AI governance in financial services is not a problem waiting to happen. According to Brian Rubin, a partner at Eversheds Sutherland and former SEC enforcement attorney, it is unfolding right now — and the firms best positioned to weather it are those that established compliance infrastructure before deploying a single AI tool.
According to Red Oak, Rubin’s perspective carries unusual weight. He spent the early part of his career inside SEC enforcement and served as deputy chief counsel of enforcement at NASD, now known as FINRA. Today, he represents firms on the other side of that equation, navigating examinations and investigations. That dual vantage point — regulator turned defender — gives him a clear-eyed view of where the current moment is heading.
Red Oak recently discussed a key point: what it actually means for AI to be compliance-grade.
Speaking with Red Oak chief supervision evangelist James Cella in a recent fireside conversation, Rubin was direct about what is already taking shape. “The enforcement cycle is already forming,” he said. “Someone only on the regulatory side might not fully appreciate how quickly firms are adopting AI. And somebody who’s only been on the industry side might not grasp how regulators are going to dust off their old traditional rules — supervision, record-keeping, communications requirements — and hold firms accountable.”
A familiar pattern playing out again
For those paying attention, the dynamic is not new. Rubin draws a direct line between AI and earlier enforcement cycles that reshaped how financial firms operate — email, social media, and off-channel communications via text and WhatsApp. Each time, the sequence was the same: rapid adoption, regulatory silence, and then enforcement anchored to rules that had existed all along.
“Just because there are no specific AI rules doesn’t mean enforcement isn’t coming,” he said. “Off-channel communications is a perfect example. Firms were penalized for texting using old record-keeping rules. I expect we’ll be seeing the same kinds of things with AI.”
In Rubin’s assessment, AI now sits firmly in what he describes as the “existing rules apply” phase. Supervision obligations extend to AI-generated communications. Books and records requirements apply to AI outputs. Anti-fraud provisions govern AI-assisted marketing content. The technology may be novel; the compliance obligations are not.
What examiners are already finding
Rubin is specific about the patterns surfacing in examinations. The first is exaggerated AI claims — so-called AI washing, where firms overstate what their tools do or how central AI is to their operations. The SEC has already brought enforcement actions under its marketing rules and anti-fraud provisions. This is not theoretical.
The second pattern involves operational gaps: AI-generated communications leaving the firm without review, records going unretained, and surveillance outputs being overlooked. These are familiar compliance failures attached to an unfamiliar technology. “The technology is new,” Rubin observed, “but the compliance risks aren’t really that new.”
A third area attracting examiner scrutiny involves unauthorised AI use — employees feeding client data into public AI tools because internal alternatives fall short — creating simultaneous exposure around confidentiality, record-keeping, and data security. The parallel to off-channel communications enforcement is deliberate and direct.
Governance must come first
For chief compliance officers, Rubin’s message is unambiguous: build governance infrastructure before any AI tool goes live, not after.
“AI isn’t just an IT project,” he said. “You need governance, you need compliance, legal, technology, and business, all with a documented approval process for use cases.”
That infrastructure serves a specific purpose: giving examiners — potentially arriving two years after deployment — the evidence they need to conclude the firm acted reasonably. The standard regulators apply is reasonableness, not perfection. But reasonableness must be demonstrable.
Rubin also addressed CCO personal liability directly. The NSCP firm and CCO liability framework he co-authored was designed to clarify what compliance officers are — and are not. CCOs provide compliance advice; they are not operational supervisors. Personal liability risk rises when there is a material problem, the CCO is aware of it, and fails to act. Documentation is the primary protection, for the firm and for the individual.
Implications across the organisation
The governance imperative does not stop at the compliance function. For supervision teams, the operational questions are immediate: are AI-generated communications being captured, archived, and reviewed before they leave the firm? Are surveillance workflows designed to catch what AI produces, not just what people write?
For marketing and distribution teams, the stakes are equally concrete. AI that accelerates content production without a compliant review workflow does not reduce the compliance burden — it amplifies it. The documentation requirements are the same whether content was drafted by a person or generated by a model.
Red Oak’s Compliance-Grade AI™ is built with precisely these requirements in mind. Every AI interaction is captured and stored contemporaneously. Every output is tied to the compliance record. Every workflow includes the governance layer required to make the process auditable and defensible — not just for the next campaign, but for the next examination.
Culture is the competitive advantage
The firms navigating AI adoption well, in Rubin’s view, share a common characteristic: they treat governance as an organisational commitment rather than a technical checkbox.
“You’ve got to train employees about what AI can do and what it can’t do,” he said. “Emphasising that AI is a helper, not a decision maker. It’s not infallible. You have to foster a culture that views technology through a compliance-conscious lens.”
That framing — AI as a tool that enhances compliance professionals’ judgement rather than replacing it — sits at the heart of how Red Oak has approached Compliance-Grade AI™. The mandate has been consistent for fifteen years: compliance outcomes first. AI enters the workflow where it genuinely helps, governed rigorously throughout, and never deployed in a way that forces firms to choose between speed and defensibility.
Read the full Red Oak post here.
Copyright © 2026 RegTech Analyst