On November 17, 2025, the SEC’s Division of Examinations released its priorities for the year. For the first time, artificial intelligence got its own treatment: a dedicated section, and a clear message. Examiners now want to know how your firm governs its use of AI.
Here is the problem. To answer that question, you have to know how AI is actually being used across your firm. And at most firms, the honest answer is: nobody knows. Your advisors and staff are already using AI tools that nobody approved, with client financial information, and the firm cannot see it, document it, or supervise it.
That is shadow AI, and it just went from an IT concern to an exam-room question. We manage IT and security for firms across Southwest Florida, so here is the straight version: what the SEC is now looking for, why shadow AI is the thing that makes an AI exam go badly, and what to do about it before an examiner asks.
Let me be precise here, because the details matter and the headlines tend to overstate things. The 2026 priorities are not a new rule with a compliance deadline. They are the list of topics examiners will focus on. But on AI, the list is specific.
The priorities directly address AI technologies in financial services. The Division says it will examine whether firms have implemented adequate policies and procedures to monitor and supervise their use of AI technologies. It will also review for accuracy any representations a firm makes about its AI capabilities. And this applies beyond just client-facing advice. It reaches back-office operations, anti-money-laundering work, and other functions.
Here is the line that should get a compliance officer’s attention. Across the priorities, the SEC repeats one theme: it wants policies that are implemented and enforced, not just written. A well-drafted AI policy sitting in a binder is not enough. Examiners want evidence that governance, vendor oversight, and data handling are documented, tested, and defensible.
Now connect that to shadow AI. You cannot enforce a policy over AI tools you cannot see. You cannot document governance of usage you do not know is happening. Shadow AI is precisely the gap between the policy on paper and what is actually going on at the desk. It is the thing that turns “yes, we have an AI policy” into a difficult conversation with an examiner.
This is not a hypothetical risk for some future firm. The timeline and the expectations are already on the record.
The date is fixed: the priorities came out November 17, 2025, and the fiscal year they cover is already underway. AI supervision is named directly. The expectation is not that you have banned AI; it is that you can show how you govern it.
The catch is that AI adoption inside firms has run well ahead of AI governance. Staff reach for these tools because they are genuinely useful under deadline pressure. The tools are easy to access, free, and everywhere. The governance to match almost never exists yet. That gap is the exposure, and it is the gap an examiner is now trained to look for.
If you are a registered investment adviser or a broker-dealer, this is aimed squarely at you. The SEC examines you directly, and the AI priorities are written for your world. The exam-readiness question is immediate.
But do not assume you are off the hook just because the SEC does not examine you directly. The same underlying expectation, that a firm handling sensitive client financial information can demonstrate documented control over how that data is used, runs through the whole sector. CPA firms, insurance agencies, and any firm holding client financial data face the same basic logic from their own regulators, their carriers, and their clients. The SEC is simply the clearest and most current example of where the bar is being set.
The point is not the specific regulator. The point is that “we did not know our staff were doing that” is no longer an acceptable answer about client data, from anyone who might ask.
If “shadow AI” still sounds abstract, here is where it shows up. It is rarely one reckless person. It is small, reasonable shortcuts spread across roles.
An advisor pastes a client portfolio into a free chatbot to draft a quarterly update. A client service associate drops account details into a public tool to write a letter. Someone in compliance runs a client email through ChatGPT to clean up the wording. Operations uses an unapproved tool for a back-office task.
Every one of those is legitimate work. And every one of them, done in a free public tool, sends protected client financial information to a system the firm cannot supervise, document, or defend in an exam. The tasks are fine. The tool is the problem, and so is the fact that the firm has no record any of it happened.
Here is the good news, and it is genuinely good news: this is solvable, and the answer is not “ban AI and fall behind.” In fact, a ban is the move most likely to fail an exam, because a ban nobody can enforce is exactly the “policy on paper” the SEC says is not enough.
The fix is to replace scattered, unmanaged consumer tools with one secure AI platform the whole firm uses. This is an infrastructure decision, the same way your recordkeeping system or your email archiving is an infrastructure decision. It is what turns “we have a policy” into “we can show you the controls.”
A secure, organizationally managed AI platform answers the examiner’s questions before they are asked.
And here is the part firms miss when they are stuck in “AI is a compliance risk” mode: done right, this is also a productivity gain. The same platform that closes your governance gap gives your team secure, pre-built workflows for the work that eats their time (client communications, research, document summarization), all inside guardrails. AI here is not about cutting headcount. It is about giving your people a safe way to do what they are already trying to do.
One more thing worth saying plainly: this is not a six-figure enterprise project. Pricing scales with how your firm actually uses it, and most firms start with one use case and expand from there once they see it work.
You do not have to solve all of this before the next exam cycle. If AI governance is a blind spot right now, here is a sane order of operations.
Most firms we talk to have no documented picture of how AI is being used across their staff, and no policy that would survive the “implemented and enforced” test. The first step is simply finding out where you stand.
We built a short Shadow AI Risk Self-Assessment for exactly this. It takes a few minutes, it is free, and there is nothing to download or sign up for. You answer a handful of straight questions about how your firm handles AI, and you get a clear read on your exposure.
If you would rather just talk it through, that works too. Call us at (941) 315-2380 and we will give you an honest picture of where you stand. No pressure, no pitch.
The 2026 examination priorities are not a standalone rule, but they make clear that examiners will look at whether firms have adequate policies and procedures to monitor and supervise their use of AI. In practice, that means a firm should expect to demonstrate AI governance, and a written, enforced AI acceptable use policy is the baseline starting point.
Shadow AI is staff using AI tools the firm never approved, secured, or monitored, often with client financial information. It is a governance problem because you cannot supervise, document, or defend AI use you cannot see, which is exactly what examiners are now asking firms to be able to do.
A ban is usually the weakest option. Staff tend to keep using AI on personal devices, which removes what little visibility the firm had, and a policy that is not actually enforced is exactly the “policy on paper” the SEC says is not enough. A more defensible approach is one secure, supervised AI platform plus a written, enforced policy.
A secure, organizationally managed platform keeps firm data isolated, logs every interaction for an audit trail, supervises usage centrally, and comes from a vetted vendor you can document. Independent validation such as SOC 2 audits and penetration testing adds to the picture. Together that gives you documented, tested, defensible governance instead of a blind spot.
Start by asking, without making it punitive, since most staff use these tools to keep up with the workload. From there, an organizationally managed AI platform gives the firm real visibility into who is using AI and for what. Our Shadow AI Risk Self-Assessment is a quick, free way to gauge your firm’s current exposure.
Dylan Borden runs operations at Four Winds IT, a managed IT company headquartered in Sarasota, Florida. Four Winds serves financial firms and businesses across Southwest Florida with a focus on transparent pricing, security that fits the size of your firm, and actually answering the phone.