At FINRA’s 2026 Annual Conference, one message came through clearly: the industry is entering a new phase of operational modernization.  

Across sessions on AI adoption, cybersecurity, examinations, and rule modernization, one theme surfaced repeatedly: firms are being asked to modernize supervision while maintaining strong investor protections. Artificial intelligence was discussed in nearly every session, not as a future concept, but as a technology firms are already embedding into everyday workflows. 

Another recurring theme was the industry’s shifting regulatory tone. Multiple sessions focused on moving away from “regulation through enforcement” and toward a more risk-based supervisory approach centered on investor harm, material misconduct, and operational effectiveness.  

Here are the biggest takeaways from the sessions we attended. 

AI Has Moved from Experimentation to Everyday Operations 

Artificial intelligence dominated the conference’s agenda. While AI has been a growing topic for several years, the conversation at FINRA 2026 felt notably different. Firms are no longer asking whether they should explore AI. Instead, the discussion has shifted toward how AI can be governed, monitored, and integrated responsibly into operational workflows.  

AI Is Becoming Embedded Into Daily Workflows 

Polls during sessions showed a significant increase in firms actively testing or deploying generative AI tools, with FINRA sharing survey data showing industry participation growing from roughly 125 firms exploring generative AI in 2024 to nearly 800 firms in its latest survey.  

Firms discussed using tools such as Microsoft Copilot, ChatGPT, and Claude across a wide range of workflows, including: 

  • Summarizing large volumes of information  
  • Drafting responses and internal communications  
  • Reviewing policies and procedures  
  • Supporting compliance reviews  
  • Identifying conflicts  
  • Aligning Firm Element training with internal policies  

One firm described supervising more than 7,000 representatives across 100 offices of supervisory jurisdiction (OSJs) and explained how AI dramatically improved internal inspection workflows. Post-audit summaries that previously took eight to 10 weeks to complete can now be generated in approximately two hours using AI-supported processes.  

That operational efficiency theme surfaced repeatedly throughout the conference. AI was consistently framed as an enablement tool, not a replacement for human expertise. One speaker compared AI to the internet, suggesting that refusing to engage with AI today is similar to refusing to adopt the internet decades ago.  

Governance and Oversight Still Matter 

Human oversight remained one of the strongest recurring messages throughout AI-focused discussions. Firms were repeatedly cautioned against relying solely on AI output without validation, testing, or supervisory review.  

Several speakers emphasized: 

  • Configuring tools to cite supporting sources  
  • Testing AI outputs regularly  
  • Preventing unsupported responses and hallucinations  
  • Maintaining documentation around AI usage  
  • Keeping humans involved in supervisory decision-making  

Data privacy and confidentiality concerns also surfaced frequently, particularly around “shadow AI” usage. Multiple sessions discussed the risks associated with employees using non-approved AI tools outside enterprise environments, especially when firms prohibit AI use without implementing meaningful monitoring or governance strategies.  

The broader takeaway was clear: blanket prohibitions are unlikely to work in an environment where AI tools are evolving rapidly and becoming increasingly embedded into day-to-day workflows. 

Vendor Diligence Is Expanding Alongside AI Usage 

Vendor oversight emerged as another major AI-related focus area. Firms discussed adding AI-specific diligence questions to vendor reviews, including:  

  • Whether customer data is used to train models  
  • How anonymization practices function  
  • What security controls exist  
  • How vendors monitor privacy and confidentiality risks  

One of the biggest shifts discussed was moving away from treating AI as a standalone initiative and instead embedding it into existing business and supervisory processes. Policies, governance structures, and supervisory systems now must evolve at the same pace as the technology itself. 

Several speakers noted that policies may need to change far more frequently than firms are accustomed to as AI capabilities evolve month to month.  

The recommendation repeated throughout many sessions was practical: start with a small number of meaningful projects, prioritize governance early, and focus on documenting, testing, and monitoring continuously. 

FINRA Forward and Rule Modernization Continue to Gain Momentum 

Another major theme throughout the conference was FINRA Forward and the broader push toward regulatory modernization. 

Modernization Without Deregulation 

Importantly, the tone around modernization was not framed as deregulation. Instead, the emphasis was on creating rules and supervisory structures that are more practical, operationally sustainable, and aligned with how firms function today. 

Several initiatives were discussed as part of this broader effort, including: 

  • OBA/PST modernization proposals  
  • Electronic delivery modernization  
  • Communications rule updates  
  • Research rule modernization  
  • Potential updates to long-standing thresholds and limitations  
  • Expanded transparency into exam and regulatory processes  

FINRA leadership repeatedly described modernization as “a marathon, not a sprint,” emphasizing that coordination between FINRA, the SEC, and other regulators remains critical. 

Exam Transparency and Operational Efficiency 

One area that generated substantial discussion was FINRA’s continued effort to improve examination transparency and reduce operational strain during exams. 

Sessions highlighted several initiatives intended to make the examination process more collaborative and efficient, including: 

  • Advance notification around upcoming cycle exams  
  • Interactive firm report cards  
  • More real-time visibility into findings  
  • Reduced duplicative requests  

Several of these initiatives are already beginning to reshape how firms interact with FINRA during the examination process. FINRA discussed a process that allows firms to review findings in real time and remediate issues during the exam rather than waiting for a final report. Firms may also choose to opt out and receive findings at the conclusion of the process instead. 

A More Risk-Based Approach to Enforcement 

One of the most talked-about moments of the conference came during discussions around the SEC’s evolving enforcement philosophy. 

Multiple sessions referenced the idea that “regulation through enforcement” is ending, drawing significant audience reaction and reinforcing the broader theme that regulators may be moving toward a more targeted, risk-based approach to oversight.  

Importantly, the discussion was not framed as reducing oversight or softening expectations. Instead, speakers repeatedly emphasized focusing enforcement efforts on: 

  • Investor harm  
  • Fraud  
  • Material misconduct  
  • Significant supervisory failures  
  • Meaningful conflicts and disclosure concerns  

At the same time, several sessions discussed moving away from enforcement actions centered primarily on technical or low-impact violations that do not create clear investor harm.  

Across sessions, the message was consistent: firms operate more effectively when supervisory expectations are clearer, rules are updated more regularly, and resources can be concentrated on actual risk. 

Cybersecurity and Vendor Oversight Remain Front and Center 

Cybersecurity and operational resilience remained major focus areas throughout the conference, particularly as firms continue expanding their use of third-party vendors and AI-enabled technologies.  

Operational Resilience Continues to Evolve 

Sessions focused heavily on operational resilience planning, including: 

  • Third-party outages  
  • Vendor dependencies  
  • Business continuity planning  
  • Clearing firm disruptions  

Rule 3110’s requirement for “reasonably designed” supervisory systems surfaced repeatedly throughout these discussions, particularly as firms become increasingly dependent on outside vendors and interconnected technology ecosystems.  

One phrase repeated multiple times during vendor management discussions captured the overall tone well: 

“You can outsource the function, but not the risk.”  

Cross-functional oversight was heavily emphasized, with firms discussing more collaborative onboarding and review processes involving compliance, IT, legal, operations, and security teams. Some firms also discussed shortening vendor agreement cycles to force more frequent diligence reviews and reassessments. 

AI-Enabled Fraud Is Increasing Cyber Risk 

AI-enabled fraud and phishing risks were another major focus. 

Speakers discussed how AI is making phishing attacks more convincing, scalable, and difficult to identify. One session referenced phishing “packages” now being sold with built-in support services for bad actors. Another statistic discussed during the conference noted an 89% increase in attacks from AI-enabled adversaries.  

Sessions encouraged firms to: 

  • Expand phishing and click-testing programs  
  • Monitor vendor exposure proactively  
  • Use tools such as Google Alerts for vendor monitoring 

As firms continue adopting more AI-enabled technologies, operational resilience and vendor governance are becoming increasingly intertwined. 

What Compliance Teams Should Focus on Now 

The conversations at FINRA 2026 pointed to a broader industry shift already underway. 

Artificial intelligence is rapidly becoming operationalized across firms. Exam processes are evolving to become more transparent and collaborative. And rule modernization efforts continue gaining momentum.  

For compliance teams, that means modernization can no longer be treated as a future initiative. 

Practical areas firms should focus on now include: 

  • Evaluating how AI is currently being used across the organization  
  • Building governance, testing, and monitoring frameworks around approved AI usage  
  • Reviewing vendor oversight programs and operational resilience planning  
  • Preparing for evolving examination processes and more real-time remediation expectations  
  • Reassessing supervisory systems to ensure resources are aligned with meaningful risk areas 

Firms do not need to solve every modernization challenge immediately, but the expectation to begin building governance, oversight, and operational readiness around these areas is already here.