Table of Contents▾
The short answer: AI governance is the set of policies and controls that keep your dealership's AI tools (chatbot, BDC, pricing, credit) compliant with data-security, consumer-protection, and privacy law. The FTC has been clear there is no AI exemption: you are responsible for what your AI says, the same as a salesperson on the floor.
Artificial intelligence has moved from a novelty to a daily operating reality inside the dealership. Chatbots qualify leads overnight. AI tools draft ad copy, price vehicles, screen credit applications, and answer service questions before a human ever picks up the phone.
That shift created a category of risk most dealers have not fully priced in: AI governance. Regulators are not treating AI as a gray area. The rules apply just as much to a single-point independent lot as they do to a 40-store dealer group, and they are existing laws being applied to new tools, not a special carve-out for AI.
This is especially true for smaller and independent dealers. Franchised megadealers often have compliance officers, in-house counsel, and dedicated IT security teams. Most independent dealers do not. That gap is exactly where regulatory exposure tends to concentrate, and it is exactly where the right AI vendor can close the distance. This guide breaks down what AI governance means for a dealership, which rules matter in 2026, and the specific practices every dealer should have in place before deploying AI in sales, service, marketing, or finance.
Why AI Governance Matters More in 2026 Than Ever
Three developments have converged to put AI governance on the front burner for auto dealers.
The FTC has made clear there is no AI exemption. The Federal Trade Commission's Operation AI Comply sweep, announced in September 2024, established a principle that shapes enforcement today: if a claim would be deceptive coming from a salesperson, it is still deceptive coming from a chatbot. The dealership is responsible for what its AI says, not the vendor that built it. The FTC's focus on deceptive AI has continued into 2026.
The FTC Safeguards Rule has real teeth. Under the Gramm-Leach-Bliley Act, most auto dealers count as financial institutions because they arrange financing or leasing. The amended Safeguards Rule requires a written information security program, including multi-factor authentication for anyone accessing customer information. It is an active compliance area, and auditors focus heavily on whether MFA is actually implemented across the DMS, CRM, and email, not just written into a policy binder.
California's ADMT rules are coming, and other states are following. The California Privacy Protection Agency finalized its CCPA regulations on automated decision-making technology (ADMT), which took effect January 1, 2026. The ADMT-specific obligations phase in on a delay: businesses that use ADMT for a significant decision (a category that includes lending, credit, and financing, though not advertising) must comply beginning January 1, 2027, with risk assessments and pre-use notices required by April 1, 2027. More states are expected to adopt similar rules, so dealers using AI anywhere in the credit or F and I workflow should map their exposure now, well ahead of the 2027 deadlines.
On top of these, the Telephone Consumer Protection Act (TCPA) governs every automated text and call an AI BDC sends, and a growing number of states require disclosure when a customer is talking to a bot rather than a person.
Here is how the four rules that matter most line up, and what each one actually asks of a dealer.
| Rule | What it covers | What the dealer must do |
|---|---|---|
| FTC Act / Operation AI Comply | Deceptive claims made by AI (chatbot, pricing, BDC) | Stand behind every AI claim as if a salesperson made it. No "guaranteed approval" the store cannot back. |
| FTC Safeguards Rule (GLBA) | Customer data security at dealers who arrange financing | Written security program, MFA across DMS, CRM, and email, encryption, and documented vendor oversight. |
| California ADMT (CCPA) | AI that drives significant decisions like credit and financing | Pre-use notices, consumer opt-out, and risk assessments (phasing in through 2027). Map where AI touches F and I now. |
| TCPA and state bot-disclosure laws | Automated texts and calls, plus AI chat | Track consent, honor opt-outs in real time, and disclose when a customer is talking to a bot. |
Why Independent and Small Dealers Are More Exposed, Not Less
There is a common assumption that AI governance is a big-dealer-group problem. The opposite is usually true.
- Independent dealers are less likely to have a dedicated compliance or legal function reviewing vendor contracts and AI outputs.
- Smaller dealers often adopt AI tools straight from a vendor's default configuration, with limited internal IT oversight of how the tool handles consent, data, or escalation.
- A single deceptive AI-generated message, a mishandled data breach, or an improperly tracked opt-out can carry the same FTC or state penalty regardless of dealership size.
- Independent dealers frequently run sales, service, and F and I data on shared networks without the segmentation the Safeguards Rule effectively requires.
The regulatory bar is the same for a single rooftop as it is for a 50-store group. The resources to clear that bar are not. That makes vendor selection one of the most important governance decisions a small dealer will make.

Core AI Governance Best Practices for Every Dealership
These are the practices that matter most, based on where enforcement and regulation are actually focused right now.
1. Build a written information security program
This is not optional for dealers who arrange financing, which covers most franchised and independent dealers. A compliant program should include a designated qualified individual responsible for the program, multi-factor authentication for anyone accessing customer information in the DMS, CRM, website backend, or email, encryption of customer data at rest and in transit, regular risk assessments (including of AI and software vendors with access to customer data), a tested incident response plan rather than one sitting on a shelf, and documented vendor oversight, since the Safeguards Rule holds the dealer responsible for how its service providers handle customer data.
2. Treat every AI output as a dealership statement
Any claim your chatbot, AI BDC, or AI pricing tool makes is treated by regulators as a claim the dealership made. No AI system should promise financing outcomes like "guaranteed approval" unless the store can actually back it. Pricing, incentive, and vehicle-condition claims generated by AI need the same accuracy standard as a claim made by a salesperson on the floor. And there should be a documented process for what happens when the AI gets something wrong: a customer-facing correction, an internal review, and an update to the tool's rules or training.
3. Disclose that customers are talking to AI
A growing number of states require clear disclosure when a customer is interacting with a bot rather than a person. Even where it is not yet mandated, transparent disclosure reduces both legal exposure and customer distrust. It applies to website chat, SMS and BDC conversations, and phone-based AI assistants.
4. Manage consent and communication compliance inside the platform
Every automated text or call an AI system sends is subject to TCPA. Consent has to be tracked at the point of capture, not assumed. Opt-outs need to be honored in real time, not on a delayed batch process. Quiet hours and frequency limits need to be enforced automatically, not left to manual oversight. If a vendor's platform does not enforce this at the system level, the liability sits entirely with the dealership.
5. Understand where AI touches credit and financing decisions
Under California's ADMT rules, and the state privacy frameworks likely to follow, any tool that processes personal information and materially influences a lending, credit, or financing decision may trigger specific obligations: pre-use notices, consumer opt-out rights, and documented risk assessments, phasing in through 2027. Map exactly where AI touches your credit and F and I workflow, and confirm the vendor can support the required consumer-facing controls before those deadlines arrive.
6. Vet AI vendors like you vet your DMS provider
Your AI vendor likely has access to some of your most sensitive customer data. Before signing, confirm how the vendor implements MFA and encryption, whether it has documented and tested incident response procedures, how it handles consent tracking, opt-outs, and quiet hours for automated messaging, whether the AI has guardrails against hallucinated pricing, financing, or condition claims, and whether the vendor can support pre-use notices and opt-out mechanics for any AI touching credit decisions.
A Practical AI Governance Checklist for Independent Dealers
- Written, comprehensive information security program in place
- MFA enforced across DMS, CRM, website admin, and email
- Customer data encrypted at rest and in transit
- Incident response plan documented and tested, not just filed away
- AI chatbot and BDC outputs reviewed for accuracy on pricing, financing, and condition claims
- Bot disclosure implemented on website chat and SMS conversations
- Consent, opt-out, and quiet-hour enforcement automated at the platform level
- Credit and F and I touchpoints mapped for ADMT and state privacy exposure ahead of the 2027 deadlines
- Vendor contracts reviewed for data handling, security, and compliance support
- A named person internally accountable for AI oversight, even at a single-rooftop dealership
Where Get My Auto Fits Into This Picture
Most independent dealers do not have the bandwidth to build all of this from scratch. That is the gap Get My Auto was built to close. The platform was designed around these governance principles rather than bolting them on after the fact.
The dealer management system and CRM are built with access management and data-security controls that support the written information security program dealers need under the Safeguards Rule, including multi-factor authentication and encrypted data handling. The website platform keeps pricing, inventory, and offer information accurate and consistent, which reduces the risk of auto-populated or AI-generated claims drifting from what the dealership can back up. And Ava AI is designed to handle customer conversations with clear bot disclosure, consent-aware messaging that respects opt-outs and quiet hours, and escalation paths so financing or pricing questions that require a human commitment get routed to a person instead of the AI improvising an answer.
For a small or independent dealer, the practical benefit is straightforward. Instead of layering governance on top of five disconnected point solutions, a connected DMS, CRM, website, and AI assistant built around the same foundation means fewer places for compliance gaps to hide, and a real starting point for meeting the obligations above.
AI governance is not a one-time project. It is an ongoing discipline of vendor oversight, documentation, and monitoring. Choosing tools built with that discipline in mind is one of the most effective steps a small dealer can take.
Car Dealer AI Governance: Common Questions Answered
Topics
Share this article
Help others discover this content



