CISO
Compliance Officer
Board
Legal
Industry relevance
Financial Services
NOVEMBER 17, 2025
SEC examiners are specifically looking at DLP and access controls in 2026 — exactly the controls under stress when AI agents access email, SharePoint, and financial data.
The SEC Division of Examinations published its Fiscal Year 2026 Examination Priorities on November 17, 2025. Under cybersecurity and emerging financial technology, examiners will focus specifically on registrant governance practices, data loss prevention policies, access controls, and account management. The priorities cover investment advisers, investment companies, broker-dealers, and clearing agencies.
GOVERNANCE IMPLICATION
The SEC's 2026 Examination Priorities naming DLP and access controls as specific cybersecurity focus areas is not incidental to AI governance — it is the regulatory framework under which AI governance will be examined. Investment advisers, broker-dealers, and clearing agencies deploying Microsoft 365 Copilot or Agent 365 are granting AI systems access to email, SharePoint, and financial data — precisely the environments the SEC examines for DLP and access control adequacy. An examiner asking about DLP coverage in a regulated firm's AI environment is applying the 2026 priorities directly to the firm's agent deployment.
SCENARIO
A registered investment adviser deploys Microsoft 365 Copilot for its research team in Q3 2025. The SEC examination in Q1 2026 arrives under the 2026 priorities. The examiner requests documentation of DLP policies covering AI-accessible data and evidence that access controls have been reviewed for the Copilot deployment. The compliance team provides the firm's general DLP policy but cannot produce documentation specific to Copilot-accessible data or evidence that the Copilot access control review was ever completed. The examination produces a deficiency finding.
THE GOVERNANCE QUESTION
The SEC's 2026 exam priorities name data loss prevention and access controls as specific examination focus areas for registrants. Both are exactly the controls under direct stress when AI agents are granted access to email, SharePoint, and financial data on behalf of licensed users. If an SEC examiner asked your compliance team today to demonstrate DLP policy coverage and access control documentation for your Copilot or agent deployment, what would that demonstration look like — and is the answer ready before the examiner arrives?
CONTROL GAP
DLP policies at most firms were written to govern human data handling and have not been explicitly extended to govern AI access to the same data. Access control reviews completed for Copilot deployment were typically performed by IT teams and are not in a format defensible to an SEC examiner.
REGULATORY RELEVANCE
SEC Cyber
FINRA
NIST AI RMF
PRIMARY SOURCE
Fiscal Year 2026 Examination Priorities
SEC Division of Examinations
Read the primary source ->
CONTINUE READING
MAY 19, 2026
Compliance
On May 19, 2026, the European Commission published draft guidelines on classifying high-risk AI systems under Article 6 of the EU AI Act and opened a stakeholder consultation running until June 23, 2026 (European Commission, Shaping Europe's Digital Future, May 19, 2026). Issued under Article 6(5), the three-part guidance covers general classification principles, the Annex I product-safety route, and the Annex III use-case route across eight domains including biometrics, employment, and essential services. The draft addresses anti-circumvention for modular and agentic systems and clarifies that human oversight under Article 14 does not by itself remove a system from the high-risk category.
MAY 8, 2026
Compliance
NIST published the final SP 800-70 Revision 5 on May 8, 2026 via CSRC, updating the National Checklist Program for IT Products. Revision 5 introduces expanded coverage for cloud platforms, IoT, and AI systems; enhanced mapping to NIST CSF 2.0 outcomes and SP 800-53 controls; explicit support for automated checklist formats; and detailed guidance for tailoring checklists to stand-alone, enterprise, and legacy environments. The document is intended for both checklist users and developers who participate in the National Checklist Program.
MAY 7, 2026
Compliance
On May 7, 2026, EU legislators reached political agreement on the Digital Omnibus revisions to the EU AI Act. The agreement introduces a 16-month postponement for most high-risk Annex III AI systems, covering employment screening, credit decisions, biometric identification, education, and law enforcement applications, moving the effective deadline to approximately December 2027. Product-embedded high-risk AI systems receive a 12-month postponement to approximately August 2027. Transparency obligations for AI-generated content shift to December 2026 (three-month delay only). The agreement remains subject to formal adoption by the European Parliament and Council. Source: European Commission digital-strategy.ec.europa.eu, updated May 2026.