The Division of Examinations’ Fiscal Year 2026 priorities, released in November 2025, name compliance with the Reg S-P amendments as a stand-alone priority and call out AI as an examination focus across fraud detection, back-office operations, AML, trading, portfolio management, and customer service. The connective tissue is information: how it flows, where it sits, who touches it, and what happens when something goes wrong.
What the Reg S-P Amendments Actually Require
For investment advisers – including private fund advisers and, in significant respects, exempt reporting advisers – the amendments impose five new operational obligations:
- A written incident response program that is reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information.
- Customer notification within 30 days of becoming aware that unauthorized access to or use of sensitive customer information has occurred or is reasonably likely to have occurred. The clock starts at awareness, not at the completion of the investigation.
- Service provider oversight through written contractual commitments, including a requirement that service providers notify the firm within 72 hours of becoming aware of a breach affecting customer information in their environment.
- An updated disposal rule applying to customer and consumer report information regardless of whether it originated with the firm.
- Recordkeeping sufficient to demonstrate compliance with each of the above, including documentation of any decision not to notify customers and the basis for that decision.
Larger advisers ($1.5 billion+ AUM) had to comply by December 3, 2025; smaller advisers have until June 3, 2026. SEC leadership has signaled that examinations conducted in the months following each date will assess preparedness, and that “policies and procedures are implemented and enforced” is the operative standard. Well-drafted policies sitting unread on a shared drive will not satisfy that test.
Where AI Intersects with Reg S-P
Generative AI tools are now embedded in how many advisers draft investor communications, summarize diligence calls, screen pipeline, parse fund documents, and triage email. The productivity gains are real. The compliance surface area has expanded in ways most firms have not yet mapped:
- Data leakage into model training. When personnel paste investor information, deal terms, or fund financials into a public AI tool, that data may be retained, logged, or used in ways inconsistent with the firm’s Reg S-P safeguards obligations. A “free” tier is rarely a “safeguarded” tier.
- Fourth-party risk through model vendors. AI features are being added to existing SaaS tools (CRMs, data rooms, productivity suites), often through subprocessor relationships the firm has not separately diligenced. Reg S-P’s service provider oversight obligation does not stop at the contract counterparty.
- Marketing and Form ADV accuracy. The 2026 priorities expressly flag that representations about AI capabilities will face scrutiny. If a firm tells investors it uses AI to enhance research or screening, examiners will test whether the controls, oversight of outputs, and human review match the description.
- Recordkeeping gaps. AI-generated drafts, meeting summaries, and analyses are books and records when they relate to advisory business. If they live only in a chat history that gets cleared, the firm has a Rule 204-2 problem.
What an Audit-Ready Program Looks Like
A firm that is well-positioned for both Reg S-P and AI scrutiny generally has the following in place. None of this requires building a large compliance organization; it requires deliberate choices and documentation.
- A unified information security program. A single written information security program (WISP) mapping to the Reg S-P safeguards rule, a named Information Security Officer, and an incident response plan covering the 30-day customer notification analysis. Tested at least annually.
- A written AI use policy. A policy that classifies AI tools (sanctioned, restricted, prohibited), specifies what data may and may not be entered into each, and addresses recordkeeping, supervision, and disclosure. Part of the annual employee attestation, not a one-off email.
- A vendor inventory that captures AI subprocessors. The list flags whether each tool processes customer information, whether it has AI features, where data is hosted, and whether the firm has the Reg S-P contractual commitments in place (including the 72-hour breach notification).
- Human-in-the-loop for material decisions. AI is used to draft, summarize, and screen, but a named human reviews and approves before any output is sent to investors, used in a recommendation, or filed with a regulator. The review is documented. “The model said so” is not a fiduciary defense.
- Disclosure that matches reality. Form ADV and marketing materials describe AI use in terms the firm can substantiate during an examination. If the firm does not actually use AI for a stated purpose, it does not say so. If it does, the controls match the claim.
- Books and records discipline for AI outputs. AI-generated content related to advisory business is captured in approved firm systems on a retention schedule that meets Rule 204-2. Personnel are trained on concrete examples – not pasting investor IDs into a public tool, not using a free transcription service for an LP call, not auto-forwarding email to a personal AI assistant.
Where This Leaves Investment Advisers
The SEC is not asking advisers to stop using AI. It is asking them to use AI the way it expects them to use any other tool that touches client information: deliberately, with oversight, and with documentation an examiner can follow. The Reg S-P amendments raise the floor on what “deliberate” means. An examiner who finds an unmapped AI tool processing customer information, a vendor relationship without the required breach notification language, or a marketing claim the firm cannot substantiate will treat each as an indicator of broader compliance program weakness.
The June 3, 2026 deadline is the easy part to plan around. The harder part is recognizing that a firm’s AI footprint and its Reg S-P footprint are now the same footprint. The firms that fare best in the coming examination cycle will be those that already see them that way.
If you are working through the implementation of Regulation S-P or reassessing your incident response and oversight framework, Silver’s Compliance Team can help. Please reach out to a member of our team.