Red Oak's Podcast

What the SEC Is Asking About AI and What Firms Should Be Ready to Produce

Red Oak

Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.

0:00 | 6:49
Speaker 1

So today's deep dive is well, it's about this massive scramble happening right now in the corporate world. We're looking at a stack of recent compliance reports, regulatory filings, and uh industry surveys about the SEC and their highly targeted information requests on how financial firms are integrating AI.

Speaker

Yeah. And it's a fascinating situation.

Speaker 1

Right. And I want to say right up front, even if you don't work in finance, you really need to hear this because what we're seeing here with you know this whole shadow AI thing, it's forcing a massive corporate reckoning around accountability and tech governance. I know. And it is absolutely coming to your industry next. It's like a like a tsunami warning, right? The wave hasn't hit everyone yet, but the sirens are blaring and companies are panic preparing.

Speaker

They definitely are. And the really interesting part of these reports is the strategy the regulators are using. I mean, they're following a very classic playbook here.

Speaker 1

Oh, targeting the big guys first.

Speaker

Exactly. They target a concentrated early group of major firms just to set a precedent. So most compliance professionals, they actually haven't received a request yet.

Speaker 1

But word spreads, obviously. You see the heavy hitters getting audited, and suddenly all these adjacent firms are scrambling. They're trying to figure out exactly where AI actually lives inside their own business.

Speaker

Right, which is proving to be incredibly difficult.

Speaker 1

Yeah. Looking at these surveys, it sounds like a nightmare. Okay, so let's unpack this.

Speaker

Yeah.

Speaker 1

Because firms are having to hunt down AI on two distinct fronts, right? External public claims and then the internal system.

Speaker

Yeah, let's look at the external side first. Regulators are cracking down on what they call AI washing.

Speaker 1

Right, which is essentially just overstating what your tech can actually do, just to sound cutting edge.

Speaker

Exactly. So the SEC wants to see every marketing deck, website copy, and even, you know, ADV Part 2 disclosures.

Speaker 1

Which, if you aren't in finance, is basically that mandatory brochure financial advisors have to give clients, you know, explaining how they do business and manage risks.

Speaker

Trevor Burrus, Jr.: Right. They are specifically looking for discrepancies between what firms promise the public and what the tech actually delivers.

Speaker 1

Okay, but the internal systems side, that seems to be where the real panic sets in. Compliance teams are discovering that AI adoption is just completely decentralized. They're finding random departments using generative AI tools that upper management didn't even know existed.

Speaker

Yeah, that's the shadow AI we were talking about.

Speaker 1

I just struggle to understand this. How does a modern corporation simply not know what software its own employees are using? I mean, don't IT departments have really strict procurement processes?

Speaker

They do, but think of shadow AI like employees bringing their own custom-built power tools to a highly regulated construction site.

Speaker 1

Oh wow, okay.

Speaker

Right? The workers are getting the job done much faster, which is great. But the site manager has literally no idea if the proper safety guards are installed.

Speaker 1

That is terrifying for a compliance officer.

Speaker

It is. And it's not always rogue employees secretly buying new software either. Often the vulnerability is a hidden vendor risk.

Speaker 1

Ah, meaning a platform you already use suddenly gets an AI makeover.

Speaker

Exactly. You might have bought a standard, fully compliant project management tool. Then six months later, that third-party vendor pushes a routine software patch that just happens to include, say, an automatic AI meeting summarizer?

Speaker 1

Wait, really? Just baked into the update.

Speaker

Yeah. And suddenly those due diligence questionnaires, those long security surveys vendors fill out during procurement, they are completely outdated.

Speaker 1

Because that hidden vendor update isn't just a visibility problem, it creates a massive data trap. I mean, if that new AI tool automatically summarizes client meetings, what happens to the highly sensitive data the employee typed in to generate that summary?

Speaker

Well, that brings us directly to this concept of prompt retention.

Speaker 1

Right. I wanted to ask about that.

Speaker

The whole expectation around archiving employee communications is shifting. Firms generally aren't expected to save prompts for basic, you know, Google-like searches.

Speaker 1

Right, like looking up a stock ticker or whatever.

Speaker

Exactly. But for higher risk use cases like generating financial advice or drafting client emails, archiving expectations are rising really fast.

Speaker 1

But wait, looking at these filings, the SEC hasn't actually written official rules for AI prompt retention yet. Why are they demanding this if they haven't even drawn the lines? That feels like a trap.

Speaker

Well, it is a regulatory gray zone right now. We are in this awkward transitional period where the technology is just moving way faster than the rule book.

Speaker 1

Yeah, no kidding.

Speaker

And because the official lines aren't drawn, regulators are basically looking for good faith efforts. Meticulous proactive documentation is literally the only defensible posture a firm can take when the examiners actually show up.

Speaker 1

So if you have blurry rules on one hand and then these silent AI updates popping up like weeds on the other, the ultimate question really becomes who is actually in charge of keeping the firm out of trouble?

Speaker

Yeah, that is the huge governance gap identified in the surveys.

Speaker 1

Because roughly two-thirds of compliance professionals say their firm has formed an AI working group. But in practice, day-to-day ownership defaults almost entirely to IT.

Speaker

Yeah, pretty much.

Speaker 1

Why IT, though? Just because they manage the software licenses.

Speaker

Basically, yeah. They hold the administrative keys to the network. But you have to remember, IT evaluates tools for network uptime and cybersecurity.

Speaker 1

Right. They aren't compliance officers.

Speaker

Exactly. They don't evaluate whether a generative AI's financial advice violates a fiduciary duty to a client.

Speaker 1

That makes total sense.

Speaker

And that is exactly why legal and compliance teams are panicking right now. They're being asked to verify that these AI tools are legally compliant, but they simply don't have the technical access to prove it.

Speaker 1

And to survive an exam, you can't just shrug and point to your IT department. You have to produce concrete meeting records, cross-department sign-offs, and proof of AI-specific training. Trevor Burrus, Jr. You really do. So based on the reports we are looking at, there seems to be a pretty clear three-step action plan for companies to get ahead of this. One, inventory every public AI claim to make sure it's accurate. Two, list every operational AI tool internally and check your data policies against it. Right. And three, assign clear cross-departmental governance ownership so IT isn't just left holding the bag.

Speaker

It sounds so straightforward when you say it like that. But in a decentralized corporate environment, executing those three steps is just a massive operational lift.

Speaker 1

Oh, I bet. But the regulatory scrutiny is definitely coming no matter what industry you are in. So before we wrap up this deep dive, here is something to think about for your own career.

Speaker

Yeah, I love this point.

Speaker 1

If regulators eventually demand a permanent, fully auditable record of every single AI prompt employee's type merge, how will that level of surveillance change the way you psychologically interact with AI at your own job? Will you still brainstorm with it the exact same way? Think about it.