AI governance in financial services is no longer a matter for future planning. For Brian Rubin, a partner at Eversheds Sutherland and former senior official at both SEC Enforcement and NASD — now FINRA — the enforcement clock is already running, and firms that haven’t yet built the governance infrastructure to support their AI deployments are already behind.
According to Red Oak, Rubin, who spent the early years of his career inside regulatory bodies before crossing to the defence side, brings a dual perspective that few can claim. That vantage point informs a clear-eyed read of where the industry currently stands. Speaking with Red Oak chief supervision evangelist James Cella in a recent fireside conversation, he was blunt about the trajectory ahead.
Red Oak recently discussed a key question: what does it mean for AI to be compliance-grade?
Eversheds Sutherland partner Brian Rubin said, “The enforcement cycle is already forming. Someone only on the regulatory side might not fully appreciate how quickly firms are adopting AI. And somebody who’s only been on the industry side might not grasp how regulators are going to dust off their old traditional rules — supervision, record-keeping, communications requirements — and hold firms accountable.”
The pattern regulators always follow
The sequence is familiar to anyone who has watched prior technology cycles play out in financial services. Email arrived, firms adopted it quickly, regulators stayed quiet — then enforcement came using rules already on the statute books. Social media followed the same arc. So did off-channel communications via text and WhatsApp, with firms ultimately penalised under existing record-keeping obligations.
Rubin sees AI heading down an identical path, and the lesson is unambiguous.
Eversheds Sutherland partner Brian Rubin said, “Just because there are no specific AI rules doesn’t mean enforcement isn’t coming. Off-channel communications is a perfect example. Firms were penalized for texting using old record-keeping rules. I expect we’ll be seeing the same kinds of things with AI.”
In his assessment, the industry is firmly in an “existing rules apply” phase. AI-generated communications remain subject to supervision obligations. AI outputs fall within books and records requirements. AI-assisted marketing content is still governed by anti-fraud provisions. The underlying compliance framework has not changed; only the technology producing the output is new.
What examiners are already seeing
Three patterns are showing up in examinations, according to Rubin. The first is AI washing — firms overstating what their AI tools do, using inflated language about capabilities or the centrality of AI to their operations. The SEC has already pursued cases on this basis using its marketing rules and anti-fraud provisions.
The second is operational failure: AI-generated communications leaving the firm without review, records going unretained, surveillance outputs being disregarded. These are not novel compliance breakdowns — they are familiar failures attached to new technology.
Eversheds Sutherland partner Brian Rubin said, “The technology is new, but the compliance risks aren’t really that new.”
The third area drawing examiner attention is unauthorised AI use — employees feeding client data into public AI tools when internal options are inadequate, simultaneously creating confidentiality, record-keeping, and data security exposure. The parallel to off-channel enforcement is intentional and direct.
The governance mandate for CCOs
For chief compliance officers, Rubin’s guidance is unambiguous: governance must precede deployment. Every time, without exception.
Eversheds Sutherland partner Brian Rubin said, “AI isn’t just an IT project. You need governance, you need compliance, legal, technology, and business, all with a documented approval process for use cases.”
The purpose of that governance structure is evidentiary. When an examiner arrives two years after deployment, the firm needs to be able to demonstrate that the right stakeholders were involved, that the process was documented, that outputs were reviewed, and that a clear escalation path existed for issues. Regulators apply a standard of reasonableness, not perfection — but reasonableness still has to be evidenced.
Rubin also addressed CCO personal liability. The NSCP firm and CCO liability framework he co-authored was designed to clarify the boundaries of the CCO role: compliance officers provide advice; they are not operational supervisors. The risk of personal liability increases when there is a material problem, the CCO is aware of it, and fails to act. Documentation is the primary protection — for the firm and for the individual.
What this means for the whole organisation
The governance conversation extends well beyond the compliance function. For supervision teams, the operational questions are concrete: are AI-generated communications being captured, archived, and reviewed before they leave the firm? Are surveillance workflows built to catch AI-produced content, not just human-written output?
For marketing and distribution teams, the implications are equally direct. Deploying AI to accelerate content production without a compliant review workflow does not reduce compliance burden — it increases it. The same examiners reviewing supervision gaps are the ones reviewing AI washing cases, and the documentation standards are identical whether content was written by a person or generated by a model.
Red Oak’s Compliance-Grade AI™ has been built around precisely these requirements. Every AI interaction is captured and stored contemporaneously, every output is tied to the compliance record, and every workflow includes the governance layer necessary to make the process auditable and defensible — not just for the next campaign, but for the next examination.
Culture, not just controls
The firms handling AI adoption well, in Rubin’s view, share a common orientation: they treat AI governance as an organisational and cultural commitment, not a technical checkbox.
Eversheds Sutherland partner Brian Rubin said, “You’ve got to train employees about what AI can do and what it can’t do. Emphasizing that AI is a helper, not a decision maker. It’s not infallible. You have to foster a culture that views technology through a compliance-conscious lens.”
That framing — AI as a tool that strengthens the work of compliance professionals rather than substituting for their judgement — underpins how Red Oak approaches the technology. For 15 years, the firm’s foundation has been compliance outcomes. AI does not change that mandate. It becomes part of the workflow where it genuinely adds value, governed rigorously throughout, and never deployed in a way that forces a choice between speed and defensibility.
Copyright © 2026 FinTech Global