Managing Generative and Agentic AI Compliance Risk in Financial Services
AI is no longer experimental in financial services. It’s quickly moving into day-to-day operations, and the industry is now grappling with a harder question than adoption — governance. As discussed at the 2026 SIFMA Compliance & Legal conference, the focus has shifted from whether to use AI to how to control it, even as regulation continues to lag. Firms that get this right are better positioned to scale AI effectively and reduce enforcement risk. Those that don't face growing exposure across communications, recordkeeping, and supervision.
Key takeaways
- Generative AI failure rates remain high, but targeted use cases in summarization, information extraction, and compliance workflows are delivering real results.
- FINRA Regulatory Notice 24-09 reinforces that existing rules — books and records, supervision, Reg BI — apply fully to AI, with no carve-outs for new technology.
- Shadow AI is already inside your firm. Governance and approved tooling are practical responses, because prohibition isn't working.
- Agentic AI introduces a category of risk that current supervisory models weren't designed to handle, such as autonomous action, unclear accountability, and limited auditability.
- Leading firms are closing governance gaps by capturing and supervising AI-generated communications within existing regulatory frameworks.
Why some generative AI initiatives failed in financial services
The past year delivered a reality check. Most generative AI initiatives failed to achieve their stated objectives, with failure rates reported as high as 50–95%.
The causes were varied: unclear business cases, poor data quality, skill gaps, weak governance, and inadequate workflow integration. Many firms pursued use cases without defining measurable outcomes. Others underestimated the operational cost of scaling AI models across the enterprise. Organizational friction — especially between compliance and technology teams — further slowed progress.
What's also worth noting is that very few firms are still pursuing a blanket prohibition strategy. That ship has sailed.
As Debevoise & Plimpton's Matt Kelly observed at the conference, “Do not get fixated on failure rates.” High failure rates shouldn't be cause for alarm in themselves. Similar patterns played out with earlier waves of technology.
What's actually working
Successful AI deployments clustered around two profiles. The first is well-resourced firms moving quickly on advanced use cases, including communications surveillance. The second is practical, lower-risk applications that fit into existing workflows without requiring a major operational overhaul.
The use cases showing consistent returns are summarization, information extraction, conversational Q&A, and translation. These aren't transformative in the dramatic sense — they're productivity improvements that compliance teams can actually defend and document. That combination of real value and operational fit is what makes them durable.
The lesson isn't to avoid ambition. It's to start with clear scope, fix data quality before scaling, and embed compliance from the design phase rather than retrofitting controls after deployment.
What FINRA and the SEC say about AI-generated communications
Issued in June 2024, FINRA Regulatory Notice 24-09 isn't a new rulebook. It's a reminder that existing rules apply to AI, just as they apply to any other technology. FINRA's framework is intentionally technology-neutral, and the notice makes clear that firms cannot treat AI as a special category exempt from standard supervisory obligations.
The practical scope is broad. The use of AI implicates virtually every area of a member firm's regulatory obligations, from recordkeeping and supervision to customer communications and third-party risk. Firms using generative AI as part of their supervisory systems — reviewing electronic correspondence, for instance — need policies and procedures that address technology governance, model risk management, data privacy, and the accuracy and reliability of AI outputs. This applies whether firms are building proprietary tools or relying on embedded AI features in third-party platforms.
When does AI-generated content become a regulatory record?
This is one of the more contested questions in compliance right now. FINRA Regulatory Notice 25-07, issued in April 2025, raises it directly, asking whether AI-generated content — chatbot interactions, transcript summaries, model outputs — constitutes "business as such" under Exchange Act Rule 17a-4(b)(4).
The answer isn't fully settled. But the safer posture is to treat AI-generated communications conservatively.
As FINRA and the SEC have repeatedly stated, rules are meant to be technology agnostic. If generative AI outputs touch regulated business processes, firms should capture and supervise them in accordance with FINRA and SEC guidelines, such as FINRA Rule 4511 retention standards. The cost of over-retaining is low. The cost of gaps in your recordkeeping is not.
The global regulatory picture
Beyond FINRA, global compliance complexity continues to grow. Regulation remains fragmented and deliberately non-prescriptive at the U.S. federal level — regulators continue to reinforce existing frameworks around books and records, supervision, and risk management rather than issuing AI-specific rules. That sounds straightforward, but in practice it creates ambiguity, especially around whether AI-generated outputs must be retained and supervised as business-related communications.
Global divergence complicates matters further. U.S. federal efforts to centralize AI policy contrast with more aggressive state-level initiatives and comprehensive regimes like the EU AI Act, which imposes explicit risk classification and governance requirements that go well beyond the principles-based approach U.S. regulators have taken so far.
“The issue should not be what is complying with a written rule,” said Ben Marzouk of Eversheds Sutherland at the conference. “It is about broadening the discussion to AI risk management and governance.”
The net effect is uncertainty. Firms cannot rely on regulatory rule clarity. They must interpret obligations conservatively while maintaining flexibility to adapt as enforcement action or guidance develops. Firms operating across jurisdictions increasingly need to harmonize their AI governance framework to the most demanding applicable standard — building adaptable frameworks rather than patchwork policies.
Shadow AI creeps into financial services
Shadow AI is one of the most immediate operational risks firms face today. Employees are already using tools like ChatGPT to draft emails, summarize client interactions, and generate research. Often, these tools are outside any approved system or oversight process. The risk surface spans data leakage, hallucinated outputs, and unmonitored communications that may fall squarely within supervisory scope.
This dynamic mirrors the off-channel communication problem firms spent years trying to solve. Employees access new tools faster than firms can build controls around them.
“AI model providers may not have an understanding of your regulatory obligations,” notes Tiffany Magri, Smarsh Regulatory Compliance Advisor. “They are focused on innovating faster than the other models and may not have built the appropriate data protections suitable for financial services firms.”
Prohibition has proven ineffective. Employees find workarounds. The more productive approach is to provide approved AI tools with appropriate guardrails, implement monitoring and detection controls, and train employees on acceptable use.
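One concrete form the "monitoring and detection controls" mentioned above can take is a detection over the firm's web-proxy logs: flag requests to consumer generative-AI services that are not on the approved-tool list, and separately flag large uploads to them, since a pasted client document looks very different from a short prompt. The following is an added example, not code from the article or from any Smarsh product. The log format, the hostname list, the approved-tool allowlist, the upload threshold and the sample log lines are all constructed for illustration.

```python
"""Flag unsanctioned generative-AI traffic in web-proxy logs.

Added example. The log format, hostnames, allowlist, threshold and sample
lines are assumptions constructed for illustration, not vendor data.
"""
import re
from collections import defaultdict

# Assumed for this example: hostnames of consumer generative-AI services.
# In production this list would come from a URL-category or threat-intel feed.
GENAI_HOSTS = {
    "chatgpt.com", "chat.openai.com", "api.openai.com",
    "claude.ai", "gemini.google.com", "copilot.microsoft.com",
}

# Assumed firm-approved tools whose traffic is captured elsewhere; not flagged.
APPROVED_HOSTS = {"copilot.microsoft.com"}

# Upload size above which a request looks like a document/paste rather than
# a short prompt. The threshold is an assumption.
LARGE_UPLOAD_BYTES = 50_000

# Constructed log format (one of many possible proxy formats):
# <iso-timestamp> <user> <method> <host[:port]> <path> <status> <bytes_out>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<host>\S+) "
    r"(?P<path>\S+) (?P<status>\d{3}) (?P<bytes_out>\d+)$"
)


def parse_line(line):
    """Parse one proxy log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = rec["host"].split(":")[0].lower()  # drop the port
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def _matches(host, host_set):
    # Exact host or any subdomain of a listed host.
    return any(host == h or host.endswith("." + h) for h in host_set)


def classify(rec):
    """Return finding tags for one record; an empty list means not flagged."""
    host = rec["host"]
    if _matches(host, APPROVED_HOSTS) or not _matches(host, GENAI_HOSTS):
        return []
    tags = ["unapproved_genai"]
    if rec["method"] == "POST" and rec["bytes_out"] >= LARGE_UPLOAD_BYTES:
        tags.append("large_upload")
    return tags


def detect_shadow_ai(lines):
    """Summarise flagged activity per user: request count, large uploads,
    bytes sent and the distinct hosts contacted."""
    per_user = defaultdict(
        lambda: {"requests": 0, "large_uploads": 0, "bytes_out": 0, "hosts": set()}
    )
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec)
        if not tags:
            continue
        u = per_user[rec["user"]]
        u["requests"] += 1
        u["bytes_out"] += rec["bytes_out"]
        u["hosts"].add(rec["host"])
        if "large_upload" in tags:
            u["large_uploads"] += 1
    return {user: {**v, "hosts": sorted(v["hosts"])} for user, v in per_user.items()}


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2026-03-02T09:14:05Z jdoe GET chatgpt.com:443 / 200 512",
    "2026-03-02T09:15:40Z jdoe POST chatgpt.com:443 /backend-api/conversation 200 81234",
    "2026-03-02T09:20:11Z asmith POST copilot.microsoft.com:443 /c/api/conversations 200 9000",
    "2026-03-02T09:22:03Z rlee GET www.finra.org:443 /rules-guidance 200 300",
    "2026-03-02T09:25:17Z jdoe POST api.openai.com:443 /v1/chat/completions 200 2048",
    "malformed line that should be skipped",
]

if __name__ == "__main__":
    for user, summary in detect_shadow_ai(SAMPLE_LOG).items():
        print(user, summary)
```

On the sample data only `jdoe` is reported: the approved Copilot traffic from `asmith` is ignored, and one of `jdoe`'s three ChatGPT/OpenAI requests is an 81 KB POST, which is what a compliance or security reviewer would want to look at first. Hostname matching is deliberately simple; a production rule would use a URL-category feed and TLS SNI rather than a hand-kept list.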
Third-party risk management also matters here. Many AI capabilities arrive embedded in vendor platforms, which means vendor AI tools need to be treated as extensions of the firm's own risk environment.
The agentic AI compliance challenge is already here
Agentic AI changes the nature of the risk. Where generative AI produces outputs based on prompts, agentic systems act. They can execute multi-step workflows, make decisions, and interact with other systems autonomously — on behalf of users, without human approval at each step.
Early use cases include automated research, workflow execution, and client interaction support. The efficiency promise is real. So is the compliance challenge.
What makes agentic AI different from generative AI for compliance teams
Traditional supervisory models are built around human intent and human accountability. An employee takes an action; that action is attributable, auditable, and governed by existing supervision frameworks. Agentic AI breaks that assumption.
When an AI agent sends a communication or retrieves and acts on client data, who is accountable? How is that action captured? How does a compliance officer review a multi-step reasoning chain that an agent completed in seconds? These aren't hypothetical questions — they're the operational reality firms will face as agentic deployments move from pilot to production.
FINRA's 2026 Regulatory Oversight Report identifies the specific risk vectors: agents acting without human validation, scope and authority exceeding what users intended, auditability challenges in multi-step reasoning, and the potential misuse of sensitive data. These risks compound the bias, hallucination, and privacy concerns already present in generative AI.
What FINRA is examining and what isn't guidance yet
“A handful of major banks are moving quickly into agentic AI, while the rest of the industry remains more cautious,” said Kelly at the SIFMA conference. “FINRA is now exploring firm practices related to agentic, so it may be a while before we see any meaningful guidance.”
That gap puts compliance teams in a familiar position. They need to build frameworks without a clear regulatory roadmap. The safest approach is to treat agentic AI the same way you'd treat any other high-risk supervisory area — with clear policies, defined accountability, and robust controls — before deployment at scale.
Human oversight as a compliance control for agentic systems
Human oversight isn't just best practice for agentic AI. It functions as a compliance control. For any agentic system involved in decision-making processes, that means keeping a human in the loop at meaningful checkpoints, not just nominally.
Firms need to define who is accountable for AI-driven actions, what permissions those actions require, and how every step is logged and accessible for review. Audit trails for agentic activity need to be comprehensive enough to reconstruct what happened and why. It’s not just that an action was taken. Firms are expected to know what triggered it and what data the agent accessed along the way.
Access and permission controls matter as well. Agents operating on sensitive client data, firm systems, or external platforms need scoped authorization — the AI equivalent of least-privilege principles already familiar to information security teams.
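The three controls described above, a named accountable human, scoped (least-privilege) authorization, and an audit trail that records what triggered an action and what data it touched, are easiest to enforce when every tool call an agent makes passes through a single gateway. The following is an added example, not code from the article or from any vendor product. The agent identities, scopes, tool names, the rule that outbound emails need a human approver, and the stand-in tool results are all assumptions made for illustration.

```python
"""Scoped authorization, human checkpoint and audit trail for agent tool calls.

Added example (not from the article or any product). Agent identities, scopes,
tool names, the approval policy and the sample tool results are assumptions.
"""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class AgentIdentity:
    agent_id: str
    owner: str             # accountable human for everything this agent does
    scopes: frozenset      # least privilege: the only tools it may invoke


# Assumed policy: these tools never run without a named human approving the call.
APPROVAL_REQUIRED = {"send_client_email", "place_order"}


class AuthorizationError(Exception):
    pass


class ApprovalRequired(Exception):
    pass


@dataclass
class AuditLog:
    """Append-only, hash-chained records so a reviewer can reconstruct what was
    done, by which agent, on whose authority, why, and what data it touched."""
    entries: list = field(default_factory=list)

    @staticmethod
    def _digest(record):
        return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()

    def append(self, **fields):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        record = {"seq": len(self.entries),
                  "ts": datetime.now(timezone.utc).isoformat(),
                  "prev": prev, **fields}
        record["hash"] = self._digest(record)
        self.entries.append(record)
        return record

    def verify(self):
        """False if any entry was altered or removed after being written."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


class ToolGateway:
    """Every tool call goes through here; agents never hold tool credentials."""

    def __init__(self, tools, log):
        self.tools = tools
        self.log = log

    def call(self, agent, tool, args, trigger, approved_by=None):
        base = dict(agent=agent.agent_id, owner=agent.owner, tool=tool,
                    args=args, trigger=trigger, approved_by=approved_by)
        if tool not in agent.scopes:                       # scope check first
            self.log.append(**base, outcome="denied:out_of_scope")
            raise AuthorizationError(f"{agent.agent_id} lacks scope {tool}")
        if tool in APPROVAL_REQUIRED and approved_by is None:  # human checkpoint
            self.log.append(**base, outcome="held:approval_required")
            raise ApprovalRequired(f"{tool} needs human approval")
        result = self.tools[tool](**args)
        self.log.append(**base, outcome="executed",
                        data_touched=result.get("data_touched", []))
        return result


# Constructed stand-ins for real integrations; each reports what data it read.
def lookup_client(client_id):
    return {"data_touched": [f"crm:client/{client_id}"], "name": "Example Client"}


def send_client_email(client_id, body):
    return {"data_touched": [f"crm:client/{client_id}", "email:outbound"], "sent": True}


def run_demo():
    """Drive the gateway through an allowed call, an out-of-scope call, a held
    call and an approved call; return the resulting audit log."""
    log = AuditLog()
    gw = ToolGateway({"lookup_client": lookup_client,
                      "send_client_email": send_client_email}, log)
    research = AgentIdentity("research-bot", "jdoe", frozenset({"lookup_client"}))
    outreach = AgentIdentity("outreach-bot", "asmith",
                             frozenset({"lookup_client", "send_client_email"}))
    gw.call(research, "lookup_client", {"client_id": "C-1001"},
            trigger="user prompt: summarize C-1001 holdings")
    email = {"client_id": "C-1001", "body": "Draft follow-up"}
    for agent, approver in ((research, None), (outreach, None),
                            (outreach, "compliance.reviewer")):
        try:
            gw.call(agent, "send_client_email", email,
                    trigger="workflow step 3", approved_by=approver)
        except (AuthorizationError, ApprovalRequired):
            pass  # the denial or hold is itself an audit record
    return log


if __name__ == "__main__":
    for e in run_demo().entries:
        print(e["seq"], e["agent"], e["tool"], e["outcome"], e.get("data_touched", []))
```

Two design points matter more than the code volume. Denials and holds are logged with the same fields as executed calls, because a reviewer reconstructing an incident needs to see what the agent tried, not only what succeeded. And the chain of hashes gives a cheap tamper check over the log; in a regulated deployment the entries would also be shipped to the firm's archive so they fall under the same retention and supervision controls as any other business record.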
How leading firms are capturing and supervising AI-generated communications
Firms at the front of AI governance aren't treating compliance as a barrier to adoption. They're treating it as the condition that makes scaling possible. The practical focus is on how AI-generated communications are captured, archived, and supervised within existing regulatory frameworks, closing the gap between where AI outputs are generated and where oversight infrastructure actually reaches.
Industry guidance and shared best practices are also increasingly valuable here, as firms work through governance decisions in real time without a settled regulatory playbook. Meeting baseline regulatory requirements isn't enough. Firms with more integrated, proactive approaches are better positioned to reduce risk, adapt to regulatory change, and scale AI use effectively.