On December 9, 2025, the Financial Industry Regulatory Authority (FINRA) published its 2026 Annual Regulatory Oversight Report (2026 Report). While FINRA scarcely mentioned artificial intelligence (AI) in its 2025 Annual Report beyond the fact that it was an emerging technology, FINRA now dedicates an entire section of the new 2026 Report to the fact that Generative AI is no longer a novelty—it is a supervised technology that demands the same compliance rigor as any critical system.
In its recent guidance, FINRA emphasizes that firms should move from experimentation to disciplined implementation. For registered representatives, RIAs, and broker-dealers, the priority now is execution: implement clear governance, robust supervision, disciplined testing and monitoring, and comprehensive documentation to satisfy regulatory expectations and manage risk.
Actionable Governance and Supervision: What to Implement Now
Firms should establish formal AI governance programs with clear ownership (business, compliance, technology, and risk). Programs should require pre‑approval of use cases, including a written purpose, data sources, model/provider selection, and specific control design, and should implement human‑in‑the‑loop validation for any customer‑facing or decision‑influencing output, with documented sign‑offs and defined supervisory owners.
FINRA now expects firms to create and maintain supervisory procedures that cover the full lifecycle, addressing critical questions like:
- Who may use AI tools?
- What data can be ingested?
- How are outputs reviewed?
- When is escalation required?
The 2026 Report also highlights the importance of maintaining prompt and output logging, version tracking, and access controls for human and non‑human (service) accounts. For "AI agents" that can act or transact, the 2026 Report further recommends a narrow scope, limited permissions, audit trails of actions, and explicit human checkpoints before execution.
Practical Implications and Mitigation Strategies
Communications and sales: Treat AI‑assisted content as firm communications—require pre‑use approvals, disclosures where appropriate, review/archiving, and prohibition of off‑channel tools. The 2026 Report reaffirms that technology‑assisted communications remain subject to content standards and supervision.
Books‑and‑records: Classify prompt/output logs as records when used in supervision, recommendations, or customer interactions, consistent with the 2026 Report's emphasis on logging and auditability.
Reg BI/fiduciary duty: Use AI to inform—not replace—representative/adviser judgment. Require documented consideration of reasonably available alternatives and human sign‑off on recommendations generated or summarized by AI, aligning with the 2026 Report's human‑in‑the‑loop expectations.
Vendor management: Update contracts for AI usage, training data rights, security controls, sub‑processors, logging access, model change notifications, and incident reporting. Perform ongoing due diligence and control testing, as reflected in the 2026 Report's vendor and third‑party risk guidance.
Cybersecurity and fraud: Address AI‑enabled phishing/deepfakes and internal misuse. Train business users and supervisors on AI risks and escalation paths—the 2026 Report highlights both external threat vectors and guardrails for internal AI use.
Executed well—and consistent with the 2026 Report's expectations—these considerations can reduce operational, compliance, and conduct risk while enabling responsible AI adoption in a regulated environment.
If you would like more information on compliance with FINRA's new AI guidance, please feel free to contact Justin Senior.
Whether you are implementing AI tools, creating governance programs, or adapting existing policies and procedures, Shumaker’s Technology, Data Privacy, Cybersecurity & AI Service Line provides seasoned legal advice that leaves you in the best possible position.