Advisor Perspectives welcomes guest contributions. The views presented here do not necessarily represent those of Advisor Perspectives.
While your compliance team debates whether to allow the latest Large Language Model (LLM) within your compliance framework, most of your advisors are already using it on their personal phones. They may be entering client data, portfolio ideas, and internal research into AI applications that your firm has never reviewed. Even some paid AI subscriptions carry PII and cybersecurity risks. The real question is not whether shadow AI exists inside your walls. It is whether you will take control of it before regulators and cybercriminals do.
The Invisible Organization Inside Your Firm
A parallel organization now exists inside many wealth management firms. It is a workforce powered by unapproved AI tools that IT teams cannot see or manage. Employees are not doing this maliciously. They are simply trying to keep up with client expectations and administrative volume. Consumer AI is fast, helpful, and available on every personal device. That convenience has created an environment where nearly every company reports some level of AI use from personal accounts, while less than half offer sanctioned alternatives.
The result is a perfect storm. Advisors face pressure to produce more, faster. They have access to highly capable AI tools at low cost. Bring-your-own-device (BYOD) policies make monitoring difficult, if not impossible.
Cyberhaven reports that corporate data pasted into public AI tools grew almost fivefold over the past year. In wealth management, that often includes client profiles, investment commentary, performance notes, and documents containing personally identifiable information.
The scale of adoption would be a manageable problem if the tools were safe by default. The reality is far different. The real risk lies in the type of information that is leaving the firm, often without anyone realizing it.
What Your Team Is Actually Sharing and Why It Matters
Once information is entered into a consumer AI platform, it becomes part of an opaque data life cycle. It may be stored, used to train models, or retained in ways the firm cannot control. More than half of employees who use personal AI tools say they have supplied sensitive information. For wealth management firms, this means far more than basic confidentiality issues.
Advisors often input portfolio strategies, client cash flows, proposed trades, Social Security numbers, account details, and even early drafts of regulatory filings. In other words, exactly the type of information the SEC, FINRA, and state regulators expect firms to protect at all costs.
Recent public incidents show how easily things can go wrong. A technology firm accidentally exposed source code. A legal team submitted fabricated case law generated by an AI tool.
Wealth managers face an even greater downside. A single misstep can create violations of Regulation S-P, failures in recordkeeping, and potential breach-notification obligations. Understanding what is leaving the firm is the first step in recognizing why traditional “do not use AI” policies have completely failed.
Why the “Just Say No” Approach Makes the Problem Worse
Banning AI tools feels like a clean solution, but the data show it does not work. Nearly half of employees say they would continue using personal AI accounts even if their firm banned them. The individuals who are most capable and most productive tend to be the ones who adopt AI first. They are also the least likely to be stopped by basic filters or network restrictions.
The industry has seen similar patterns before. When firms tried to restrict personal devices, employees forwarded emails to their personal accounts. When Wi-Fi controls were tightened, employees used hot spots. When file sharing was blocked, USB drives quickly appeared. Attempts to block consumer AI tools simply repeat this pattern.
In wealth management, the problem is even more acute. Given your top producers are likely the fastest adopters of AI, if you remove tools that increase their productivity, you risk losing them entirely. Prohibition does not reduce risk. It moves the risk into places you cannot see.
Modern governance requires a different approach.
A Governance Framework That Actually Works
Firms that are successfully managing shadow AI are using a three-part model. The parts work together and must be implemented in the correct order.
First, create visibility.
Firms need tools that identify where AI is being used, which data are moving, and how often it occurs. SaaS management platforms, security brokers for cloud applications, and user behavior analytics can provide this visibility without creating a culture of blame. You cannot manage what you cannot detect.
Second, establish a modern AI Acceptable Use Policy.
This policy should classify tools into three categories: fully approved, limited use, and prohibited. It should also define which types of data can and cannot be used in AI systems. The policy must be updated regularly. Annual updates are the minimum. Quarterly is far more realistic given the pace of AI innovation.
Third, provide enterprise grade alternatives.
Shadow AI exists because employees have unmet needs. Enterprise AI tools solve that issue by offering the same capabilities with proper security. These systems provide audit trails, administrative controls, data residency assurance, and most importantly, do not train on your data. Once firms offer competitive, secure tools, the use of personal accounts drops quickly.
The sequence matters. Assess current usage. Educate teams on risks and approved tools. Enable them with secure alternatives. Only then should enforcement begin. Firms that reverse the order often see shadow AI use intensify.
The Regulatory Reality
The SEC has already made its expectations clear. The 2025 exam priorities include explicit attention to AI oversight. Regulators are focused on data privacy, accuracy of AI-generated content, and whether firms are overstating the capabilities of their technology. Record keeping remains in the spotlight. The SEC has imposed more than $1 billion in fines tied to unmonitored communication channels. AI-generated notes, summaries, and client correspondence fall under the same rules.
State-level regulations add further complexity. Colorado, Utah, and California have all implemented frameworks that touch AI usage and data privacy. Wealth managers must prepare for a world where AI governance is a core component of compliance programs.
Building the Right Internal Coalition
AI governance fails when it is treated as an IT project. It requires the involvement of compliance, legal, operations, and business leadership. CTOs should facilitate — but not own — every dimension of the program. Advisors must also be involved, because they understand the practical use cases better than anyone else.
Training is essential. Leaders often believe staff understand the risks, yet employees report a very different experience. Designating AI champions in each business unit is an effective way to bridge the gap between policy and daily practice. Firms that demonstrate competence with AI governance attract stronger talent and build more resilient cultures.
Future Proofing for Continuous Change
AI is evolving too quickly for static governance. Firms should avoid vendor lock-in and adopt flexible architectures that allow rapid tool changes. Quarterly reviews of the AI landscape, internal usage, and overall risk profile help maintain alignment. Most firms today are still in a reactive posture. The goal is to move toward proactive management and ultimately predictive governance.
Firms that take AI governance seriously will operate faster and with more confidence than competitors who are still debating whether to permit the technology at all. The firms that learn to govern shadow AI will be the ones who turn today’s risk into tomorrow’s advantage.
John O’Connell is founder and CEO of The Oasis Group, a leading consultancy for the wealth management industry that specializes in helping wealth management and technology firms solve their most complex challenges. The Oasis Group offers award-winning consulting services, industry-leading research, and compelling on-demand training for wealth management firms and the service providers who serve the wealth management industry.
John O’Connell will be speaking at the Exchange conference March 15–18 in Las Vegas. You can register for the conference here.
A message from Advisor Perspectives and VettaFi: Discover something new! Click here to register for our upcoming webcasts.
Read more articles by John O’Connell
Advisor Perspectives welcomes guest contributions. The views presented here do not necessarily represent those of Advisor Perspectives.
