Research Note

An Examiner Walks In. Here Is What Happens.

This is not a hypothetical. Every regulated financial firm using AI will encounter a version of this sequence. The SEC 2026 Examination Priorities name AI oversight as a component of virtually all examinations going forward, not only examinations of firms marketing AI capabilities. The question is not whether the examiner will ask about your AI. The question is what your team produces when they do.

The scenario

Scenario: a registered investment adviser using Microsoft 365 Copilot and two Copilot Studio agents in its compliance and client communication workflows.

This scenario is written from inside federal regulatory environments. The texture is specific because the situations were specific.

The examination sequence

Examiner requests and what they expose

First request

Provide documentation of your firm's policies and procedures for the use of artificial intelligence tools, including automated investment tools, generative AI, and AI agents.

Most firms produce

A PDF titled "AI Acceptable Use Policy" drafted by IT six months ago. It describes what employees may and may not do with ChatGPT. It does not mention Copilot. It does not mention agents. It has never been reviewed by compliance.

What the examiner is looking for

Evidence that the policy governs the specific tools in use, was reviewed by compliance and approved by appropriate leadership, is current as of the date AI tools were deployed, and has been communicated to and understood by employees who use those tools.

The gap

A policy that predates the AI tools it is supposed to govern is evidence of a compliance program that is reactive rather than proactive. The examiner notes this. It is not a deficiency letter yet. It becomes context for what comes next.

Before the examiner arrives

What should have existed before the examiner arrived

Before any AI tool was deployed:

A compliance risk assessment. A documented review of what data the tool can access and whether that access is appropriate. A decision record showing that compliance and appropriate leadership reviewed and approved deployment.

The pattern

The underlying pattern

The examiner is not trying to find a violation. They are trying to understand whether the firm's compliance program has kept pace with the technology the firm deployed. When it has not, the exam observation is that the firm's compliance program is not reasonably designed to address the risks the firm has taken on.

That observation does not require that anything has gone wrong. It requires only that the governance infrastructure is not proportional to the operational exposure.

The organizations that navigate this well are not the ones with the most sophisticated AI implementations. They are the ones where the accountability question was answered before the examiner asked it.

Based on SEC Division of Examinations Fiscal Year 2026 Examination Priorities published November 17, 2025, and twelve years of practitioner experience inside SEC, CFTC, and NIH federal regulatory environments.