Do you know how many vendors your firm has? Do you know how your broker-dealers, custodians, and other service providers are using artificial intelligence (AI)? And if an examiner asked for proof that your compliance program not only exists but also works, could you show them?
The common thread among many enforcement actions from 2025 isn't a single topic — it's gaps in compliance and risk management programs that went undetected for too long.
Here’s a closer look at the risks shaping your firm’s program in 2026.
Under Regulation S-P, every individual service provider relationship counts separately. In other words, you have more vendors than you think. This matters because the regulation’s obligations apply across all of them, including your securities counsel, the marketing agency, and even event planners. For "covered" service providers (those with access to nonpublic personal information and other sensitive data), the requirements go further, including 72-hour vendor breach notification and written incident response procedures. And vendor oversight expectations under the 2026 Examination Priorities extend to all third-party relationships, not just covered providers.
But an incomplete inventory goes beyond compliance risk — it creates operational gaps. When a vendor gets breached and isn't in your inventory, it likely doesn’t have contractual notification requirements, and you might not find out for weeks. By then, your 30-day client notification window under Reg S-P has closed.
Vendor oversight also appears across other areas of the SEC's exam priorities — Regulation S-ID, broker-dealer supervision, and emerging financial technology — signaling that the Commission views TPRM as core infrastructure rather than a checkbox.
Takeaway: Start with a real vendor inventory — not a category list, but every individual relationship. Then ensure your contracts, oversight documentation, and incident response procedures can withstand scrutiny when an examiner requests them.
40% of investment adviser firms have implemented AI tools internally, but nearly half of the compliance professionals at those firms have no formal testing or validation of their AI tool outputs, according to a 2025 survey. Regulators recognize this gap, so they’re paying attention to how you and your vendors use AI.
The SEC priorities identify "Emerging Financial Technology" as a key examination area. FINRA has launched an enterprise-wide initiative to understand how AI is being used across the industry and published observations on emerging AI agents — autonomous systems capable of executing tasks without human intervention. In February 2026, the U.S. Department of the Treasury announced a public-private initiative to strengthen cybersecurity and risk management for AI in financial services.
Examiners want to ensure you have policies and procedures governing AI for anti-money laundering (AML), fraud prevention, and other functions, and that these policies and procedures are consistent with disclosures and regulatory obligations.
That scrutiny extends to how firms talk about AI. AI washing — or making false or misleading statements about how you're using AI — resulted in enforcement actions in 2024 and 2025. While the current administration is actively encouraging AI use, accuracy, transparency, and documented oversight can’t be overlooked.
Takeaway: Regulators are operating from the assumption that you’re using AI, so inventory all AI usage across your firm, including AI deployed by vendors and affiliates. Create a governance framework for AI decision-making and disclosure, so you’re not caught off guard if asked.
In early 2025, the SEC charged two broker-dealers $45 million for failing to address known vulnerabilities and inadequate identity theft protections. While enforcement measures have shifted under the current administration, the underlying exposure — the lack of documented action in the face of a problem — remains a major risk for firms.
The SEC's priorities make clear that having a cybersecurity policy isn't enough. Examiners want to see that firms have carried out incident response plans, business continuity plans are in place, and that threat intelligence is translated into action. Vendor-supported systems should also be reviewed. If service providers aren't in your incident response plan and don't have contractual notification requirements, a breach at their end could close your client notification window before you even know there's a problem.
Takeaway: A policy no one has tested isn't a plan — it's a document. Test it, include your vendors, and fix what you find.
Your compliance program says you're meeting your fiduciary obligations, but can you prove it?
In 2025, the SEC settled three separate enforcement actions related to compliance program failures: $60 million against three advisers for inadequate policies and procedures; $90 million against two advisers who knew about investment model vulnerabilities and didn't act — and then impeded employees who tried to raise the issue; and more than $40 million against a broker-dealer whose representatives sent customers misleading bond data.
Firms in transition face the sharpest scrutiny in 2026, as the SEC has explicitly flagged a few key categories for deeper examination: RIAs that have merged, consolidated, or been acquired; newly registered and never-examined advisers; firms that have changed business lines; and advisers to private funds, newly launched funds, or alternative strategies such as private credit or funds with extended lock-up periods. If your firm falls into any of these categories, expect a heightened exam risk profile.
Takeaway: A compliance program is designed to identify red flags, so don’t ignore them. Investigate any potential risks and document your decisions for future reference — for yourself and examiners.
In December 2025, the Division issued a risk alert with additional observations on advisers' compliance with the Marketing Rule under Rule 206(4)-1. Examiners found multiple issues, including testimonials and endorsements that lacked required disclosures, third-party ratings used without proper due diligence, and — notably — advisers that had updated their compliance policies to address the Marketing Rule but weren't actually implementing them.
Takeaway: If your firm uses client testimonials, social media influencers, referral programs, or third-party ratings in its marketing materials, now is the time to review them. Review your advertising practices, ensure disclosures are clear and prominent, and confirm your compliance policies reflect what your firm is actually doing.
Now you know where the gaps are most likely to show up. The next step is making sure your compliance program can close them before an examiner finds them first. The right third-party risk and compliance management solution can help, from vendor management to regulatory change tracking.
Explore how the right software can help you meet SEC requirements for due diligence, ongoing monitoring, and data protection.