A tool call is a single operation an AI makes against an external system - a database query, an email send, a file read, a payment authorization, a Slack message - that happens *during* a conversation rather than being typed by the user. Modern AI sessions can contain dozens of tool calls per user prompt. Each one carries arguments (what the AI asked the tool to do), results (what the tool returned), timing, status, and the user identity that authorized the call.

Are tool calls subject to SEC and FINRA recordkeeping rules?

Regulators have not issued tool-call-specific guidance as of 2026. The existing rules (SEC 17a-4, FINRA 4511, the Advisers Act recordkeeping requirements) are channel-agnostic: communications and activity relating to client business, recommendations, or firm operations may be records under those rules. A tool call that sends a client email, updates a CRM, queries a portfolio system, or executes a trade is the AI taking action on behalf of the firm. The content of that activity, not the form factor, determines whether the obligation is likely implicated.

Why is the chat transcript not enough?

The transcript captures what the model said. A tool call captures what the firm's AI actually did. A model that says 'I will send that email now' produces text in the transcript. The actual send happens through a tool call - subject line, recipient, body, attachments, return message ID. If only the transcript is archived, the firm has a description of an action but no direct evidence of the action itself. An examiner asking 'show me what this employee's AI did on August 12' may not accept the transcript alone.

What do current compliance vendors capture?

As of public materials reviewed 2026-05-15, Smarsh publicly documents ChatGPT Enterprise and Microsoft 365 Copilot capture. Global Relay publicly documents ChatGPT Enterprise capture. Theta Lake publicly documents Microsoft Copilot inspection and capture. The OpenAI Compliance Platform itself includes conversations, files, memories, users, and workspace GPT configuration and metadata. Which of those data types each vendor exposes in examiner-ready form - and whether tool calls, GPT Action arguments and results, knowledge retrievals, and execution context are part of that export - is not consistently documented across vendor public materials. If a firm relies on these for regulated activity, request current documentation.

What evidence is an examiner likely to ask for?

Expect requests in the form 'show me everything this employee did with AI on [date] relating to [client / matter / ticker].' A defensible answer includes the prompt, the response, every tool call the AI made (with arguments and results), every retrieval, the model identity and version, the system prompt, the tool surface, any lifecycle hooks that fired, and the policy decisions made before each call ran. This is the reconstruction context. Some of this is in current vendors' capture today. Most of it is not.

Are LLM tool calls business records?

Part of: AI Activity Retention

AI Activity Retention for Regulated Firms The category overview - what AI activity retention means, why the chat transcript is not the full record, and how Arc spans human channels and AI execution.

A tool call is a single operation an AI makes against an external system - a database query, an email send, a file read, a payment authorization, a Slack message - that happens during a conversation rather than being typed by the user. The user prompts the model. The model decides to call a tool. The tool runs. The tool returns a result. The model uses the result to decide what to do next.

This is how modern AI works. It is also how a few words in a chat window become real business actions a regulated firm is accountable for.

The question this page answers: are those tool calls business records under existing SEC and FINRA rules, and if they are, what does it actually take to preserve them?

What a tool call looks like in practice

A registered representative opens a Copilot or ChatGPT Enterprise session and asks:

“Pull the latest performance data for the Henderson account and draft a quarterly review email to send to the client.”

What appears in the chat transcript is the rep’s prompt and a paragraph of AI-generated text. What actually happens during that exchange is closer to:

A tool call to a portfolio system: get_account_performance(account_id="HND-44218", quarter="Q3-2026"). Returns a performance JSON.
A tool call to a CRM: get_contact(account_id="HND-44218"). Returns client email and address.
A tool call to a document store: retrieve_template(name="quarterly-review-2026"). Returns the template body.
A draft response from the model with the filled-in template.
A tool call to send the email: send_email(to=..., subject=..., body=..., attachments=[...]). Returns a message ID.

The chat transcript shows the user’s prompt and a narrative version of step 4 - the AI’s drafted email and any prose around it. Steps 1, 2, 3, and 5 are the actual business activity: the performance data leaving the portfolio system, the client contact details being read, the template being retrieved, the email being sent. None of those tool calls appear in the chat transcript in any examiner-usable form. Without the tool calls, the firm has the AI’s description of what happened. With the tool calls, the firm has direct evidence.

Why existing rules likely apply

SEC Rule 17a-4 and FINRA Rule 4511 are channel-agnostic. They require broker-dealers to retain originals of all communications relating to the firm’s business. The Investment Advisers Act recordkeeping rules (SEC Rule 204-2) require investment advisers to preserve written communications relating to advisory business. None of these rules carve out AI tools. None require the communication to be in any particular form factor.

A tool call that sends a client email is likely a communication under those rules. A tool call that records a trade recommendation in a CRM is likely a record relating to firm business. A tool call that queries account performance and produces a client-facing summary is likely part of an advisory communication. The content determines whether the obligation is implicated, not the channel.

This is the same logic the SEC and FINRA pursued for WhatsApp, Signal, and iMessage during the 2021-2024 off-channel sweep. Neither the channel nor the format exempted the activity. The content was regulated, and firms were expected to preserve it. The sweep produced over $2 billion in penalties because firms could not produce records of communications that happened in channels they did not archive.

Whether tool-call activity follows the same enforcement pattern is not yet established. The framework that would support that path is in place.

What regulators have actually said

The SEC’s 2026 examination priorities explicitly name AI governance as a focus area. Examiners have been directed to assess whether firms have policies governing employee use of AI tools, whether those policies are enforced, and whether records of AI-assisted activity are being retained.

FINRA’s 2026 Annual Regulatory Oversight Report and Notice 24-09 signal that existing rules apply to AI-generated communications in the same manner as any other business communication.

What regulators have not specifically said: a tool call inside an AI session is a business record. That ambiguity is what makes this question current. The existing framework appears to implicate the activity, but no formal rulemaking says “yes, tool calls specifically.” A defensible compliance posture, in consultation with the firm’s counsel, often does not wait for explicit rulemaking before preserving activity that the existing framework appears to cover.

What the chat transcript misses

A captured ChatGPT or Copilot transcript captures the user’s prompts, the model’s responses, and timestamps. It is real progress and represents the work the major archive vendors have shipped via the OpenAI Compliance API and Microsoft Purview integrations.

As of public materials reviewed 2026-05-15, archive vendors generally do not document examiner-ready capture of the following beyond the chat transcript:

The arguments passed to each tool call (what the AI asked the tool to do)
The results returned by each tool call (what the AI received in response)
The user identity that authorized each tool call (when more than one employee shares an agent context)
The timing and latency of each tool call
The order in which tool calls fired relative to the model’s reasoning
The policy decisions made before each tool call ran - was anything denied, redacted, rate-limited
The model identity and version
The system prompt in effect
The tool surface (which tools the AI was permitted to call)
Lifecycle hooks that fired before or after each call

Vendors update their integrations. If a specific item above matters for a firm’s compliance posture, request current documentation from the vendor.

A firm that has captured only the transcript can describe to an examiner what the AI said it did. A firm that has captured the tool calls and execution context has direct evidence of what the firm did.

What a captured tool call should contain

A defensible captured tool call has the same general shape as any other regulated business record. Identity, timing, content, immutability.

Field	What it captures
User identity	Who authorized the AI session that produced this call
Tool name	Which tool was invoked
Tool arguments	The full set of arguments the AI passed
Tool result	The complete return value, including errors
Timing	When the call was issued, when it completed
Status	Success, error, denied by policy, redacted, rate-limited
Policy decision	Any middleware verdict made before the call ran
Model identity	The model and version that issued the call
Harness identity	The software wrapping the AI (web app, IDE, custom agent runtime)
Tool surface	The set of tools the AI was permitted to call at the time
Session context	The conversation or run trace the call belongs to

This is what reconstruction context for tool calls looks like in practice. It is the format an examiner asking “what did this AI actually do” can work with.

What an examiner is likely to ask for

Examination requests typically arrive in plain language and ask for activity, not artifacts.

“Provide all communications and records relating to the Henderson account between July 1 and August 31, including any AI-assisted output.”

A firm answering that request needs to be able to assemble:

The AI sessions that touched Henderson during that window
The full set of tool calls inside those sessions, with arguments and results
The retrievals that included Henderson data
The agent actions taken on Henderson’s behalf
The execution context (model, harness, system prompt, tool surface, hook firings) in effect

That is more than a transcript export. It is a query against captured execution.

How Arc captures it

Arc Relay sits between AI clients and the tools they call. Every tool call passes through a configurable middleware pipeline before reaching the destination tool. The pipeline authenticates the user, checks per-tool access, runs sanitizer middleware (PII redaction, custom regex, size limits), runs alerter middleware (pattern matching for high-risk tools), executes the call, and archives the full request and response with user identity, timing, status, and policy outcomes.

Tool-call capture via Arc Relay is in production today. It is open source under MIT license. A firm can self-host it behind its own firewall, point existing MCP clients at it, and have a tamper-evident record of every tool call from day one.

For AI surfaces that do not use MCP - ChatGPT Enterprise, Microsoft Copilot, Claude Enterprise, GitHub Copilot, self-hosted runtimes - Arc Bridge and Arc Gate extend the same compliance pipeline. Demo available today; production deployment is configured during the customer engagement.