Regtech Surge: Prepare For 2026 SEC Exam Priorities On AI And Cybersecurity

2026 Exams Will Explore Emerging Tech, AI And Cybersecurity From Many Angles

Sid Yenamandra, Founder & CEO, SurgeONE.ai

The SEC Division of Examinations released its list of exam priorities for 2026 last month, and to no one’s surprise, emerging financial technologies (such as AI) and information security (including cyber threat protection) were at the forefront.

The Division publishes its annual examination priorities to be transparent about the areas the regulator plans to focus on in the coming year and encourage firms to align their compliance efforts with these potentially higher-risk areas. Among those priorities, this article will focus on the SEC’s interest in Emerging Technologies and Cybersecurity.

Emerging Technologies

The SEC remains focused on the risks associated with certain products and services, such as automated investment tools, AI technologies and trading algorithms or platforms. Exams will review firms that provide automated investment advisory services, recommendations, and related tools and methods.

The assessments around emerging technologies will be intended to ensure that:

  • Representations are fair and accurate
  • Operations and controls align with disclosures made to investors
  • Algorithms generate advice or recommendations consistent with investors’ profiles and SEC rules
  • Controls are in place to verify that advice or recommendations from automated tools comply with regulatory obligations, especially for retail and older investors

Artificial Intelligence

The review of AI during these exams will focus on recent advances in this rapidly changing technology, assessing the accuracy of registrants’ claims about their AI capabilities and actual use. This is to determine if a firm is engaging in “AI Washing.”

For example, if a firm claims to use AI for portfolio management, it must show that AI tools genuinely influence investment decisions rather than just provide supplementary research. Consequently, marketing materials, Form ADV disclosures and client communications need to accurately describe a firm’s AI usage.

Examiners will also check whether firms have established adequate policies and procedures to monitor and supervise their AI use, including tasks related to fraud prevention and detection, back-office operations, anti-money laundering (AML) and trading functions, where applicable. Firms will need to demonstrate how they evaluate AI tools before deployment, monitor outputs for accuracy and compliance, maintain human oversight of significant decisions and address any potential biases in AI algorithms.

As firms increasingly rely on regtech partners and tools to improve and expand their compliance efforts, the SEC’s 2026 evaluations will review how a firm integrates regulatory technology to automate internal processes and enhance efficiency.

The bottom line on AI is that regulators have been clear that accountability does not disappear just because AI is involved. If a registered firm uses AI to create advertising, recommendations, or client-facing content, responsibility still sits squarely with the firm and the registered individual. Supervision, governance and controls around AI use matter more than the tool itself. You cannot outsource compliance to an algorithm. If it goes out to the public, you own it. 

Cybersecurity

The SEC will also focus on firms’ information security and operational resiliency during their 2026 exams. Cybersecurity remains an ongoing challenge across industries, and wealth management is particularly vulnerable. The SEC will continue to review registrant practices to prevent interruptions to mission-critical services and to protect investor information, records and assets.

According to the SEC, “Operational disruption risks remain elevated due to the proliferation of cybersecurity attacks, firms’ dispersed operations, weather-related events, and geopolitical concerns. The Division will also examine registrants’ procedures and practices to assess whether they are reasonably managing information security and operational risks.”

The SEC treats cybersecurity as a constant area of concern and knows that effective cybersecurity remains vital for firms to safeguard their clients’ records, data and information. In 2026, the regulator will pay particular attention to firms’ policies and procedures regarding:

  • Governance practices
  • Data loss prevention
  • Access controls
  • Account management
  • Response to and recovery from cyber-related incidents

Examiners will also perform deep dives on firms’ training and security controls to identify and mitigate new cybersecurity risks surrounding AI. These risks include potential vulnerabilities to polymorphic malware attacks and AI-enabled social engineering.

Be Prepared For 2026 Exams

Whether it’s emerging technology, cybersecurity, automated investment tools or operational resiliency, AI oversight will be part of just about every SEC exam going forward. Creating an integrated AI strategy is not something most wealth management firms have the in-house resources, talent and expertise to do on their own. Firms need to partner with experienced providers with the tools, platforms and services to help them pass SEC scrutiny in the new year and beyond.

Sid Yenamandra is the Founder and CEO of SurgeONE.ai, a compliance, cybersecurity and data services platform for wealth management that unifies the offerings of RegVerse, Kovair, Security Snapshot and MGL Consulting.
