Blog
AI Can’t Sign Your Form ADV: What AI Changes in Compliance, and What It Doesn’t
Alex Woodcock | 23 June 2026
Artificial intelligence has moved quickly from experimentation to everyday use across the investment management industry. Advisers, fund managers, and service providers are increasingly incorporating AI into their workflows and relying on it to summarize information, draft documents, conduct research, and improve operational efficiency. As adoption accelerates, many firms are left wondering how AI can deliver meaningful value while maintaining appropriate oversight, governance, and accountability.
Regulators have noticed the trend. The SEC's FY2026 Examination Priorities identify advisers' use of AI and other emerging technologies as an area of focus, with exam staff expected to review firms' governance practices, employee training, and AI-related disclosures as well as ensure that a firm's actual use of AI aligns with the representations it makes to clients and regulators.
The Commission has withdrawn a slate of Gensler-era rule proposals, including several tech related regulatory changes, and current Chair Atkins has publicly signaled that it is not currently looking to issue AI-specific rules, which means existing obligations, not a new AI rulebook, govern. Meanwhile, FINRA has reiterated that its regulatory framework remains technology-neutral: firms may adopt new technologies, but they remain responsible for complying with existing obligations.
Taken together, these developments point to an important reality for compliance and operations professionals alike. AI may change how work gets done, but it does not change who is accountable for it. That distinction is likely to shape how regulators, boards, investors, and industry professionals evaluate AI adoption in the years ahead.
The benefits of AI are real and worth acknowledging.
AI can summarize lengthy regulatory releases, organize information, identify patterns, draft first versions of policies and disclosures, accelerate research, and reduce time spent on repetitive administrative tasks; shifting time spent gathering information to analyzing it.
Used appropriately, AI can make experienced compliance and operations professionals significantly more efficient. But efficiency is not the same thing as accountability.
No matter how capable AI becomes, certain responsibilities remain attached to people and firms.
AI cannot register as an investment adviser. It cannot serve as a Chief Compliance Officer. It cannot sign a regulatory filing, answer examination findings, certify disclosures, or appear before a board to explain why a decision was made. More importantly, it cannot assume fiduciary responsibility for the outcome.
Regulators, boards, auditors, and investors do not hold technology accountable. They hold firms and individuals using it accountable.
That distinction matters because compliance is ultimately a function of judgement. The right answer often depends on firm-specific facts, operational realities, historical context, and risk considerations that extend beyond the information that is typically available to an off-the-shelf, general-purpose AI model. If anything, that moves the human contribution up the value chain, and now lies in the judgment, context, and accountability layered on the output produced.
AI can support the process, but regulators still expect firms and individuals to stand behind the result.
The greatest risk is not that firms use AI. The risk is that firms use AI without governance.
AI can produce inaccurate information, omit relevant facts, rely on outdated sources, or generate conclusions that sound more authoritative than they are. In a regulated environment, those mistakes can create real exposure if AI-generated content is accepted without scrutiny.
From an examiner's perspective, the question is rarely whether AI was used. The question is whether the firm using it maintained control over the process and can explain how the result was reached.
A compliance conclusion that cannot be defended, documented, or supervised remains a compliance risk regardless of how efficiently it was produced.
Much of the current discussion concerns AI tools that summarize and draft content. The harder questions arrive as AI begins to act. In a widely reported 2025 incident, an AI coding agent deleted a customer's live production database during an active code freeze, despite explicit instructions not to make changes. It then generated fabricated records and initially misreported what it had done. The data lost belonged to real businesses.
It is not difficult to translate that scenario into a regulated context. Consider an AI tool with access to a firm's books and records, client data, or filing systems that takes an unintended destructive action, or quietly populates a regulatory filing with fabricated figures. The firm would still own the consequences: a potential books-and-records failure, a possible client-data issue under Regulation S-P, a business continuity event, or a supervision question about how an unsupervised tool was granted that access. A vendor's apology would not resolve any of it.
This is the direction of travel. So-called AI agents, which complete multi-step tasks with limited human input, are already drawing regulatory attention, and FINRA's most recent annual oversight report addresses them directly. As tools move from assisting to acting, the human-in-the-loop question becomes harder, not easier, and defining where review, approval, and access limits sit becomes more important.
Regardless of what a firm’s AI tools are used for, good AI governance is ultimately about maintaining control over the process. That discipline is part organizational and part personal.
When you run something through an AI tool and notice how quickly and easily it produced a result, challenge yourself to name what you are adding to the process: the judgment, the firm-specific context, the verification, and the willingness to stand behind the result. If you cannot answer that, the work is likely not finished.
That same instinct scales into a set of controls. At the firm level, it means clear guidance on which tools may be used, what information may be entered into them, and which tasks are appropriate for AI assistance, with principles that might include:
None of this is procedure for its own sake. It is increasingly what examiners will be looking for: when regulators review AI use, they will focus on whether the firm can demonstrate oversight, supervision, and accountability for the technology they choose to adopt.
For most firms, AI risk does not stop at their own employees. Advisers and funds rely on any number of third parties, including administrators, sub-advisers, marketing firms, and other service providers, many of which are adopting AI in the tools and services they deliver. Existing third-party oversight obligations do not pause because a vendor has introduced AI. Firms are expected to understand how their providers use AI, what information those tools process, and how the resulting work is reviewed.
Practically, that means asking service providers the same questions a firm should ask internally: what tools are in use, on what data, with what human review, and who is accountable for the output. A firm that cannot answer those questions about its provider chain has a gap regardless of how well it governs its own desks.
AI will keep changing how compliance and operations teams work. The framework of accountability that governs regulated businesses is unlikely to change with it.
That is why oversight becomes more valuable, not less. As the tools inevitably continue to improve and become more capable, they raise the baseline expectation of what can be achieved. In turn, this sharpens the question of who can exercise judgment, explain a decision, and answer for the result. AI can draft an ADV filing. It still cannot sign it.
If you'd like to discuss AI oversight, compliance controls, or governance best practices, reach out to the PINE team.
Regulators have noticed the trend. The SEC's FY2026 Examination Priorities identify advisers' use of AI and other emerging technologies as an area of focus, with exam staff expected to review firms' governance practices, employee training, and AI-related disclosures as well as ensure that a firm's actual use of AI aligns with the representations it makes to clients and regulators.
The Commission has withdrawn a slate of Gensler-era rule proposals, including several tech related regulatory changes, and current Chair Atkins has publicly signaled that it is not currently looking to issue AI-specific rules, which means existing obligations, not a new AI rulebook, govern. Meanwhile, FINRA has reiterated that its regulatory framework remains technology-neutral: firms may adopt new technologies, but they remain responsible for complying with existing obligations.
Taken together, these developments point to an important reality for compliance and operations professionals alike. AI may change how work gets done, but it does not change who is accountable for it. That distinction is likely to shape how regulators, boards, investors, and industry professionals evaluate AI adoption in the years ahead.
What AI Does Well
The benefits of AI are real and worth acknowledging.
AI can summarize lengthy regulatory releases, organize information, identify patterns, draft first versions of policies and disclosures, accelerate research, and reduce time spent on repetitive administrative tasks; shifting time spent gathering information to analyzing it.
Used appropriately, AI can make experienced compliance and operations professionals significantly more efficient. But efficiency is not the same thing as accountability.
What Doesn't Transfer
No matter how capable AI becomes, certain responsibilities remain attached to people and firms.
AI cannot register as an investment adviser. It cannot serve as a Chief Compliance Officer. It cannot sign a regulatory filing, answer examination findings, certify disclosures, or appear before a board to explain why a decision was made. More importantly, it cannot assume fiduciary responsibility for the outcome.
Regulators, boards, auditors, and investors do not hold technology accountable. They hold firms and individuals using it accountable.
That distinction matters because compliance is ultimately a function of judgement. The right answer often depends on firm-specific facts, operational realities, historical context, and risk considerations that extend beyond the information that is typically available to an off-the-shelf, general-purpose AI model. If anything, that moves the human contribution up the value chain, and now lies in the judgment, context, and accountability layered on the output produced.
AI can support the process, but regulators still expect firms and individuals to stand behind the result.
The Real Risk: Ungoverned AI
The greatest risk is not that firms use AI. The risk is that firms use AI without governance.
AI can produce inaccurate information, omit relevant facts, rely on outdated sources, or generate conclusions that sound more authoritative than they are. In a regulated environment, those mistakes can create real exposure if AI-generated content is accepted without scrutiny.
From an examiner's perspective, the question is rarely whether AI was used. The question is whether the firm using it maintained control over the process and can explain how the result was reached.
A compliance conclusion that cannot be defended, documented, or supervised remains a compliance risk regardless of how efficiently it was produced.
When AI Acts, Not Just Drafts
Much of the current discussion concerns AI tools that summarize and draft content. The harder questions arrive as AI begins to act. In a widely reported 2025 incident, an AI coding agent deleted a customer's live production database during an active code freeze, despite explicit instructions not to make changes. It then generated fabricated records and initially misreported what it had done. The data lost belonged to real businesses.
It is not difficult to translate that scenario into a regulated context. Consider an AI tool with access to a firm's books and records, client data, or filing systems that takes an unintended destructive action, or quietly populates a regulatory filing with fabricated figures. The firm would still own the consequences: a potential books-and-records failure, a possible client-data issue under Regulation S-P, a business continuity event, or a supervision question about how an unsupervised tool was granted that access. A vendor's apology would not resolve any of it.
This is the direction of travel. So-called AI agents, which complete multi-step tasks with limited human input, are already drawing regulatory attention, and FINRA's most recent annual oversight report addresses them directly. As tools move from assisting to acting, the human-in-the-loop question becomes harder, not easier, and defining where review, approval, and access limits sit becomes more important.
What Good Governance Looks Like
Regardless of what a firm’s AI tools are used for, good AI governance is ultimately about maintaining control over the process. That discipline is part organizational and part personal.
When you run something through an AI tool and notice how quickly and easily it produced a result, challenge yourself to name what you are adding to the process: the judgment, the firm-specific context, the verification, and the willingness to stand behind the result. If you cannot answer that, the work is likely not finished.
That same instinct scales into a set of controls. At the firm level, it means clear guidance on which tools may be used, what information may be entered into them, and which tasks are appropriate for AI assistance, with principles that might include:
- Defined guardrails. Employees should understand when and how AI may be used.
- Required human review. AI-generated content should not move directly into production for regulatory filings, disclosures, compliance analyses, or other controlled outputs. A qualified professional should review and approve the work.
- Documented rationale. Firms should be able to explain how conclusions were reached, particularly when AI contributes to the process.
- Named accountability. Every material work product should have a clearly identifiable owner responsible for the outcome.
None of this is procedure for its own sake. It is increasingly what examiners will be looking for: when regulators review AI use, they will focus on whether the firm can demonstrate oversight, supervision, and accountability for the technology they choose to adopt.
Governance Extends to Service Providers
For most firms, AI risk does not stop at their own employees. Advisers and funds rely on any number of third parties, including administrators, sub-advisers, marketing firms, and other service providers, many of which are adopting AI in the tools and services they deliver. Existing third-party oversight obligations do not pause because a vendor has introduced AI. Firms are expected to understand how their providers use AI, what information those tools process, and how the resulting work is reviewed.
Practically, that means asking service providers the same questions a firm should ask internally: what tools are in use, on what data, with what human review, and who is accountable for the output. A firm that cannot answer those questions about its provider chain has a gap regardless of how well it governs its own desks.
Oversight Becomes More Valuable, Not Less
AI will keep changing how compliance and operations teams work. The framework of accountability that governs regulated businesses is unlikely to change with it.
That is why oversight becomes more valuable, not less. As the tools inevitably continue to improve and become more capable, they raise the baseline expectation of what can be achieved. In turn, this sharpens the question of who can exercise judgment, explain a decision, and answer for the result. AI can draft an ADV filing. It still cannot sign it.
If you'd like to discuss AI oversight, compliance controls, or governance best practices, reach out to the PINE team.