
Article
May 26, 2026

AI Governance for Fund Managers: Why Policy Can’t Wait


Artificial intelligence (AI) tools are being integrated into asset management in nearly every operational workflow. You may already be fielding questions from investors, due diligence teams, or even regulators about your written policy governing its use. The absence of an AI policy as an integral component of an AI governance program is increasingly being flagged and questioned, sometimes in DDQs and sometimes in more formal reviews. If you’re still thinking this is just a future concern, you may be missing how quickly the landscape is shifting.

Responsible AI adoption is fast becoming a competitive necessity, not just a compliance task. The U.S. Government Accountability Office notes that “AI is now deeply embedded in financial services operations, and regulators expect firms to maintain robust oversight structures to address data privacy, model risk, and information security.”[1] As the CFA Institute points out, the asset management sector is seeing both unprecedented opportunity and increased scrutiny around AI-enabled workflows, with investors expecting not only innovation but also transparency and accountability.[2]

Building a comprehensive AI governance program, including an AI policy framework, would likely be guided by alignment with the NIST AI Risk Management Framework and ISO 42001, as well as by compliance with laws such as the EU AI Act and Colorado’s AI Act.

Why Do I Need an AI Policy?

Having a formal AI policy is best practice and demonstrates good governance. For registered Investment Advisers (RIAs), Rule 206(4)-7 under the Investment Advisers Act of 1940 mandates written compliance policies and procedures, including ones that address emerging risks like AI. Exempt Reporting Advisers (ERAs) are generally exempt from the requirement to adopt written compliance policies and procedures under Rule 206(4)-7, but ignoring the need for an AI policy isn’t a risk worth taking. For ERAs, a documented policy serves as a practical risk management tool—much like policies for data privacy or business continuity.

The SEC expects compliance programs to evolve with business practices and to be “reasonably designed”. If AI is used in investment decision-making, marketing or client communications, trading or execution, or compliance surveillance, AI then becomes part of your risk landscape and therefore must be addressed under Rule 206(4)-7.

Why Do Generic AI Policies Fall Short?

If your firm is searching for generic, off-the-shelf AI policies to plug into your procedures manual, you’re likely finding them to be more focused on intention than implementation. Many templates boil down to vague statements about responsible use, ongoing oversight, and transparency – with little specificity about what those commitments look like in day-to-day operations. A policy imported from another firm, drafted without reference to your unique AI environment, or, ironically, drafted by an AI tool, creates its own operational risk.

What Should My AI Policy Cover?

Comprehensive Tool Inventory & Approval Process

You can’t supervise what you don’t know exists. An effective policy begins by identifying every AI tool used across the firm and who uses it, including those embedded in mainstream platforms like document editors, email systems, transcription services, and productivity suites. Because AI is often adopted informally, your inventory should capture the full picture, not just tools that were officially approved. The approval process for new tools should be documented and updated regularly.

Permitted and Prohibited Uses

Your policy should spell out which AI tools supervised persons may use, how those tools may be used, and what information or data must never be entered into any AI system.

Human Review Requirements, i.e., “Humans in the Loop” Controls

Every AI-assisted output headed for a client, investor, or counterparty should undergo human review before release. The policy should define the review process, distinguishing between a cursory read and a substantive review and detailing how errors or oversights are flagged and corrected.

Disclosure Accuracy

AI-generated content intersects directly with SEC Rule 206(4)-1, the Marketing Rule. Designate a person (e.g., an attorney or compliance professional) to be responsible for maintaining accurate and up-to-date disclosures about your firm’s AI use. The gap between real-world use and disclosure is arguably the most pervasive AI-related compliance deficiency in the industry today.

“AI washing,” i.e., making exaggerated or false claims about a firm’s AI capabilities, is an enforcement priority for the SEC. Additionally, using generative AI to draft social media posts, emails, or website copy creates specific compliance risks under the Marketing Rule. Cases have involved both private and public firms, and the agency has signaled it will pursue similar actions whenever it finds a mismatch between claims and actual use of AI technology. This includes not only offering documents and pitch decks but also content on social media and websites. The SEC encourages firms to implement thorough policies, conduct periodic reviews, and ensure disclosure controls and procedures are up to date and tested for accuracy.[3]

Vendor Due Diligence

Many advisers use AI without realizing it, through their use of SaaS tools. If you use third-party AI tools for marketing, you must demonstrate you understand how they handle data and what safeguards they use to prevent misleading content. Accordingly, before adopting a third-party AI tool, consider confidentiality, data ownership, retrieval rights upon termination, and notification obligations if the vendor materially changes the underlying model.

Recordkeeping

Address which AI outputs qualify as records and how they are retained. For RIAs, this connects directly to Rule 204-2, requiring reliable recordkeeping and retrieval processes. ERAs, while not subject to this rule, still need to define what documentation is kept and how it can be produced during an audit or regulatory inquiry.

Training

Employees must be trained on the AI policy when it is adopted and whenever it is materially updated. Employees need specific guidance, not generic “use responsibly” language. This should include what data can or cannot be entered into tools, when AI output must be verified, and how to recognize red flags (e.g., hallucinations, fabricated citations).

Policy Review

For RIAs, the policy should be assessed during the annual compliance review required by Rule 206(4)-7. Given the pace of change in AI tools and capabilities, however, consider performing more frequent reviews that cover newly adopted AI tools, incidents or near-misses, the effectiveness of controls, and regulatory developments.

How Do I Start the Process to Develop an AI Policy?

The first step is to take an inventory of how AI is actually being used across your firm, then compare that reality to what your policies currently say. That is, define the “gap”. From there, update your procedures to define approved tools, prohibited uses, human review expectations, disclosure controls, vendor due diligence, recordkeeping, and training requirements. Build a policy that reflects today’s workflows, review it regularly, and keep it aligned as tools, risks, and regulatory expectations evolve.

For matters of law, regulatory interpretation, or potential legal exposure, advisors should also consult qualified legal counsel to ensure their AI policies and practices align with current regulations and industry standards.

And remember, while critical, an AI policy cannot stand alone. It must be treated as an integral component of an overall AI governance program.

Next Steps

For more information or a consultation, reach out to a CBIZ professional. The CBIZ CPAs Alternative Investments Group is equipped to guide investment advisers and fund managers through developing, implementing, and reviewing tailored AI policies. We help you assess current AI use, align your policy with operational needs, and support ongoing compliance with evolving regulatory expectations, drawing on the latest research-backed frameworks and best practices.

Sources

1. U.S. Government Accountability Office (GAO), “Artificial Intelligence – Use and Oversight in Financial Services” (May 2025).
2. CFA Institute, “AI in Asset Management: Tools, Applications, and Frontiers” (November 2025).
3. Norton Rose Fulbright, “SEC Heightens Enforcement for AI Related Disclosures” (January 2025).

© Copyright CBIZ, Inc. All rights reserved. Use of the material contained herein without the express written consent of the firms is prohibited by law. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein. Material contained in this publication is informational and promotional in nature and not intended to be specific financial, tax or consulting advice. Readers are advised to seek professional consultation regarding circumstances affecting their organization.
