Making structured workflows and information management standard practice is the best way to prepare for an SEC examination. Use this checklist to assess your organization’s readiness.
SEC examinations in 2026 are placing greater emphasis on how firms manage everyday workflows—not just how policies are written. Regulators are taking a closer look at areas like cybersecurity, vendor oversight and AI governance, with increased focus on documentation, oversight and day-to-day execution.
This shift is tied to how firms actually operate. Most client communication now happens digitally rather than in person, across email, messaging tools and client portals. Documents move between internal systems, cloud storage and third-party platforms, often involving multiple handoffs along the way. And newer tools—especially AI—are increasingly used to automate parts of everyday work. But compliance challenges don’t just stem from systems—they also come from how people use them, where small variations in day-to-day workflows can introduce gaps that regulators are increasingly focused on identifying.
With this shift, most exams center around a common set of questions: How does your firm communicate with clients? Where and how are records stored? And how are the tools your team uses every day supervised?
For many firms—especially those with leaner teams where compliance is one of many responsibilities—the risk now lies in execution. As scrutiny increases across everyday workflows, even small inconsistencies in how teams communicate and manage documents can quickly become regulatory gaps.
As scrutiny shifts toward day-to-day execution, these priorities begin to form a clear pattern. Rather than evaluating policies in isolation, examiners are increasingly looking at how those policies show up in everyday workflows. Many firms now think of this as a practical SEC exam playbook—the operational practices regulators expect to see during an examination.
While each firm’s structure may differ, most examinations tend to converge on three core questions:
Blind spots often appear in how these areas are managed in practice. Many firms focus on whether a communication or document exists, rather than how it was captured, stored and supervised, an area that regulators increasingly scrutinize during examinations.
Over the past several years, regulators have repeatedly identified recordkeeping gaps as one of the most common issues uncovered during examinations. In fact, recordkeeping deficiencies appear in nearly 89% of SEC deficiency letters.
This points to a clear execution gap. While these tools are convenient, they are often used outside systems designed to consistently capture, retain and supervise communications.
For many firms, these gaps arise from everyday communication habits. Advisors may send quick client updates via text message, exchange documents through personal email, or store files in personal cloud storage accounts.
While these tools can be convenient, they can also make it difficult to consistently preserve communications and documents.
SEC Rules 17a-3 and 17a-4 require firms to keep complete records of their business activities—like transactions, client information and communications—and store them securely for a set period of time. These records must be easy to find, protected from being altered or deleted, and available to regulators when requested.
Without a centralized system, firms risk incomplete records, inconsistent retention and limited visibility. When information is spread across tools and workflows, these gaps become harder to manage—making it more difficult to locate records during regulatory requests.
Cybersecurity continues to be a major focus during SEC examinations and remains a key theme in 2026 priorities. In fact, approximately 67% of SEC exams now include some form of cybersecurity assessment.
Regulators increasingly review how firms protect sensitive client information and respond to potential security threats, including cybersecurity policies, access controls and incident response procedures. They may also look at how documents are shared externally and what safeguards are in place to prevent unauthorized access to client data.
Cybersecurity compliance is ultimately measured by how well controls are implemented and enforced in practice, not just how they are defined on paper. Without a system that both applies these controls and records evidence of their performance, demonstrating that level of oversight can become difficult during an examination.
As publicized in the SEC report, artificial intelligence and automated technologies will be a key focus in upcoming examinations, with examiners reviewing how firms govern these tools and the accuracy of their AI-related representations. As firms adopt new tools to speed up operations and enhance client services, regulators are paying closer attention to how those technologies are used and governed.
Examiners may review whether firms have policies governing the use of automated tools, whether disclosures accurately reflect how those tools are used, and whether outputs are subject to appropriate review. While regulatory expectations in this area are still evolving and remain less prescriptive, firms are expected to demonstrate reasonable oversight. In practice, this can be difficult to manage—especially as these tools are used across multiple workflows, making consistent oversight and documentation harder to maintain.
For many advisory firms, compliance risk doesn’t come from intentional violations—it builds over time through everyday workflows.
As teams adopt new tools and processes, small inconsistencies in how communications are handled, documents are stored or information is shared can introduce gaps that are difficult to detect in the moment but become visible during an examination.
Much of this risk stems from fragmentation. Teams often rely on a mix of email, messaging tools and cloud-based file sharing to communicate with clients and exchange documents. While each tool may serve a purpose, information becomes distributed across systems, making it harder to maintain a clear, consistent view of what was communicated, where it was stored and how it was supervised.
That lack of visibility is where operational complexity turns into compliance risk. When records are spread across systems, it becomes more difficult to demonstrate that communications were properly captured, retained and reviewed—especially under regulatory scrutiny.
Even client portals can introduce challenges. Documents may be shared securely with clients, but if those files are not consistently archived in a system designed for long-term retention, firms may struggle to retrieve complete records later. In practice, this can lead to situations where a document exists, but there is no clear, auditable record of how it was handled over time.
At a certain point, continuing to rely on a patchwork of tools for the sake of convenience becomes a risk in itself.
This is where the challenge shifts from technical to operational. It’s not just about adding another system—it’s about establishing a consistent, durable framework for how information is captured, managed and supervised across the organization. Without that foundation, proving compliance can become a time-consuming, manual effort rather than a built-in part of how the business operates.
Preparing for an SEC examination is ultimately about demonstrating that good policies and processes are working as intended.
For firms operating with fragmented systems, that often means spending significant time pulling together records, reconstructing workflows and locating evidence of good practices—assuming those practices were followed consistently in the first place.
By contrast, when workflows are structured and information is managed consistently from the start, much of that effort is reduced. Instead of preparing for an exam, firms are already operating in a way that makes their processes easier to demonstrate.
Taking a closer look at how communications are supervised, how records are retained, how data is protected and how emerging technologies are governed can help firms better understand where gaps may exist—and how those gaps might appear during an examination.
To help, we’ve created a 2026 SEC Exam Readiness Checklist that financial services firms, RIAs and investment advisers can use to evaluate their practices, identify gaps and strengthen their readiness ahead of an SEC exam.
This simple self-assessment highlights several areas regulators commonly review and can help firms quickly evaluate their readiness.