Closing the Gap Between AI Adoption and Reg S-P Compliance
The amended Regulation S-P carries a compliance date of June 3, 2026 for smaller entities. Its core requirements are well understood: written policies, an incident response program, oversight of service providers, and recordkeeping to evidence all of it. The harder problem sits underneath those requirements.
Reg S-P governs every service provider with access to personal data of customers and investors. Over the past two years, financial services firms have adopted AI tools faster than their compliance programs can track them, and most of those tools meet the rule’s definition of a service provider. They enter the firm through the browser rather than through procurement, producing a widening gap between what a firm uses and what its compliance program has documented. That gap is where Reg S-P exposure now concentrates.
Reg S-P Is Written to Be Technology-Neutral
Reg S-P was first adopted in 2000 and amended in 2024 as a deliberately technology-neutral rule, written to apply regardless of which tools a firm uses. It regulates two things by function: customer information, and the parties that handle it. Firms must safeguard customer information against unauthorized access or use. They must also oversee the service providers that receive it, through due diligence and monitoring designed to confirm those providers protect the information and report a breach within the 72-hour window the rule specifies, so the firm can meet its own 30-day customer notification obligation.
The definition operates on function, not labels. An AI meeting assistant that records a client review call and stores the transcript offsite might receive personal data of investors and customers. A copilot indexed across a drive containing account files, onboarding documents, and other records processes it continuously. An AI feature embedded in the firm’s email client, summarizing threads and drafting replies, handles it with every client message. None of these tools is named in the rule, and none needs to be. Each falls inside a category the rule already covers: a service provider with access to personal data.
Deferring the question until the SEC addresses AI by name is therefore weaker ground than it appears. No dedicated AI rule is required to bring these tools into scope, because the service-provider definition already does. The SEC has also named both Regulation S-P and the use of AI among its 2026 examination priorities. An examiner reviewing both has a direct path from an AI tool to a firm’s service-provider inventory.
Adoption Moves Faster Than Governance
Vendor management was built for a process in which providers arrive on a schedule: proposed, evaluated, contracted, and recorded, typically quarterly or at contract renewal. AI tools bypass that process. They are enabled inside software a firm already licenses, added as browser extensions, or reached through free consumer accounts. Each adoption is a reasonable decision by an employee doing useful work, and each occurs outside the governance cycle.
The 2025 Investment Management Compliance Testing Survey, conducted by the Investment Adviser Association and ACA Group, found that 40 percent of investment adviser firms have formally adopted AI tools for internal use, and 44 percent of those firms have no formal testing or validation of the tools’ output. The pattern is adoption outrunning the controls meant to govern it. A vendor inventory prepared for the Reg S-P deadline can be accurate the week it is completed and incomplete by the next review.
The Exposure Reaches Beyond Compliance
The pace gap is often treated as a compliance department problem. In practice, it distributes risk across several functions.
Employees who adopt AI tools to work more efficiently become, at the moment client data enters those tools, participants in service-provider relationships the firm never formalized. They take on that role without intending to and without the context to evaluate it.
The chief compliance officer owns a program that is structurally slower than the technology it governs. A periodic vendor inventory cannot capture a tool enabled between review cycles. During an examination, that timing gap is attributed to the compliance function, and the personal accountability now associated with the CCO role raises the stakes of that attribution.
IT and security teams are usually informed of an AI tool after it is already in use, and are then responsible for securing an environment whose perimeter has changed without their involvement.
Clients are affected directly but have the least visibility into it. Their nonpublic information may be processed by model vendors they have not been told about, under retention and training terms the firm has not reviewed.
An examiner encounters the result at the end of this sequence and reconstructs it in reverse: a tool missing from the inventory, an inventory that is out of date, and a program that has not kept pace with the firm it governs. None of these outcomes necessarily reflects negligence; each follows from ordinary adoption decisions made faster than oversight can record them.
Closing the Gap: Discovery, DLP, and Evidence
If the problem is one of pace, the response has to operate at the same speed, which places much of the work in the security domain rather than the legal one.
Counsel can confirm that the service-provider definition reaches AI tools, but identifying which AI tools are running across a firm in a given week is an operational question. Answering it requires discovery: ongoing examination of SaaS usage, browser extensions, and the network traffic leaving the environment for AI services. Discovery converts a general awareness that AI is in use into a current record of where it is and which instances touch customer information. Conducted continuously rather than once, it keeps that record accurate between formal reviews.
Discovery establishes what exists in the environment, and data loss prevention governs the customer data moving through it. The Reg S-P safeguards rule requires firms to protect customer information against unauthorized access or use, and the second term is the operative one. An analyst uploading a client account statement to a public chatbot has not caused a breach in the sense that a ransomware event is a breach, but the transfer is still a preventable, unauthorized use of customer information. DLP, and the secure-access tooling that increasingly accompanies it, monitors customer information in motion and at the point of use. Configured for generative-AI destinations, it can block uploads to unsanctioned applications, permit sanctioned tools under defined conditions, and, at the browser layer, flag sensitive content entering a prompt directly.
DLP also produces what an examination depends on: evidence. The standard the SEC has signaled for the period after the compliance dates is whether a policy is implemented and enforced, not whether it exists on paper. A DLP system generates the record that a control operated: the flagged transfer, the blocked upload, the documented exception. That record is the firm’s answer when an examiner asks how it knows its AI policy functions in practice.
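To make the discovery-plus-DLP-plus-evidence loop concrete, here is an added illustration (not Abacus tooling or any vendor's product) that runs the policy described above over a few constructed proxy log lines. The host names, the service-provider inventory, the AI-destination heuristic and the upload-size threshold are all assumptions chosen for the example; a real deployment would draw the inventory from the firm's vendor records and the tags from its DLP classifiers.

```python
import re

# Constructed sample egress log (not real traffic). Fields:
# timestamp user method host bytes_out dlp_tag
SAMPLE_LOG = """\
2026-04-01T09:12:03Z jdoe POST api.sanctioned-llm.example 48211 none
2026-04-01T09:14:45Z jdoe POST chat.consumer-ai.example 912044 account_number
2026-04-01T09:15:10Z asmith GET meet-notes.example 0 none
2026-04-01T09:16:02Z asmith POST meet-notes.example 220400 none
2026-04-01T09:20:30Z jdoe GET www.news.example 0 none
"""

# Hypothetical service-provider inventory: AI hosts the firm has reviewed.
# Any AI destination absent from it is treated as unsanctioned.
INVENTORY = {
    "api.sanctioned-llm.example": "sanctioned",  # due diligence complete
    "meet-notes.example": "under_review",         # discovered, review pending
}
# Placeholder discovery heuristic for "this host is an AI service".
AI_HOST_PATTERN = re.compile(r"(llm|ai|gpt|copilot|notes)\.", re.I)
UPLOAD_BYTES = 64 * 1024  # assumed: POST bodies this large are document uploads

def parse_log(text):
    """Split the constructed log into one dict per request."""
    rows = []
    for line in text.splitlines():
        ts, user, method, host, bytes_out, tag = line.split()
        rows.append({"ts": ts, "user": user, "method": method, "host": host,
                     "bytes_out": int(bytes_out), "tag": tag})
    return rows

def evaluate(row):
    """DLP decision for one request: (allow|flag|block, reason)."""
    if not AI_HOST_PATTERN.search(row["host"]):
        return "allow", "non-AI destination"
    status = INVENTORY.get(row["host"], "unsanctioned")
    is_upload = row["method"] in ("POST", "PUT") and row["bytes_out"] >= UPLOAD_BYTES
    if row["tag"] != "none":  # classifier saw customer information in the body
        return "block", f"customer data tag '{row['tag']}' sent to {status} AI service"
    if status == "unsanctioned" and is_upload:
        return "block", "upload to AI service not in inventory"
    if status == "under_review" and is_upload:
        return "flag", "upload to AI service pending review"
    return "allow", f"{status} AI service"

def run(text):
    """Return the discovered AI inventory and the evidence record together."""
    discovered, evidence = {}, []
    for row in parse_log(text):
        decision, reason = evaluate(row)
        if AI_HOST_PATTERN.search(row["host"]):
            discovered[row["host"]] = INVENTORY.get(row["host"], "unsanctioned")
        if decision != "allow":  # only enforced controls become evidence
            evidence.append((row["ts"], row["user"], row["host"], decision, reason))
    return discovered, evidence
```

The `discovered` dict is the gap between what is in use and what the inventory documents, and `evidence` is the record an examiner would ask for.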
Operating Under Reg S-P
The objective is not to remove AI from the firm. Firms that respond to Reg S-P by prohibiting these tools generally find that use migrates to personal devices and unmonitored accounts, where discovery and DLP cannot reach and no evidence is created. The SEC’s expectation is consistent with its treatment of any technology that handles client information: use it deliberately, oversee it, and document it.
The compliance date is fixed; the AI footprint behind it is not. The firms that manage the examination cycle well will be those whose oversight operates at the speed of their adoption.
Abacus works with SEC-registered firms to close that gap, bringing the AI already in use into view, identifying which tools reach customer information, and keeping that picture current as adoption continues. Because governing AI is an ongoing discipline rather than a one-time project, it usually starts with a conversation about where a firm stands today.
Any firm working through what Reg S-P means for its AI footprint is welcome to reach out to our team to learn more about Abacus’ AI services.
