Accelerate Partners Blog | AI, Cloud, Cybersecurity, and Compliance Insights

AI Records Retention for Private Equity Firms: What the SEC Actually Requires

Written by Mark Aklian | Mar 22, 2026 4:29:51 PM

I work as a fractional CISO for private equity firms and regulated broker-dealers. One of the first things I do in every engagement is ask how the firm handles AI-generated content from a records retention standpoint. The answer is almost always one of two things: "We capture everything" or "We haven't figured that out yet." Both answers create legitimate regulatory exposure.

Deal teams are using ChatGPT Enterprise, Microsoft Copilot, and Claude to accelerate due diligence, draft investment memos, model financial scenarios, and synthesize market intelligence. Operating partners are deploying AI tools across portfolio companies for management reporting, performance analysis, and operational improvements. A 2025 PwC survey found that 78 percent of organizations were using AI in at least one business function, up from 55 percent the year before.¹ The adoption curve inside PE firms has tracked the same trajectory.

The compliance infrastructure has not kept up. When a principal uses Copilot to research a potential acquisition target or model a portfolio company's EBITDA trajectory, a straightforward question comes up: is that a required regulatory record? If it is, how long does it need to be preserved, under what conditions, and what does the cost of getting it wrong look like in both directions?

Most PE and Registered Investment Advisor compliance teams, shaped by years of watching the SEC's off-channel enforcement campaign against broker-dealers, default to capturing everything. That instinct is rational given their battle scars. It is also based on a misunderstanding of the applicable regulatory framework, and it is expensive in both directions. Some firms retain too little and cannot produce records when examiners ask. Others retain too much and build a massive, discoverable, costly corpus of data they were never required to keep. There is a better path, and it starts with reading the right rule.

Your Regulatory Framework Is Narrower Than You Think

The foundational mistake I see in PE compliance programs on AI retention is the assumption that PE firms are governed by the same recordkeeping standard as broker-dealers. They are not.

Broker-dealers are subject to SEC Rule 17a-4 under the Securities Exchange Act of 1934. That rule requires retention of all communications "relating to business as such." It is intentionally broad. Every email, instant message, and internal memo connected to operations must be preserved for six years in WORM (write once, read many) format.

PE firms registered as investment advisers operate under a different statute with a materially narrower standard. The governing authority is the Investment Advisers Act of 1940. The applicable recordkeeping rule is SEC Rule 204-2, codified at 17 CFR § 275.204-2.² This is not a technicality. It is the central fact that should drive every AI governance decision your firm makes.

The industry's largest trade associations agree. In February 2023, SIFMA, the Managed Funds Association, the American Investment Council, and seven additional trade associations submitted a formal joint letter to the SEC arguing that the investment adviser recordkeeping standard under Rule 204-2(a)(7) covers only external communications within four enumerated categories, not all business communications, not all internal discussions, and not all AI-generated content.³ In October 2025, SIFMA followed up with a petition to SEC Chair Paul Atkins requesting the SEC narrow the scope of retained electronic communications, explicitly exclude AI-generated meeting transcripts and collaborative platform inputs from retention requirements, and provide safe harbors for good-faith compliance efforts.⁴ The consensus from the people who represent this industry to regulators is that PE firms are being held, incorrectly, to a standard that does not apply to them.

The Four Categories That Create a Retention Obligation

Rule 204-2(a)(7) requires investment advisers to maintain originals of all written communications received and copies of all written communications sent that relate to four specific categories.² If your AI interaction does not touch one of these four categories, it is not a mandatory record under your governing rule.

Recommendations and advice. Any recommendation made or proposed to be made, and any advice given or proposed to be given. For a PE firm, this means communications that convey specific investment recommendations to LPs, portfolio company boards, or co-investors. It does not mean the internal analytical work that precedes the communication.

Funds and securities movement. Any receipt, disbursement, or delivery of funds or securities. This covers transaction-related communications involving capital flows, distributions, drawdowns, and securities transfers at the fund level.

Order execution. The placing or execution of any order to purchase or sell any security. This applies most directly to PE firms with public market exposure or secondary trading activity.

Performance reporting. The performance or rate of return of any or all managed accounts or securities recommendations. This covers LP communications, quarterly reports, and anything that conveys performance data for managed funds.

Communications outside these four categories are not subject to mandatory retention under Rule 204-2(a)(7). The retention period for communications that do fall within scope is five years, with the first two years required to be maintained in an easily accessible location.⁵ There is no WORM format requirement for investment advisers.

The practical consequence: the vast majority of AI interactions inside a PE firm, including desktop research, competitive intelligence gathering, document formatting, deal screening, market analysis, and financial modeling, do not independently trigger a retention obligation under this rule.

When AI Content Becomes a Required Record

It's About Transmission, Not Generation

A September 2024 analysis from Skadden Arps established the clearest framework for applying SEC recordkeeping rules to AI-generated content.⁶ The distinction matters: AI-generated content that exists within an application or cloud environment does not constitute a "written communication sent or received" for purposes of Rule 204-2(a)(7). Generating information inside a tool is not the same as sending or receiving a communication.

The obligation triggers at the point of transmission. When an AI output is emailed, shared through a client portal, incorporated into an LP report, or delivered to a co-investor through any channel, that transmitted content becomes a required record, but only if its subject matter falls within one of the four categories above.⁶ If it does not touch recommendations, fund movement, order execution, or performance reporting, no retention obligation is created even by transmission.

Here is what that looks like in practice. A deal team principal uses Copilot to build a ten-tab financial model of a target company. That model, sitting in the firm's internal systems, is not a required record. When that principal emails the model's summary outputs to a co-investor with a recommendation to proceed, the email is a required record because it contains advice and falls within the first enumerated category. The model itself is not independently required to be preserved as a regulatory communication. And since emails are typically already retained by compliance archiving and digital communication governance platforms like Smarsh and Global Relay, firms already comply in this example.

Parallel Rules That Apply Regardless

Beyond Rule 204-2(a)(7), PE firms must also maintain records under other provisions of Rule 204-2 that apply regardless of how AI content is communicated.²

AI-generated marketing content, including pitch materials, fund descriptions, and anything distributed to prospective investors, must be retained under Rule 204-2(a)(11) governing advertisements. AI-assisted performance calculations, financial models, and working papers supporting performance presentations to LPs must be retained under Rule 204-2(a)(16). Compliance policies and procedures, including AI governance policies and annual review documentation, must be retained under Rule 204-2(a)(17). Code of ethics records must be preserved under Rules 204-2(a)(12) through (a)(13).

These parallel obligations mean certain AI output categories require retention even where the communications analysis under 204-2(a)(7) would not.

The Enforcement Reality: What Senvest Tells You

If you are tempted to treat recordkeeping as a lower-priority compliance item, the SEC's April 2024 enforcement action against Senvest Management should recalibrate that thinking.

Senvest was the SEC's first standalone enforcement action against an investment adviser for off-channel communication recordkeeping failures. Not a dually registered firm. A registered IA operating solely under the Advisers Act.⁷

Senvest agreed to a $6.5 million penalty after the SEC found that senior personnel conducted business communications through personal devices and unapproved messaging applications without preserving them.⁷ The SEC found violations specifically where messages related to matters within the scope of Rule 204-2(a)(7), confirming that the enforcement standard for investment advisers is tied to the four enumerated categories, not to all business communications. This is a meaningful limitation, but it only protects firms that understand it and apply it correctly.

Two elements from the Senvest order that I flag for every PE client:

First, the SEC applied a dual-charge approach: a substantive recordkeeping violation under Rule 204-2(a)(7) and a compliance-program failure under Rule 206(4)-7, the Compliance Rule.⁸ This is critical for AI retention design. If your firm voluntarily adopts an AI retention policy broader than the statutory minimum and then fails to enforce that policy consistently, you face compliance-program liability even where the underlying AI content would not have been required to be preserved. A policy that exists in writing but is not operationalized is not a defense. It is an additional exposure vector.

Second, the SEC explicitly credited Senvest's remedial actions and cooperation in determining the penalty amount. That credit for proactive remediation, documented good-faith compliance efforts, and cooperative engagement reflects the posture the SEC has signaled under Chair Paul Atkins, who has stated that examinations should enable constructive dialogue, not function as exercises designed to catch firms out.⁹

The broader context: since 2021, the SEC has assessed more than $2.2 billion in combined penalties against financial firms for recordkeeping failures related to off-channel communications.⁴ The majority targeted broker-dealers and dually registered firms under the broader Rule 17a-4 standard, but Senvest confirmed that standalone investment advisers are within scope. The question is not whether PE firms face enforcement risk. It is which standard applies and whether your framework is built around the right one.

The Risk Most Firms Are Ignoring: Over-Retention

The compliance conversation inside most PE firms focuses exclusively on the risk of retaining too little. That risk is real. But it is only half of the equation, and for many PE firms operating under the narrower investment adviser standard, over-retention may be the larger practical exposure.

AI Records Are Fully Discoverable

In Tremblay v. OpenAI (2024), a federal court ruled that AI prompts and outputs, including those generated during pre-litigation testing, are subject to civil discovery, treated as part of the evidentiary record comparable to traditional documents.¹⁰ Every AI interaction your firm has retained is potentially producible in any litigation, regulatory examination, LP dispute, employment proceeding, tax inquiry, or co-investor disagreement.

PE firms operate in environments with broad litigation exposure across the investment lifecycle, from acquisition due diligence disputes through portfolio company management controversies and fund wind-downs. The categories of proceedings that could generate discovery requests sweeping in an AI interaction archive are extensive.

The Cost Math

The average eDiscovery case now exceeds $2 million in total cost, with document review at $1 to $3 per document comprising approximately 70 percent of that figure.¹¹ These costs scale directly with data volume.

To put this in context, a PE firm with 100 employees generating an average of 20 AI interactions per day accumulates approximately 2.2 million additional discoverable records over a three-year period. Each requires preservation, indexing, search, and potential attorney review in any discovery proceeding. The incremental legal cost of that archive, spread across a few litigation matters, could dwarf the cost of a proportionate retention architecture many times over.

FTI Consulting has documented cases where global financial institutions struggled to manage decades of accumulated archived data, noting that firms face significant legal and regulatory risk related to over-retention alongside their obligations to retain certain records for specified periods.¹² DLA Piper has stated that best practice requires records to be destroyed when no longer needed for any business, legal, or regulatory purpose, citing unnecessary storage costs, increased litigation exposure, greater discovery expense, and enhanced cybersecurity risk as direct consequences of over-preservation.¹³

Defensible Deletion Is Established Practice

The legal framework for systematic deletion of AI interaction data is well-established. Federal courts have consistently held that systematic deletion pursuant to a documented, consistently applied policy does not constitute evidence spoliation.¹⁴ The 2015 amendments to Federal Rule of Civil Procedure 37(e) reinforced this by requiring a showing of intent to deprive another party of information before courts may impose the most severe sanctions for lost evidence.¹⁵ A well-documented deletion schedule provides robust protection against spoliation claims.

One additional risk: privilege. AI interactions used in connection with legal analysis, deal structuring, compliance research, or internal investigations may contain attorney-client privileged or work-product material. Retaining that content in a compliance archive designed for regulatory inspection creates inadvertent privilege waiver risk. A selective retention architecture that limits the volume of potentially privileged content stored in examiner-accessible platforms is not just permissible. It is prudent.

Retention Architecture: Choosing the Right Model

Given the regulatory framework under Rule 204-2 and the real litigation risks of indiscriminate retention, what does a defensible AI retention architecture look like? Three models have emerged, each with distinct tradeoffs.

Full Capture

All AI prompts and responses captured into the compliance archive. AI-powered surveillance tools triage the archive to surface risk-relevant interactions. Smarsh offers dedicated integration for ChatGPT Enterprise through OpenAI's Compliance API, and Global Relay has launched similar capabilities for Microsoft Copilot.¹⁶

Full capture eliminates under-retention risk entirely. It also maximizes the discoverable corpus, creates a target-rich environment for opposing counsel and regulators, may chill candid internal AI use, and for most PE firms, significantly exceeds what the Investment Advisers Act requires. This model makes sense for firms with complex dual-registration structures or specific regulatory postures that warrant the overhead. For most PE firms, it is overkill.

Automated Classification

An AI layer evaluates each interaction against a defined taxonomy and routes content to the appropriate retention tier. Interactions touching the four Rule 204-2(a)(7) categories go to the compliance archive. Working files go to intermediate retention. Transitory content is scheduled for systematic deletion after a defined period.

Classification signals include client names, fund identifiers, LP references, deal terms, and keywords associated with the four categories. This model significantly reduces the discoverable corpus while maintaining compliance, but requires investment in classification technology and ongoing tuning to manage misclassification risk.

User-Designation with Safeguards: The Best Fit for Most PE Firms

The model I recommend most often for PE firms balances regulatory compliance, litigation risk management, and operational practicality. The default state is non-retention. AI content is held in a temporary buffer of 60 to 90 days before automatic deletion. Metadata is retained on a longer schedule for supervisory review. Employees designate AI sessions containing content within the four enumerated categories for archival.

Four safeguards make user-designation defensible:

Contextual prompts at session initiation. Remind users of the categories that require retention with concrete examples mapped to your firm's actual business activities. This reduces genuine confusion and eliminates post-hoc rationalization about why a session was not designated.

Keyword-triggered escalation. Automatically flag sessions involving high-signal terms, including LP names, fund identifiers, deal names, transaction keywords, and performance-related language, and surface a more prominent retention prompt with the user's response logged for audit.

Output-level capture as a backstop. Any AI content transmitted via email, document management systems, deal rooms, or LP portals is automatically archived through existing communication infrastructure regardless of session designation. Transmission is the trigger point for the regulatory obligation, and this backstop catches it.

Periodic supervisory review. Sample non-retained sessions during the buffer period to validate designation accuracy and generate documentation of compliance-program effectiveness, which is what Rule 206(4)-7 requires.

This model fits the PE operating environment: small, senior teams of 30 to 200 professionals with high trust and direct supervisory relationships. The SIFMA joint letter specifically noted that overbroad recordkeeping interpretations discourage good governance by incentivizing firms to adopt only the statutory minimum rather than more thoughtful, selective policies.³

Implementation Requirements That Apply to Every Model

Regardless of which architecture you select, the Compliance Rule under Rule 206(4)-7 imposes requirements that must be satisfied for any AI governance framework to be defensible.⁸

Written policies and procedures. Document the framework in the compliance manual with enough specificity to be operationalized. Define classification criteria or designation standards, retention schedules for each content tier, supervisory review protocols, and exception-handling procedures. Provide concrete examples of AI interactions that do and do not require archival, mapped to the firm's actual activities.

Training with documentation. Personnel must receive documented training on AI retention obligations at onboarding and on a recurring schedule. A policy without a training record does not constitute a functioning compliance program. FINRA addressed this directly in Regulatory Notice 24-09, noting that existing supervisory obligations apply to AI tools regardless of the technology involved.

Legal hold integration. The retention platform must support custodian-level legal hold capabilities that suspend scheduled deletion when litigation is reasonably anticipated. The hold process must be documented and tested.

Annual compliance review. Rule 206(4)-7 requires annual review of compliance policies and procedures. That review must cover the AI retention framework, including usage metrics, designation or classification accuracy, regulatory developments since the prior review, and gaps identified through supervisory sampling.

Documentation of your reasoning. Maintain records of why you chose your retention model, including any legal memoranda, outside counsel opinions, regulatory guidance reviewed, and the rationale for your approach. This demonstrates informed, good-faith decision-making when an examiner asks. The SEC's credit to Senvest for remediation efforts underscores that documented good faith matters.
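
The user-designation model and the legal hold requirement described above, expressed as a retention decision function. This is an added Python example, not code from the article or from any vendor it names. The field names, the watchlist terms, the 90-day buffer (picked from the article's 60 to 90 day range), measuring the five-year period from session creation, and prioritizing flagged sessions in the supervisory sample are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional
import re

BUFFER_DAYS = 90     # the article gives 60 to 90 days; 90 is an assumed choice
ARCHIVE_YEARS = 5    # retention period the article cites for in-scope records
# Constructed watchlist; a firm would maintain its own LP, fund and deal terms.
WATCHLIST = ["capital call", "distribution", "fund iv", "irr", "recommend"]


@dataclass
class Session:
    session_id: str
    custodian: str
    created: date
    text: str
    designated: Optional[bool] = None  # None: the user never answered the prompt
    transmitted: bool = False          # output left the tool (email, portal, deal room)


@dataclass
class Decision:
    action: str                    # ARCHIVE | HOLD | BUFFER | DELETE (content only)
    delete_after: Optional[date]   # None while a legal hold suspends deletion
    prompt_user: bool = False      # surface the prominent retention prompt
    sample_for_review: bool = False
    reasons: List[str] = field(default_factory=list)


def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:             # 29 Feb rolls forward, never shortens the period
        return date(d.year + years, 3, 1)


def watchlist_hits(text: str, watchlist=WATCHLIST) -> List[str]:
    """Whole-word, case-insensitive matching so 'irr' ignores 'irrelevant'."""
    return [t for t in watchlist
            if re.search(r"\b" + re.escape(t) + r"\b", text, re.IGNORECASE)]


def evaluate(s: Session, today: date, held=frozenset()) -> Decision:
    """Decide what happens to one session's content; metadata is scheduled separately."""
    on_hold = s.custodian in held
    reasons = []
    if s.transmitted:
        reasons.append("transmitted")          # output-level backstop
    if s.designated:
        reasons.append("user-designated")
    if reasons:
        if on_hold:
            reasons.append("legal hold")
        expiry = None if on_hold else add_years(s.created, ARCHIVE_YEARS)
        return Decision("ARCHIVE", expiry, reasons=reasons)

    hits = watchlist_hits(s.text)
    if hits:
        reasons.append("watchlist: " + ", ".join(hits))
    if on_hold:                                # a hold outranks the deletion schedule
        return Decision("HOLD", None, sample_for_review=bool(hits),
                        reasons=reasons + ["legal hold"])
    expiry = s.created + timedelta(days=BUFFER_DAYS)
    if today < expiry:
        # Escalate only while the user has not yet answered the prompt.
        return Decision("BUFFER", expiry,
                        prompt_user=bool(hits) and s.designated is None,
                        sample_for_review=bool(hits), reasons=reasons)
    return Decision("DELETE", expiry, reasons=reasons + ["buffer expired"])
```

Checking the hold before the buffer expiry is what keeps a scheduled deletion job from removing a held custodian's content; the `reasons` list is the audit trail an examiner or supervisor would read.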

The 2026 Regulatory Environment

The SEC Division of Examinations released its FY2026 priorities in November 2025.⁹ The priorities address AI governance, cybersecurity, and compliance program effectiveness. They do not contain channel-specific retention mandates, do not reference any AI-specific recordkeeping requirements, and make no reference to capturing all AI interactions. The emphasis is on demonstrating compliance program effectiveness, having adequate governance policies for AI tools, and being able to substantiate representations made about AI use.

Goodwin Procter's analysis confirmed that the Division's focus is on AI governance frameworks and compliance program quality, not on maximizing retained AI data volume.¹⁷ As of March 2026, neither the SEC nor any self-regulatory organization has promulgated a rule specifically requiring retention of AI prompts and responses as a categorical matter. All current guidance affirms that existing rules apply to AI content in a technology-neutral manner.¹⁸

The regulatory environment supports a proportionate, well-documented approach. That is not a license for complacency. It is the window to get the analysis right and document your reasoning before any AI-specific rulemaking changes the landscape. The firms that build calibrated frameworks now will demonstrate compliance program effectiveness when examiners arrive. The firms that default to indiscriminate full capture without a documented rationale will have built a large, expensive, discoverable data problem in exchange for regulatory safety they did not need.

Build It Now

Enterprise AI tools are embedded in PE operations. Due diligence, LP communications, portfolio monitoring, and operational improvement initiatives all involve AI at some level in most mid-market and upper-middle-market firms. The question is not whether to govern AI retention. It is whether your governance framework is calibrated to the correct regulatory standard.

The firms that get this right share common characteristics. They have read the applicable rule and understood that it is Rule 204-2, not Rule 17a-4. They have mapped the four enumerated categories to their actual business activities and built a retention model proportionate to what the rule requires. They have documented the analysis, trained their people, built supervisory review into the process, and reviewed the framework annually. They have consulted qualified legal counsel and made an informed decision.

The firms that get it wrong fall into two categories. Some retain nothing and cannot produce a coherent compliance program when an examiner asks about AI governance. Others retain everything and discover, when litigation materializes, that they have built a massive corpus of discoverable data at a cost measured in millions of dollars of review time.

A third path exists. It is legally defensible, operationally manageable, and available to every PE firm willing to do the analysis. The time to build it is before the examination letter arrives.

Works Cited

  1. PwC. "2025 AI Business Survey." PwC, 2025. https://www.pwc.com/us/en/tech-effect/ai-analytics/ai-predictions.html
  2. U.S. Securities and Exchange Commission. "17 CFR § 275.204-2, Books and Records to Be Maintained by Investment Advisers." Code of Federal Regulations, current. https://www.law.cornell.edu/cfr/text/17/275.204-2
  3. SIFMA, Managed Funds Association, American Investment Council, et al. "Joint Letter on Investment Adviser Recordkeeping Requirements." February 2023. https://www.sifma.org/wp-content/uploads/2023/02/Investment-Adviser-Recordkeeping-Requirements.pdf
  4. SIFMA. "Modernizing Communications and Record Retention Rules for Broker-Dealers, Investment Advisers, and Security-Based Swap Dealers." October 2025. https://www.sifma.org/advocacy/letters/modernizing-communications-and-record-retention-rules-for-broker-dealersinvestment-advisers-and-security-based-swap-dealers-sifma-and-sifma-amg
  5. U.S. Securities and Exchange Commission. "Investment Advisers Act Compliance Checklist (Books and Records)." SEC Archives. https://www.sec.gov/Archives/edgar/data/0000933691/000093369108000055/exp80_sandpcoe.txt
  6. Skadden Arps. "How and When SEC Recordkeeping Rules May Apply to AI-Generated Content." Skadden Insights, September 2024. https://www.skadden.com/insights/publications/2024/09/how-and-when-sec-recordkeeping-rules-may-apply
  7. Sidley Austin. "SEC Files First Charges Against Standalone Investment Adviser for Off-Channel Communication Recordkeeping Failures." Sidley Insights, April 2024. https://www.sidley.com/en/insights/newsupdates/2024/04/sec-files-first-charges-against-standalone-investment-adviser
  8. U.S. Securities and Exchange Commission. "Compliance Programs of Investment Companies and Investment Advisers." Rule 206(4)-7 Adopting Release, December 2003. https://www.sec.gov/rules-regulations/2003/12/compliance-programs-investment-companies-investment-advisers
  9. U.S. Securities and Exchange Commission Division of Examinations. "Division of Examinations Announces 2026 Priorities." November 2025. https://www.sec.gov/newsroom/press-releases/2025-132-sec-division-examinations-announces-2026-priorities
  10. Portal26. "GenAI Prompt Retention: Preparing for Mandatory Compliance" (citing Tremblay v. OpenAI, 2024). Portal26 Resources, 2024. https://portal26.ai/genai-prompt-retention/
  11. Society of Corporate Compliance and Ethics. "The Hidden Compliance Cost of Poor Records Retention." Compliance & Ethics Blog, January 2026. https://complianceandethics.org/the-hidden-compliance-cost-of-poor-records-retention/
  12. FTI Consulting. "Digital Safe Data Disposition in Financial Services." FTI Insights, November 2025. https://www.fticonsulting.com/insights/articles/digital-safe-data-disposition-financial-services
  13. DLA Piper. "Defensible Deletion: The Proof Is in the Planning." DLA Piper Publications, February 2021. https://www.dlapiper.com/en-us/insights/publications/2021/02/defensible-deletion-the-proof-is-in-the-planning
  14. Redgrave LLP. "Act Now or Pay Later: The Case for Defensible Disposition of Data." Redgrave LLP Publications, April 2025. https://www.redgravellp.com/publication/act-now-or-pay-later-case-defensible-disposition-data-0
  15. Federal Rules of Civil Procedure, Rule 37(e). Failure to Preserve Electronically Stored Information. As amended December 2015.
  16. Smarsh. "Capture for ChatGPT Enterprise Compliance API." Smarsh Platform Overview, 2025. https://www.smarsh.com/channel/chatgpt-enterprise/
  17. Goodwin Procter. "2026 SEC Exam Priorities for Registered Investment Advisers and Registered Investment Companies." Goodwin Insights, December 2025. https://www.goodwinlaw.com/en/insights/publications/2025/12/alerts-privateequity-pif-2026-sec-exam-priorities-for-registered-investment-advisers
  18. Smarsh. "AI Governance in Financial Services: FINRA & SEC Guidance." Smarsh Thought Leadership, August 2025. https://www.smarsh.com/blog/thought-leadership/ai-governance-expectations-are-rising-even-without-rules