Yes, RIAs can use AI without violating compliance and recordkeeping rules, but only if you treat AI output as a regulated record from the moment it exists. The Advisers Act marketing rule, the books-and-records rule, and Reg S-P already govern anything AI drafts, summarizes, or sends on your behalf. The firms that get in trouble are the ones that forgot AI does not get its own softer rulebook.
Last updated: July 16, 2026
Does AI have its own set of rules for advisory firms?
No, and that is the whole thing most firms get wrong. AI does not create a new regulatory regime. It runs your existing obligations faster. Whatever your firm is already required to do around accuracy, substantiation, recordkeeping, and client data, AI is now doing at scale, which means it can create a violation at scale too.
The SEC made this concrete in its first AI-washing cases, penalizing two registered investment advisers a combined $400,000 for overstating their use of AI in marketing, under the same marketing rule that governs everything else you tell the public (SEC Press Release 2024-36). Notice what got them in trouble. Not the technology. The claims about it, judged against the rule they already lived under. That is the pattern for every AI compliance risk an RIA faces. The old rule still applies, and the machine just gave you a faster way to break it.
What does the books-and-records rule mean for AI output?
It means AI-generated content can become a record you are legally required to keep, and you should decide that on purpose rather than discover it during an exam. Under the books-and-records rule, advisers must retain a wide range of communications and materials that relate to their advisory business. An AI meeting summary that ends up in the client file, an AI-drafted email that goes to a client, AI-generated marketing copy on your website, these do not escape retention just because a model wrote the first draft.
Here is the trap I see. An advisor turns on an AI note-taker for client meetings because it is genuinely helpful. The transcript and the summary get generated automatically and live inside the tool. Now you have created records of client interactions, and if you cannot produce them, retain them, and supervise them the way you retain everything else, you have quietly opened a hole in your compliance program. The tool did not warn you. It just did what it does. The fix is not to ban the note-taker. It is to decide, before you scale it, what is a record, where it is retained, who reviews it, and how long you keep it. Boring. Load-bearing.
What is the real compliance risk with AI at an RIA?
The real risk is not using AI, it is using it invisibly. The dangerous pattern is desktop tools running outside your compliance program, doing regulated work that nobody has supervised, tested, or written a policy for.
The data shows how common this is. Across financial services, 84% of firms report using AI somewhere, but fewer than one in five compliance functions have actually embedded it in a governed, auditable way, and most usage is individual staff running desktop tools like ChatGPT or Copilot outside the real workflow (ACA Group survey). That is shadow AI, and in a regulated firm it is where the exposure lives. Your advisor is not trying to break a rule. They are trying to save an hour. But they are pasting client information into a tool your CCO has never reviewed, generating communications outside your supervision, and creating records outside your retention. Multiply that across a team and you have a compliance program with a blind spot the size of your whole staff.
So what does it actually take to use AI compliantly?
It takes three things done before you scale, not after. First, a written policy that says which tools are approved, what data may go into them, and what a human must review before anything reaches a client. Second, a retention answer for every kind of AI output that touches the advisory business, so the record exists where your books-and-records process expects it. Third, substantiation for any AI claim you make in marketing, because the marketing rule does not care that a model helped you write it.
None of that is exotic. It is your existing compliance program extended to cover a new author. The reason firms skip it is that AI arrives one helpful tool at a time, from the bottom up, and the compliance conversation never happens until an examiner forces it. Do it in the other order. Write down how the work runs, decide where AI fits, then turn it on. That is exactly the map an AI Readiness Audit produces.
Compliance obligations AI does not exempt you from
| Obligation | What it means for AI |
|---|---|
| Marketing rule (Advisers Act Rule 206(4)-1) | AI-drafted marketing must be fair, balanced, and substantiated, exactly like anything else you publish |
| Books-and-records rule | AI-generated communications and summaries can be required records you must retain and produce |
| Supervision and compliance program (Rule 206(4)-7) | You must have written policies for how AI is used, reviewed, and monitored |
| Reg S-P / client data privacy | Client information pasted into an unvetted tool can breach your safeguarding duties |
| Fiduciary duty | The advice is still yours. A confident wrong answer from a model is your responsibility, not the vendor’s |
Your next step
If compliance is your first worry about AI, that instinct is correct, and the answer is to map your exposure before you scale, not after. The AI Readiness Audit reads your firm the way an examiner and an AI both would, and tells you where your workflows, your records, and your policies are ready and where they are not. It is $750 and credits toward the build.
For the bigger picture, read the RIA landing page on where to start with AI, the deeper cut on whether AI creates SEC risk for your firm, and the thesis under all of it, AI only amplifies what it can read.