Self-Hosted AI for Finance: Tenant Isolation, SEC 17a-4 Audit Trails, and Compliance Review
Compliance review kills more AI pilots in finance than any other failure mode. The technology works. The vendor questionnaire doesn't.
Most "AI for finance" products are SaaS layers on top of multi-tenant LLM APIs. That architecture is a non-starter for regulated firms (investment banks, hedge funds, asset managers, private equity) because it puts client data in a perimeter the firm doesn't control. Compliance, IT, and legal sign off on deployment, not on demos.
This post walks through what "self-hosted AI" actually means in 2026, and what the architecture has to look like to clear a real compliance review at a regulated firm.
§1. What self-hosted AI actually means
Self-hosted AI is not a marketing label. It has a specific technical meaning: the inference, the data, the indexing, and the audit log all live inside the firm's own cloud tenant. No data crosses into a vendor-controlled environment, ever.
Three deployment patterns get called "self-hosted", but only one of them is:
- Vendor SaaS with "private" branding. Data still flows to the vendor's infrastructure. Not self-hosted.
- VPC peering or private link. Data crosses a private network connection but still lands in the vendor's account. Not self-hosted.
- Per-tenant deployment in the customer's cloud account. Infrastructure provisioned inside the customer's Azure subscription or AWS account. Vendor has no runtime access. This is self-hosted.
For a compliance team, only the third option satisfies the question "where does our data physically live."
§2. Per-tenant deployment
A self-hosted AI deployment for finance ships into the customer's existing cloud footprint:
- Azure deployments. App Service for the application layer, Cosmos DB for indexed firm data, Key Vault for secrets and credentials. The whole stack runs under the firm's Azure subscription, billed to their existing enterprise agreement.
- AWS deployments. Provisioned via Terraform into the firm's AWS account. Inference goes through Amazon Bedrock, scoped to the firm's account.
Both paths ship via CI/CD into fully isolated environments. No shared infrastructure with other customers. No shared models. No shared databases. The firm's security team owns the network boundary, the IAM policies, and the keys.
§3. Isolated model endpoints
Tenant isolation extends to the model layer. Each tenant runs against its own model endpoint. For AWS deployments that means a tenant-scoped Bedrock invocation; for Azure it means tenant-scoped routing to Azure OpenAI or to per-tenant inference endpoints.
This matters for two reasons:
- No training on client data. When the model endpoint is scoped to your tenant, model traffic cannot be aggregated across customers. There is no shared corpus to train on.
- No cross-tenant leakage. A prompt from one firm cannot influence outputs at another firm, because the endpoints are physically separate.
The current routing layer dispatches per task across Claude Opus, Sonnet, and Haiku via Bedrock. Embeddings use OpenAI text-embedding-3-large. All inference is scoped to the customer's tenant.
§4. SEC 17a-4 audit trail
SEC Rule 17a-4 governs books-and-records retention for broker-dealers. AI outputs that influence investment decisions or client communications fall under it. The compliance question is: can you produce, on demand, a tamper-evident record of every AI-generated artifact, who requested it, what data it drew from, and what was returned?
A self-hosted AI deployment for finance has to log:
- Every prompt, with the user identity and timestamp.
- Every retrieval call, with the source documents accessed.
- Every model response, with the model version and routing path.
- Every downstream artifact (document, slide, table) generated from that response.
The log has to be immutable, retained per the firm's retention policy, and exportable in a compliance-friendly format. Admins should be able to filter by user, date range, deliverable type, or source document.
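One way to make such a log tamper-evident is a hash chain, sketched below as an added example (not code from this post or from any vendor product). The record fields, the GENESIS anchor, and the sample events are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for the first record

def _digest(body):
    # Canonical JSON so a record always hashes to the same value.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()

def append_event(log, kind, user, ts, detail):
    """Append one event that commits to the hash of the previous record."""
    body = {"seq": len(log), "kind": kind, "user": user, "ts": ts,
            "detail": detail, "prev": log[-1]["hash"] if log else GENESIS}
    log.append(dict(body, hash=_digest(body)))
    return log[-1]

def verify_chain(log):
    """Return -1 if intact, else the index of the first record that fails."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["seq"] != i or rec["prev"] != prev or _digest(body) != rec["hash"]:
            return i
        prev = rec["hash"]
    return -1

def filter_events(log, user=None, start=None, end=None, source_doc=None):
    """Admin filter by user, ISO 8601 UTC date range, or source document."""
    return [r for r in log
            if (user is None or r["user"] == user)
            and (start is None or r["ts"] >= start)
            and (end is None or r["ts"] <= end)
            and (source_doc is None
                 or source_doc in r["detail"].get("sources", []))]

def sample_log():
    """Constructed sample: one request traced from prompt to artifact."""
    log = []
    append_event(log, "prompt", "analyst1", "2026-01-05T14:00:00Z",
                 {"text": "Summarize Q3 revenue drivers"})
    append_event(log, "retrieval", "analyst1", "2026-01-05T14:00:01Z",
                 {"sources": ["10-Q_2025Q3.pdf", "earnings_call.txt"]})
    append_event(log, "response", "analyst1", "2026-01-05T14:00:04Z",
                 {"model": "model-version-placeholder", "route": "summarize"})
    append_event(log, "artifact", "analyst1", "2026-01-05T14:00:09Z",
                 {"type": "memo", "sources": ["10-Q_2025Q3.pdf"]})
    return log
```

The chain detects edits and mid-log deletions. Truncating the tail or rewriting the whole chain is only detectable if the latest hash is also anchored outside the log store, for example in write-once storage.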
§5. Verification layer
Citation isn't a UX feature. It's a compliance requirement. Every claim in an AI-generated artifact has to trace back to source data, with attribution to the originating document, page, and passage.
The verification layer cross-checks generated outputs against the retrieval set. If a claim doesn't ground to a cited source, it doesn't ship. This is what makes AI outputs auditable: a compliance reviewer can pick any sentence in a memo and trace it to the underlying filing, transcript, or internal document it came from.
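A sketch of the grounding gate described above, as an added example (not the post's or any product's code). It assumes each claim carries a citation of document, page, and quoted passage, and that the retrieval set is keyed by (document, page); the sample data is constructed.

```python
import re

def _norm(text):
    # Collapse whitespace and case so line wraps in the source still match.
    return re.sub(r"\s+", " ", text).strip().lower()

def ungrounded_claims(claims, retrieval_set):
    """Return (claim index, reason) for every claim that fails grounding.

    claims:        list of {"text", "doc", "page", "passage"} (assumed shape)
    retrieval_set: {(doc, page): page_text} for this request only
    """
    failures = []
    for i, claim in enumerate(claims):
        key = (claim.get("doc"), claim.get("page"))
        passage = _norm(claim.get("passage") or "")
        if not passage:
            failures.append((i, "no cited passage"))
        elif key not in retrieval_set:
            failures.append((i, "cited page was not retrieved"))
        elif passage not in _norm(retrieval_set[key]):
            failures.append((i, "passage not found on cited page"))
    return failures

def can_ship(claims, retrieval_set):
    """The artifact ships only when every claim grounds to a cited source."""
    return not ungrounded_claims(claims, retrieval_set)

# Constructed sample: one retrieved page and four claims from a draft memo.
RETRIEVED = {
    ("10-Q_2025Q3.pdf", 12):
        "Revenue increased 8% year over year,\n driven by subscription growth.",
}
CLAIMS = [
    {"text": "Revenue grew 8% YoY.", "doc": "10-Q_2025Q3.pdf", "page": 12,
     "passage": "Revenue increased 8% year over year"},
    {"text": "Margins expanded.", "doc": "10-Q_2025Q3.pdf", "page": 14,
     "passage": "gross margin expanded"},
    {"text": "Guidance was raised.", "doc": "10-Q_2025Q3.pdf", "page": 12,
     "passage": "raised full-year guidance"},
    {"text": "Churn fell.", "doc": None, "page": None, "passage": ""},
]

if __name__ == "__main__":
    for index, reason in ungrounded_claims(CLAIMS, RETRIEVED):
        print(f"claim {index}: {reason}")
```

This confirms that the quoted passage exists where the citation says it does. Whether the passage actually supports the claim is a separate check that this sketch does not perform.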
§6. Governance and two-step deletion
Destructive actions need a checkpoint. In a finance deployment, that means:
- Admin approval for deletions. A user cannot unilaterally delete indexed documents, model outputs, or audit log entries.
- Two-step sign-off. Compliance or IT has to approve any destructive action. This prevents accidental data loss and prevents bad-actor scenarios where a single compromised account could erase records.
For SEC 17a-4 environments specifically, deletion is rarely the right action. The right action is retention with archival markers. The governance layer enforces that.
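The two-step rule with archival markers, sketched as an added example (not code from this post or any product). The class names, the role names, and the set of retention-locked record kinds are assumptions made for illustration.

```python
from dataclasses import dataclass

APPROVER_ROLES = {"compliance", "it"}              # approvers named in the text
RETENTION_LOCKED = {"audit_log", "model_output"}   # assumed 17a-4 retained kinds

@dataclass
class Record:
    rid: str
    kind: str                # indexed_document | model_output | audit_log
    state: str = "active"    # active | archived | deleted

@dataclass
class DeletionRequest:
    record: Record
    requester: str
    status: str = "pending"  # pending | approved
    approver: str = ""

class Governance:
    def __init__(self, roles):
        self.roles = roles   # user -> role
        self.events = []     # each step is recorded for the audit trail

    def request(self, user, record):
        """Step one: any user may ask, but nothing changes yet."""
        self.events.append(("requested", user, record.rid))
        return DeletionRequest(record, user)

    def approve(self, user, req):
        """Step two: a different person holding an approver role decides."""
        if req.status != "pending":
            raise PermissionError("request already decided")
        if user == req.requester:
            raise PermissionError("requester cannot approve their own request")
        if self.roles.get(user) not in APPROVER_ROLES:
            raise PermissionError("approver must be compliance or IT")
        req.status, req.approver = "approved", user
        # Retention-locked kinds get an archival marker instead of erasure.
        locked = req.record.kind in RETENTION_LOCKED
        req.record.state = "archived" if locked else "deleted"
        self.events.append((req.record.state, user, req.record.rid))
        return req.record.state
```

Blocking self-approval is what keeps a single compromised account, even one with the compliance role, from completing a destructive action alone.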
§7. What compliance teams ask first
When yAI walks into a compliance review, the questions are predictable:
- Where is our data physically hosted? (Answer: your Azure or AWS tenant.)
- Does the vendor have access to our data? (Answer: no runtime access.)
- Do you train on our data? (Answer: no, isolated model endpoints.)
- How do we audit AI outputs? (Answer: immutable log with full provenance.)
- How do we delete data? (Answer: two-step admin approval.)
- What's the breach blast radius? (Answer: scoped to the tenant; no cross-customer exposure.)
Every question has a concrete architectural answer. That's what gets a pilot approved.
§8. Why this is table-stakes, not premium
A common pricing pattern in enterprise SaaS is to gate "private deployment" behind an enterprise tier. For finance, that pattern doesn't work. Compliance review doesn't have a SKU. Either the architecture clears review or it doesn't.
The right way to ship AI for finance is to make tenant isolation, isolated model endpoints, and audit trails the default, not the upsell. Everything else is built on top of that foundation.
§9. Conclusion
The firms that get AI into production are the ones that bring an architecture compliance can sign off on. That means per-tenant deployment in the customer's cloud, isolated model endpoints, SEC 17a-4-grade audit trails, citation-grounded outputs, and governed deletion.
This isn't a roadmap item. It's the entry condition.