StratiFi Blog — Insights for RIAs and Broker-Dealers

AI Investment Policy Statement Software for RIAs

Written by Akhil Lodha | 5/20/26 6:26 AM

Last updated: May 13, 2026 · By Akhil Lodha

For most RIAs and broker-dealers, the investment policy statement is the first document an examiner asks to see — and the one most likely to be out of date when they do. The policy was written at onboarding. The portfolio drifted with the market. The household added a 529 and a trust account. Three years later, nobody can prove the IPS was reviewed, let alone that the portfolio still matches it. AI investment policy statement software closes that gap by treating the IPS as a continuously supervised commitment, not a PDF dusted off the week before an exam.

This guide is written for the CCO at a mid-market RIA or broker-dealer — the person who has to defend the IPS supervision record in an exam. The framing reflects the SEC Division of Examinations' 2026 priorities, where AI, cybersecurity, and Regulations S-P and S-ID were named as cross-cutting risk areas for all registrants.

TL;DR AI investment policy statement software has to do four things manual review cannot: generate the IPS at the advisor stage off real client data, extract the Suitability fields (Investment Objective, Risk Tolerance, Investment Experience, Asset Allocation) from intake paperwork into structured records, monitor the policy-to-portfolio gap continuously, and produce the version-controlled evidence trail expected under Rules 206(4)-7 and 204-2. The strongest implementations run all four on one data lineage — advisor sales workflow into firm-level Suitability extraction into compliance supervision — without re-keying between systems.

Why investment policy statement supervision keeps surfacing in 2025-2026 exams

SEC examiners are no longer reading the manual — they are testing whether the firm did what the manual says. The IPS is the most common place that test fails.

The IPS is not a marketing document. Under Rule 206(4)-7 of the Investment Advisers Act, every registered firm must adopt written policies reasonably designed to prevent violations of the Act, reviewed at least annually. The IPS is where those firm-wide policies become client-specific commitments — allocation bands, security restrictions, rebalancing thresholds, distribution rules, liquidity needs, and standard of care. When policy and portfolio drift apart and nobody documents it, the IPS becomes evidence of failure rather than evidence of supervision. We walk through this pattern in IPS drift, style drift, and policy breach and in our review of SEC enforcement actions tied to IPS supervision failures.

Recent enforcement reinforces the point. In March 2025, the SEC charged Upright Financial Corporation and its adviser over the Upright Growth Fund's breach of its disclosed 25% concentration policy across multiple years — a policy-supervision case, not just a portfolio one. In September 2025, the Atkins-led SEC brought its first compliance-program action under the Marketing Rule against Meridian Financial, LLC, citing Rule 206(4)-7 because the manual committed to annual reviews while the actual reviews were a cursory Form ADV check and a refresh of an outdated manual. Examiners are not just reading the manual; they are testing whether the firm did what the manual says.

Three supervision realities make this harder than it sounds:

  • The IPS sits in a different system than the portfolio (custody, OMS, CRM).
  • Annual reviews compress 12 months of supervision into one quarter.
  • Manual review does not scale past a few hundred households without a CCO team most mid-market firms do not have.

AI closes this gap not by replacing advisor judgment but by making the policy continuously verifiable.

What the SEC's 2026 priorities say about AI and per-client supervision

The 2026 Examination Priorities, released November 17, 2025, treat AI, cybersecurity, and Regulations S-P and S-ID as cross-cutting risk areas for all registrants. The Division said it will examine whether AI-capability representations are accurate, whether controls match disclosures, and whether algorithms produce advice consistent with investors' stated strategies. That last clause is doing the real work: AI-driven recommendations have to be reconcilable with the per-client policy on file. The parallel FINRA AI guidance for broker-dealers reaches the same conclusion: oversight evidence has to live alongside the AI use, not bolted on after.

Two further 2026 priorities reshape the IPS conversation:

  • Regulation S-P amendments. Large advisers (RIAs with at least $1.5B AUM) had to comply by December 3, 2025; smaller firms by June 3, 2026. Required: an incident response program, service-provider oversight covering every third party that touches client data (including AI vendors), and individual notice to affected customers no later than 30 days after the firm determines sensitive customer information was or is likely to have been accessed.
  • Supervision of AI under 206(4)-7. The 2026 priorities call out procedures to monitor and supervise AI across automation, fraud detection, back-office, AML, and trading. Controls have to match disclosures and evidence human oversight on material decisions.

A platform that drafts the IPS is no longer enough; the firm has to show how AI participated in supervision. See documenting IPS supervision under 206(4)-7.

What AI investment policy statement software actually does in the workflow

AI investment policy statement software covers four distinct capabilities — advisor-stage IPS generation, firm-level Suitability extraction, continuous drift monitoring, and 204-2 evidence. Most products do one well; the ones that scale do all four on a single data lineage.

"AI investment policy statement software" is a useful label, but it covers four distinct capabilities. Doing one well is not the same as doing all four.

Capability What it replaces Audit consequence if absent
Advisor-stage IPS generation Template-and-fill IPS drafting in Word Boilerplate language that does not reflect the actual client allocation or constraints
Suitability data extraction Manual transcription of risk questionnaires, custodial statements, IMAs, IAAs, and account applications Inconsistent policy fields across households; intake errors propagate for years
Continuous drift monitoring Quarterly spreadsheet review of allocation versus IPS bands Breaches identified months late, or only at annual review
Version control and audit evidence Email threads, shared folders, manual change logs No defensible review trail for the examiner; 206(4)-7 implementation gap

The strongest platforms do all four on one data lineage. Most do one and call themselves an "IPS solution." Separate the demo from the workflow.

The IPS fields that have to land in the structured policy schema

The CFA Institute's position papers on IPS elements — for both individual and institutional investors — and most working RIA templates converge on the same intake fields. AI extraction earns its place only when it lands every one as discrete, queryable data:

  1. Scope — which of the client's assets the IPS governs (advisory accounts, held-away, trusts, 529s, business interests).
  2. Investment Objective — the goal the portfolio is structured around (growth, income, capital preservation, total return, ESG-aligned, retirement income).
  3. Risk Tolerance — drawdown tolerance and volatility ceiling, not just a 1-to-5 score.
  4. Investment Experience — the client's history with each asset class, used to support suitability of recommendations.
  5. Time Horizon per goal (retirement, education, legacy, philanthropic).
  6. Target Asset Allocation with minimum/maximum bands per asset class.
  7. Liquidity Needs, including expected distribution timing and amounts.
  8. Tax Considerations — cost-basis sensitivity, wash-sale windows, state-specific considerations.
  9. Concentration Limits — single-security and single-industry caps. The same field the Upright Financial case turned on.
  10. Restricted Securities and ESG / legal constraints.
  11. Rebalancing Triggers — threshold, calendar, or hybrid.
  12. Benchmark and Performance Measurement methodology.
  13. Governance, Roles, and Standard of Care — responsibilities across advisor, CCO, custodian, and client, plus the named standard of care the adviser is held to.
  14. Review Cadence and the events that force an off-cycle update.

If extraction does not produce these as queryable data, the platform drafts a pretty PDF no monitoring layer can use. That is the single most common gap.

How to evaluate AI investment policy statement software

The strongest AI investment policy statement software runs advisor-stage IPS generation, firm-level Suitability extraction, continuous drift monitoring, and 206(4)-7 evidence on one connected system. The seven dimensions below separate that from a single-feature tool.

This framework works for one vendor or three. Score each on a 1-to-5 scale; the gaps reveal where the CCO will end up doing the work manually.

  1. Advisor-stage IPS generation that reflects the household. Does the first-draft IPS reference actual current allocation, concentrations, and distribution needs — or a generic template with the client's name in the header? Strong platforms generate the IPS as part of the advisor's onboarding workflow, off parsed brokerage statements, tax returns, and estate documents.
  2. Suitability data extraction at the firm level. Can the system extract Investment Objective, Risk Tolerance, Investment Experience, Asset Allocation, Time Horizon, and Liquidity Needs from documents your operations team already collects — IMAs, IAAs, New Account Applications, custodial paperwork, custodial statements (Schwab, Fidelity, Pershing), risk questionnaires, and client update forms? A platform that requires re-keying defeats the purpose.
  3. Good Order checks on the paperwork. Does the platform run automated Good Order review — signatures, dates, custodial-form-version match, required fields — and surface exceptions before the document hits the supervision queue?
  4. Continuous drift monitoring. Does the system check the portfolio against the policy daily and surface only the breaches that matter? An alert that fires on every 1% drift is the same as no alert.
  5. Version control and reviewer attribution. When a policy field changes, can the system show who proposed it, who approved it, the prior version, and when the client acknowledged? This is the 206(4)-7 evidence layer.
  6. Single data lineage across the workflow. Does the advisor-stage IPS, the firm-level Suitability extraction, and the compliance supervision all read from one connected system — or three parallel data sets that need to be reconciled? The reconciliation work is where most CCO teams burn out.
  7. AI governance fit. Does the vendor's AI policy match what your firm must attest to — written AI supervision procedures, Form ADV alignment, service-provider oversight under Reg S-P, and an incident response process supporting the 30-day notification standard?

CCOs who succeed treat this as a supervision-infrastructure decision, not a tool decision. For the broader stack view, see the 206(4)-7 portfolio supervision gap.

The four IPS workflows AI investment policy statement software should own end-to-end

End-to-end ownership means the same parsed data flows through four stages — generation, extraction, drift, evidence — without re-keying. Point tools cover one or two stages and force the CCO to reconcile the rest manually.

1. Advisor-stage IPS generation at onboarding

At the prospect-to-client moment, the platform reads brokerage statements, 401(k)s, IRAs, tax returns, estate documents, and the risk questionnaire — then produces a first-draft IPS that reflects the household: actual allocation, concentrations, distribution timing, tax constraints. The advisor edits rather than starting from a blank template. This is the advisor workflow, not the back office. See our review of AI document data extraction.

2. Firm-level Suitability data extraction from operations paperwork

After onboarding, the firm-level operations team processes the paperwork no advisor opens daily — IMAs, IAAs, New Account Applications, custodial paperwork, mutual fund forms, client update forms. AI extracts the Suitability fields (Investment Objective, Risk Tolerance, Investment Experience, Asset Allocation, Time Horizon, Liquidity Needs) into the CRM and the supervision queue, with Good Order checks on the paperwork itself.

3. Continuous drift between policy and portfolio

The policy says 60/40 with a 5% band; the portfolio drifts to 67/33 because equities rallied; nobody notices. The compliance layer compares policy to portfolio every business day and surfaces only material breaches — bands, concentrations, distribution constraints, restricted securities. More in portfolio supervision and IPS intelligence.

4. Annual review and 206(4)-7 evidence trail

Every IPS change is a small policy event — who proposed it, who approved it, when the client acknowledged it, what the prior version said. AI-native systems treat each version as an artifact with reviewer attribution and a timestamped acknowledgment. That is what "books and records" under Rule 204-2 actually means. Structure in the practical guide to Rule 206(4)-7 annual review.

The regulatory backbone: 206(4)-7, 204-2, and Reg S-P

Three regulatory anchors make IPS supervision concrete. The platform either produces the evidence each rule expects, or the CCO reconstructs it manually before the exam.

Rule What it requires IPS implication
Rule 206(4)-7 Written policies reasonably designed to prevent violations of the Advisers Act, reviewed at least annually The IPS is the per-client expression of those policies; the annual review must cover every household
Rule 204-2 (books and records) Maintain compliance records for five years, first two on-site Every IPS version, approval, client acknowledgment, and supervision evidence is in scope
Regulation S-P (2024 amendments) Incident response program; service-provider oversight; individual customer notice no later than 30 days after determining sensitive customer information was or is likely to have been accessed Compliance: December 3, 2025 for RIAs at or above $1.5B AUM; June 3, 2026 for smaller firms. AI vendors fall under service-provider oversight.

A platform that cannot produce a defensible record of who reviewed what, and when, is not solving the problem. For exam prep, see our SEC exam preparation guide for investment advisers.

How StratiFi runs the IPS workflow as one seamless flow

The differentiator across StratiFi is that the IPS workflow runs on one data lineage — advisor sales workflow into firm-level Suitability extraction into compliance supervision — with no re-keying between systems. Three modules, one connected system.

  • AdvisorIQ. At the prospect-to-client moment, AdvisorIQ scans brokerage statements, 401(k)s, IRAs, tax returns, estate documents, and insurance policies, extracts the proposal-grade field set (ticker, description, cost basis, quantity, gains/losses, entity structure), runs risk scoring, generates the IPS, routes it for e-signature, and completes client onboarding. The IPS is created where the client relationship begins, off real client data.
  • OperationsIQ. After onboarding, OperationsIQ runs the firm-level paperwork the advisor does not touch — IMAs, IAAs, New Account Applications, custodial paperwork, mutual fund forms, client update forms, tax returns. It extracts the Suitability fields (Investment Objective, Risk Tolerance, Investment Experience, Asset Allocation, Time Horizon, Liquidity Needs, Tax Considerations, Restrictions, Beneficiary info) into the CRM and runs AI-powered Good Order checks on the paperwork itself.
  • ComplianceIQ. Reads the data both layers produce and monitors the portfolio against the IPS continuously. Material exceptions land in the CCO's queue with the underlying evidence attached — IPS version, supervision rule, source-document citation, reviewer attribution. The 206(4)-7 annual review runs against evidence rather than narrative.

For a mid-market or enterprise firm that is scaling, the seamless flow is the value. Point tools that handle one slice (just drafting, just extraction, just monitoring) leave the CCO reconciling three data sets quarterly. StratiFi removes that work by design.

The principle is the one we hold across the platform: human judgment amplified by institutional-grade intelligence. The IPS remains the advisor's commitment; the platform makes it continuously defensible.

See AdvisorIQ, OperationsIQ, and ComplianceIQ run the IPS workflow as one flow

A 30-minute walkthrough on anonymized client data. AdvisorIQ generates the IPS at onboarding off a real brokerage statement, OperationsIQ extracts the Suitability fields from a sample IMA, and ComplianceIQ runs the drift report your CCO will start using on Monday.

Book a walkthrough

What a 90-day rollout actually looks like

Treating new IPS software as a backlog project delays value and leaves the firm exposed during the migration. A more defensible cadence:

  1. Days 1-30. Integrate custody and CRM feeds and run extraction across every existing IPS in the book. The output is a clean inventory of which households have a current household-specific IPS, which have a template IPS in name only, and which have none.
  2. Days 31-60. Refresh the top 20% of households by AUM. Each gets a current IPS with the prior version preserved and a fresh client acknowledgment. Drift monitoring goes live for this cohort the same week.
  3. Days 61-90. Bring the rest of the book current in weekly waves. The annual-review delta report runs at quarter end. The CCO can now answer "show me the policy for this household and how you supervised it" in under a minute, for any client.

Key takeaways

  • The IPS is the first document an examiner asks for, and the most common place 206(4)-7 implementation breaks down.
  • AI investment policy statement software is four capabilities — advisor-stage generation, firm-level Suitability data extraction, continuous drift monitoring, and 204-2 evidence — and the strongest platforms run all four on one data lineage rather than three reconciled systems.
  • The 2026 Exam Priorities (released November 17, 2025) put AI governance and Reg S-P readiness on every exam — your IPS vendor's AI policy is now part of your AI policy.
  • Recent enforcement — Upright Financial (March 2025 concentration case) and Meridian Financial (September 2025 Marketing Rule and 206(4)-7 case) — shows examiners are testing implementation against manual language.
  • For mid-market and enterprise firms scaling past 10+ advisors, the seamless AdvisorIQ → OperationsIQ → ComplianceIQ flow removes the reconciliation work that breaks point-tool stacks.

Frequently asked questions

What is AI investment policy statement software?

Software that uses document extraction and policy reasoning to draft, monitor, and update a client's IPS. The strongest implementations cover four workflows on one data lineage: generating the IPS at the advisor stage off parsed client documents, extracting Suitability fields (Investment Objective, Risk Tolerance, Investment Experience, Asset Allocation) from operations paperwork at the firm level, monitoring the policy-to-portfolio gap continuously, and producing a versioned audit trail under Rule 204-2.

Are RIAs required by the SEC to have an investment policy statement?

The SEC does not name "investment policy statement" as a discrete required document, but Rule 206(4)-7 requires written policies reasonably designed to prevent violations of the Advisers Act, and fiduciary duty requires recommendations suitable for the specific client. In practice the IPS is how firms translate firm-wide policies into per-client commitments, and the document examiners most often request. For ERISA plan assets, an IPS is effectively required as evidence of prudent process.

How does AI improve the annual IPS review under Rule 206(4)-7?

AI-driven review produces a per-household delta report — what changed in the portfolio, the household circumstances, and the regulatory environment — so the CCO reviews exceptions rather than re-reading every IPS. Routine cases re-attest with reviewer attribution; only material changes consume senior time, which is how mid-market firms get the review done in one quarter without skipping households.

How often should an IPS be updated?

The working standard is annual review with a comprehensive refresh every three to five years, plus event-triggered updates whenever the portfolio, household, or regulatory environment shifts materially. Triggers include life events, concentration breaches, large distributions, and regulatory changes. AI IPS software flags these rather than waiting for the next annual cycle.

Can AI IPS software detect drift between the policy and the portfolio?

Yes. The portfolio is compared to the stated policy every business day. Material breaches — moves outside allocation bands, concentration limit violations, restricted-security holdings, or distribution-constraint conflicts — surface as alerts with supporting evidence attached. Cosmetic drift does not fire. The March 2025 SEC charges against Upright Financial — a disclosed 25% industry concentration policy breached over multiple years — are the textbook example of a drift breach that continuous monitoring would have flagged within days rather than after a multi-year look-back.

How does StratiFi run the IPS workflow end-to-end?

AdvisorIQ generates the IPS at advisor onboarding off parsed client documents (brokerage statements, tax returns, estate documents, insurance policies). OperationsIQ extracts the Suitability fields (Investment Objective, Risk Tolerance, Investment Experience, Asset Allocation, Time Horizon, Liquidity Needs) from the firm-level paperwork operations owns — IMAs, IAAs, New Account Applications, custodial paperwork, mutual fund forms, client update forms. ComplianceIQ monitors the portfolio against the IPS continuously and produces the 206(4)-7 evidence trail. The three modules share one data lineage — no reconciliation between point tools.

How long does it take to roll out AI IPS software at a mid-market RIA?

A workable rollout is 90 days: 30 days to integrate custody and CRM feeds and extract existing IPSs into the structured policy schema; 30 days to refresh the top quintile of households by AUM and turn on drift monitoring for that cohort; 30 days to bring the rest of the book current and run the first annual-review delta report.

Talk to StratiFi about your IPS workflow

A working session on your book. We will run drift on a sample of accounts and show what a 206(4)-7 review looks like when the evidence is already attached — AdvisorIQ generating the IPS, OperationsIQ extracting the Suitability fields, ComplianceIQ monitoring the portfolio against it.

Book a walkthrough
View full post