Brief
What examiners are asking about AI in 2026
A field guide for compliance leaders: the questions regulators now open with when a firm uses generative AI — and what evidence answers them.
Two years ago, "do you use AI?" was a yes/no question. In 2026 it's the opening of a structured line of inquiry. Examiners have moved from curiosity to expectation: if you run generative AI in a regulated workflow, they assume the same controls apply that apply to everything else — and they ask for the evidence.
This brief collects the questions we hear most, grouped by the control they probe, with notes on what a credible answer looks like.
1. "Which models are you running, and who approved them?"
The inventory question is first because it's load-bearing. SR 11-7 expects a complete model inventory, and an examiner who finds a model in use that isn't on your list will reasonably assume the rest of your controls are just as incomplete.
A credible answer is an inventory drawn from live traffic rather than a manually maintained spreadsheet — because a model genuinely in use cannot be missing from it.
2. "How do you supervise what the AI does?"
FINRA Notice 24-09 reaffirmed that supervision (Rule 3110) applies to generative AI. Examiners want to see that AI activity is governed by policy and that a supervisor can review it.
The strong answer pairs inline policy enforcement with a reviewable record: the policy that was in force, the decisions it produced, and the findings a supervisor dispositioned.
3. "Show me the records."
Recordkeeping (Rule 4511, SEA 17a-4) and audit-trail requirements (NYDFS 500.06) converge here. The expectation is durable, tamper-evident records retained to the regulatory floor.
Screenshots and exported spreadsheets read as reconstruction. A hash-chained audit trail with an integrity hash the examiner can recompute reads as evidence.
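An added example (not code from this brief or from any product it describes) of the hash-chained trail described above: each entry's hash covers the previous entry's hash, so an examiner holding only the final hash can recompute the chain and locate the first altered entry. The record fields, function names and the all-zero genesis value are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed starting value for the first entry's "prev"

def _digest(prev_hash, record):
    # Canonical JSON (sorted keys, fixed separators) so that anyone
    # recomputing the hash serialises the record to identical bytes.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append(chain, record):
    """Append a record, binding it to the hash of the entry before it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": record, "prev": prev, "hash": _digest(prev, record)})
    return chain[-1]["hash"]  # new head hash

def verify(chain, expected_head=None):
    """Recompute every link. Returns (ok, index of first bad entry or None)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["record"]):
            return False, i
        prev = entry["hash"]
    # A chain can be internally consistent yet shortened or rebuilt from
    # scratch; only comparison with a separately held head hash shows that.
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    return True, None

def sample_chain():
    # Constructed records for illustration, not real log data.
    chain = []
    for rec in [
        {"ts": "2026-01-05T14:02:11Z", "team": "research", "decision": "allow"},
        {"ts": "2026-01-05T14:03:40Z", "team": "advisory", "decision": "redact", "finding": "PII"},
        {"ts": "2026-01-05T14:07:02Z", "team": "trading", "decision": "block", "finding": "MNPI"},
    ]:
        append(chain, rec)
    return chain

if __name__ == "__main__":
    log = sample_chain()
    head = log[-1]["hash"]
    print(verify(log, head))
    log[1]["record"]["decision"] = "allow"  # simulate an after-the-fact edit
    print(verify(log, head))
```

The head hash has to be kept somewhere the log's writer cannot alter; a chain checked only against itself would still pass after a complete rewrite.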
4. "What stops sensitive data from leaking through a model?"
PII and MNPI controls are increasingly probed directly. The examiner wants to know that sensitive data can't silently leave in a prompt or arrive in a response.
Inline detection that redacts or blocks at the request boundary — with each finding attributable to a team — is the answer that holds up.
What good looks like
The through-line across all four is the same: evidence produced as a byproduct of running, not assembled before the exam. Firms that treat governance as something the system does — inline, continuously, on the record — answer these questions in minutes rather than scrambling for weeks.
That's the bar examiners are setting in 2026, and it's the bar worth building to.