Advisor Perspectives welcomes guest contributions. The views presented here do not necessarily represent those of Advisor Perspectives.
Advisors have largely made up their minds about AI. Advisor360’s 2026 Connected Wealth Report, a survey of 300 advisors across RIAs, broker-dealers, and banks, found that 74% now treat AI as a help to their practice rather than a threat, up from 64% two years earlier. But adoption is messier than the numbers suggest: Some of that use also runs through personal accounts and consumer chatbots that the firm never approved and cannot see.
What advisors have not settled is governance: 55% named compliance, cybersecurity or regulatory hurdles as the main thing slowing their adoption, and 93% said they want the final say over anything an AI tool produces, with only 8% willing to let one rebalance a portfolio or place a trade without review. Adoption ran ahead of policy, the way it usually does, and the gap between the two is where the trouble starts.
Wanting the final say, though, is a different thing from being able to show two years later that you exercised it. The question regulators will ask is narrower and harder than whether AI was used: When an AI tool helps form a client recommendation, what does the file actually show? In most firms today the honest answer is “not much.”
Certainly, the recommendation lands in the client record fully formed. However, the path it took to get there leaves no trace — not the reasoning, not the tool that helped, not what was weighed and set aside along the way, not whether anyone checked the work before it went in.
Regulators Aren’t Sleeping on the Issue
That gap is unlikely to withstand sustained regulatory scrutiny. The SEC’s examination priorities have named the use of artificial intelligence as a focus area two years running, and the Commission has already brought enforcement actions against advisers for misrepresenting it. The Delphia and Global Predictions settlements in March 2024 came to $400,000 in combined penalties — small in dollars but large in signal. Statements about AI now draw the same scrutiny as statements about performance.
On the brokerage side, FINRA’s Regulatory Notice 24-09 carried the same message to member firms and dual registrants: Existing supervision and recordkeeping obligations apply in full to AI-assisted work. None of this turns on a new rule. The obligations that already govern advice are broad enough to reach AI-assisted advice, too, which is why the exposure is real, even though nothing in the rulebook has changed.
What follows are three hypothetical scenarios. None describes a real firm or a real enforcement action; each is assembled from failure modes any compliance officer will recognize as plausible under the rules as they stand today.
Failure 1: The Tax Answer Nobody Can Stand Behind
In this scenario, an advisor is helping a client decide whether to exercise incentive stock options before a liquidity event. Busy and conscientious, the advisor asks a consumer AI chatbot to model the alternative minimum tax impact. The model returns a confident, detailed, wrong answer that misses the AMT crossover math. The client exercises, and at the next filing season the real tax bill lands six figures above the number estimated in the meeting notes.
The client complains, and the file gets reconstructed. The meeting notes contain a number with no derivation. The advisor recalls using “an AI tool” but cannot say which model version, what the prompt was, or what the full output said, because the conversation happened in a personal account and was deleted or aged out. The firm’s policies and procedures say nothing about off-platform AI use or reasoning evidence, so there is no documented review step to point to.
The regulatory failure here has nothing to do with whether AI was used. The problem is that the duty-of-care analysis behind the recommendation — the thing an adviser must have a reasonable basis for under the Investment Advisers Act’s fiduciary standard — was outsourced to a tool and left no record behind. Rule 204-2 requires advisers to retain written communications relating to recommendations and advice, and a chat session that no longer exists satisfies none of that. The firm ends up defending a six-figure error with an empty folder.
Failure 2: The Rebalancing Logic That Walked Out the Door
In this instance, a portfolio manager at a midsized RIA leans on a generative AI tool to help rebalance a book of accounts across sectors and geographies, and to draft the rationale behind each move. The work itself is good, and entirely unsupervised: No one else at the firm knows the tool is in the workflow, and the compliance program, which Rule 206(4)-7 requires to be reasonably designed for the firm’s actual business, has no policy, no training, and no review procedure that touches it.
Then the manager leaves. A client disputes a series of trades from the prior year, and the firm discovers that the rationale documents in the file were AI-drafted, that nobody reviewed them before they were filed, and that the departed employee’s prompts are gone with the account.
An examiner asks to see the firm’s supervision of the workflow and there is nothing to show, because the firm never had a policy for something its own people were using every day. The deficiency is one of supervision under 206(4)-7, and the AI is incidental to it.
Failure 3: The Record That Cannot Be Reproduced
This scenario’s problems are less obvious than those of the other two. A firm does everything by the book: It adopts an enterprise AI solution, writes the policies, trains the staff. A client questions a recommendation from two years prior, and the firm pulls the file with some confidence. Inside are the recommendation and a note that the firm’s approved AI tool assisted the analysis.
Then the harder questions start. Which model produced the analysis? The vendor has upgraded four times since, and the version in question no longer exists. What did the tool actually output, as distinct from what the advisor concluded from it? That was never retained. Can the firm reproduce the analysis to show it was reasonable at the time it was made? It cannot, and rerunning the question against the current model only makes things worse, because it returns a different answer that the firm now has to account for.
This firm did almost everything right and still cannot show what its own process was. Advice that cannot be reconstructed is advice the firm cannot defend, even when the advice was sound to begin with. Books-and-records rules were written for letters and emails, formats in which the document and the thinking behind it are effectively the same thing. Once AI enters the workflow, the two pull apart, and they stay apart unless someone has deliberately tied them back together.
The Framework: 3 Properties of a Defensible Record
What links the three failures is not bad technology or bad intent. In each case, the people involved were competent and well-meaning. The common thread is that nothing in the workflow produced a durable record of how the judgment was formed.
Most of the systems firms already run were built for a different job: CRMs, email archives, and compliance suites capture documents and messages well enough, but none was designed to record how an AI-assisted judgment was actually reached, and that is increasingly what an examiner will ask to see. A firm that wants to keep using AI can close most of the gap by insisting on three properties for any AI-assisted judgment that touches a client.
First, a documented rationale, captured at the time and retained under the firm’s control. The substance of the analysis, the inputs that were considered, and the conclusion reached should land in the client file as the work happens, inside a system the firm retains under its existing 204-2 obligations. A personal chatbot account does not qualify, and reasoning that lives somewhere the firm cannot provide documentation for should be treated, for compliance purposes, as if it never occurred.
Second, a documented challenge or second review before the judgment is adopted. A single model’s confident answer is one of the riskiest artifacts in the file, precisely because an AI tool tends to sound most authoritative on exactly the questions where it is wrong.
A reasonable-basis file should show the conclusion was tested in some way: a second analysis, a written counter-argument, a human reviewer pushing back, or some combination thereof. If that testing turns up a credible objection, the file should keep the objection and the reasoning if the firm went the other way anyway. An examiner reading a record of genuine disagreement that was worked through is in a very different position from one reading a record of unanimous agreement that was never examined.
Third, an audit trail that binds the advice to the analysis, to a named human, and to the specific tool. The record should note which AI tool and which version assisted the work, when it did so, and which person reviewed and adopted the result.
The human signature is the part that matters most, more than any of the technical metadata, because the fiduciary standard leaves no room for the tool to be the accountable party. The advisor decides and signs; the tool’s contribution is documented alongside that decision so the whole thing can be reconstructed years later, on whatever system the firm happens to be running by then.
None of these three properties depends on a regulation that has not been written yet. Reasonable basis, supervision, compliance programs matched to actual practice, retained records of the analysis behind a recommendation — all of it is current law already. The three failures are simply what those familiar rules look like when they collide with an AI workflow that left no record.
The Window
There is a familiar arc in advisory compliance: A practice spreads quietly, an enforcement action makes an example, and the industry converts overnight from “interesting question” to “mandatory agenda item.” AI-assisted advice is in the quiet phase now, with the examination infrastructure already announced and the first AI-adjacent enforcement actions already on the books.
Firms get to choose which side of that arc they want to be on. A firm that builds documentation discipline now will read the eventual headline as confirmation of something it already handled. A firm that waits is more likely to read it as the opening of a remediation project run against a deadline it did not set.
The uncomfortable part of all three scenarios is that the advisors were trying to do right by their clients, and mostly did. What let them down was the missing record. In a regulated profession, the analysis and the documentation of it were never really two separate things. A recommendation a firm cannot account for is, to an examiner, a recommendation that was never adequately supported.
AI has not rewritten that expectation. It has just made the underlying record far easier to lose, which is exactly why the discipline of capturing one is worth putting in place before an examiner asks.
The scenarios above are hypothetical illustrations, not descriptions of actual firms or proceedings. This article is educational commentary, not legal or compliance advice; firms should consult their own counsel and compliance professionals about their specific obligations.
About the author
Dan Zimon is the founder of Teranode AI. He spent 14 years across institutional finance, including nine years at Millennium, and most recently worked as a wealth-channel investment consultant before going full time on decision-documentation infrastructure for advisors. He has passed the Series 7 and 66 examinations.