At this year’s Investment Adviser Association (IAA) Annual Conference, regulators, industry leaders, and compliance professionals gathered to tackle the issues shaping today’s advisor landscape. From AI governance to Regulation S-P readiness, one theme became apparent: our industry is navigating significant change.
Here are the standout takeaways from the sessions we attended:
A Risk-Based Approach from the SEC
In a fireside chat, SEC Commissioner Mark Uyeda delivered a clear message: not every firm or behavior warrants the same level of scrutiny. He described the exam process as a form of triage, with resources focused on areas with the highest probability of harm, including fiduciary duty, care, and best interest obligations.
Using a freeway analogy, Uyeda noted that consistent behavior keeps traffic moving, but outliers create the most risk and deserve the most attention.
In other words, where you focus your compliance resources should reflect where your risk actually lives.
On the topic of off-channel communications, Uyeda also signaled a potential shift, noting that enforcement may not be the primary approach to handling these matters in 2026.
SEC Exam Priorities: What’s Drawing Scrutiny in 2026
The SEC’s Division of Investment Management reinforced a “back to basics” exam approach, with examiners focused on products and clients that present the highest risk. That includes complex investments, private funds, higher-cost products, liquidity concerns, and situations where required disclosures may be incomplete or unclear.
Client type continues to matter. Examiners are paying close attention to how advisers serve retail clients, older investors, and newly launched or newly registered firms. For dual registrants, the expectation is clarity, both in disclosures and in consistently applying the correct regulatory framework in each interaction.
Across the board, scrutiny is less about novelty and more about execution.
A few additional areas drawing increased attention:
- Third-party data access: Firms using outside vendors to access client data are under a closer lens, particularly around oversight and control frameworks.
- M&A activity: Record levels of firm consolidation are creating integration and oversight risks, particularly around how acquiring firms absorb compliance programs and client relationships.
- Fraud: Misappropriation of assets, undisclosed conflicts, and prohibited trading remain core enforcement priorities.
- Emerging areas: Private credit, family wealth, and Advisers Act violations tied to investor protection are gaining attention, with AI expected to feature more prominently in exams heading into 2027.
Regulation S-P: What Firms Need to Get Right
Reg S-P was a major topic across multiple sessions, and the throughline was consistent: regulators are paying close attention, and the expectations are operationally demanding.
Key compliance requirements firms should have in place include:
- Written, operational policies to detect, respond to, and recover from unauthorized access to nonpublic personal information, including customer-of-customer data.
- A process to notify affected individuals within 30 days of discovering a breach; if 500 or more individuals are impacted, the FTC must also be notified.
- Due diligence and ongoing monitoring of service providers, with an expectation of incident notification within 72 hours of discovery.
- Documentation practices that follow a straightforward “say what you do, do what you say” standard, with records retained for five years.
Where Firms Are Falling Short
Regulators are continuing to see gaps in two key areas: visibility and execution.
First, data awareness. Many firms don’t have a clear picture of where their nonpublic personal information lives, how it flows through their systems, or who has access to it. Without that visibility, detecting unauthorized access or responding effectively becomes extremely difficult.
Second, execution. Firms often have written policies in place but fail to apply them consistently in practice. Reg S-P does not just require documentation; it requires alignment between what is written and what is actually happening day to day.
Data mapping may not be a formal requirement, but it is quickly becoming a practical one.
Without it, demonstrating compliance becomes significantly harder.
AI: Rapid Adoption, Real Oversight Expectations
Artificial intelligence surfaced in nearly every session, both as a tool the SEC is using internally and as a rapidly expanding capability across firms nationwide. Adoption accelerated significantly in 2025 and shows no signs of slowing.
What stood out was not just enthusiasm for AI, but the real concern around control.
Regulators identified several areas firms should be actively managing:
- AI washing: Overstating or misrepresenting AI use in marketing, client disclosures, or public communications. As AI becomes a selling point, regulators are watching closely for claims that don’t hold up under scrutiny.
- Agentic AI: Unlike tools that simply assist a human user, agentic AI can take actions, make decisions, and execute tasks with little to no human involvement. That reduced oversight creates real supervision gaps, and regulators expect firms to have controls in place even when AI is doing the work.
- Shadow usage: When firms prohibit AI tools but don’t enforce or monitor that prohibition, employees often find workarounds anyway. Regulators drew a direct parallel to the off-channel communications problem, where firm policies existed but were widely ignored in practice. The takeaway: a blanket ban without a monitoring strategy is unlikely to hold.
- AI-generated content in marketing: AI can produce polished, professional-sounding content quickly, but that speed creates risk. Output used in client-facing materials must still go through the same review and approval process as any other marketing content.
The broader takeaway: AI does not change the rules, but it does raise the stakes on how well firms follow them.
Digital Assets and the Regulatory Road Ahead
Digital assets remain a fast-moving and still-evolving space, with firms needing to build both fluency and flexibility as the regulatory framework develops. Four themes dominated the discussion:
- Taxonomy: What qualifies as a security in the digital asset space remains one of the most unresolved questions, and the answer determines whether the SEC or CFTC has jurisdiction. Until that line is clearer, firms operating in this space face real uncertainty about which rules apply to them.
- Tokenization: Tokenization is the process of representing ownership of a real-world asset, such as real estate or private equity, on a blockchain. Recent regulatory approvals signal momentum, and firms should be building familiarity with how these structures intersect with existing adviser obligations.
- Innovation safe harbors: There is growing discussion around formal pathways that would allow startups and early-stage digital asset businesses to operate under SEC oversight while the broader regulatory framework catches up to the technology. Think of it as a structured testing environment with regulatory visibility built in.
- SEC/CFTC coordination: Because digital assets often blur the line between securities and commodities, both agencies have staked a claim in the space. Sessions reflected a push for more unified oversight to reduce conflicting guidance and duplicative requirements for firms caught in the middle.
Custody remains an open question, and firms operating in or adjacent to this space should expect continued evolution in both expectations and enforcement.
What Compliance Teams Can Do Now
The conversations at IAA pointed to a clear reality: firms that wait for complete clarity will fall behind.
Progress matters more than perfection.
Practical steps compliance teams can take now:
- Audit your Reg S-P posture: confirm your written policies reflect what your firm actually does, identify where nonpublic personal information lives across your systems, and assess whether your vendor oversight program meets the 72-hour notification expectation.
- Get ahead of AI governance: if your firm is using AI tools in any capacity, document how, where, and by whom. If you have a prohibition in place, build a monitoring strategy around it; a policy without enforcement is not a policy.
- Build baseline digital asset literacy: even if your firm has no direct exposure to crypto or tokenized products, clients will have questions. Ensure your team understands the fundamentals of how these assets work and where the regulatory lines are currently drawn.
- Review your Marketing Rule compliance: with exam scrutiny ongoing, now is a good time to revisit any AI-assisted content in your marketing materials and confirm it has gone through proper review and approval.
- Don’t wait for perfect to get started: the SEC’s current posture ahead of Reg S-P compliance deadlines is less about catching firms off guard and more about understanding where firms stand. If your cybersecurity resources are limited or outsourced, take a phased approach and prioritize your highest-risk areas first.
Have questions about any of these topics or want to talk through how they apply to your firm? Reach out to our team; we’re here to help.

