AI Is Not a Substitute for SEC Exam Counsel
When the SEC exam email hits, the range of reactions across the industry is wide.
Large, sophisticated institutions generally have established playbooks, dedicated compliance infrastructure, and teams that have lived through the exam cycle many times. They understand the cadence, the pressure points, and the downstream risk.
But we are seeing a growing trend among smaller and mid-sized firms: when the SEC reaches out, the response is increasingly improvised. Requests get forwarded broadly, theories multiply, and teams turn to Google and AI tools to decode what exam staff “really wants” or is “concerned” about.
It feels efficient. It feels modern. It feels proactive.
In practice, it can be one of the fastest ways to create unnecessary regulatory exposure.
The thesis is straightforward: AI is a powerful tool, but it is not a substitute for experienced SEC examination counsel. When firms use AI to drive exam strategy, they often create the very problems they are trying to avoid.
The compliance version of this mistake is familiar. It is the new “Googling your symptoms instead of seeing a doctor.” Except here, the consequences are not a harmless misdiagnosis. The consequences can be expanded scrutiny, credibility erosion, privilege mistakes, books-and-records issues, and in the wrong case, an enforcement referral.
SEC Exams Are Not Random. They Are Risk-Based.
The SEC has been explicit that its examination program is risk-based. Firms are selected for examination for reasons that include statutory mandates, the firm’s risk profile, tips and complaints, referrals, and targeted sweeps focused on specific compliance risk areas.
For SEC-registered investment advisers, there is no rule that exams happen “every four years.” That idea comes from older industry expectations and historical exam cycles, but the SEC’s program is risk-based, not calendar-based. Because there are more than 15,000 SEC-registered investment advisers and limited examiner resources, the Commission is unable to examine every firm frequently. In 2022, the Division examined approximately 15% of registered advisers in that year, which, if applied uniformly to the population, equates to roughly a seven-year cycle — not a four-year one — though that is a simplistic extrapolation and not an official schedule.
That matters because it reframes what the exam request list actually is.
An SEC exam is not simply a request for information. It is a structured inquiry designed to test whether the firm’s conduct matches its disclosures, whether conflicts are managed, whether supervision is real, and whether the firm can substantiate decision-making through contemporaneous records.
And the SEC is increasingly transparent about what it cares about. Its published priorities consistently emphasize areas like:
information security and operational resilience
cybersecurity and cyber-enabled fraud
emerging financial technologies, including crypto-related activity
conflicts, disclosures, and fiduciary compliance
recordkeeping, supervision, and governance
retail investor protection themes and marketing claims
The list is broad by design. That is precisely why firms should not treat an exam notice as a narrow request. The SEC is rarely looking at just one thing.
The Exam Lifecycle: Predictable Phases, Real Consequences
Most exams follow a recognizable arc:
Initial request list and production mechanics
Follow-up questions and targeted document requests
Employee interviews
Supplemental requests
Exit conference(s)
Written conclusion (closure, corrective action, or deficiencies)
The inflection point is often the supplemental request.
Supplemental requests frequently appear narrow: a handful of transactions, a few client files, a request for “documentation supporting the firm’s basis.” But experienced counsel recognizes what they often represent: the Staff is narrowing to a thesis and testing whether the firm can support its position without improvisation.
This is where reactive decision-making becomes dangerous. Because the Staff is not just evaluating what the firm produces. The Staff is evaluating how the firm behaves under scrutiny.
What Exam Staff Is Really Testing
Firms often misread the exam as a document scavenger hunt - or a test they need to make sure they have the “right” answers to. That is a mistake.
In our experience, exam staff is usually testing four things at once:
1. Substantive compliance
Did the firm meet its obligations under the Advisers Act and its fiduciary framework?
2. Controls and supervision
Did the firm have procedures that were actually implemented, and can it prove that through records?
3. Disclosure integrity
Do disclosures match practice, or is there a “say-do gap” between Form ADV language and actual conduct?
4. Credibility under pressure
When scrutiny increases, does the firm respond with discipline, or does it scramble and create inconsistencies?
This fourth category is the one firms underestimate. It is also the category most likely to create exam escalation risk.
The First Unforced Error is Mistaking Activity for Strategy
Some firms respond to an exam request with sheer activity: more meetings, more emails, more internal hypotheses. Often without counsel, creative a non-privileged (discoverable) record of communications that might not be helpful.
But activity is not strategy.
Strategy is understanding, based on recent and past interactions with the SEC:
what the Staff is testing
what facts matter
what records exist (and what do not)
how to produce completely without expanding scope unnecessarily
how to preserve privilege and avoid creating new exposure
how to keep the firm’s story consistent across documents, interviews, and productions
Without that framework, firms default to reactive behavior. And reactive behavior creates record problems.
AI Accelerates the Scramble, It Does Not Replace Judgment.
Ever heard the phrase, “know enough to be dangerous”? AI can be useful in an exam context. It can summarize, organize, draft, and assist with workflow.
But AI cannot serve as your regulator-facing strategy engine, because it does not have what the exam requires: context, judgment, and accountability.
AI probably does not know:
what your firm has already produced
the current tone and priorities at the agency
the personalities and preferences of the specific Staff you’re working with
what your Form ADV says
what the Staff has already flagged internally
how your policies are implemented in practice
what language will be read as an admission
what needs to be said and what should never be said in writing
what advocacy vs. cooperation actually looks like
what is privileged, what is not, and what will be discoverable later
There’s like 2 TB worth of data I failed to mention here, but hopefully you get the picture. AI is a calculator. Counsel is the person who understands the formulas behind the math.
A calculator can produce a clean output while the user misunderstands the inputs. That is exactly how firms create problems with AI: the work product looks polished, but it is unmoored from the human realities of SEC examinations.
How This Goes Wrong in the Real World
The “AI strategy” failure pattern is not usually dramatic. It is subtle.
It looks like:
an internal team drafts a response that is overly expansive, trying to be helpful
the response inadvertently concedes that documentation is missing or weak
the firm rushes to remediate, creating post-exam edits and version-control problems
the firm produces inconsistently, then has to supplement repeatedly
the Staff sees confusion, inconsistency, or retroactive record-building
the exam expands
The firm did not intend to create risk. It created risk by treating the exam like a content problem rather than a legal process.
The Most Dangerous Instinct is “Fixing the File” After the Exam Begins
When exam staff asks for documentation supporting a recommendation, the internal pressure is immediate. People want the file to look clean. They want the rationale to be obvious. They want the story to read well.
So they update notes. They revise narratives. They add context. They backfill.
Even when well-intentioned, that is exactly how firms create the appearance of retroactive documentation.
And once the Staff begins to question file integrity, the inquiry changes. It is no longer just “is this recommendation supportable?” It becomes:
why does this record appear to have been edited?
where is the audit trail?
what changed, when, and by whom?
do the firm’s books and records reflect what actually happened?
At that point, the firm is no longer defending a transaction. It is defending credibility.
And in SEC examinations, credibility is the difference between a manageable review and a widening investigation.
What Early Counsel Engagement Actually Changes
Engaging outside counsel early is not about posturing. It is about imposing discipline on a process that can otherwise spiral.
At a high level, experienced SEC exam counsel will:
1. Identify the Staff’s likely thesis early.
Request lists are not random. They are structured. Counsel can read the requests, understand what the Staff is testing, and help the firm respond intelligently.
2. Build a coherent narrative grounded in evidence.
Regulators reward neutrality and contemporaneous support. They do not reward speculation or conclusory internal language.
3. Run a defensible production process.
Productions must be complete, organized, consistent, and repeatable. A firm should be able to explain how it searched, what it collected, what it culled, and why.
4. Protect privilege and control internal communications.
A counsel-led internal review can preserve privilege where appropriate and prevent damaging internal emails that become discoverable.
5. Prepare witnesses for interviews.
Interviews are not casual. They are part of the record. Unprepared interviews create contradictions that become exam findings.
6. Coordinate remediation in a way that is credible.
Remediation must be real, documented, and aligned with disclosures, not rushed or cosmetic.
This is what “getting ahead of the exam” actually looks like: not frantic action, but controlled execution.
Cooperation Is Strategic.
A cooperative posture is not about overproducing, oversharing, or volunteering conclusions. It is about being responsive, organized, and credible.
That means:
acknowledging requests promptly
communicating realistic production timelines
producing on a rolling basis when appropriate
maintaining consistent document organization and labeling
supplementing thoughtfully when needed
avoiding unnecessary characterization of “issues” before facts are developed
maintaining privilege discipline and record integrity
Firms that do this well often reduce follow-ups, reduce scope creep, and keep exams contained.
A Practical Playbook for Firms Facing an SEC Exam
If your firm receives an exam request, the first 72 hours matter.
A disciplined approach often includes:
Step 1: Engage counsel and centralize communications.
One point of contact. One narrative. One production process.
Step 2: Issue a preservation hold and preserve audit trails.
Email archives, CRM notes, version history, and access logs matter.
Step 3: Map requests to systems and custodians.
Know where the records live and who controls them.
Step 4: Produce with structure, not volume.
Organized productions reduce follow-ups and reduce the risk of inconsistent supplementation.
Step 5: Prepare witnesses and control interviews.
Interview preparation is not coaching. It is risk management.
Step 6: Remediate carefully, and document it properly.
Remediation should be real, measurable, and defensible.
SEC Exams Are All Risk and No Reward
Even when an exam closes “without findings,” it is not a certification of compliance. It does not foreclose future action. It does not mean the SEC blessed the firm’s practices. It means the exam ended.
That is why the goal is not to “win” the exam. The goal is to navigate it without creating new problems and without building a record that later becomes an enforcement roadmap.
The Takeaway
AI can help firms operate more efficiently (and even help lawyers save their clients money). It can also support organization, summarization, and workflow.
But AI is not a substitute for counsel, and it is not an SEC exam strategy.
The firms that handle examinations best do not move fastest. They move most deliberately. They preserve the integrity of the record. They respond with discipline. They engage counsel early, before the exam becomes something else.
Because in SEC examinations, the most expensive mistakes are the ones that were entirely avoidable.
That’s all for now,
Braeden
- - - - - - - - - - - - -
About the author:
K. Braeden Anderson is a Partner at Gesmer Updegrove LLP, where he leads the firm’s Securities Enforcement & Investigations practice, and chairs Mackrell International’s Blockchain & Digital Assets Group and Securities Enforcement & Investigations Group. He is a nationally recognized securities regulatory and enforcement attorney whose practice sits at the intersection of traditional financial regulation and emerging technology. He has been recognized in Best Lawyers: Ones to Watch® in America (2025) for Financial Services Regulation Law and Securities Regulation, and was named the #1 most-read fintech thought leader in the United States in Mondaq’s Spring 2025 Thought Leadership Awards.
Before joining Gesmer Updegrove, Braeden founded a Washington, D.C.–based law firm. He previously served as Assistant General Counsel at Robinhood Markets, Inc. (NASDAQ: HOOD), advising on high-stakes regulatory and enforcement matters, and earlier practiced at Kirkland & Ellis LLP and Sidley Austin LLP in New York and Washington, D.C.
Braeden is a prominent voice in securities and crypto regulation and a leading example of how lawyers can build brand through education and content. He publishes a weekly newsletter reaching more than 20,000 legal and financial professionals, runs a YouTube channel with over 160,000 subscribers, and regularly produces written and multimedia thought leadership through his blog, Anderson Insights. His work focuses on enforcement trends, fintech regulation, and the evolving role of digital assets in capital markets.
