BastionAI Blog

BastionAI Editorial Team · April 30, 2026 · 8 min read

Three weeks ago, the SEC announced its FY2025 enforcement results. Buried inside the press release was a detail every Chief Compliance Officer at an RIA or broker-dealer should be paying attention to: the Commission’s new Cyber and Emerging Technologies Unit is now actively pursuing cases involving AI misuse, AI-washing, and misrepresentation of AI capabilities.

This is not subtle. The regulators have built the team. They’ve funded the team. They’ve named the priorities. The only question left is which firm gets enforced against first.

If your firm is using ChatGPT, Claude, or any generative AI in client-facing workflows — and you don’t have real-time compliance controls in place — this article is for you.

What the SEC actually said

The April 7 release marked a deliberate shift in tone. While total enforcement actions came down year-over-year, the Division of Enforcement explicitly cited AI-washing among the categories of misconduct it considers exemplary of FY25’s priorities.

Senior Enforcement leaders pointed to a specific case: a private startup that misrepresented AI capabilities to investors. They also flagged ongoing scrutiny of registered firms that overstate, misuse, or fail to supervise AI in their operations.

THE SIGNAL: The SEC is no longer asking whether registrants are using AI responsibly. It is asking how, and demanding the documentation to prove it.

The three rules now in play

If your advisors are using generative AI, three regulatory frameworks are already implicated. Most firms have not connected the dots.

1. SEC Marketing Rule (IA-5653)
Any AI-generated content that touches a prospect or client — performance summaries, market commentary, drafted emails — falls under the Marketing Rule. If an LLM hallucinates a return figure or makes an unsubstantiated claim, the advisor is liable. The model is not.

2. FINRA Rule 3110 (Supervision)
FINRA’s 2026 Annual Regulatory Oversight Report explicitly required member firms to retain GenAI chatbot communications and supervise AI-generated content the same way they would supervise content authored by a registered person. Most firms are not doing this.

3. Advisers Act §206 (Anti-Fraud)
The fiduciary duty doesn’t pause when an LLM enters the workflow. If an AI-generated recommendation is unsuitable, misleading, or fails to disclose conflicts, the firm is on the hook for a §206 violation regardless of whether a human reviewed it.

The compliance gap most firms don’t realize they have

Here’s the operational reality at most firms today. An advisor opens ChatGPT. They paste in client portfolio details. They ask for a market summary. They copy the response into an email. They hit send.

In that workflow, the firm has just:

• Sent client PII to a third-party LLM provider.
• Received and forwarded a marketing communication that no compliance officer reviewed.
• Generated zero supervisory record of the interaction.
• Created exactly the kind of evidence the SEC’s new Unit is staffed to look for.

Banning AI use is not the answer. Studies of every regulated industry that has tried it show employees use unsanctioned tools anyway. The result is shadow AI: the same compliance gap, only now invisible to the firm.

What examiners will actually ask for

Based on the SEC’s 2026 examination priorities and the FINRA 2026 report, expect examiners to request the following from any firm that has acknowledged using generative AI:

• A written AI policy covering acceptable use, prohibited use, and supervisory procedures.
• Evidence of enforcement, not just policy existence. Examiners are asking how the policy is implemented day-to-day.
• Logs of AI interactions involving client-facing content, with timestamps and supervisory review records.
• PII handling procedures, specifically how the firm prevents client information from leaving its environment via LLM prompts.
• Output review procedures showing how AI-generated content is checked before transmission to clients.

What “AI compliance” actually has to do

There are two architectural approaches to the problem, and most firms confuse them.

DETECTIVE CONTROLS	PREVENTATIVE CONTROLS
Comms surveillance, archiving, post-hoc review. Catches violations after they’ve been sent. Useful for audit reconstruction. Problem: by the time a violation is detected, the client has already received the bad communication.	Real-time scanning of every prompt and every response, before transmission. Blocks PII leaks, hallucinated claims, and policy violations at the source. This is what the SEC’s emphasis on “implementation, not just policy” actually requires.

The window is closing

The SEC has built the unit. FINRA has named the priorities. The OCC and FDIC are tightening model governance expectations for banks. And the first enforcement action against an RIA for unsupervised generative AI use is, statistically, only a matter of when.

Firms that deploy AI now with real-time compliance controls will gain the productivity benefits without the regulatory exposure. Firms that deploy without controls — or worse, ban AI and drive it into the shadows — will be the cases the new Cyber and Emerging Technologies Unit is hired to make.

BastionAI is the AI compliance firewall built specifically for SEC- and FINRA-regulated firms. We sit between your team and any AI model, scanning every prompt and response in real time for PII leaks, performance claims, hallucinations, and policy violations — and producing the immutable audit trail your next exam will demand.

Join the waitlist at bastionai.io →

The Convergence

In 2025, LLM quality crossed a threshold. Large language models can now reliably parse complex regulatory text, extract specific obligations, and map changes to business contexts. Regulatory volume hit critical mass—the EBA alone published over 400 regulatory outputs in 2025, ESMA published more than 300. Manual monitoring stopped being a strategy and became a liability. And enforcement got real—compliance failures generated $4.4 billion in documented losses in a single year.

The Market: Size, Shape, and Speed

The AI-powered RegTech platform market was valued at $15.4 billion in 2025 and is projected to reach $93.7 billion by 2034, growing at a 22.6% CAGR. The broader RegTech market was estimated at roughly $13 billion in 2023 and is projected to approach $82.8 billion by 2032. Financial services leads adoption—BFSI accounts for 39% of all AI governance deployments. 71% of financial firms now formally use AI, a 26-point increase from 2024.

RegTech venture investment reached $4.8 billion in 2024, with VC funding up 340% over three years. North America holds 33.6% market share, Europe holds 31.7% and is growing at 22.9% CAGR accelerated by DORA compliance deadlines and the EU AI Act, and Asia Pacific is the fastest-growing region at 25.8% CAGR.

The Incumbents

Large technology and data companies dominate the compliance infrastructure layer. NICE Actimize runs the deepest scenario library for AML, fraud detection, and trade surveillance. Nasdaq Verafin led the Chartis FCC50 2026 ranking with industry-wide deployment across Tier 1 banks. Oracle’s FCCM deploys AI agents in simulation environments that stress-test financial crime programs. SymphonyAI claims up to 80% false positive reduction with pre-built agentic workflows. IBM watsonx.governance provides end-to-end AI lifecycle governance.

The Startups: Where Disruption Is Happening

A new generation of RegTech companies is attacking specific pain points where legacy tools fail. In AML and Financial Crime: Hawk AI (Munich) delivers near-90% alert accuracy with drastic false positive reduction. Lucinity (Reykjavik) built an AI copilot for AML investigators. Flagright (Berlin) ships a full-stack AML platform with no-code rule building for 70+ countries. Silent Eight (Singapore) automates alert disposition at institutions including HSBC and Standard Chartered. Napier AI (London) publishes the AI/AML Index for transparent AI impact ranking.

In AI Governance: Credo AI (San Francisco) pioneered the AI governance category and was named to Fast Company’s Most Innovative Companies 2026. Holistic AI (London) covers end-to-end AI lifecycle governance with EU AI Act risk classification. Centraleyes (Tel Aviv) introduced a hybrid approach embedding AI Governance inside a broader GRC ecosystem.

Source: Convergences by Melvin Manchau on Substack

The Regulatory Shift

FINRA’s 2026 Annual Regulatory Oversight Report marks a turning point for firms using artificial intelligence. For the first time, the regulator explicitly requires the retention of GenAI chatbot communications and mandates supervision of AI-generated client content under Rule 3110.

This is not guidance or a suggestion. It is a documented supervisory obligation that applies to every FINRA-regulated firm deploying AI tools in client-facing or advisory capacities.

What Rule 3110 Now Demands

Rule 3110 has always required firms to establish and maintain a system to supervise the activities of each associated person. The 2026 Report extends this obligation squarely to AI-generated content. Firms must now demonstrate they can supervise AI outputs with the same rigor applied to human communications, retain complete records of AI-generated interactions, produce audit trails that show what AI content was reviewed, approved, or blocked, and implement real-time or near-real-time supervision of AI chatbot communications.

The Compliance Gap

Most RIAs and broker-dealers have adopted AI tools faster than their compliance infrastructure can support. A recent industry survey found that while 70% of financial professionals are using AI tools, virtually none have real-time input/output scanning or immutable audit logs for AI-generated content.

This gap between adoption and supervision is precisely what FINRA is targeting. Firms that cannot demonstrate active implementation of AI supervision controls face increasing examination scrutiny and potential enforcement action.

What Firms Should Do Now

The path forward requires more than updating a compliance manual. FINRA is looking for operational evidence of supervision: real-time scanning of AI inputs and outputs, automated policy enforcement on AI-generated content, immutable audit logs that capture every AI interaction, and documented procedures for escalation when AI content triggers compliance flags.

The firms that move first to implement these controls will not only satisfy regulatory requirements but gain a competitive advantage as AI compliance becomes table stakes in financial services.

Analysis based on FINRA’s 2026 Annual Regulatory Oversight Report, published December 2025. Read the full report at finra.org.

A Pattern Emerges

Over the past twelve months, the Securities and Exchange Commission has pursued enforcement actions against four separate firms for what the market has come to call “AI-washing” — the practice of overstating or fabricating AI capabilities in marketing materials, client communications, or regulatory filings.

These actions signal a clear enforcement priority. The SEC is not waiting for comprehensive AI legislation to act. It is using existing anti-fraud and marketing rules to hold firms accountable for AI-related misrepresentations right now.

What Constitutes AI-Washing

The enforcement actions have targeted several categories of misrepresentation. Firms have been cited for claiming AI-driven investment processes that were actually manual, marketing AI capabilities that did not exist in production, overstating the role of AI in portfolio construction or risk management, and using AI terminology in advertising without substantiation.

The SEC has applied the same standards it uses for any misleading marketing claim under the Advisers Act and the Marketing Rule. AI is not exempt from truth-in-advertising obligations simply because the technology is novel.

The Broader Chilling Effect

These enforcement actions have created a legitimate fear of AI deployment among compliance-conscious firms. The irony is significant: firms that want to use AI responsibly are hesitant to deploy it, while firms that make unsupported AI claims face enforcement risk.

This dynamic creates an opportunity for firms that can demonstrate verifiable, audited AI usage. The ability to prove — through immutable logs and real-time scanning — that AI outputs are compliant, substantiated, and properly supervised becomes a competitive differentiator.

Safely Deployable AI

The SEC’s enforcement posture points to a clear standard: firms must be able to demonstrate what their AI actually does, show that AI-generated content is supervised and compliant, produce audit evidence of AI oversight during examinations, and ensure marketing claims about AI capabilities are substantiated.

Firms that build these controls into their AI infrastructure from day one will navigate the enforcement landscape with confidence. Those that do not are operating on borrowed time.

Analysis based on SEC enforcement actions and Division of Examinations priorities through Q1 2026. For current SEC guidance, visit sec.gov.

From Policy to Proof

The SEC’s Division of Examinations has drawn a line in the sand with its 2026 priorities: the era of checkbox AI compliance is over. For the first time, the examination framework explicitly distinguishes between firms that have AI policies and firms that can demonstrate those policies are actively implemented.

This shift reflects a maturation in regulatory thinking. In the early days of AI adoption, regulators accepted that firms were developing governance frameworks. Now, with AI tools embedded in daily operations across the industry, the expectation has moved from “do you have a policy?” to “show me it’s working.”

What Examiners Will Ask For

Based on the 2026 priorities, examination teams are expected to request evidence of real-time or automated AI supervision controls, logs demonstrating that AI outputs are being monitored and reviewed, documentation of policy enforcement actions — instances where AI content was flagged, modified, or blocked, and proof that compliance teams have visibility into AI-generated communications before they reach clients.

Firms that can produce this evidence from an automated system will have a fundamentally different examination experience than those scrambling to reconstruct AI oversight from scattered records.

The Implementation Gap

Many firms updated their compliance manuals in 2024 and 2025 to reference AI governance. These updates typically included acceptable use policies for AI tools, lists of approved AI platforms, and general statements about supervisory obligations for AI-generated content.

While necessary, these policy documents do not satisfy the 2026 examination standard. The SEC wants to see the controls in action: automated scanning, real-time enforcement, immutable audit trails, and documented escalation procedures with timestamps.

Building Exam-Ready Infrastructure

The firms best positioned for 2026 examinations are those investing in operational compliance infrastructure, not just documentation. This means deploying systems that scan every AI input and output in real time, enforcing compliance rules automatically based on regulatory frameworks, generating immutable records of every AI interaction and policy decision, and providing supervisory dashboards that demonstrate active oversight.

The cost of building this infrastructure now is a fraction of the cost of an adverse examination finding or enforcement action later.

Analysis based on SEC Division of Examinations 2026 Examination Priorities, published December 2025. For current SEC examination guidance, visit sec.gov/exams.

No New Rules — But the Old Ones Still Apply

Despite growing attention to AI across the financial industry, none of the three major U.S. financial regulators have introduced rules written specifically for AI. Instead, each agency has taken a technology-neutral approach, reminding firms that obligations around supervision, recordkeeping, disclosure, and customer protection apply to AI just as they do to any other tool. The message is consistent: if you adopt AI, you are still responsible for what it does.

The SEC: Fiduciary Duty Meets Automation

The SEC has made AI a priority area for examinations. The Division of Examinations has flagged digital advisory services, automated trading, fraud detection, and regulatory technology as areas of focus. Firms using AI in these functions should expect examiners to ask whether adequate policies and procedures are in place to supervise those systems. A recent enforcement action reinforced this point — failure to address known vulnerabilities in automated trading models was treated as a breach of fiduciary duty of care. The SEC has also emphasized that AI-related disclosures may be necessary in risk factor sections and management discussion sections of public filings. Equally important, the agency has pursued enforcement actions against firms that overstated AI capabilities in their marketing — a practice regulators have termed “AI washing.”

FINRA: Supervision at Every Level

FINRA’s guidance underscores that its technology-neutral rules apply fully to AI. Member firms are expected to supervise AI usage at both the enterprise and individual levels, maintain robust technology governance, and assess risks related to accuracy, bias, and data provenance. FINRA’s 2025 oversight report also highlights AI-driven cybersecurity threats and the risks of relying on third-party AI vendors, urging firms to implement strong cyber programs to counter increasingly sophisticated attacks.

The CFTC: Cautious Engagement

The CFTC took a measured step in late 2024 by releasing a nonbinding staff advisory on AI use in derivatives markets. The advisory reminds regulated entities to update their policies and procedures and to exercise particular caution around risk management, recordkeeping, and customer protection. It also encourages ongoing dialogue with CFTC staff about emerging AI use cases. Notably, this advisory was rooted in the Biden-era executive order on AI, which the current administration has since revoked. A new executive order directs agencies to develop plans that prioritize American AI leadership, so the regulatory posture may shift in the months ahead.

What Firms Should Do Now

Regardless of how the political winds shift, the core compliance obligations remain. Firms using AI should take stock of every AI tool in use across the organization, maintain a formal inventory, and implement standard risk-management processes for each one. Preventing employees from accessing unapproved or unmonitored AI tools is equally critical — many publicly accessible AI platforms train on user data, creating uncontrollable privacy and cybersecurity risks. Building a defensible AI governance program today is the best protection against regulatory uncertainty tomorrow.

This analysis draws on regulatory developments discussed by Sidley Austin LLP. For the full legal analysis, see their February 2025 update.

Proposed Rules Are Stuck — But the SEC Is Moving Anyway

The SEC proposed ambitious rules in 2023 that would require broker-dealers and investment advisers to identify and eliminate conflicts of interest created by predictive data analytics, including AI. Those rules drew sharp industry criticism for their breadth — covering technology well beyond AI, applying to institutional and even prospective investors, and requiring firms to document conflicts arising from systems whose outputs are, by the SEC Chairman’s own admission, often unexplainable. With no final vote scheduled, the rules remain in limbo. But the SEC has moved forward on other fronts.

AI Examination Sweeps Are Underway

The Division of Examinations has launched targeted sweeps focused on how investment advisers develop and use AI models. Firms have been asked to describe their models and techniques, identify their data sources and providers, and produce internal reports of any incidents where AI use raised regulatory, ethical, or legal concerns. Examiners are also requesting copies of AI-specific compliance policies, contingency plans for system failures, client profile documents used by AI systems, and all marketing materials that reference AI capabilities.

Enforcement Is Watching for “AI Washing”

The Division of Enforcement has confirmed active investigations into AI-related misrepresentations. The SEC has made clear that firms overstating what their AI can do — a practice the agency calls “AI washing” — face the same scrutiny as any other misleading disclosure. This extends beyond broker-dealers and advisers to public issuers and anyone making AI-related claims in the market.

Existing Law Already Covers AI Risks

Even without new rules, the current regulatory framework reaches AI in several important ways. AI models trained on datasets the firm lacks authority to use could implicate insider trading laws. Outputs that drive investment recommendations may trigger fiduciary duties and Regulation Best Interest obligations. And firms making public statements about their AI capabilities must ensure those disclosures remain accurate over time — including as models “drift” from their original training. The SEC also expects firms to maintain compliance policies that specifically address AI risks, safeguard client data processed by AI systems, and monitor for cybersecurity vulnerabilities that third-party AI tools may introduce.

Why Firms Can’t Afford to Wait

The regulatory posture is clear: whether or not AI-specific rules are finalized, the SEC views existing securities law as sufficient to address the risks AI creates. Firms that treat AI governance as a future problem are exposing themselves to enforcement risk today. Building defensible AI policies, documenting model behavior, and ensuring accurate disclosures are no longer optional — they’re the baseline the SEC already expects.

This analysis draws on regulatory developments discussed by Skadden, Arps, Slate, Meagher & Flom LLP. For the full legal analysis, see their February 2024 publication.