Asset Managers Need Written AI Policies Now, Not Later
Investment advisers are facing a shift from optional to required governance around artificial intelligence. Regulators, investors, and due diligence teams now flag the absence of a formal AI policy as a compliance gap, sometimes in questionnaires and sometimes in formal reviews.
For registered investment advisers (RIAs), SEC Rule 206(4)-7 requires written compliance policies and procedures that are "reasonably designed" to prevent violations of the Advisers Act, and the SEC expects those policies to keep pace with the tools a firm actually uses, including AI. Exempt Reporting Advisers (ERAs) are not subject to that rule, but the SEC still expects every compliance program to evolve with the firm's business practices.
The regulatory environment is tightening. The U.S. Government Accountability Office states that "AI is now deeply embedded in financial services operations, and regulators expect firms to maintain robust oversight structures to address data privacy, model risk, and information security." The SEC has made "AI washing" (exaggerating or misrepresenting a firm's AI capabilities) an enforcement priority.
Why Generic Templates Don't Work
Many firms search for off-the-shelf AI policies. Most boil down to vague commitments about responsible use and transparency, with little guidance on actual implementation. A policy imported from another firm or drafted without understanding your specific AI environment creates operational risk rather than reducing it.
An effective policy must reflect how your firm actually uses AI today, not how you hope to use it in the future.
What Your Policy Should Address
Tool inventory and approval process. You cannot supervise what you don't know exists. Start by identifying every AI tool used across the firm, including AI features embedded in mainstream platforms such as document editors, email systems, and productivity suites. Many AI tools are adopted informally by individual employees or teams, so the inventory must capture the full picture, not just officially approved tools. Document the approval process for new tools, record who approved each tool and when, and update the inventory regularly.
Permitted and prohibited uses. Define which AI tools employees may use, how they may use them, and what information must never be entered into any AI system, such as nonpublic client or investor information, material nonpublic information, and confidential portfolio data.
Human review requirements. Every AI-assisted output headed to a client, investor, or counterparty should undergo human review before release. Your policy should distinguish between a cursory read and a substantive review, and detail how errors are flagged and corrected.
Disclosure accuracy. The gap between how your firm actually uses AI and what you disclose about that use is a recurring compliance deficiency. The SEC Marketing Rule (Rule 206(4)-1) applies to advertising content whether a person or an AI tool drafted it, including pitch decks, social media posts, emails, and website copy, and the same accuracy standard extends to offering documents. Designate a person, typically an attorney or compliance professional, to maintain accurate, up-to-date disclosures about your firm's AI use. The SEC has pursued enforcement actions against both private and public firms for misrepresenting their AI capabilities.
Vendor due diligence. Many advisers use AI without realizing it, through third-party SaaS tools that have added AI features. Before adopting a third-party AI tool, understand how the vendor handles your data (including whether your inputs are retained or used to train the vendor's models), what safeguards prevent misleading content, and what happens to your data if the vendor changes the underlying model or if you terminate the relationship.
Recordkeeping. Define which AI outputs qualify as records and how they are retained. For RIAs, this connects to Rule 204-2, which requires specified books and records to be maintained and, for electronic records, kept in a form that can be promptly retrieved and produced. ERAs should still document what is kept and how it can be produced during an audit or regulatory inquiry.
Training. Employees need specific guidance when the policy is adopted and whenever it is materially updated. Generic "use responsibly" language fails. Training should cover what data can or cannot be entered into tools, when AI output must be verified, and how to recognize red flags like hallucinations or fabricated citations.
Policy review. For RIAs, assess the policy during the annual compliance review required by Rule 206(4)-7. Given the pace of change in AI tools and capabilities, consider more frequent reviews that track new tools adopted, incidents or near-misses, control effectiveness, and regulatory developments.
How to Start
Take an inventory of how AI is actually being used across your firm. Compare that reality to what your policies currently say. Identify the gap.
From there, update your procedures to define approved tools, prohibited uses, human review expectations, disclosure controls, vendor due diligence, recordkeeping, and training requirements. Build a policy that reflects today's workflows.
Review it regularly and keep it aligned as tools, risks, and regulatory expectations change. For legal interpretation or potential exposure, consult qualified legal counsel to ensure your AI policies align with current regulations.
An AI policy cannot stand alone. It must be part of a broader AI governance program that addresses how your firm identifies, assesses, and manages AI-related risks across all operations.