SEC Guidance on AI: Rules, Alerts, and Enforcement Signals
·
20 min read
Key Takeaways
The SEC does not have a standalone AI rule, but existing securities laws fully apply to how firms develop, market, and use AI.
The SEC evaluates AI based on what it does in practice, including its impact on investor communications, recommendations, disclosures, supervision, and recordkeeping.
AI tools that influence investor decisions, such as robo-advisors, personalization engines, and chatbots, generally receive the highest level of regulatory scrutiny.
Firms can face enforcement action when they overstate AI capabilities, make unsupported performance claims, or fail to align marketing statements with how their systems actually work.
Using AI does not change obligations related to fiduciary duty, Reg BI, anti-fraud rules, supervision, data protection, or books and records requirements.
A strong AI compliance framework starts with identifying AI use cases, mapping them to regulatory requirements, implementing governance and change controls, and maintaining clear documentation for examinations.
Artificial intelligence is now part of daily operations across broker-dealers, RIAs, fintech platforms, and digital asset firms. When people search for “sec ai,” they are usually trying to understand one thing: how the SEC views the use of AI in regulated financial services.
AI is not regulated through a single rule. Instead, the Securities and Exchange Commission (SEC) applies long-standing securities laws to firms deploying AI across investor communications, trading systems, compliance workflows, and operational infrastructure.
While AI-focused rule proposals were introduced, they were ultimately withdrawn. Since then, regulatory focus has been expressed through examination programs and enforcement activity.
This article breaks down what actually matters: the SEC’s stance on AI, the withdrawn predictive analytics proposal, current examination focus areas, relevant staff guidance, and enforcement signals.
At InnReg, we help broker-dealers, RIAs, and innovative fintech firms design, implement, and manage compliance programs that account for evolving technologies like AI. From registration and licensing to supervisory frameworks and day-to-day compliance operations, our team works as your compliance department or an extension of it.
SEC Stance on AI
The SEC’s view of artificial intelligence is practical. The SEC has stated that they do not intend to treat artificial intelligence separately from all other types of regulation. Rather, they will evaluate each firm using artificial intelligence as part of its business practices, and assess the application of existing US securities laws related to those practices.
From a regulatory perspective, technology does not change the underlying obligation. When AI is involved in making recommendations, tailoring client messages, routing orders, supporting AML reviews, or preparing marketing materials, firms remain subject to the same anti-fraud, supervision, disclosure, and recordkeeping obligations.
Learn more about SEC Rule 17a-4 (recordkeeping obligations) →
SEC Regulation of AI Used by Firms
For broker-dealers, RIAs, ATS platforms, and fintech firms, the SEC’s focus is functional.
The key question is simple: Is the firm’s use of AI consistent with its regulatory obligations and public representations?
AI used in front-end investor interactions tends to draw the most scrutiny, and that includes robo-advisory engines, personalization tools, chatbots, and predictive analytics. Back-office AI, such as surveillance or AML monitoring, also falls within scope if failures could impact customers or market integrity.
Why There Is No Single “SEC AI Rule”
Many fintechs expect a dedicated SEC AI framework, which does not exist. Instead, the SEC applies established statutes such as:
Regulatory Area | How It Applies to AI |
|---|---|
Anti-fraud, supervision, books, and records | |
Investment Advisers Act | Fiduciary duty, compliance program requirements |
Best interest obligations for broker-dealers | |
Accuracy of AI-related claims | |
Data protection and safeguarding requirements |
This approach reflects a consistent theme in SEC AI oversight: AI is treated as a tool, not a separate regulatory regime.
Note that the lack of an explicit rule does not provide firms with "free passes." Regulatory agencies will continue to assess their use of AI in accordance with traditional standards (Are you making truthful disclosures? Are you managing conflict of interest? Are you providing adequate supervisory oversight? Are you protecting your investor base?)
For fintech companies developing new models, this can be uncomfortable. AI may sit at the core of the product, while the regulatory review still relies on long-standing securities concepts. The practical challenge is connecting what the system does to the obligations that already exist.
Learn how InnReg helps regulated fintechs develop regulatory and product strategy →
SEC AI Rulemaking: What Was Proposed and What Was Withdrawn
The most significant attempt at formal SEC AI rulemaking came in 2023. It did not result in a final rule. Understanding what was proposed and why it was later withdrawn is critical for compliance strategy.
The 2023 Predictive Data Analytics Proposal
In July 2023, the SEC proposed rules addressing conflicts of interest associated with the use of predictive data analytics and similar technologies by broker-dealers and investment advisors.
The proposal focused on situations where firms use technology to:
Analyze investor data
Predict behavior
Personalize recommendations or prompts
Optimize engagement in ways that could benefit the firm
The SEC’s concern was that if a system is designed to increase revenue, trading frequency, or product uptake, it may create conflicts with investor interests.
Under the proposal, firms would have been required to:
Identify conflicts arising from certain technology uses
Eliminate or neutralize the effect of those conflicts
Maintain written policies and procedures addressing those risks
The rule was broad. It captured not only AI, but also algorithms, machine learning models, and other analytical tools. In practice, it would have applied to many fintech business models.
At its core, the proposal signaled that technology-driven personalization could raise structural conflicts that disclosure alone may not address.
The 2025 Withdrawal: What It Means for Firms
In 2025, the SEC formally withdrew the predictive data analytics proposal, and no substitute rule followed. The Commission did not move forward with the proposed framework.
That decision did not signal a retreat from concerns about AI-related conflicts. It simply reflected a choice not to finalize that particular approach.
As a result, there is no standalone SEC AI conflicts rule in force, and firms are not bound by the proposed “eliminate or neutralize” requirement. Instead, existing securities laws continue to govern how AI-related risks are assessed.
This withdrawal means that compliance departments do not have to establish procedures relative to a new standard. But now there’s a greater burden placed on how firms interpret and enforce existing regulations and perform examinations.
What Replaced It (Exams and Enforcement)
After the withdrawal, the SEC’s attention did not disappear. It shifted.
AI-related issues now surface primarily through:
Examination priorities
Targeted information requests
Enforcement actions involving misleading AI claims
Reviews of supervisory controls and marketing practices
In other words, SEC AI oversight currently operates through existing rules applied in exams and enforcement, not through new rule text.
For fintech firms, this creates a different risk profile. Instead of preparing for a new compliance regime, firms must be prepared to defend how their AI systems align with current obligations.
That requires documentation. It requires supervisory clarity. And it requires consistency between how AI works, how it is described publicly, and how it is governed internally.
SEC AI Through the Lens of Existing Rules
Firms can not use an SEC rule that specifically addresses AI until one is created. As such, firms have to evaluate how they're using artificial intelligence in light of current SEC rules. This includes identifying where the firm's use of AI falls within current regulatory definitions rather than developing an entirely new regulatory framework around AI.
Anti-Fraud Provisions (Advisers Act and Exchange Act)
Fraud prohibitions are still the core of all SEC enforcement. Whether it be by humans or models, anti-fraud provisions will always be applicable. As long as AI affects investment decisions and client communication, you should expect that the SEC will scrutinize your transparency and truthfulness. The questions are: does what you represent about your AI process match reality, and are there unrepresented conflicts with the structure underlying the AI process?
The anti-fraud provisions remain the backbone of SEC enforcement. They apply regardless of whether decisions are made by a human or supported by a model.
If AI influences investment decisions or client communications, regulators will likely evaluate transparency and truthfulness. The key issue is whether representations match reality and whether the structure of the AI-driven process creates undisclosed conflicts.
Problems tend to emerge when firms describe their tools in aspirational terms or leave out important operational limits that would matter to an investor evaluating the service.
In the SEC AI context, the central question is whether investor-facing representations align with how the system actually functions.
Learn more about the Securities Exchange Act →
See also:
The Marketing Rule and AI-Related Claims
The Marketing Rule does not carve out an exception for emerging technology. If a platform is promoted as algorithmic, predictive, or machine learning-based, the same standards apply.
What matters is alignment. Does the marketing language match the system’s actual capabilities? Are performance references based on live results, or on testing environments and assumptions that investors may not fully appreciate?
Regulatory bodies have begun to pursue companies that have exaggerated their AI-based narrative beyond what the supporting technological foundation actually supports. This is typically when risk surfaces, not because of the use of artificial intelligence per se, but because of how the company represented it.
Firms need to apply similar discipline in describing AI-related products or services as they have historically applied to performance advertising. Firms need to clearly describe the capabilities of their systems, accurately limit statements made regarding those systems' abilities, and validate internally that any claims made can be substantiated.
Built based on InnReg’s experience of working with 100+ fintechs, Regly’s marketing compliance module helps firms flag potential risks using AI-powered tools →
Need help with broker-dealer compliance?
Fill out the form below and our experts will get back to you.
Fiduciary Duty and Best Interest Obligations
An advisor’s fiduciary duty is tied to the advice itself, not the method of delivery. Automated systems do not change that baseline.
Under Reg BI, broker-dealers must also place the retail customer’s interest first when making recommendations. That standard applies whether the suggestion originated from a representative or an algorithm.
If AI is used to generate recommendations or steer investor actions, firms should review how client data is collected, how the AI model interprets the risk tolerance and investment objective(s) of each client, and whether or not the AI model is influenced internally by revenue drivers that may lead to presenting alternative scenarios.
Ultimately, the outcome still hinges on the fact that all recommendations made must comply with the best interest or fiduciary requirement.
Additional Resources: | |
|---|---|
| |
Supervision and Compliance Program Requirements
Rules 206(4)-7 under the Advisers Act and supervisory requirements under the Exchange Act require firms to maintain policies and procedures reasonably designed to prevent violations.
When AI supports onboarding, message review, surveillance, or trading activity, it cannot operate outside the firm’s supervisory structure. These systems must be treated like any other controlled function.
That means someone is accountable for how the model evolves, tracks changes to its logic, and periodically reviews its outputs. There should also be a defined path for raising concerns if results appear inconsistent or unexpected.
Supervisory responsibility extends into the technology itself. It does not end once a process becomes automated.
Learn how InnReg supports fintech by helping them establish supervision processes →
Regulation S-P and Data Protection in AI Systems
AI systems typically depend on significant amounts of customer information. That reality brings Regulation S-P and related data protection requirements into play.
Firms need to think carefully about who can access that data, how it moves between internal teams and third-party vendors, and what happens if something goes wrong. Controls around incident response and employee awareness become especially important when AI tools are layered into existing systems.
As firms expand their use of AI, expectations around privacy and cybersecurity tend to rise alongside it.
Books and Records Implications for AI Tools
When AI influences regulated activity, it often creates records that fall within existing retention frameworks. Communications drafted with automated assistance, recommendations generated by models, and alerts triggered by surveillance systems can all carry recordkeeping implications.
Firms should consider how long those records are maintained, where they are stored, and whether changes to system logic are documented. A regulator reviewing SEC AI practices will not distinguish between human and automated processes for retention purposes.
If the system affects the outcome, the related documentation may need to be preserved.
Built based on InnReg’s experience of working with 100+ fintechs, Regly helps firms centralize and manage data using AI-powered tools →
Rule / Obligation | What Regulators Focus On in an SEC AI Review | Where Risk Commonly Emerges |
|---|---|---|
Anti-Fraud (Advisers Act and Exchange Act) | Whether statements about AI tools are accurate, and whether any AI-driven structure creates undisclosed conflicts | Marketing that overstates capabilities or omits material limitations |
Marketing Rule | Consistency between how AI capabilities are described and how the system actually operates, along with support for any stated performance results. | AI-washing, reliance on backtested or hypothetical results without context |
Fiduciary Duty / Reg BI | Whether AI-generated recommendations meet best interest or fiduciary standards | Models that do not properly reflect client objectives, risk tolerance, or economic incentives |
Supervision Requirements | Integration of AI tools into policies, procedures, and oversight structures | Lack of documented governance, unclear ownership, and weak model change controls |
Regulation S-P | Protecting customer data that AI systems use | Poorly defined data access restrictions, limited monitoring of third-party providers, and gaps in breach response preparation. |
Books and Records Rules | Retention of AI-driven communications, recommendations, and supervisory documentation | Missing audit trails, undocumented model updates, and incomplete retention practices |
SEC Examination Priorities: How AI Is Being Reviewed Today
Not every AI-enabled firm will be examined solely because of its technology stack. However, the SEC’s stance does suggest that examiners may focus more on AI where it influences regulated operations.
AI in the SEC’s 2026 Exam Priorities
The SEC’s 2026 exam priorities highlight technology-driven risks, investor protection concerns, and conflicts of interest tied to digital engagement practices.
While the document may not create new obligations, it signals where examiners are likely to focus.
The theme is consistent. If AI affects investor decision-making, it becomes an exam priority issue.
Learn more about the SEC's 2026 exam priorities →
What Examiners Are Likely to Request
During an exam involving AI-driven systems, staff may request documentation that connects technology to compliance controls.
Examiners typically want to understand three things: what the system does, who oversees it, and how risks are identified.
Firms that cannot clearly explain their AI workflows tend to face longer, more detailed follow-up requests.
AI Sweeps and Information Requests
The SEC has, on several occasions, launched targeted outreach efforts aimed at firms using digital engagement features and automated advice systems. These sweeps are designed to gather industry data and identify risk patterns.
Even if a firm is not subject to enforcement, receiving a technology-focused request can require significant internal coordination. Firms using AI in client-facing tools should expect that regulators may ask detailed operational questions.
Sweep letters often function as early warning signals. They indicate where the Commission sees potential systemic risk.
Investor-Facing vs. Back-Office AI Scrutiny
Models influencing client decisions often present a more immediate risk profile than back-end automation. But internal systems are not overlooked. If a breakdown in surveillance or AML technology results in harm or regulatory breaches, it will attract scrutiny.
In short, attention increases as the potential for investor harm increases.
For fintech firms, this means exam preparation should include a clear inventory of AI use cases, mapped to regulatory obligations and supervisory controls. Being able to explain that structure in a concise way can significantly shape the tone of an exam.
SEC Risk Alerts and Staff Guidance Relevant to AI
Beyond rule proposals and exam priorities, SEC AI expectations are also shaped by staff guidance and risk alerts. These documents do not create new laws. They do, however, signal how the Division of Examinations and other SEC staff interpret existing obligations in technology-driven environments.
See also:
Robo-Advisor Guidance and What It Still Teaches
Robo-advisor guidance from prior years still frames much of the current SEC AI analysis.
Staff focused on clarity. Firms were expected to explain how their algorithms functioned, what assumptions shaped the outputs, and where the limits of automation began. Investors needed enough detail to understand what the system was actually doing.
That framework applies just as much to modern AI platforms. Automating advice does not reduce disclosure responsibilities. If anything, it raises the need for a precise explanation.
For advisors and fintech firms, the practical takeaway is simple. Public descriptions of the technology should reflect how the system truly operates.
Electronic Investment Advice Risk Alert
Risk alerts from the Division of Examinations have addressed online advisory models and digital interaction tools.
Across those alerts, regulators identified similar issues. Firms often failed to clearly describe how their algorithms operated, did not sufficiently test the logic behind their models, or lacked meaningful oversight of automated processes.
The message is consistent. Technology must be supported by governance. Firms that deploy AI-driven advisory systems should expect exam staff to ask how those systems are tested, reviewed, and updated
Digital Engagement Practices and Behavioral Prompts
The SEC has raised questions about digital features that influence how investors act. This can include prompts that encourage more frequent trading, spotlight specific products, or create a sense of urgency through design choices.
When AI is used to tailor or refine those prompts, regulators may look closely at the intent and effect. The central issue becomes whether the feature supports the investor’s interests or primarily drives firm revenue.
This is an area where conflict analysis becomes central. If personalization increases engagement but also increases costs or risk to investors, staff may question how those trade-offs were evaluated.
Issuer Disclosure Expectations for AI Claims
The SEC has also focused on public company disclosures related to artificial intelligence.
Issuers that describe AI as a core part of their strategy must present those statements in a balanced way. Boilerplate language or vague references to “advanced AI capabilities” can invite scrutiny if not grounded in operational reality.
In the broader SEC AI landscape, this reinforces a simple principle. Statements about AI, whether made by advisors, broker-dealers, or issuers, must be specific, supportable, and consistent with actual practices.
SEC Enforcement Signals: What Firms Have Already Been Charged For
The clearest signals around SEC AI risk come from enforcement activity. To date, the SEC has not treated AI itself as a violation. The focus has been on how firms describe their technology, how conflicts are managed, and whether supervisory structures kept pace with deployment.
AI-Washing Cases (Delphia and Global Predictions)
The SEC has brought actions against firms that inflated their use of artificial intelligence in promotional materials and disclosures.
In those matters, companies portrayed their platforms as powered by sophisticated AI when the underlying technology did not match the claims. The problem was not the pursuit of innovation. It was the accuracy of the representations.
Regulators compared public statements about machine learning and predictive systems with how the tools actually operated. Where the story exceeded the substance, enforcement followed.
The broader lesson is straightforward. Labeling a product as AI-driven creates exposure if the claim cannot be supported.
Misleading AI Marketing and Performance Claims
Enforcement activity has also addressed performance narratives built around artificial intelligence.
If a firm positions its models as superior, more efficient, or more predictive than conventional methods, staff may request evidence. Claims based on simulations, narrow timeframes, or incomplete data sets can invite scrutiny.
Regulators do not apply a separate standard simply because AI is involved. Marketing that connects technology to returns or risk reduction is assessed like any other performance advertising.
Any assertion that AI improves results should be supported by defensible analysis.
See also:
AI-Enabled Fraud and Deepfake Concerns
Regulators have highlighted the role AI can play in fraudulent activity. Fabricated emails, cloned voices, and scaled outreach powered by automation are no longer theoretical risks.
Firms face a dual challenge. They need safeguards to protect clients from AI-driven scams, and they must review their internal systems to confirm that those tools cannot be used in ways that distort or misrepresent information.
These developments may not always result in charges against the platform provider, but they shape expectations around governance and monitoring.
—
Enforcement Theme | What Triggered Scrutiny | Core Regulatory Concern |
|---|---|---|
AI-Washing | Public claims overstating AI sophistication or proprietary capabilities | Misleading statements and inaccurate disclosures |
AI-Linked Performance Claims | Statements suggesting that artificial intelligence enhances returns or meaningfully reduces investment risk | Unsupported or misleading performance representations |
AI-Enabled Fraud Risks | Use of AI in impersonation, fabricated communications, or scaled deceptive outreach | Supervisory and risk management weaknesses |
The enforcement record suggests a practical takeaway. The SEC is unlikely to pursue firms simply for adopting AI. It is far more likely to pursue firms that misstate capabilities, fail to manage conflicts, or lack adequate supervision.
This aligns with the broader SEC AI framework discussed earlier. Existing anti-fraud, marketing, and supervisory rules remain the foundation.
Where SEC AI Intersects With Other Regulators
As many fintech firms operate under multiple supervisory regimes at the same time, SEC oversight is only one part of the regulatory landscape. Broker-dealers are subject to FINRA rules. Derivatives businesses may fall under CFTC and NFA authority. Bank partnership models bring OCC or FDIC expectations into play. Consumer data practices can also draw attention from the FTC or CFPB.
FINRA Guidance on Generative AI
Financial Industry Regulatory Authority (FINRA) has issued guidance reminding member firms that the use of generative AI tools must comply with existing supervisory, communications, and recordkeeping rules.
If registered representatives use AI to draft communications, analyze markets, or support recommendations, firms remain responsible for supervision and retention. FINRA has emphasized that automation does not dilute a firm’s obligations under FINRA rules governing communications and supervision.
For broker-dealers, SEC AI expectations and FINRA supervision standards tend to reinforce each other rather than conflict.
Learn more about FINRA Supervision Rule (3110) →
CFTC and Responsible AI in Trading
Firms involved in futures, swaps, or forex markets may fall under CFTC and NFA oversight in addition to SEC jurisdiction.
Where AI drives trading strategies, order routing, or risk modeling, regulators may examine model governance, validation, and controls designed to prevent market disruption.
The theme is consistent across agencies. If automation influences trading behavior, governance and risk controls must be demonstrable.
Bank Partnership Model Risk Expectations
Where fintech companies operate through a bank partner, model risk management becomes part of the compliance equation.
Bank regulators expect financial institutions to evaluate and monitor external models that affect consumer outcomes. AI-driven underwriting, fraud detection, or customer profiling can trigger those oversight obligations.
The exposure is higher when the system directly affects lending outcomes or requires customer disclosures.
Global Considerations (EU AI Act and Cross-Border Impact)
Firms with international operations face additional complexity.
The EU AI Act introduces risk-based requirements for certain AI systems, including governance, documentation, and oversight obligations. While the SEC does not enforce the EU framework, multinational firms may need to reconcile US securities compliance with European AI governance standards.
For global fintech platforms, this creates a layered compliance environment. SEC AI oversight may be only one part of the broader regulatory picture.
Practical Compliance Framework for SEC AI Risk
Understanding SEC AI expectations is only the starting point. The next question is how to translate those expectations into internal controls.
1. Build an AI Use-Case Inventory
Start by identifying where AI is actually used.
In many fintech firms, AI touches more areas than leadership initially assumes. It may influence recommendations, marketing content, onboarding workflows, fraud detection, or internal analytics. Without a centralized view, regulatory mapping becomes fragmented.
At a minimum, firms should know which systems are investor-facing, what data they rely on, and who is accountable for oversight. Visibility is the foundation of SEC AI compliance.
A simple internal register that links each use case to a responsible owner is often sufficient.
2. Map AI Functions to Regulatory Obligations
Identifying AI applications is only the first layer. The next task is regulatory alignment.
Each function should be assessed against current legal standards. Advice-related tools invoke fiduciary or Reg BI analysis. Communication-focused systems raise advertising and anti-fraud questions. Data-driven models introduce privacy oversight.
This mapping exercise grounds innovation in accountability. Meaningful AI features should not exist in isolation from compliance requirements.
3. Supervision, Testing, and Change Management
Artificial intelligence tools develop over time. Models are retrained as new data becomes available. External providers adjust logic. Product teams iterate based on user feedback and performance metrics.
Compliance frameworks should anticipate that evolution. Firms should know who is accountable for the tool, how significant changes are assessed before implementation, and how ongoing performance is measured. There also needs to be a structured response if outputs raise questions or create unexpected outcomes.
Supervision is continuous. It does not end once the technology is live in production.
4. Marketing and Disclosure Controls
A recurring enforcement theme is a mismatch between description and reality.
Before promoting a platform as AI-driven, firms should confirm that external language accurately reflects system capabilities. If performance benefits are mentioned, there should be support behind those statements. If limitations exist, they should not be obscured.
Based on 10+ years of InnReg’s experience, Regly’s marketing compliance module helps fintech manage reviews and flag potential risks using AI-powered tools →
5. Vendor Oversight and Contractual Protections
Many AI capabilities are sourced from third parties.
That does not transfer regulatory responsibility. Firms remain accountable for how those tools function within their platform.
Vendor due diligence should address model governance, data handling, and oversight rights.
Regly’s vendor management module helps fintechs organize, track, and assess vendor relationships →
6. Documentation for Exam Readiness
When exam staff ask about AI, they are usually looking for coherence.
Firms should be able to explain what each system does, how it is supervised, and how related risks were evaluated. The documentation does not need to be complex. It needs to be consistent with how the product actually operates. Clear articulation of governance often shapes how an SEC AI review unfolds.
—
SEC AI oversight is not developing as a standalone compliance regime. It is developing through the application of existing securities laws to new technology, with a growing emphasis on disclosure accuracy, supervision, and documentation.
For broker-dealers, RIAs, and fintech firms, the practical question is no longer whether AI is regulated. It is whether the firm can explain how its AI tools operate, how risks are managed, and how those systems fit within its broader compliance framework.
How Can InnReg Help?
InnReg is a global regulatory compliance and operations consulting team serving financial services companies since 2013.
We are especially effective at launching and scaling fintechs with innovative compliance strategies and delivering cost-effective managed services, assisted by proprietary regtech solutions.
If you need help with broker-dealer compliance, reach out to our regulatory experts today:
Related Articles
Featured LinkedIn Posts
