IOSCO
International Organization of Securities Commissions · www.iosco.org/
IOSCO is the global standard-setter for securities markets. Its FR/02/2026 Supervisory Toolkit for AI Use in Capital Markets sets out the records, audit trail, and disclosures supervisors expect firms to be able to evidence — the basis for the pack below.
How the publications map to ponens policies
The IOSCO Supervisory Toolkit is supervisor-facing: for each area it lists the “Supporting Evidence for Review” a firm must be able to produce. ponens treats that evidence column as the specification. Each recordkeeping and disclosure expectation from Tables 5 and 6 becomes a policy over the AI system's decision/output trace — that decisions and outputs are logged and model-version-stamped, traceable to the actions they drive, explainable, human-overseen where material, incident-recorded with root cause, and properly disclosed to clients. ponens makes that evidence computable rather than a manual document review.
Where the FIX pack is preventive — gating execution in real time — this pack is evidentiary: it computes the audit trail a supervisor would otherwise inspect by hand. ponens trace check returns pass / warning / error per requirement and aggregates to a Green / Amber / Red picture of exactly which records or disclosures are missing. The toolkit's organisational layers — monitoring indicators, third-party concentration, and firm-level governance such as board oversight and training — are population- or firm-level rather than per-trace, and so are intentionally out of scope for this pack.
Supervisory Recordkeeping & Disclosure
The IOSCO Supervisory Toolkit's recordkeeping, audit-trail and disclosure expectations, expressed as computable policies over an AI system's decision/execution trace.
Maps Tables 5 (Disclosure) and 6 (Recordkeeping & reporting) of the IOSCO FR/02/2026 Supervisory Toolkit onto ponens policies. Where the FIX pack is preventive runtime governance, this pack is evidentiary: it checks that AI decisions and outputs are logged, traceable to the actions they drive, explainable, human-overseen where material, incident-recorded, and properly disclosed to clients — i.e. it computes the 'Supporting Evidence for Review' a supervisor would otherwise inspect by hand.
Source: IOSCO FR/02/2026 — Supervisory Toolkit for AI Use in Capital Markets (May 2026).
Recordkeeping & Audit Trail (7)

ai_inventory_recorded · warning · AI Inventory Recorded
AI systems producing decisions or outputs are recorded in the firm's AI inventory.
G((Decision ∨ Output) → inventory_recorded)

ai_outcomes_logged · error · AI Outcomes Logged
Every AI decision or output is recorded, with the model version that produced it, throughout the AI system lifecycle.
G((Decision ∨ Output) → logged ∧ model_version_recorded)

decision_logic_recorded · error · Decision Logic Recorded
Each AI output documents the decision-making logic and reasoning behind it (explainability).
G(Output → explainability_recorded)

human_oversight_evidenced · error · Human Oversight Evidenced
Investor- or market-impacting AI outcomes carry evidence of human oversight or intervention.
G(material_impact → human_reviewed)

incidents_root_caused · error · Incidents Root-Caused
AI-related incidents are recorded with root-cause analysis and remediation actions.
G(Incident → root_cause_recorded ∧ remediation_recorded)

output_action_traceable · error · Output-to-Action Traceable
Every consequential action is traceable to a logged AI output that preceded it.
G((Release ∨ Deploy) → P(Output ∧ logged))

reportable_incident_notified · error · Reportable Incident Notified
Reportable AI incidents are notified to the supervisory authority.
G(Incident ∧ reportable → F(supervisor_notified))

Disclosure & Transparency (4)

ai_content_marked · warning · AI Content Marked
AI-generated client-facing content is marked or labelled as AI-generated/synthetic.
G(Output ∧ client_facing → marked_ai_generated)

ai_use_disclosed · error · AI Use Disclosed
Clients are informed when an AI system is generating client-facing responses or analysis.
G(Output ∧ client_facing → ai_disclosed)

consent_for_ai_decisions · warning · Consent for AI Decisions
Client consent is recorded where AI materially affects client rights, account access, or privacy.
G(ai_affects_client_rights → P(client_consent))

no_ai_washing · error · No AI-Washing
Public claims about the firm's AI are substantiated and not overstated (no 'AI-washing').
G(ai_claim → claim_substantiated)
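
The formulas above read as linear temporal logic over a finite decision trace. As an added example (not ponens code or its policy syntax), the Python below evaluates four of them over constructed traces. The operator semantics (P as "at or before this step", F bounded by the end of the trace) and the roll-up rule (any error gives Red, otherwise any warning gives Amber) are assumptions.

```python
# Added example, not ponens code. Assumed semantics on a finite trace:
# G/F quantify over steps i..end, P ("once") over steps 0..i inclusive.
def atom(name): return lambda tr, i: name in tr[i]
def AND(*fs): return lambda tr, i: all(f(tr, i) for f in fs)
def OR(*fs): return lambda tr, i: any(f(tr, i) for f in fs)
def IMPLIES(a, b): return lambda tr, i: (not a(tr, i)) or b(tr, i)
def G(f): return lambda tr, i: all(f(tr, j) for j in range(i, len(tr)))
def F(f): return lambda tr, i: any(f(tr, j) for j in range(i, len(tr)))
def P(f): return lambda tr, i: any(f(tr, j) for j in range(i + 1))

# Four of the pack's policies, transcribed from the formulas on this page.
POLICIES = {
    "ai_outcomes_logged": ("error", G(IMPLIES(
        OR(atom("Decision"), atom("Output")),
        AND(atom("logged"), atom("model_version_recorded"))))),
    "output_action_traceable": ("error", G(IMPLIES(
        OR(atom("Release"), atom("Deploy")),
        P(AND(atom("Output"), atom("logged")))))),
    "reportable_incident_notified": ("error", G(IMPLIES(
        AND(atom("Incident"), atom("reportable")),
        F(atom("supervisor_notified"))))),
    "ai_content_marked": ("warning", G(IMPLIES(
        AND(atom("Output"), atom("client_facing")),
        atom("marked_ai_generated")))),
}

def check(trace):
    """Return (per-policy result, roll-up colour) for one trace."""
    results = {name: "pass" if formula(trace, 0) else severity
               for name, (severity, formula) in POLICIES.items()}
    outcomes = set(results.values())
    colour = ("Red" if "error" in outcomes
              else "Amber" if "warning" in outcomes else "Green")
    return results, colour

# Constructed traces: each step is the set of propositions true at that step.
GOOD = [{"Output", "logged", "model_version_recorded",
         "client_facing", "marked_ai_generated"},
        {"Release"}, {"Incident", "reportable"}, {"supervisor_notified"}]
# Release precedes any logged output, content is unmarked, and the
# reportable incident is never followed by a notification.
BAD = [{"Release"},
       {"Output", "logged", "model_version_recorded", "client_facing"},
       {"Incident", "reportable"}]

if __name__ == "__main__":
    for label, trace in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check(trace))
```

With F bounded by the end of the trace, an incident recorded in the final step with no later notification reports as an error; how ponens treats an obligation still open when the trace ends is not stated on this page.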