
The AI Due Diligence Questions Every Advisory Firm Should Be Asking

Advisors may think they’re making a decision about software, but increasingly, they’re also making a decision about AI.

AI is no longer arriving through standalone tools. It’s being added to the software advisors already use every day. Meeting notes. Client communications. Planning insights. Portfolio analysis.

That’s creating a new due diligence challenge. Advisors need visibility into how AI is being used inside the software they rely on.

Why AI changes vendor due diligence

For years, software due diligence was relatively straightforward.

Advisory firms could evaluate a platform’s functionality and review its security controls. While no software is completely risk-free, most systems behave in predictable ways.

AI introduces a new layer of evaluation.

As AI becomes embedded in advisor technology, firms need to understand more than what a product does. They also need to understand how information is generated, how client data is handled, and what safeguards exist when AI is involved.

That matters because advisors are increasingly encountering AI through tools they already use every day. Many new features and workflows in vendor products now include AI-generated content behind the scenes.

The technology can be incredibly useful. It can save time and reduce manual work. But it can also make software harder to evaluate. When an output is generated by AI, understanding where it came from and how it was produced isn’t always straightforward.

Of course, advisors are not expected to become AI experts. Most firms will never inspect a model or review source code. Instead, they will rely on vendors to make responsible decisions about how AI is built, deployed, and governed.

But this means transparency becomes extremely important.

A vendor’s AI strategy should be more than a product announcement or a feature label. Firms should be able to explain what oversight exists around AI-generated outputs and how information can be verified before it reaches a client.

The same standards advisors apply to client service still apply when AI enters the workflow. If a chart, recommendation, summary, or client communication comes from an AI-powered feature, the advisor still needs to understand it well enough to stand behind it.

The risks advisors should care about

For advisory firms, two concerns rise above the rest: data exposure and reliability.

Many AI tools require access to client information to produce useful results. That creates an obvious question: where does that information go once it’s entered into the system?

In the wrong environment, sensitive client data can be exposed beyond the advisory firm. Information entered into an AI tool could be retained longer than expected, shared with third parties, or used in ways the advisor never intended.

Consider a simple meeting summary. An advisor may enter detailed notes about a client’s finances, family situation, or future plans without realizing how that information is being processed behind the scenes.

If something goes wrong, clients and regulators are unlikely to focus on which vendor was responsible. They’ll look to the advisory firm that collected the information in the first place.

The second risk is reliability.

Generative AI can produce content that sounds polished and complete while still getting important details wrong. A meeting summary may misinterpret a conversation. A client communication draft may omit important context. An AI-generated insight may reflect an incorrect assumption.

The challenge is that these mistakes are not always obvious. An advisor may not discover the issue until the information is already being used in a client deliverable.

That’s what makes AI different from many traditional software tools. The output can look credible even when it contains errors.

Client-facing advice requires a higher standard. Before AI-generated content reaches a client, advisors need a way to review it, verify it, and understand where it came from.

What advisors should ask AI vendors

By this point, the conversation shouldn’t be about whether a vendor uses AI. Almost every vendor has an AI feature or workflow now embedded in their platform.

The better question is whether they can explain how they’re using it.

A handful of questions can reveal a great deal about how seriously a vendor approaches AI governance.

  • Is my data used to train AI models? You shouldn’t have to guess. The answer should be written down and backed by the vendor’s agreement. If the answer is yes, firms should understand exactly what data is being used and under what circumstances.
  • Can I see your latest SOC 2 report? No certification guarantees good behavior, but firms should be cautious when a vendor has nothing to show. Advisors should also understand whether the controls apply to the systems powering the vendor’s AI capabilities.
  • How do you govern AI? Some vendors will point to ISO 42001 certification. Others may have their own governance framework. The important thing is whether they can explain how decisions are made, how risks are reviewed, and who is accountable when something goes wrong.
  • Can I review AI-generated content before it reaches a client? AI should support advisor judgment, not replace it. Advisors should be able to review summaries, communications, and other client-facing content before anything is shared.
  • Can I verify where an AI-generated output came from? Advisors shouldn’t have to take an AI-generated answer on faith. They should be able to see step by step how it was produced. 
  • Do AI-generated outputs remain consistent over time? If the same input produces meaningfully different outputs every time, advisors have a problem. Client-facing information needs to be understandable enough that an advisor can explain it with confidence.

The strongest vendors will answer these questions directly. The weakest will rely on marketing language and broad assurances.

No due diligence process can eliminate every risk. But these questions can help advisors separate AI capabilities from AI governance and make better decisions about the technology they bring into their practice.

What strong AI governance looks like

Most advisors won’t inspect a model or review source code. That’s not the job.

The job is asking questions and expecting clear answers. Advisors should understand how client information is handled, how AI-generated content is reviewed, and where responsibility sits when something goes wrong.


FAQ: AI governance for advisors

What is AI governance?

AI governance refers to the policies and controls a company uses to manage AI. For advisors, it comes down to a few practical questions: How is client data handled? Who reviews AI-generated outputs? And what happens when something goes wrong?

Why should advisors care if they aren’t building AI themselves?

Most advisory firms will encounter AI through the software they already use. Advisors may not build the technology, but they are still responsible for the information they use with clients.

What questions should advisors ask AI vendors?

Start with the basics. Is client data used to train models? Can AI-generated outputs be reviewed before they reach a client? Can those outputs be verified? The answers reveal a great deal about how seriously a vendor approaches AI governance.

What is a zero-training commitment?

A zero-training commitment means a vendor doesn’t use customer data to train or fine-tune AI models. Advisors should look for that commitment in writing and confirm that it applies to any third parties involved in generating AI outputs.

