What about security?
What every firm should know before letting AI touch client work.
Charlie Barmore, CPA · CFE · ~10 min read
AI is everywhere in accounting now. It can draft a research memo in seconds, summarize a reconciliation, or rewrite a client email three ways, and newer tools can handle multi-step tasks on their own. Most professionals can see it would help. But one question comes up every time: is it safe to use with client work?
That question stops a lot of firms cold. Unsure of the answer, they wait. Meanwhile their staff are already using free AI tools on personal accounts, often pasting in client data, with no rules and no oversight. That is the real risk: not AI itself, but using it without a plan.
The good news: this is manageable. AI isn’t “safe” or “dangerous.” It’s a tool you control with a few sensible rules, the same way you already handle your cloud software and tax program. Here’s how to do that.
01 · The three real risks
Know the three real risks.
You can’t manage a risk you can’t name. With AI, the exposure comes down to three things. Once you know them, each one is manageable.
1. Confidentiality. If someone types a client’s name, return, or numbers into a tool that can store or train on the input, the firm has shared confidential information with an outside company. That breaks the same rules that have always governed client data. The only new part is the channel.
2. Wrong answers. AI tools make things up. They invent citations, state outdated tax positions with full confidence, and produce math that looks right and isn’t. This doesn’t leak data, but it ruins your work product if it goes out without review.
3. Over-reliance. The biggest risk isn’t the tool leaking. It’s trusting a confident answer without checking it. The model doesn’t sign the return. You do.
None of these are new duties. AI just puts more pressure on the ones you already have.
02 · Not all tools carry the same risk
A free chatbot and a business account aren’t the same tool.
When people say AI is risky, they usually picture one thing: a free chatbot on a personal account. But the same company often sells a paid business version with very different terms, one that doesn’t train on your data and is built for sensitive work. Those aren’t the same product at different prices. One is fine for client work with a few rules; the other isn’t. Here’s how the main tiers compare.
| Tier | Security profile | For client data | Typical examples |
|---|---|---|---|
| Free / personal | Free, shared tools. The provider may store what you type and use it to train future models. | Prohibited | Free chatbot versions signed into with a personal account. |
| Business / team | A paid business plan with a contract that says they will not train on your data, plus encryption, admin controls, and audit logs. | Permitted, with policy | Business or team plans of major assistants like ChatGPT, Claude, and Microsoft Copilot. |
| Built into your software | AI built into the tax or audit software you already use, covered by your existing vendor agreement. | Permitted, in context | Research and document features inside established tax, audit, and engagement platforms. |
You already do this with other tools. Your firm trusts a cloud accounting platform, a hosted tax program, and a document portal with full client files: names, Social Security numbers, complete returns. You do it under a contract and the vendor’s security guarantees. A business-tier AI assistant belongs in that same group of trusted vendors. A free consumer chatbot does not. So the real question was never “AI: yes or no.” It’s which version, for which data.
03 · The control firms overlook
The data does not have to leave the building at all.
A no-training contract is one layer. The firms most comfortable with AI don’t stop there. They stack a few simple controls so no single one has to be perfect.
The first layer is free: anonymize first. Strip the identifiers before anything leaves the firm. Use “a manufacturing client with about $4M in revenue” instead of the name and EIN. It works with any tool, needs no software, and removes the confidentiality problem at the source. Most AI work needs the numbers and the question, not the client’s name.
The second layer is technical, and it has improved fast. A growing set of tools detects and removes personal information locally, on your own device or in a gateway between your staff and the AI, before any text is sent. They spot names, Social Security numbers, and account numbers, swap them for placeholders, send only the clean version, and put the real values back in the answer. The sensitive data never reaches an outside server. Add basic usage logging and you have real layers: a contract, anonymizing, a technical gate, and an audit trail.
No filter is perfect. They miss some identifiers and sometimes over-redact, which is why they back up human review instead of replacing it.
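The placeholder swap described above, sketched in Python as an added example (not code from the essay or from any named product). The two identifier patterns, the `known_names` client list, the `gateway` and `fake_model` names, and the sample prompt are assumptions constructed for illustration.

```python
import re

# Assumed patterns for two US identifier formats; real tools cover many more.
PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "EIN": re.compile(r"\b\d{2}-\d{7}\b"),
}

def redact(text, known_names=()):
    """Swap identifiers for placeholders; return (clean_text, mapping)."""
    mapping, seen, counts = {}, {}, {}

    def token_for(kind, value):
        key = value.lower()
        if key not in seen:  # repeated values reuse the same placeholder
            counts[kind] = counts.get(kind, 0) + 1
            seen[key] = f"[{kind}_{counts[kind]}]"
            mapping[seen[key]] = value
        return seen[key]

    # Names come from the firm's client list, longest first so a full
    # name is replaced before any shorter name contained in it.
    for name in sorted(known_names, key=len, reverse=True):
        text = re.sub(re.escape(name), lambda m: token_for("CLIENT", m.group()),
                      text, flags=re.IGNORECASE)
    for kind, pattern in PATTERNS.items():
        text = pattern.sub(lambda m, k=kind: token_for(k, m.group()), text)
    return text, mapping

def restore(text, mapping):
    """Put the real values back into the model's answer, locally."""
    for token, value in mapping.items():
        text = text.replace(token, value)
    return text

def gateway(prompt, known_names, call_model, audit_log):
    """Redact, log what left the device, call the model, restore."""
    clean, mapping = redact(prompt, known_names)
    # The log holds the clean text and placeholder names, never real values.
    audit_log.append({"sent": clean, "placeholders": sorted(mapping)})
    return restore(call_model(clean), mapping)

# Constructed sample input and a stand-in for the outside AI service.
PROMPT = ("Acme Manufacturing (EIN 58-1234567) had $4.2M in revenue. "
          "Owner SSN 123-45-6789. Contact John Sider about the election.")

def fake_model(clean_text):
    return "Draft for [CLIENT_1]: confirm [EIN_1] before filing."
```

With only "Acme Manufacturing" on the client list, "John Sider" leaves the device unredacted, which is the kind of miss that human review has to catch.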
04 · What the standards already require
Have the rules caught up to AI?
So what do the rules actually say? Part of what makes this confusing is that there isn’t one rulebook. The guidance is scattered across the AICPA Code, IRS regulations, the FTC, and the tax standards, and it isn’t obvious which one applies to AI, or whether any of them do yet. So let’s look. Does anything name AI directly? Actually, yes. The revised Statements on Standards for Tax Services now mention “artificial intelligence” by name (SSTS No. 1, §1.4, Reliance on Tools), a section that addresses a member’s use of and reliance on AI tools. The rest of the rules below never say “AI,” but they cover it just as clearly. Here are the ones that count.
Confidential Client Information (ET 1.700.001). You can’t share client information without consent. Putting identifiable client data into a tool that may store or train on it is sharing it. Business-tier terms and anonymizing keep you on the right side of this rule.
Due Care and Competence (ET 1.300). You can’t hand your professional responsibility to a model. Competence now includes knowing what the tool can and can’t do. Due care means checking AI output against original sources before you rely on it, the same as you would a new staffer’s draft.
A few outside rules point the same way. For tax work, IRC §7216 makes it a crime to disclose or use a client’s return information without consent, and that includes return data entered into an AI tool. IRS Circular 230 §10.22 still requires due diligence; an AI draft does not satisfy it. The FTC Safeguards Rule, under Gramm-Leach-Bliley, treats tax-preparation firms as financial institutions that must keep a written security plan and oversee their vendors, which reasonably includes AI vendors. And the revised Statements on Standards for Tax Services (SSTS No. 1, §1.3) require a reasonable effort to protect taxpayer data, which clearly covers data given to an AI tool.
The common thread: the firm, not the tool, is responsible. AI assists. It never signs.
05 · What good governance looks like
Good governance fits on one page.
None of this needs an IT department or a big budget. The controls that make AI defensible in a small firm fit on one page and use systems you already run.
Write a one-page AI policy. List approved tools, prohibited inputs (no raw client PII), the anonymize-first rule, required human review, and what a new tool must meet to be approved. Fold it into your existing security and quality-control policy instead of starting a binder no one opens.
Approve specific tools, and make the approved option the easy one. Shadow AI, staff using personal accounts because the firm gave them no alternative, is the real failure. Fix it by giving people an approved tool that is genuinely easier than the workaround.
Keep human review where it is. AI-assisted work goes through the same review as any other draft, and you note significant AI help in the workpapers. Vet AI vendors like any hosted provider: no-training terms, a SOC 2 report, encryption, and a data processing agreement. And put a one-page do/don’t sheet at the desk, so the policy lives where the work happens instead of in a drawer.
You usually do not need to disclose routine AI use to clients, but one sentence in the engagement letter, noting you may use approved, secure AI tools subject to your review, costs nothing and builds trust.
✦ Take this with you
Don’t just read it, put it to work.
Here is the week-one version: concrete steps, copy-paste patterns, and two files you can use the same day.
Anonymize-first, in practice
Most AI work needs the numbers and the question, not the client’s identity. Copy a pattern and adapt it.
Before, identifiable
“Acme Manufacturing (EIN 58-1234567) had $4.2M in revenue in 2025 and wants to know whether to elect S-corp status…”
After, anonymized
“A manufacturing client with ~$4M in revenue, taxed as a C-corp, is weighing an S-corp election. What factors should drive the decision?”
The judgment question is identical; the identity is gone.
Before, identifiable
“Summarize this email from John Sider at Riverside Dental about their overdue 2024 reconciliation…”
After, anonymized
“Summarize this client email about an overdue prior-year bank reconciliation and list the action items.”
The security question is not a reason to wait. It is a reason to put controls in place.
It is the same move the profession made a decade ago when it moved client files to the cloud: answered not with a slogan, but with contracts, controls, and documentation. Firms that handle it well will use AI sooner and more safely than the ones still treating the question as a wall.
And the payoff is real. Once you can use AI safely, you can use it well: faster research, cleaner first drafts, quicker turnaround, and more time for the judgment work clients actually pay you for. Used right, AI does not put client service at risk. It raises it.
Course 01 builds this whole framework live in two hours: the tool tiers, the anonymize-first habit, and a firm AI policy you adapt and use the same week.
The Academy is designed to be CPE-ready. Final credit, field of study, and approval depend on the registered sponsor and delivery method; approval submissions begin after the pilot. Reserve a seat or join the waitlist for credit confirmations as they're approved.