Your advisors are already using AI. Someone on your team has pasted a client email into ChatGPT to clean up the wording, dropped a meeting recording into a note-taker, or asked a chatbot to summarize a financial plan. It saved them time, and it probably didn't feel like a compliance event. That's exactly the problem.
Regulators, examiners, and your cyber-insurance carrier have started asking a new question: how does your firm govern its use of AI? For most RIAs, the honest answer right now is "we don't, really" — and that gap is what AI governance is meant to close.
What AI governance actually means for an RIA
AI governance is the set of decisions, policies, and controls that determine how your firm uses AI tools with client and firm data — who can use what, what data is allowed in, who reviews the output, and how you prove all of it. It is not a piece of software you buy. It's the documented answer to four questions every advisory firm should be able to answer on demand:
- What AI is being used? Every tool, across every employee — including the ones nobody told you about.
- What data is exposed? What client and firm information actually reaches those tools, and where it goes from there.
- What controls exist? The policies, approvals, access rules, and human-review steps around that use.
- What regulatory and business risk remains? The gaps between what you say you do and what you can actually evidence.
Answer those four honestly and you have the spine of an AI governance program. Most firms can't answer them yet — not because they're careless, but because AI arrived faster than the policies did.
Why this moved up the priority list
A year ago, AI governance for advisory firms was a "we'll get to it" item. Two pressures moved it up.
Examiner attention. Regulators have signaled that how firms use and supervise AI is now part of the conversation during examinations. The questions are practical ones: Do you have an inventory of AI tools? Who approved them? Is there human review before AI-generated content reaches a client? Can you show your supervisory procedures cover AI?
Insurance and vendor pressure. Cyber-insurance applications and partner/custodian relationships increasingly ask about AI use and data handling. A firm that can't describe its controls is a firm that looks like a bigger risk to underwrite.
Neither pressure rewards a policy that sounds good on paper but isn't followed. As we tell every firm we work with: a policy that's aspirational instead of operational is worse than no policy, because it documents the gap between what you claim and what you do.
The shadow-AI problem most firms underestimate
When we run an assessment, the most common surprise isn't the tools leadership knows about — it's the ones they don't. An advisor using a personal ChatGPT account for client research. An assistant who bought a Gemini subscription and never expensed it. A note-taker that quietly joined every Teams meeting months ago and nobody remembers enabling.
This is "shadow AI," and it matters for one reason: you can't govern what you can't see. Client data may already be flowing into tools your firm never reviewed, under terms of service you never read, on accounts you don't control. The first job of governance isn't writing a policy — it's finding out what's actually happening.
The eight domains of a real AI governance program
A complete program covers eight areas. You don't have to perfect all of them on day one, but you should know where you stand on each:
- Inventory — a living list of every AI tool in use, by whom, for what.
- Data exposure — what categories of client and firm data are allowed in each tool, and what is prohibited.
- Policies — a written AI use policy that employees acknowledge, plus a data-handling statement.
- Compliance — how your AI use maps to the obligations you already carry (SEC, FINRA, GLBA, the FTC Safeguards Rule).
- Vendor risk — due diligence on each tool: where data is stored, whether it trains on your inputs, retention, subcontractors, and a process to re-check when terms change.
- Security — access controls, MFA, corporate (not personal) accounts, and how AI fits your written information security program.
- Training — making sure people know approved vs. prohibited use, and the limits of AI output.
- Strategy — why the firm is using AI at all, and how you'll measure whether it's worth it.
The thread running through all eight: bring it back under the firm's umbrella. Right now, for many RIAs, AI use is scattered across personal accounts and individual habits. Governance pulls it back into something the firm can see, control, and stand behind.
The detail that trips firms up: vendor terms change
Here's a point most checklists miss. You might turn off model training in a tool's settings today and be in good shape. Three months from now, that vendor updates its privacy policy, and the setting — or the default — has quietly changed. Your controls didn't fail; the ground moved underneath them.
That's why AI governance isn't a one-time document. It needs a cadence: periodic vendor re-review, policy updates as tools and rules evolve, and a clear owner responsible for keeping it current. A governance program you set and forget is a program that's slowly drifting out of date.
How to put AI governance in place (a practical sequence)
You don't need to boil the ocean. A workable path:
- Inventory first. Find every AI tool actually in use — including shadow AI. You can't govern the invisible.
- Map the data. For each tool, identify what client/firm data reaches it and where that data goes.
- Decide the rules. Pick approved tools (ideally firm-controlled corporate/enterprise accounts), define what data is allowed in each, and set the human-review steps for anything client-facing.
- Write it down. Produce an AI use policy, a data-handling statement, and a human-review standard — in plain language your team will actually follow — and have employees acknowledge them.
- Close the security gaps. Corporate accounts, MFA, access by role, and AI folded into your written information security program.
- Train and assign an owner. Make sure people understand approved vs. prohibited use, and name someone accountable for keeping the program current.
- Set a review cadence. Re-check vendors and refresh the policy on a schedule, because the tools and the guidance keep moving.
That sequence is, in essence, what a structured AI governance assessment walks a firm through — turning four unanswered questions into documented answers you can show an examiner, a carrier, or a partner.
Frequently asked questions
Does an RIA legally need an AI policy? Whether a written AI policy is strictly required depends on how existing obligations are interpreted and applied to your firm. What's clearer is the practical reality: examiners, carriers, and partners are asking how you govern AI, and a documented policy is the most direct way to answer.
Is it safe to put client data into ChatGPT or Claude? It depends entirely on the account, the settings, and the data. Firm-controlled accounts with training turned off behave very differently from personal accounts on default settings. The safe default is to define — in writing — what data is allowed in which tool, and to re-verify those settings periodically, because vendor terms change.
What's the difference between an AI policy and AI governance? The policy is one document — the rules. Governance is the whole program: the inventory, the controls, the vendor reviews, the training, and the ongoing maintenance that keep the policy true over time.
Who should own AI governance at a small firm? A named person, not "the firm generally." It's often a principal or compliance lead. The role matters more than the title — someone has to be accountable for keeping the inventory current and the policy up to date.
How long does it take to get a governance program in place? The first usable version — inventory, core policies, and the key controls — can come together quickly once a firm commits to it. The ongoing part (reviews and updates) is permanent by design, because the tools and guidance keep evolving.
Where to start
If your firm can't yet answer the four questions — what AI is being used, what data is exposed, what controls exist, and what risk remains — that's the place to begin, and it's the gap an examiner or carrier will find first.
Royer Networks runs an AI Governance Assessment built for RIAs and other regulated firms: we inventory the AI actually in use (including the shadow AI), map where client data is going, and produce the documents you need — an AI use policy, a data-handling statement, and a human-review standard — plus a 30-60-90 day plan to close the gaps. The goal isn't a binder that sits on a shelf. It's a program you can stand behind when someone asks how your firm governs AI.
If you'd like to see where your firm stands, book a short AI governance conversation — we'll walk through the four questions together and show you what a complete program looks like for a firm your size.
If you're an RIA in the region, here's how we work with firms locally: AI advisory for RIAs in Maryland and the DC metro
