SEC AI Governance Guidance

Overview

The SEC's AI governance posture comprises several distinct but interconnected instruments rather than a single unified framework. The most significant is the August 2023 proposed rule on 'Conflicts of Interest Associated with the Use of Predictive Data Analytics by Broker-Dealers and Investment Advisers' (Release Nos. 34-97990; IA-6383), which would require registrants to identify and neutralize or eliminate conflicts of interest that arise when AI or algorithmic tools optimize for firm interests at the expense of investor interests. The proposal reflects the Commission's concern that AI systems may be designed-intentionally or emergently-to favor firm revenue over investor outcomes, a structural conflict that existing suitability and fiduciary frameworks may not fully capture. In parallel, the SEC's Division of Corporation Finance has issued guidance and Staff Bulletins addressing AI-related disclosures in annual reports, prospectuses, and proxy statements. Public companies are expected to disclose material risks arising from AI use, AI-related cybersecurity exposures, and the governance structures in place to oversee AI systems. The Commission has also scrutinized 'AI washing'-instances where companies overstate AI capabilities in investor communications-bringing enforcement actions grounded in anti-fraud provisions of the Securities Act of 1933 and the Securities Exchange Act of 1934. The SEC's Office of Compliance Inspections and Examinations (now OCIE, reconstituted as the Division of Examinations) has included AI and algorithmic systems among its examination priorities, directing examiners to assess whether registrants have adequate policies and procedures governing AI model development, validation, deployment, and monitoring. The 2022 and 2023 Examination Priorities publications explicitly flag AI governance as an area of heightened scrutiny. Separately, the SEC's 2023 cybersecurity disclosure rule, effective December 2023, indirectly captures AI-related cyber risks by requiring timely disclosure of material cybersecurity incidents and annual disclosure of cybersecurity risk management practices, which must encompass AI systems that process material data or support critical operations. Registrants should also monitor the interplay between SEC guidance and FINRA's ongoing work on algorithmic supervision and AI use in member firm operations.

Key Requirements

• •Identify, document, and neutralize or eliminate conflicts of interest arising from the use of predictive data analytics or AI tools that optimize for firm interests over investor interests (proposed rule obligation, currently under final rulemaking)
• •Disclose material AI-related risks in annual reports (Form 10-K), registration statements, and proxy materials, including risks from AI model failure, bias, and third-party AI dependencies
• •Refrain from making materially misleading statements about AI capabilities in investor communications, marketing materials, or SEC filings (anti-fraud provisions)
• •Maintain written policies and procedures governing AI model development, validation, change management, and ongoing monitoring as part of the adviser or broker-dealer compliance program under the Investment Advisers Act or Exchange Act
• •Include AI systems that process material nonpublic information or support critical operations within the scope of cybersecurity risk management programs disclosed under the 2023 Cybersecurity Disclosure Rule
• •Ensure AI-driven trading, order routing, or portfolio construction systems are subject to governance controls that examiners can review during SEC inspections
• •Document how AI-generated investment recommendations are supervised and reviewed to satisfy best interest and fiduciary obligations
• •Assess third-party AI vendor arrangements for outsourcing risk and ensure vendor due diligence is documented and periodically updated

Effective Date

2023-07-26