The supervisory gap most firms don't see isn't in their AI tools. It's in their evidence chain.
Ask the compliance officer at most independent RIAs whether the firm has an AI governance policy. Most will say yes. Ask them what AI-generated outputs went to clients last quarter, which staff produced them, what review process each output went through, and where the review record is retained. Most cannot answer.
That is the gap. Not the absence of a policy. The absence of an evidence chain.
A governance policy documents the firm's intentions. A governance evidence architecture documents what actually happened. An examiner who asks about AI use is not asking about the policy. They are asking about the evidence.
"A policy is a document. A governance posture is a practice, a record, and an audit trail."
Exam-ready AI governance posture is not about having the most restrictive policy. It is about being able to demonstrate, on demand, that the firm's AI use was consistent with its stated policy and that the outputs that reached clients were reviewed by a qualified person before they did.
Three questions define exam-readiness:
Most firms can answer the first question partially. Few can answer the second consistently. Almost none have an exception log at all.
A current, documented inventory of every AI tool in use — not just the ones IT purchased. Personal-account tools used by staff for firm purposes are the most common governance gap. An inventory that does not include these is not complete.
An approved/restricted/prohibited matrix that defines what data types each tool is permitted to process. Without this, the tool inventory is a list. With it, it becomes a governance framework.
For each workflow that produces client-facing output, a record that a named reviewer examined the output and approved it for use. The record must be retained, not just the output itself.
A documented retention schedule for AI-touched outputs and review records. The schedule must align with the firm's general books-and-records retention requirements — not be developed independently.
A log of instances where AI use deviated from the approved parameters, with date, responsible party, nature of the deviation, and corrective action. The absence of an exception log is itself a finding in an examination.
The three governance activities are distinct, and most firms conflate them.
Client-facing communications where AI generated or materially shaped the content. The AI output and the final output sent to the client. The review record if the output was reviewed before delivery. The retention period is the same as the underlying communication type.
Any AI output that will be used in a client-facing context — written communications, planning summaries, investment commentary, meeting notes shared with clients. Not all AI use requires review before use. Internal drafts, workflow aids, and research assistance do not carry the same review burden as client-facing output.
Exceptions. Uses of AI that deviated from the approved tool inventory, data classification matrix, or review gate requirements. The log does not need to be exhaustive — it needs to be honest. A clean exception log (zero entries) in a firm that has been using AI for 18 months should raise questions, not pass scrutiny.
The governance evidence architecture ThrivAI builds is operational infrastructure. It defines what the firm does, how it records what it did, and how it demonstrates consistency over time. It is not a legal opinion on what the firm must do under applicable law or regulation.
The distinction matters because the boundary between operational governance and legal/compliance advice is where ThrivAI's work ends and the compliance professional's work begins. The AI Supervisory Procedures document ThrivAI produces for a firm is a draft — it requires review, modification, and approval by a qualified compliance professional before it becomes a firm document.
Firms that treat ThrivAI's governance infrastructure as a substitute for compliance counsel are misusing it. Firms that use it as a starting point for compliance counsel review are using it correctly.
The firm's Governance Evidence Score at the start of the engagement was 33 — Exposed band. The two largest contributors to the low score were the absence of a documented tool inventory (four staff were using personal ChatGPT accounts for firm purposes, completely outside the firm's visibility) and the absence of review gate records for client-facing communications.
During the three-week Governance & Compliance Sprint, the firm completed a full tool inventory including the personal-account tools, migrated the four staff members to a firm-managed account with defined data parameters, built an approved/restricted/prohibited data matrix, established review gate assignments for each client-facing workflow, and had an AI Supervisory Procedures draft reviewed and approved by the firm's CCO contractor.
At the end of the sprint, the GES was re-measured at 71 — Defensible band. The firm is not exam-ready. But it can answer the three exam-readiness questions. That is a materially different starting position than it had three weeks earlier.
The remaining gap to Exam-Ready (GES 90+) is primarily in evidence retention documentation — the firm has the right records but has not yet formalized the retention schedule in writing. That is a 90-day post-sprint workstream.
The AI Readiness Snapshot includes a Governance Evidence dimension score in 7 minutes.
Take the Snapshot