Managing the Risk of AI | 7 Tips for Compliance Professionals

June 18, 2026

---

If there’s one issue that’s top of mind for investment adviser compliance professionals, it’s artificial intelligence.

It’s not only that AI technology is developing rapidly. The latest advances are “almost obsolete with a new release,” observed Cissie Citardi of William Blair at the Investment Adviser Association’s Investment Adviser Compliance Conference, held in Washington, D.C., in March 2026. Citardi spoke on a panel titled “Regulating Intelligence: Navigating Compliance in the Age of AI” alongside fellow panelists Charu Chandrasekhar of Debevoise & Plimpton and Carlo di Florio of ACA Group. The session was moderated by Sanjay Lamba of the IAA.

With each new release, AI technology is becoming more autonomous and increasingly akin to human intelligence, di Florio noted. As a result, Chandrasekhar added, AI is quickly moving from the back office to the front office.

As AI’s capabilities have grown, so has demand throughout investment advisory firms. “Every single stakeholder is coming with questions and looking for approvals,” Citardi noted. Yet the process for granting those approvals is far from simple, given the many types of risk involved and the number of stakeholders who must participate in the review process.

Clearly, AI presents a significant challenge for compliance professionals—one that, Citardi argued, they must “approach pragmatically.”

In that spirit, the panelists offered seven practical tips for managing AI compliance risk.

Recognize the risk of prohibiting AI use. Compliance professionals should begin by acknowledging that outright bans on AI are unlikely to be effective, Citardi argued, because they may simply drive “shadow AI” usage.

Inventory current uses of AI. A strong starting point is to develop an inventory of where AI is currently being used across the organization and for what purposes.

Create an authorized use policy. A key risk-mitigation strategy is to establish an overarching policy governing AI use, di Florio explained. What types of use will be permitted? What is the process for approving new uses of AI? And who is responsible for overseeing AI use?

Start with a pilot. Advisers should consider beginning on a small scale with a pilot program, Chandrasekhar suggested, and then “systematically and deliberately expand.”

Establish guardrails. At the same time, organizations should develop policies and processes to ensure AI is being used as intended. Most critically, di Florio argued, there must always be a “human in the loop” monitoring AI output. Another important risk-mitigation strategy is a robust model-testing and validation protocol, he added. It is also essential to confirm that data is being used appropriately, Citardi noted. Is the data protected against cybersecurity risks? More broadly, is it being used in a manner consistent with the authorized use policy?

Review statements about AI. Advisers should be careful not to overstate their use of AI, Chandrasekhar stressed. The SEC may scrutinize advisers’ AI-related claims in public-facing materials such as pitch books and social media, and it has already brought enforcement actions where it believed advisers misrepresented ordinary automation as AI.

Keep pace with the regulatory environment. Just as AI technology is evolving rapidly, so too is the regulation governing its use, Chandrasekhar noted. While the current SEC is, in her words, “innovation forward,” advisers must also monitor developments at the state level, where there is “no uniform standard.” Many advisers will also need to track changes outside the United States, particularly in the European Union – which, according to Chandrasekhar, has the “most overarching framework” – and across Asia.

AI adoption undoubtedly poses significant challenges for compliance professionals. But as Citardi noted, it is also a technology that offers advisers the opportunity to operate with greater “scale and efficiency.” By applying core compliance principles pragmatically, compliance teams can help their organizations realize that potential.