides advice, and whether the relevant Form ADV items, especially methods of analysis and strategies, accurately describe what the firm does. We assess materiality firm by firm rather than apply a blanket rule, and where it is a close call we flag it for your counsel.
Are AI-generated performance figures testimonials under the Marketing Rule? Performance figures are not testimonials, but they are advertisements, and the Marketing Rule governs both. AI-generated or AI-selected performance results are subject to the same requirements as any other advertised performance: they must be substantiated, presented fair-and-balanced, and free of cherry-picked or misleading results. Testimonials and endorsements are a separate category with their own disclosure and oversight requirements. If your AI surfaces or summarizes client statements, that can implicate the testimonial and endorsement rules, which is a distinct analysis we run alongside the performance-claim review.
Does Rule 206(4)-7 require a written AI policy? The rule does not name AI, but it requires written policies and procedures reasonably designed to prevent violations of the Advisers Act. If your firm materially uses AI in advice, marketing, or client data handling, a compliance program that is silent on AI is hard to call reasonably designed. In practice that means your written procedures should address AI oversight, disclosure, and the controls that keep AI-influenced advice within your fiduciary duty. We build that into the Rule 206(4)-7 refresh in the Anchor tier.
We are a dual registrant. Does Reg S-P apply once or twice? The Reg S-P obligations apply to you in each capacity in which you are registered, so a firm registered as both an adviser and a broker-dealer has to satisfy the rule across both registrations rather than treat it as a single obligation. In practice that usually means one well-designed incident-response and customer-protection program built to cover both sides, with the documentation and reporting paths that each registration expects. The compounding is real, and it is why dual-registrants often need the RIA and the broker-dealer programs designed together rather than separately.
Can a small RIA realistically meet these expectations without a compliance team? Yes, with a right-sized program. The rules apply regardless of headcount, but the evidence an examiner wants, an honest AI inventory, a Form ADV that matches reality, substantiated marketing, and a working incident-response process, can be produced by a small firm with the right structure. The Beachhead and Anchor tiers are built precisely for the founder-CCO who needs real readiness without standing up an enterprise compliance department.
What does a typical engagement actually look like? A typical Anchor engagement for an $80M-AUM advisory firm would inventory the AI across the CRM, research, and planning stack, reconcile Form ADV with actual AI use, put Marketing Rule controls around AI-generated content and performance figures, refresh the Rule 206(4)-7 policies to address AI oversight, and deliver a remediation roadmap the founder-CCO can run. That illustration is hypothetical and meant to show shape and sequence, not a specific client.
Regulatory content last reviewed: June 2026 · Maintained by DSE · Next review on material change to the SEC AI examination priorities.
DSE provides AI governance and compliance readiness consulting and AI security testing for registered investment advisers. We are not an accredited certification body and do not issue ISO/IEC 42001 certificates or certify SEC, Reg S-P, or NIST AI RMF compliance. Only the relevant regulator or an accredited certification body can attest to that.
We cannot guarantee passing an SEC exam or avoiding enforcement, and we do not provide legal advice. We work alongside your counsel and your CCO. Where we describe mapping to the SEC AI examination priorities, the Marketing Rule 206(4)-1, Rule 206(4)-7, Form ADV, Reg S-P, or the NIST AI RMF, that means advisory alignment, not certification, and the precise Reg S-P notification trigger is confirmed against the SEC adopting release with your counsel.
All engagements are governed by a signed SOW / MSA that includes a limitation of liability.