Is Your Advisory Team Using AI Tools Without Telling You? Here's Why That's a Problem

May 2026 | Cybersecurity for Financial Advisors | AI Tools, Shadow IT & Data Security

AI tools have become genuinely useful for financial advisory work — drafting client communications, summarizing meeting notes, researching topics, preparing presentation narratives. Your advisors and staff are probably using them. The question isn't whether AI is happening at your firm. The question is whether it's happening in a way that protects client financial data, meets your fiduciary obligations, and keeps you on the right side of SEC and FINRA expectations. For most advisory firms, the honest answer is: we're not sure.

The Shadow IT Problem in Advisory Firms

Shadow IT refers to technology that employees use for work purposes without formal approval or visibility from firm leadership or IT. AI tools are the newest and fastest-growing category of shadow IT. According to a 2024 study by CybSafe and the National Cybersecurity Alliance, 38% of employees share confidential data with AI tools without their employer's approval. A separate BlackFog study found that 49% of employees use unapproved AI tools for work tasks.

In a financial advisory context, this is particularly concerning. What counts as 'confidential data'? Client names and account details pasted into a ChatGPT prompt to draft a financial planning summary. Portfolio data copied into an AI tool to generate a client-facing narrative for a quarterly review. Notes from a client meeting entered into an AI assistant to produce a follow-up email. All of this is happening at advisory firms right now.

The AI Hallucination Risk in Client-Facing Work

Beyond the data exposure problem, there's a quality and accuracy problem that carries its own compliance risk: AI hallucination. AI language models confidently produce incorrect information. They cite statistics that don't exist, reference regulations that have been amended, and generate financial projections based on faulty assumptions — all in fluent, authoritative prose.

Imagine an advisor uses an AI tool to draft a financial planning proposal. The AI includes a statistic about average retirement savings rates or expected Social Security benefit changes. The advisor, trusting the output, includes it in a client presentation without verifying it. The statistic is invented. The client makes decisions based on it. This is a real scenario, and it creates material liability for the advisor and the firm.

The fiduciary standard doesn't have an AI exception. You're responsible for the accuracy and appropriateness of advice your firm provides, regardless of whether a human or an AI drafted the first version.

What AI Tools Actually Do With Your Data

Most consumer AI tools — the free or low-cost versions of popular platforms — use input data to train and improve their models. When an employee pastes client account information into a consumer AI tool, that data may be retained, reviewed by the provider's staff, or used to improve the model. The data doesn't stay in your firm's environment.

Enterprise versions of AI tools — Microsoft Copilot with appropriate data handling agreements, enterprise ChatGPT with data opt-outs, and similar products — offer different data handling terms. But your staff probably isn't using the enterprise version. They're using whichever tool is free and fast.

The Compliance Angle

The SEC's cybersecurity rules require advisory firms to have written policies for protecting client records and information. FINRA has issued guidance on technology governance that applies to AI tools. Smarsh and similar email archiving tools capture communications, but they don't capture what an employee feeds into an AI tool from outside the firm's email environment.

If a regulator asks how your firm controls the use of AI tools and what data protection standards apply, do you have a written answer? For most advisory firms, this is a gap that hasn't been addressed yet — but it's increasingly on examiner radar.

Three Things to Put in Place Now

1. AI Drafts, Humans Approve — With Verification

The productive model for AI in advisory work isn't to ban it — that won't work. It's to define it as a drafting and summarization tool, not a source of fact. Every AI-generated output that includes statistics, regulatory references, or specific financial information should be verified against a primary source before it goes to a client or into a compliance-sensitive document.

Build this into your workflow explicitly. 'AI-assisted draft — facts verified' as a step in your client communication process is defensible. 'We used AI and assumed it was accurate' is not.

2. Define What Should Never Go Into an AI Tool

Write it down and communicate it. Client names and account numbers, Social Security numbers, portfolio details, estate planning information, and any data covered by Reg S-P should never be entered into a consumer AI tool. Period. If advisors need AI assistance with client-specific content, that assistance needs to happen through a platform with appropriate data handling agreements.

This doesn't require banning AI — it requires being explicit about the boundary.

3. Inventory What Your Team Is Actually Using

You can't govern what you don't know about. Ask your advisors and staff directly what AI tools they're using for work. Conduct a review of browser-based tools on firm devices. This is the shadow IT audit. What you discover may surprise you, and it gives you a starting point for putting appropriate policies in place.
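One way to run the inventory step described above against something more reliable than self-reporting: scan web-proxy (or DNS) log exports for well-known AI assistant hostnames and report which users touched which tools. This is an added example, not Qual IT's tooling; the log line format, the hostname list and the sample lines are constructed assumptions to adapt to your own proxy export.

```python
"""Shadow AI inventory over web-proxy log lines (added example).

Assumed input format: 'timestamp user host path', one request per line.
Adapt parse_line() to whatever your proxy or DNS log export actually emits.
"""
import re
from collections import defaultdict

# Consumer AI assistant hostnames to flag (assumption: extend for your firm;
# enterprise tenants usually live on different hostnames and should be listed
# separately so approved use is not confused with shadow use).
AI_HOSTS = {
    "chat.openai.com": "ChatGPT (consumer)",
    "chatgpt.com": "ChatGPT (consumer)",
    "gemini.google.com": "Google Gemini",
    "claude.ai": "Claude",
    "copilot.microsoft.com": "Microsoft Copilot (consumer)",
}

LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<host>\S+) (?P<path>\S+)$")


def parse_line(line):
    """Return (user, host) for a well-formed line, or None for junk lines."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    return m.group("user"), m.group("host").lower()


def inventory(lines):
    """Map each user to the sorted list of AI tools their traffic touched."""
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the audit
        user, host = parsed
        # Match the listed host exactly or any subdomain of it (api., www., ...).
        for ai_host, label in AI_HOSTS.items():
            if host == ai_host or host.endswith("." + ai_host):
                seen[user].add(label)
    return {user: sorted(tools) for user, tools in seen.items()}


# Constructed sample log lines for demonstration (not real firm data).
SAMPLE_LOG = [
    "2026-05-04T09:12:01Z jdoe chat.openai.com /c/abc",
    "2026-05-04T09:15:44Z jdoe www.sec.gov /rules",
    "2026-05-04T10:02:10Z asmith claude.ai /new",
    "2026-05-04T10:03:55Z asmith api.chatgpt.com /backend",
    "malformed line",
]

if __name__ == "__main__":
    for user, tools in inventory(SAMPLE_LOG).items():
        print(f"{user}: {', '.join(tools)}")
```

The per-user output is a starting point for the conversation the section recommends, not a disciplinary record; pair it with the direct survey so approved enterprise tenants are not miscounted as shadow use.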

A Note on Vendor Due Diligence

If you're evaluating AI tools for firm-wide use — or if a software vendor you already use (Orion, Black Diamond, eMoney) is adding AI features — apply the same vendor due diligence you'd apply to any other technology provider. Where does the data go? What are the retention terms? Is there a data processing agreement? Does the vendor's security posture meet the standards your written information security program requires?

What to Do This Month

  • Survey your advisors and staff on what AI tools they're currently using for work
  • Draft a brief AI acceptable use policy that defines what data cannot be entered into AI tools
  • Review whether any AI tool vendors need to be added to your vendor due diligence documentation
  • Add AI hallucination verification as a step in your client communication workflow
  • Confirm your written information security policy addresses AI and shadow IT

Qual IT Works With Salt Lake City Financial Advisors

We work with Salt Lake City financial advisors to meet SEC/FINRA requirements and protect client data. If you'd like help assessing your firm's AI tool usage and shadow IT exposure, schedule a free discovery call with Qual IT.

Frequently Asked Questions

Does SEC or FINRA have specific rules about AI tool usage?

Both regulators are actively developing guidance in this area. The SEC has signaled that existing rules — including Reg S-P and cybersecurity risk management requirements — apply to AI-related risks. FINRA has published guidance on technology governance that firms should be applying to AI tool usage. Even where specific AI rules don't yet exist, the obligation to protect client data and maintain written policies covers AI-related risks.

Are we liable if an AI tool generates inaccurate financial information we pass on to a client?

Yes. Your fiduciary duty and the suitability obligations that apply to your recommendations don't change based on how content was generated. If inaccurate AI-generated content reaches a client and influences their decisions, liability for that content belongs to the firm and the advisor. This is why a 'verify before you send' policy is essential for any AI-assisted workflow.

What's the difference between consumer AI tools and enterprise AI tools for data protection purposes?

Consumer AI tools typically retain your inputs and may use them for model training. Enterprise versions — such as Microsoft Copilot with appropriate licensing, or enterprise ChatGPT with data opt-out agreements — are contractually bound to handle your data according to specified terms, including not using it for training and limiting access. For any AI tool used with client financial data, you need a data processing agreement that meets the standards your information security program requires.