Red Oak's Podcast
Red Oak's Podcast
What the SEC Is Asking About AI and What Firms Should Be Ready to Produce
Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.
So today's deep dive is well, it's about this massive scramble happening right now in the corporate world. We're looking at a stack of recent compliance reports, regulatory filings, and uh industry surveys about the SEC and their highly targeted information requests on how financial firms are integrating AI.
SpeakerYeah. And it's a fascinating situation.
Speaker 1Right. And I want to say right up front, even if you don't work in finance, you really need to hear this because what we're seeing here with you know this whole shadow AI thing, it's forcing a massive corporate reckoning around accountability and tech governance. I know. And it is absolutely coming to your industry next. It's like a like a tsunami warning, right? The wave hasn't hit everyone yet, but the sirens are blaring and companies are panic preparing.
SpeakerThey definitely are. And the really interesting part of these reports is the strategy the regulators are using. I mean, they're following a very classic playbook here.
Speaker 1Oh, targeting the big guys first.
SpeakerExactly. They target a concentrated early group of major firms just to set a precedent. So most compliance professionals, they actually haven't received a request yet.
Speaker 1But word spreads, obviously. You see the heavy hitters getting audited, and suddenly all these adjacent firms are scrambling. They're trying to figure out exactly where AI actually lives inside their own business.
SpeakerRight, which is proving to be incredibly difficult.
Speaker 1Yeah. Looking at these surveys, it sounds like a nightmare. Okay, so let's unpack this.
SpeakerYeah.
Speaker 1Because firms are having to hunt down AI on two distinct fronts, right? External public claims and then the internal system.
SpeakerYeah, let's look at the external side first. Regulators are cracking down on what they call AI washing.
Speaker 1Right, which is essentially just overstating what your tech can actually do, just to sound cutting edge.
SpeakerExactly. So the SEC wants to see every marketing deck, website copy, and even, you know, ADV Part 2 disclosures.
Speaker 1Which, if you aren't in finance, is basically that mandatory brochure financial advisors have to give clients, you know, explaining how they do business and manage risks.
SpeakerTrevor Burrus, Jr.: Right. They are specifically looking for discrepancies between what firms promise the public and what the tech actually delivers.
Speaker 1Okay, but the internal systems side, that seems to be where the real panic sets in. Compliance teams are discovering that AI adoption is just completely decentralized. They're finding random departments using generative AI tools that upper management didn't even know existed.
SpeakerYeah, that's the shadow AI we were talking about.
Speaker 1I just struggle to understand this. How does a modern corporation simply not know what software its own employees are using? I mean, don't IT departments have really strict procurement processes?
SpeakerThey do, but think of shadow AI like employees bringing their own custom-built power tools to a highly regulated construction site.
Speaker 1Oh wow, okay.
SpeakerRight? The workers are getting the job done much faster, which is great. But the site manager has literally no idea if the proper safety guards are installed.
Speaker 1That is terrifying for a compliance officer.
SpeakerIt is. And it's not always rogue employees secretly buying new software either. Often the vulnerability is a hidden vendor risk.
Speaker 1Ah, meaning a platform you already use suddenly gets an AI makeover.
SpeakerExactly. You might have bought a standard, fully compliant project management tool. Then six months later, that third-party vendor pushes a routine software patch that just happens to include, say, an automatic AI meeting summarizer?
Speaker 1Wait, really? Just baked into the update.
SpeakerYeah. And suddenly those due diligence questionnaires, those long security surveys vendors fill out during procurement, they are completely outdated.
Speaker 1Because that hidden vendor update isn't just a visibility problem, it creates a massive data trap. I mean, if that new AI tool automatically summarizes client meetings, what happens to the highly sensitive data the employee typed in to generate that summary?
SpeakerWell, that brings us directly to this concept of prompt retention.
Speaker 1Right. I wanted to ask about that.
SpeakerThe whole expectation around archiving employee communications is shifting. Firms generally aren't expected to save prompts for basic, you know, Google-like searches.
Speaker 1Right, like looking up a stock ticker or whatever.
SpeakerExactly. But for higher risk use cases like generating financial advice or drafting client emails, archiving expectations are rising really fast.
Speaker 1But wait, looking at these filings, the SEC hasn't actually written official rules for AI prompt retention yet. Why are they demanding this if they haven't even drawn the lines? That feels like a trap.
SpeakerWell, it is a regulatory gray zone right now. We are in this awkward transitional period where the technology is just moving way faster than the rule book.
Speaker 1Yeah, no kidding.
SpeakerAnd because the official lines aren't drawn, regulators are basically looking for good faith efforts. Meticulous proactive documentation is literally the only defensible posture a firm can take when the examiners actually show up.
Speaker 1So if you have blurry rules on one hand and then these silent AI updates popping up like weeds on the other, the ultimate question really becomes who is actually in charge of keeping the firm out of trouble?
SpeakerYeah, that is the huge governance gap identified in the surveys.
Speaker 1Because roughly two-thirds of compliance professionals say their firm has formed an AI working group. But in practice, day-to-day ownership defaults almost entirely to IT.
SpeakerYeah, pretty much.
Speaker 1Why IT, though? Just because they manage the software licenses.
SpeakerBasically, yeah. They hold the administrative keys to the network. But you have to remember, IT evaluates tools for network uptime and cybersecurity.
Speaker 1Right. They aren't compliance officers.
SpeakerExactly. They don't evaluate whether a generative AI's financial advice violates a fiduciary duty to a client.
Speaker 1That makes total sense.
SpeakerAnd that is exactly why legal and compliance teams are panicking right now. They're being asked to verify that these AI tools are legally compliant, but they simply don't have the technical access to prove it.
Speaker 1And to survive an exam, you can't just shrug and point to your IT department. You have to produce concrete meeting records, cross-department sign-offs, and proof of AI-specific training. Trevor Burrus, Jr. You really do. So based on the reports we are looking at, there seems to be a pretty clear three-step action plan for companies to get ahead of this. One, inventory every public AI claim to make sure it's accurate. Two, list every operational AI tool internally and check your data policies against it. Right. And three, assign clear cross-departmental governance ownership so IT isn't just left holding the bag.
SpeakerIt sounds so straightforward when you say it like that. But in a decentralized corporate environment, executing those three steps is just a massive operational lift.
Speaker 1Oh, I bet. But the regulatory scrutiny is definitely coming no matter what industry you are in. So before we wrap up this deep dive, here is something to think about for your own career.
SpeakerYeah, I love this point.
Speaker 1If regulators eventually demand a permanent, fully auditable record of every single AI prompt employee's type merge, how will that level of surveillance change the way you psychologically interact with AI at your own job? Will you still brainstorm with it the exact same way? Think about it.