Before your firm starts using AI across operations, client service, reporting, or advisor workflows, there's one basic question leadership needs to answer: what kind of AI are we talking about?

It sounds simple. It isn't. Not every AI tool treats data, control, and risk the same way. The ChatGPT prompt someone can pull up on their phone is a fundamentally different environment than a paid Microsoft Copilot deployment or an enterprise-grade closed model. Both have their uses. They should not be used the same way.

I've had this conversation a lot — with CCOs, CEOs, and CISOs at Ascent and elsewhere. In almost every case, the most useful thing I can do is start with the basics.

Know What You're Working With

Open AI tools are widely available, often free, and trained on large public datasets. Because they draw from such a broad pool of inputs, they tend to perform well on general tasks — research, brainstorming, drafting outlines, summarizing publicly available information. That broad training is part of what makes them useful.

It's also exactly why sensitive information doesn't belong there.

Client names, meeting notes, account details, financial plans, tax documents, internal reports, proprietary firm data — none of that should go into an open AI environment. COOs, CISOs, and compliance leaders need to be explicit with employees and advisors about where that line is, because if you don't draw it, someone else will — probably at the worst possible moment.

Closed AI is different. In a fully closed model, your firm owns the input and the output. That data doesn't go anywhere. It's not shared. It doesn't train a model that someone outside your organization can query. That's the reason you'd pay for it.

But closed AI comes with a tradeoff. Because it's only drawing from what your firm has fed it, you lose the breadth of perspective that a broader training set provides. A closed model tells you what it's already been told. Done wrong, that becomes an echo chamber.

Neither model is universally better. The right choice depends on what you're trying to do.

Match the Tool to the Use Case

For general, non-client-specific work — drafting internal communications, summarizing public research, exploring a concept — open AI is often fine. For anything involving sensitive business information, client data, or proprietary firm content, a closed environment is the appropriate choice, and the cost is usually worth it.

That said, a closed model is not a free pass. The output still needs to be reviewed. Accuracy matters. Communications that go to clients or advisors still need oversight. The security of the input environment doesn't eliminate the need to validate what comes out.

The questions firms should be asking before deploying any AI tool: What are we trying to accomplish? What data does this use case involve? Who needs access? Does this justify the controls required for a closed environment? Those answers should drive the decision — not the cost of the tool, and not the convenience of what's already on someone's phone.

Build the Policy Before You Need It

Here's the compliance piece that I think firms aren't taking seriously enough: the absence of AI-specific SEC guidance does not mean AI use is unrestricted.

If your firm uses AI in a way that violates existing rules — around client privacy, supervision, advertising, books and records, fiduciary responsibility — you're still liable. "The SEC doesn't have AI rules yet" is not a defense. The accountability runs through the existing framework, and advisors who treat AI as a regulatory gray area are going to find out the hard way that it isn't.

So even without a formal AI rulebook, firms need a policy. It doesn't have to be complicated, but it has to exist.

At minimum, that policy should spell out:

  • Which AI tools employees are approved to use
  • What data is and isn't permitted as input, mapped to whether the model is open or closed
  • What review is required before AI-assisted output is used externally — for accuracy, compliance, and copyright
  • Who has oversight responsibility and how AI-assisted work gets documented

Open and closed AI should not be governed by the same rules. Your policy should reflect that distinction.

The firms I've seen handle this well aren't the ones waiting for regulators to hand them a checklist. They're the ones that mapped out their own risk profile, made clear decisions about approved tools and data boundaries, and gave their people a framework before those decisions got made ad hoc.

AI is a powerful tool. The goal isn't to avoid it. The goal is to use it with enough clarity that when something goes wrong — and eventually, something will — your firm can show it acted responsibly.

That starts with understanding the difference between open and closed AI. Everything else follows from there.

One important clarification: Paying for an AI tool does not make it a closed model. A paid subscription to a consumer AI platform — faster responses, more features, higher usage limits — is still an open environment if your data is being used to train the underlying model or shared beyond your firm's control. What you're paying for and what you're actually getting are two different questions. Before your firm treats any tool as a closed model, verify what the vendor's data handling terms actually say. If you don't know where your inputs go, you don't have a closed model — you have an open one with a monthly fee.
