SEC · Advisers Act 204-2 · 206(4)-7 · 206(4)-1

The compliance program component for AI use at your RIA.

Capture every prompt your IARs run. Catch Marketing Rule violations before they ship. Hand your SEC examiner the evidence your annual compliance review requires under Rule 206(4)-7.

Why now

The Division of Examinations is asking about AI.

The SEC has been specific about where it's looking. Your next examination will not treat "we have a policy" as an answer.

2025 SEC Examination Priorities

AI is a named focus area

The Division of Examinations flagged adviser use of AI across advice, marketing, and operations. Expect document requests on how AI is supervised and recorded.

Rule 206(4)-1 — Marketing Rule

AI-drafted client content is in scope

Testimonials, performance claims, hypothetical performance, and substantiation requirements apply to AI-generated client communications the same way they apply to anything else.

Rule 206(4)-7 — Compliance Program

The annual review must cover AI

Your CCO is designated under 206(4)-7. The annual compliance review obligation now extends to AI use — tested, documented, and tied to your compliance manual.

Books and Records · Rule 204-2

What your examiner sees

Every AI interaction your IARs had — timestamped, attributed, and tamper-proof. Filterable by team, IAR group, content category, and disposition. Exportable in the format your compliance manual requires.

Audit Trail — Request Log
14:32:07 · Investment Research · j.martinez · 10-K research summary · GPT-4 · 2,847 · Clean
14:31:44 · Client Service · a.chen · Quarterly client letter · GPT-4o · 3,420 · Marketing Rule Review
14:31:12 · Compliance · r.johnson · Form ADV update draft · Claude · 4,180 · Clean
14:30:38 · Wealth Management · s.patel · Code of Ethics inquiry · GPT-4o · Pending Disposition
14:29:51 · Compliance · r.johnson · Form CRS revision · Claude · 2,610 · Clean
Showing 5 of 14,200 interactions · 5-year retention per Rule 204-2

Exam packet export · Rule 204-2(j)

One ZIP. Every artifact your document request will ask for.

When the Division of Examinations sends a document request, you don't want to assemble evidence from screenshots and spreadsheets. TinyFox produces a single signed packet, tied to your compliance manual, ready to hand over.

Cover memo from your CCO. Audit trail. Marketing Rule review log. AI use policy and the most recent 206(4)-7 annual review. IAR attestations. Blocked-request incidents. All signed, all tamper-evident, all retained for five years.

tinyfox-sec-packet-2026-Q1.zip
  📄 00_cover_memo.pdf
  📄 01_summary.pdf
  📄 02_audit_trail.csv · 14,200 interactions
  📄 03_marketing_rule_review.csv · 47 flagged · 47 disposed
  📁 04_compliance_program/
      📄 ai_use_policy.pdf
      📄 annual_review_206_4_7.pdf
  📄 05_iar_attestations.csv · 42 IARs · 100% acknowledged
  📄 06_blocked_requests.csv · 23 incidents PII / MNPI
  🔒 MANIFEST.sha256 · Signed 2026-04-01 by CCO
Signed by CCO · Tamper-evident · 5-year retention per Rule 204-2.
Compliance Review Queue
PII near-miss · j.martinez · Rule 204-2 / PII · CCO r.johnson · Resolved
Performance claim · a.chen · Rule 206(4)-1 Marketing Rule · CCO r.johnson · Escalated
MNPI keyword · s.patel · 10b-5 / Code of Ethics · pending · Pending
47 flagged this week · 44 disposed · 3 pending

Compliance review workflow · Rule 206(4)-7

A review queue your CCO can actually work.

Flagged AI interactions surface in a single queue. Each item is tied to a specific rule, a specific IAR, and a specific reviewer — with a clear disposition trail.

Your designated CCO sees what needs eyes, not 14,200 rows of noise. Every disposition is logged with timestamp and reviewer identity, so the annual compliance review under 206(4)-7 has actual evidence to test.

Sensitive data · PII / MNPI

Sensitive data caught and blocked before it reaches the model.

If a client SSN, account number, or piece of MNPI ends up in a prompt, that's a 204-2 violation and a fiduciary breach with no record. No evidence it happened, no proof you tried to stop it, and nothing for your CCO to bring to the next examination.

TinyFox scans every prompt before it reaches the model — SSNs, account numbers, client PII, material non-public information, and credentials. Requests are blocked in real time, and every incident is logged to a tamper-proof audit trail with full context for your compliance team.

1. Sensitive data detected in prompt
   SSN (***-**-4832) found in request · team wealth-management · gpt-4o

2. Request blocked
   Prompt never reached the model · policy: block-pii-critical

3. Incident documented · Audit log updated
   Full context logged · 204-2 evidence preserved · CCO notified
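The three-step flow above, as an added illustration that is not TinyFox's code: a hypothetical pre-model gate that detects a US SSN, masks it to the last four digits in the ***-**-4832 format, blocks the request under the block-pii-critical policy, and appends the incident to a hash-chained, tamper-evident audit trail. The regex, the AuditTrail class and gate_prompt are constructed for this example; the raw prompt is never written to the trail.

```python
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed detector for the one finding type the page shows (a US SSN);
# a production gate would carry many more patterns and context checks.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
BLOCK_POLICY = "block-pii-critical"  # policy name as shown on the page

def mask_ssn(ssn: str) -> str:
    """Keep only the last four digits, matching the ***-**-4832 format above."""
    return "***-**-" + ssn[-4:]

class AuditTrail:
    """Append-only, hash-chained log: every entry commits to the previous hash,
    so editing or deleting an incident later breaks verification."""
    def __init__(self):
        self.entries = []

    def append(self, record: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = json.dumps(record, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"prev": prev, "record": record, "hash": digest})
        return digest

    def verify(self) -> bool:
        prev = "0" * 64
        for entry in self.entries:
            body = json.dumps(entry["record"], sort_keys=True)
            expected = hashlib.sha256((prev + body).encode()).hexdigest()
            if entry["prev"] != prev or entry["hash"] != expected:
                return False
            prev = entry["hash"]
        return True

def gate_prompt(prompt, user, team, model, trail):
    """Pre-model gate: scan, block on a hit, log a masked incident.
    The raw prompt is never written to the trail, only masked findings."""
    findings = [mask_ssn(m.group(0)) for m in SSN_RE.finditer(prompt)]
    if not findings:
        return {"allowed": True, "findings": []}
    trail.append({
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "user": user, "team": team, "model": model,
        "policy": BLOCK_POLICY, "rule": "204-2", "findings": findings,
    })
    return {"allowed": False, "policy": BLOCK_POLICY, "findings": findings}
```

A CCO-facing export would sign the chain head (as the MANIFEST.sha256 in the packet above does) so the trail can be verified by a reader who does not trust the host it came from.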

Policies and procedures · Rule 206(4)-7

Your compliance manual is a PDF nobody reads.
TinyFox enforces it.

Every RIA has an AI use policy buried in the compliance manual. Almost none can enforce it. TinyFox does — automatically, at the API layer, before the data ever leaves your network.

Block sensitive data in prompts

Requests containing SSNs, account numbers, client PII, or material non-public information are caught and blocked before they reach the model.

Restrict models by team

Investment Research gets GPT-4. Client Service gets Claude Haiku. Compliance gets read-only. Your IAR groups, your policy — enforced.

Budget guardrails

Set spend limits per team. Get alerts on spikes. No runaway experiments, no month-end surprises hitting the operating budget.

Marketing Rule · Rule 206(4)-1

Catch Marketing Rule violations before they ship.

AI-drafted client communications — quarterly letters, market commentary, prospect emails, pitch decks — checked against the Marketing Rule before they leave the firm.

Testimonials and endorsements

AI-drafted content invoking client experience, peer endorsement, or paid-promoter language is surfaced before it ships. Tied to the disclosure requirements under 206(4)-1.

Performance claims

Gross vs. net, time-period selection, benchmarks, and required disclosures — flagged when the model produces performance language without the supporting context.

Hypothetical performance

Backtested, model, target, or projected returns are caught and routed to your CCO for the policies-and-procedures review the Marketing Rule requires before distribution.

Substantiation gaps

Factual claims in AI-generated client content are checked against the substantiation standard. Anything unsupported is flagged before it goes out, not after a deficiency letter arrives.

Cost attribution by team

Every dollar of AI spend, traced to a team.

When your COO asks how AI spend tracks against the operating budget, you need an answer by team and use case — not a single line item on a vendor invoice.

TinyFox attributes every request automatically. Spend is traceable, anomalies are flagged, and your books reflect what each team actually used AI for.

Spend by team

Feb 2026

Investment Research · $1,200
Client Service · $640
Operations · $380
Compliance (read-only) · $180
Total · 4 teams · Feb 2026 · $2,400

Built for the people who own AI risk at your RIA

Chief Compliance Officer

Designated under 206(4)-7 — with the evidence to back it up

Complete books and records under 204-2, a working review queue tied to your compliance manual, and Marketing Rule checks on every AI-drafted client communication. When the Division of Examinations asks, you have a real answer instead of a deficiency letter waiting to happen.

Managing Partner / President

Protect the firm's fiduciary standing on every client communication

AI-drafted client letters, market commentary, and proposals all flow through one place. Sensitive data caught. Marketing Rule triggers flagged. The fiduciary risk doesn't sit in a dozen private ChatGPT tabs your IARs forgot to mention.

Chief Operating Officer

One source of truth for AI tools, costs, and risk

Spend by team, model, and provider. Policies enforced at the API layer. Vendor sprawl replaced with a single line item, a single audit trail, and a single place your CCO can answer to.

Regulatory mapping

Mapped to your compliance manual.

Each TinyFox capability ties back to a specific obligation under the Advisers Act. So when an SEC examiner asks how you supervise AI, you have a real answer.

Tamper-proof audit trail · 204-2 — Books and Records
Exam packet export · 204-2(j) — Production for examination
Compliance review workflow · 206(4)-7 — Compliance Program
Marketing Rule content checks · 206(4)-1 — Marketing Rule
Sensitive data blocking (PII / MNPI) · 10b-5 — Insider trading; fiduciary duty
Model and team policies · 206(4)-7 — Written policies and procedures

Dually registered firm (both BD and RIA)? Book a call — we'll walk through both rule sets together.

Map TinyFox to your compliance manual.

Book a 15-minute call. We'll walk through how each capability ties to Rule 204-2, 206(4)-1, and 206(4)-7 — using your firm's compliance program language.