Perspective

Governance Evidence Architecture
for AI in RIAs

The supervisory gap most firms don't see isn't in their AI tools. It's in their evidence chain.

ThrivAI Advisory  ·  10 min read  ·  This is not legal or compliance advice

The Supervisory Gap Most Firms Don't See

Ask the compliance officer at most independent RIAs whether the firm has an AI governance policy. Most will say yes. Ask them what AI-generated outputs went to clients last quarter, which staff produced them, what review process each output went through, and where the review record is retained. Most cannot answer.

That is the gap. Not the absence of a policy. The absence of an evidence chain.

A governance policy documents the firm's intentions. A governance evidence architecture documents what actually happened. An examiner who asks about AI use is not asking about the policy. They are asking about the evidence.

"A policy is a document. A governance posture is a practice, a record, and an audit trail."

What Exam-Ready AI Governance Posture Actually Means

Exam-ready AI governance posture is not about having the most restrictive policy. It is about being able to demonstrate, on demand, that the firm's AI use was consistent with its stated policy and that the outputs that reached clients were reviewed by a qualified person before they did.

Three questions define exam-readiness:

Most firms can answer the first question partially. Few can answer the second consistently. Almost none have an exception log at all.

The Five Layers of Governance Evidence

What to Retain, What to Review, What to Log

The three governance activities are distinct, and most firms conflate them.

What to retain

Client-facing communications where AI generated or materially shaped the content. The AI output and the final output sent to the client. The review record if the output was reviewed before delivery. The retention period is the same as the underlying communication type.

What to review

Any AI output that will be used in a client-facing context — written communications, planning summaries, investment commentary, meeting notes shared with clients. Not all AI use requires review before use. Internal drafts, workflow aids, and research assistance do not carry the same review burden as client-facing output.

What to log

Exceptions. Uses of AI that deviated from the approved tool inventory, data classification matrix, or review gate requirements. The log does not need to be exhaustive — it needs to be honest. A clean exception log (zero entries) in a firm that has been using AI for 18 months should raise questions, not pass scrutiny.

Why This Is Not Legal Advice — And Why That Matters

The governance evidence architecture ThrivAI builds is operational infrastructure. It defines what the firm does, how it records what it did, and how it demonstrates consistency over time. It is not a legal opinion on what the firm must do under applicable law or regulation.

The distinction matters because the boundary between operational governance and legal/compliance advice is where ThrivAI's work ends and the compliance professional's work begins. The AI Supervisory Procedures document ThrivAI produces for a firm is a draft — it requires review, modification, and approval by a qualified compliance professional before it becomes a firm document.

Firms that treat ThrivAI's governance infrastructure as a substitute for compliance counsel are misusing it. Firms that use it as a starting point for compliance counsel review are using it correctly.

Case Study — $750M Pacific Northwest RIA

From Governance Evidence Score 33 to 71 in Three Weeks

33
GES Baseline
(Exposed)
71
GES After Sprint
(Defensible)
21
Days to Complete
+38
Point Improvement

The firm's Governance Evidence Score at the start of the engagement was 33 — Exposed band. The two largest contributors to the low score were the absence of a documented tool inventory (four staff were using personal ChatGPT accounts for firm purposes, completely outside the firm's visibility) and the absence of review gate records for client-facing communications.

During the three-week Governance & Compliance Sprint, the firm completed a full tool inventory including the personal-account tools, migrated the four staff members to a firm-managed account with defined data parameters, built an approved/restricted/prohibited data matrix, established review gate assignments for each client-facing workflow, and had an AI Supervisory Procedures draft reviewed and approved by the firm's CCO contractor.

At the end of the sprint, the GES was re-measured at 71 — Defensible band. The firm is not exam-ready. But it can answer the three exam-readiness questions. That is a materially different starting position than it had three weeks earlier.

The remaining gap to Exam-Ready (GES 90+) is primarily in evidence retention documentation — the firm has the right records but has not yet formalized the retention schedule in writing. That is a 90-day post-sprint workstream.

Governance Evidence Score — Dimension Breakdown

Tool Inventory
80/100 ↑ from 30
Workflow Classification
70/100 ↑ from 40
Review Gate Coverage
75/100 ↑ from 20
Evidence Retention
60/100 ↑ from 30
Exception Handling
65/100 ↑ from 25
Reviewer Attestation
70/100 ↑ from 35
Training Documentation
75/100 ↑ from 50
Important — This is not legal or compliance advice. This perspective describes operational governance infrastructure concepts developed by ThrivAI Advisory. It does not constitute legal advice, regulatory guidance, or a compliance opinion. Every firm's regulatory obligations depend on its specific facts, registration status, and applicable law. Qualified compliance professionals should review, modify, and approve any governance documentation before adoption. ThrivAI's work is a starting point for compliance review, not a substitute for it.

Assess your governance posture

The AI Readiness Snapshot includes a Governance Evidence dimension score in 7 minutes.

Take the Snapshot