This article was originally published on Law360 and is republished here with permission as it originally appeared on June 23, 2026.

On May 1, the Investment Company Institute and Investment Adviser Association submitted a joint letter to the U.S. Securities and Exchange Commission urging the SEC to modernize the books and records rule under the Investment Advisers Act.[1] The letter pointed to the so-called off-channel enforcement actions of 2022-2025 as evidence that the books and records rule is ill-suited to the types of technologies used by investment advisers today.

But a single sentence in the letter betrays a greater goal for regulatory modernization: “The increasing use of AI and other technologies adds to the challenges due to the proliferation and types of data generated.” Any regulatory modernization effort must account for artificial intelligence.

AI is transforming how investment advisers research markets, construct portfolios, interact with clients and run their businesses. Nevertheless, an adviser’s obligations under the Advisers Act remain — as yet — unchanged. In considering whether and how to integrate AI into their businesses, investment advisers must consider the substantive and compliance implications of AI under the Advisers Act.

This article discusses certain principal Advisers Act considerations in relation to AI: fiduciary duties, books and records, client confidentiality, and marketing.

Fiduciary Issues: Duty of Care and Duty of Loyalty

Duty of Care: Understanding, Testing and Monitoring AI Tools

The fiduciary duty of care requires advisers to provide advice in each client’s best interest, based on a reasonable understanding of the client’s objectives and a reasonable investigation into recommended investments.[2] The use of AI does not diminish or alter this obligation; rather, AI may change the manner in which this obligation is satisfied.

First, advisers must understand their AI tools, including what data is used, what assumptions are made and what limitations exist. Supervised persons need not be data scientists, but firms must be able to explain, in plain English, what a model does and why it is fit for its use. This is referred to as explainability.[3]

Second, advisers should establish a reasonable basis for relying on AI-generated output. The methods and rigor of AI output validation will vary depending on whether an AI platform is developed internally or purchased from a third-party vendor, and ought to depend on the scale of an organization’s AI deployment and its intended use.

For deployments in operations and business support functions, output testing, repeatability and phased adoption before broad implementation may be appropriate. For use in investment processes, validation may include the foregoing in addition to backtesting, benchmarking, stress testing or sandbox deployment.

Direct human oversight — a human in the loop — remains appropriate in circumstances where the scale or use of AI creates meaningful risk, for example, in nonroutine client communications.

Third, the duty of care is ongoing. Advisers should monitor model performance, investigate anomalous results, and adjust or decommission tools that are no longer performing as expected. Firms should have policies to identify affected clients, correct the issue and document remediation.

Duty of Loyalty: Conflicts, Disclosures and AI Washing

The duty of loyalty requires advisers to eliminate or fully disclose all conflicts of interest and obtain informed client consent.[4]

AI introduces novel conflict scenarios; for instance, a model may optimize for an adviser’s revenue generation, prioritize trades with particular counterparties or otherwise subordinate client interests to the adviser’s own. These examples underscore the critical importance of explainability.

Practically, advisers should identify AI-related conflicts, ensure they are eliminated or mitigated, and provide clear disclosures where conflicts are not eliminated.

For internally developed models, this means scrutinizing embedded algorithmic biases. For purchased models, conflicts may become evident through testing and output validation.

Boilerplate statements that the firm “may use AI” are unlikely to suffice where AI plays a material role in an adviser’s workflows. Appropriate disclosure can be made in offering documents, an adviser’s brochure, client agreements or elsewhere, provided the adviser maintains a record that disclosure was actually delivered.

Substantive Compliance Requirements

Operationalizing an adviser’s fiduciary duties is accomplished, in large part, through an adviser’s compliance program.

Rule 206(4)-7 under the Advisers Act — the compliance rule — requires advisers to adopt and implement policies and procedures reasonably designed to prevent a violation by the adviser and its supervised persons of the Advisers Act and the rules thereunder.[5]

The compliance rule is central to the discussions that follow regarding books and records, client confidentiality, and marketing. In fact, it was failures of the compliance rule that underpinned the so-called AI washing settlements in 2024.

And since 2024, the SEC Division of Examinations’ annual priorities have explicitly referenced emerging financial technologies, including AI, as an exam focus.[6] Advisers should therefore expect to receive questions relating to their AI use and policies during exams.

The first step in developing an appropriate, risk-based AI policy is to determine the existing and intended AI use cases within an organization. AI use in investment processes or nonroutine client communication may present more risks than its use in other functions, such as building forms or templates for investor reporting or compliance checklists.

Moreover, AI-generated output — i.e., output generated with minimal human interaction or oversight — may appropriately be differentiated from AI-assisted output, i.e., output as to which human judgement, expertise and oversight will be brought to bear. Understanding the manner in which AI is deployed will inform the appropriate breadth and depth of an adviser’s policies.

Books and Records

SEC Rule 204-2 requires advisers to maintain true, accurate, and current books and records.[7] The use of AI does not alter the adviser’s fundamental books and records obligations, but it does raise questions about what must be retained and in what form.

At a baseline, AI output constituting the books and records to be maintained should be captured to the same extent as human-generated books and records.

Advisers may wish to capture additional material, including prior iterations of such output, prompts and other inputs — e.g., referenced documents — depending on the use and nature of such output. It is also sensible to capture relatively more information where the output is used for relatively riskier applications.

It is therefore essential to ensure that an investment adviser’s AI platform provides for record retention and audit capabilities.

In addition, the required records must be maintained in the adviser’s office for two years and an additional three years in an easily accessible place.[8]

Where AI processing occurs locally on user devices, firms must ensure that data feeds back to a central repository, whether automatically or through periodic manual exports.

Client Confidentiality and Regulation S‑P

Regulation S-P requires investment advisers to adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.[9]

AI amplifies long-standing concerns about the protection of nonpublic personal information, or NPI, under Regulation S‑P. Imprudent use of AI may inadvertently expose client information to external systems or allow it to be used in ways that are inconsistent with an adviser’s privacy policies or applicable privacy laws.

Broadly, advisers should treat publicly available AI interfaces as untrusted environments for client data. More sophisticated deployments can mitigate some of these risks but still require careful configuration and oversight.

Firms might adopt data minimization principles and policies for AI use, limiting inputs to what is necessary for the use case and, where feasible, redacting, anonymizing or aggregating data. In these ways, AI platforms are much like other service providers that handle NPI.

Part of the promise of AI is its ability to update its models based on user inputs. This model training raises serious concerns under Reg S-P beyond those that apply to other service providers.

A model trained on NPI, even if anonymized, may result in NPI being used in unexpected and unknown ways, and could result in unauthorized access to such NPI, in violation of Reg S-P.

All advisers should understand how their inputs are being used beyond the immediate AI output. Commercial or enterprise-grade AI may provide users with the ability to opt out of model training. Investment advisers should have policies prohibiting the use of NPI or other firm information for model training.

Marketing, Advertising and AI Washing

The use of AI raises at least two concerns where adviser marketing is concerned.

First, AI-generated and AI-assisted advertisements are subject to the marketing rule to the same extent as other advertisements, including the general prohibitions of that rule.[10]

Second, disclosures about an adviser’s use of AI should fairly describe its use, risks and limitations, without overstating its capabilities, and adhere to the marketing rule’s other requirements.

Other Compliance Matters

Use of AI by investment advisers has other implications, including but not limited to the following.

  • Proxy voting: If AI tools are used to assist with proxy voting decisions, advisers may have obligations under Rule 206(4)-6 — the proxy voting rule — to disclose such use in their proxy voting policies, which are available to clients and included in an adviser’s brochure.
  • Cybersecurity: Advisers should (1) review a vendor’s model documentation; (2) review System and Organization Controls 2 Type 2 reports or equivalent independent assurance reports; and (3) evaluate a vendor’s representations regarding data handling, model training practices and known limitations.
  • State law: Some states have enacted their own laws relating to AI use, including by investment advisers; for example, Colorado law seeks to protect Coloradans against algorithmic discrimination in consequential decision-making, including in the provision of financial services, by requiring disclosure where AI is used and providing other safeguards.[11]

Practical Road Map for Chief Compliance Officers and Legal Teams

For many advisers, the challenge is not recognizing that AI raises compliance issues but knowing where to start. The following steps can help.

Conduct an AI inventory and risk assessment.

Identify what counts as AI for purposes of the firm’s policies. Then, catalog AI uses across the organization and classify them by assessed risk.

Align governance structures.

Designate accountable owners for AI policy and risk, whether through an AI steering committee or an extension of existing governance or compliance teams. Assign responsibility for procurement, testing, documentation, monitoring and oversight of AI. Ensure key AI and technology policy stakeholders are represented.

Update policies and procedures.

In addition to creating a stand-alone AI policy, it may be beneficial to incorporate AI explicitly into existing frameworks, too.

AI policies should be informed by, and have buy-in from, key stakeholders in the organization. Policies should be tailored to the use and scale of AI deployment in an adviser’s business.

Embed AI into compliance testing and monitoring.

Annual reviews and compliance testing should consider identified AI-related risks, adherence to AI policies by supervised persons and the effectiveness of the adviser’s policies. Periodic compliance certifications completed by supervised persons may include certifications as to compliance with a firm’s AI policies.

Prepare for regulatory and client scrutiny.

Development of a concise and accurate narrative, supported by documentation, that explains the firm’s AI strategy, risk management and compliance controls allows firms to control their own AI narrative, making regulatory and diligence conversations more efficient and constructive.

Conclusion

AI offers genuine promise for investment advisers while at the same time magnifying familiar risks: fiduciary duties, books and records, client confidentiality, and marketing. While books and records modernization may be forthcoming, foundational compliance principles are likely to remain.

Legal and compliance professionals ought to engage with AI stakeholders at their firms to develop tailored approaches to satisfying their obligations under the Advisers Act.


Theodore D. Edwards is a partner at Troutman Pepper Locke LLP.

The opinions expressed are those of the author(s) and do not necessarily reflect the views of their employer, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.

[1] https://www.ici.org/comment-letter/joint-comment-letter-to-the-sec-on-recordkeeping-requirements-for-investment-advisers.

[2] Commission Interpretation Regarding Standard of Conduct for Investment Advisers (July 12, 2019). https://www.sec.gov/files/rules/interp/2019/ia-5248.pdf (Fiduciary Interpretation).

[3] Renieris et al., AI Explainability, MIT Sloan Management Review (June 12, 2025), available at https://sloanreview.mit.edu/article/ai-explainability-how-to-avoid-rubber-stamping-recommendations/.

[4] Fiduciary Interpretation.

[5] Rule 206(4)-7.

[6] The 2026 Examination Priorities Report is available here: https://www.sec.gov/about/reports-publications/2026-examination-priorities.

[7] Advisers Act Section 204 and Rule 204-2.

[8] Rule 204-2(e)(1).

[9] Rule 30, Regulation S-P.

[10] Rule 206(4)-1.

[11] See, e.g., https://coag.gov/ai/.