
Building a Practical AI Compliance Framework for RIAs

Written by Benjamin Frenette | Jul 1, 2026 2:00:00 PM

Registered investment advisers weighing artificial intelligence tools face a defining question: can AI be used in our compliance program, and can that use be effectively controlled? 

I recently sat down with Jilbert El-Zmetr, MSP Managing Director at Siepe, for a conversation around how RIAs can develop a framework for managing AI, including identifying the right use cases, rolling out a controlled AI implementation, and establishing defensible best practices to satisfy both regulators and clients. 

Key Highlights

  • Existing regulatory frameworks already apply to AI-enabled compliance tools used by RIAs.
  • Model Risk Management and Responsible AI provide complementary approaches to governance, oversight, and accountability.
  • Human review remains a critical control point in AI-assisted compliance, surveillance, and investment workflows.
  • Strong data governance, auditability, and recordkeeping practices are foundational to responsible AI adoption.
  • Smaller RIAs can implement proportionate AI governance controls without building a dedicated model risk management function.


There is no AI-specific rulebook for financial services. Instead, existing frameworks for model risk management, recordkeeping, and supervisory oversight apply directly to AI-driven tools, and firms are expected to demonstrate the same level of control over AI as they would over any other system touching regulated activity.


What Regulatory Frameworks Apply to AI in RIA Compliance? 

Three key sources of guidance shape how RIAs should approach AI oversight:

  • SR 11-7 — the Federal Reserve's guidance on model risk management. It was written for banking institutions but is widely used across financial services as a baseline for model governance: knowing what AI models exist, who owns them, what they're used for, and when they were last validated.
  • FINRA Regulatory Notice 24-09 — places responsibility on the firm for AI-generated outputs used in trade surveillance, communications drafting, or investigation summaries, including supervision, recordkeeping, and downstream consequences.
  • SEC Rule 206(4)-7 — the Advisers Act compliance rule covering conflicts of interest, disclosure, and supervisory controls, which extends to any AI tool that touches those areas.

None of these were written with AI in mind, but all of them apply to it. As I noted in the webinar AI and Compliance: A Practical Framework for RIAs, "regulators aren't going to ask firms whether they have a named responsible AI framework in place. They're going to ask whether the firm can evidence control, oversight, and accountability over the technology affecting its regulated activity."

How Do Model Risk Management and Responsible AI Work Together?

Two frameworks help firms structure that evidence. Firms can use Model Risk Management (MRM) and Responsible AI (RAI) frameworks together to demonstrate governance, accountability, and oversight.


Model Risk Management addresses whether an AI model is performing correctly and is properly controlled, built on three pillars: model development and documented methodology, independent validation by reviewers outside the software provider, and governance controls including model inventories and ongoing monitoring.

Responsible AI addresses whether the model's outcomes can be trusted, organized around six principles:

  1. Fairness and Bias Mitigation
  2. Explainability and Transparency
  3. Accountability and Human Oversight
  4. Robustness and Reliability
  5. Data Governance and Privacy
  6. Auditability and Traceability

In practice, the two frameworks converge: regulators expect bias testing, explainability, and human oversight regardless of which one a firm references, and both require the same underlying evidence — what the AI tool did, who reviewed it, and what data informed the decision.

 

Where Does Human Oversight Fit Into AI-Driven Workflows?

AI can improve efficiency, but human review remains essential.

Every AI use case discussed in the framework retains a human checkpoint. In e-comms surveillance, AI tools can flag likely spam or marketing noise buried in employee communications, reducing false positives, but a human still has to disposition the alert. In market-facing workflows, AI-generated trading signals or portfolio recommendations flow up to a portfolio manager or risk officer for final authority rather than executing autonomously.

Jilbert described this as guarding against the “black box” problem in AI-driven workflows: firms need real-time trade execution controls, hard limits on order flow and position concentration, and rigorous backtesting, so that automation never operates without a human who can explain what happened and why.
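The human checkpoint described above can be enforced in software rather than left to procedure. The following is an added illustration, not code from MCO, Siepe or the webinar: the AI component can only record a suggestion on a surveillance alert, the alert cannot be closed until a named reviewer has dispositioned it with a rationale, every step lands in an audit trail, and an override rate is computed so the firm can evidence periodic review of the model's accuracy. The keyword classifier, alert IDs and message text are constructed stand-ins for a real model and real data.

```python
"""Human checkpoint for AI-assisted e-comms surveillance.

Added illustration, not code from MCO, Siepe or the webinar. The AI
component may only *suggest* a disposition; an alert cannot be closed
until a named human reviewer records a decision, and every step lands
in an audit trail. The classifier is a constructed keyword heuristic
standing in for a real model, and the sample messages are made up.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed stand-in for a spam/marketing classifier.
MARKETING_TERMS = ("unsubscribe", "newsletter", "webinar", "promo")
# Which human disposition agrees with which model label.
AI_TO_HUMAN = {"likely_noise": "false_positive", "needs_review": "escalate"}


class HumanReviewRequired(Exception):
    """Raised when automation tries to close an alert on its own."""


@dataclass
class Alert:
    alert_id: str
    text: str
    status: str = "open"  # open -> pending_review -> dispositioned -> closed
    ai_suggestion: Optional[str] = None
    ai_confidence: Optional[float] = None
    disposition: Optional[str] = None
    reviewer: Optional[str] = None
    audit_trail: List[Dict[str, str]] = field(default_factory=list)

    def log(self, event: str, actor: str, detail: str) -> None:
        self.audit_trail.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "event": event, "actor": actor, "detail": detail,
        })


def ai_triage(alert: Alert, model_id: str = "toy-spam-filter-v1") -> Alert:
    """Model step: record a suggestion and confidence, never a final outcome."""
    hits = sum(term in alert.text.lower() for term in MARKETING_TERMS)
    label = "likely_noise" if hits else "needs_review"
    confidence = min(0.5 + 0.2 * hits, 0.95)
    alert.ai_suggestion, alert.ai_confidence = label, confidence
    alert.status = "pending_review"
    alert.log("ai_suggestion", f"model:{model_id}", f"{label} ({confidence:.2f})")
    return alert


def record_disposition(alert: Alert, reviewer: str, decision: str, rationale: str) -> Alert:
    """Human step: reviewer identity and rationale are mandatory."""
    if not reviewer or reviewer.startswith("model:"):
        raise HumanReviewRequired("a named human reviewer must disposition the alert")
    if decision not in AI_TO_HUMAN.values():
        raise ValueError(f"unknown disposition {decision!r}")
    if not rationale.strip():
        raise ValueError("a rationale is required for the audit trail")
    alert.disposition, alert.reviewer = decision, reviewer
    alert.status = "dispositioned"
    alert.log("human_disposition", reviewer, f"{decision}: {rationale}")
    return alert


def close_alert(alert: Alert) -> Alert:
    """Closing is gated on a human_disposition event, not on the AI suggestion."""
    if not any(e["event"] == "human_disposition" for e in alert.audit_trail):
        raise HumanReviewRequired(f"{alert.alert_id}: no human disposition on record")
    alert.status = "closed"
    alert.log("closed", alert.reviewer or "unknown", alert.disposition or "")
    return alert


def override_rate(alerts: List[Alert]) -> float:
    """Share of dispositioned alerts where the human disagreed with the model.
    Tracking this over time is one way to evidence periodic review of AI output."""
    done = [a for a in alerts if a.disposition is not None and a.ai_suggestion is not None]
    if not done:
        return 0.0
    overridden = sum(AI_TO_HUMAN[a.ai_suggestion] != a.disposition for a in done)
    return overridden / len(done)


if __name__ == "__main__":
    a = ai_triage(Alert("A-1", "Join our webinar next week, unsubscribe here"))
    try:
        close_alert(a)  # automation alone cannot close it
    except HumanReviewRequired as exc:
        print("blocked:", exc)
    record_disposition(a, "jdoe", "false_positive", "vendor newsletter")
    close_alert(a)
    for entry in a.audit_trail:
        print(entry)
```

The point of the structure is that the model and the reviewer write to the same audit trail but only the reviewer's event unlocks closure; the override rate gives the compliance officer a simple, defensible number for the periodic output review that the rest of the article calls for.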


What Does Data Governance Look Like for AI Tools?

Strong data governance is foundational to defensible AI use.

Before an AI tool touches a workflow, firms are advised to address data quality and structure first: tagging, consistent formats, and clear ownership. Sensitive data — PII, counterparty information, proprietary trading strategies — should be segregated, anonymized, or masked before it reaches an AI model. Firms should also document data lineage: where data originates, how it flows through the AI system, and where it lands, particularly for anything tied to regulatory reporting or client performance attribution. Retention policies for AI inputs, outputs, and audit logs should align with existing regulatory recordkeeping requirements.
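The masking and lineage steps above translate directly into a small pre-model pipeline. The following is an added illustration, not code from MCO, Siepe or the webinar: sensitive values are replaced with keyed, stable pseudonyms before the text is handed to a model, a post-check refuses to send anything a detector still matches, and a lineage record captures the source, hashes of the raw and masked input, which field types were masked, the model identifier, and a retention class label. The detector patterns, the sample message, the HMAC key and the retention class name are all constructed for the example; a real deployment would use the firm's own data classification and recordkeeping schedule.

```python
"""Pre-model data governance: mask sensitive values and record lineage.

Added illustration, not code from MCO, Siepe or the webinar. Before a
message reaches an AI model, sensitive values are replaced with keyed,
stable pseudonyms; a lineage record captures where the data came from,
hashes of what was received and what the model actually saw, which
field types were masked, and the retention class the record inherits.
The detector patterns, sample text and HMAC key are constructed for the
example; a real deployment would use the firm's own data classification.
"""
import hashlib
import hmac
import re
from datetime import datetime, timezone
from typing import Dict, Tuple

# Constructed detectors. SSN runs first so its digit groups are not
# mistaken for an account number by the ACCT pattern.
PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "ACCT": re.compile(r"\b\d{8,12}\b"),
}

# Constructed sample input (an e-comms message pulled from an archive).
SAMPLE = ("Client jane.doe@example.com asked to move 250000 from account "
          "0012345678; SSN 123-45-6789 is on file.")


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def pseudonym(kind: str, value: str, key: bytes) -> str:
    """Keyed, truncated HMAC: the same counterparty maps to the same token
    across records, so the model can still correlate, without the value
    leaving the firm. The key stays in the firm's vault, never with the
    model vendor. The 'x' prefix keeps the token from matching ACCT."""
    tag = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:8]
    return f"<{kind}:x{tag}>"


def mask(text: str, key: bytes) -> Tuple[str, Dict[str, int]]:
    """Replace every detected sensitive value; return masked text and counts."""
    counts: Dict[str, int] = {}
    for kind, pattern in PATTERNS.items():
        def replace(match, kind=kind):
            counts[kind] = counts.get(kind, 0) + 1
            return pseudonym(kind, match.group(0), key)
        text = pattern.sub(replace, text)
    return text, counts


def has_unmasked(text: str) -> bool:
    """Post-check: does anything still match a detector? Run before sending."""
    return any(p.search(text) for p in PATTERNS.values())


def prepare_for_model(raw: str, source: str, key: bytes, model_id: str,
                      retention_class: str = "books_and_records") -> Tuple[str, Dict]:
    """Mask, verify, and emit the lineage record to retain with the model
    output. retention_class is a label the firm maps to its own schedule."""
    masked, counts = mask(raw, key)
    if has_unmasked(masked):
        raise ValueError("sensitive data survived masking; refusing to send")
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "source": source,
        "raw_sha256": sha256(raw),
        "masked_sha256": sha256(masked),
        "masked_fields": counts,
        "model_id": model_id,
        "retention_class": retention_class,
    }
    return masked, record


if __name__ == "__main__":
    masked, record = prepare_for_model(
        SAMPLE, "constructed-email-archive", b"constructed-demo-key", "toy-model-v1")
    print(masked)
    print(record)
```

Two design choices matter for auditability: hashing both the raw and masked text lets the firm later prove exactly what the model received without storing the sensitive original alongside the model output, and keying the pseudonyms means the same client appears as the same token across records while the mapping back to identity lives only with the firm.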


How Can Smaller RIAs Scale Responsible AI Without a Full MRM Function?

Smaller RIAs can demonstrate AI governance through practical controls that are aligned with their size, complexity, and risk profile.
 

Smaller and growing RIAs are not expected to replicate the infrastructure of a global bank. Regulators are applying a proportional, risk-based approach: a lightweight governance framework with practical controls, rather than a large-scale policy build-out, is generally sufficient. In practice, that means maintaining a simple inventory of AI tools in use, documenting human review requirements, performing vendor due diligence, and periodically reviewing AI outputs for accuracy and consistency. The goal regulators are looking for is evidence of awareness, oversight, and accountability — not a fully built model risk management department.


Where AI Compliance for RIAs Goes From Here

For many RIA firms, AI tools are already embedded in workflows used daily, from e-communications platforms to portfolio management systems. The frameworks governing that use aren't new — they're the same model risk management and supervisory principles regulators have applied for years, now extended to a new category of tool. Firms that can inventory their AI use, document human review, and produce an audit trail on demand are positioned to meet regulatory expectations as they stand today.

Watch the full webinar, AI and Compliance: A Practical Framework for RIAs, for the complete regulatory breakdown, framework walkthroughs, and live Q&A with Ben Frenette and Jilbert El-Zmetr.

Ready to learn more about how MCO is using AI to provide faster and better compliance? Contact us for a demo today!

About Siepe

Siepe, founded in 2012 and headquartered in Dallas, Texas, provides cloud-based technology and managed services built for private credit, CLO, and alternative investment managers. The platform supports front-, middle-, and back-office workflows, helping fund managers centralize data, streamline operations, and apply institutional-grade data and compliance practices across their business. Learn more at siepe.com.