Key Takeaways
- Most accounting firms are already using AI tools — through ChatGPT, Microsoft Copilot, and built-in software features.
- The real risk is not AI itself. It is everyone using it differently with no shared rules.
- Small firms do not need a big compliance program. They need a short list of clear rules staff can follow.
- The Red / Yellow / Green model helps teams decide what is safe to do with AI in seconds.
Why is AI already inside accounting workflows?
AI entered most accounting firms before anyone made a plan for it.
A staff accountant asks ChatGPT to rewrite a client email. A manager uses Microsoft Copilot to take meeting notes. A tax team finds new AI features built into tools they already pay for.
A 2025 Thomson Reuters report found that 41% of workers in professional services used public AI tools like ChatGPT. A 2024 Microsoft and LinkedIn study found that 75% of all office workers used AI on the job.
The question for CPA firms has changed. It is no longer whether AI will enter your firm. It already has. The question now is whether your firm has rules to manage it.
Free CPA AI policy checklist
If staff are already testing ChatGPT, Copilot, QuickBooks AI or vendor AI features, start with the free checklist before expanding usage. It helps define approved tools, prohibited client data, review standards and escalation rules.
What risk does quiet AI adoption create?
When there are no rules, each person makes their own. That creates problems fast.
One employee pastes client notes into a public AI tool. Another refuses to use AI at all. One manager accepts AI-written drafts. Another rewrites them from scratch.
This is called shadow AI: staff using AI tools without firm rules or oversight. Microsoft found that 78% of AI users at work were bringing their own tools from home. Partners cannot manage what they cannot see.
Why is inconsistency the real AI risk?
The biggest risk is not one bad decision. It is dozens of small decisions made differently across the firm.
CPA.com and AICPA are clear on the data issue. When you put data into an AI tool, you are sharing that data with the tool's owner. CPA.com's due diligence guide tells firms to ask: What data does the vendor access? Where does it go? Can it be used to train the model?
These are not questions for each staff member to answer on their own. A firm that handles tax returns, payroll records, bank statements and client emails needs one shared answer.
| Inconsistent Behavior | Operational Problem | Governance Standard |
|---|---|---|
| Staff paste client facts into public AI | Client data exposure is unmanaged | Red data list and approved tools only |
| Managers review outputs differently | Client deliverables vary by reviewer | Documented AI output review standard |
| Vendors turn on AI features silently | Data paths change without review | Vendor review gate before client-data use |
| Some employees avoid AI completely | Training and workflow expectations split | Green use cases for safe starting points |
Do firms need a compliance program or just clear rules?
Most small firms do not need a big compliance program. They need short, clear rules staff can actually follow.
The words "AI compliance" can make the job sound bigger than it is. A 20-person firm does not need a legal team before a staff member can use AI to write a clearer email.
It does need a list. Write down which tools are approved, what data is off-limits, how to review AI output, and what to do if something goes wrong. NIST's AI Risk Management Framework is a good reference. For most accounting firms, it translates into a one-page operating model.
A good starting rule is simple: staff may use public AI for general writing and learning. They may not put client data into any tool the firm has not reviewed and approved.
How does the Red / Yellow / Green framework work?
Red, Yellow, Green gives your team a fast way to sort AI use by risk. Any staff member can learn it in five minutes.
Red means never paste. This includes client names, Social Security numbers, EINs, payroll records, bank statements, tax returns, audit files, financial statements, contracts, and client emails.
Yellow means ask first. A sanitized example, a draft memo, or a tax research outline may be fine. But a manager still needs to review the work and check the data before it goes to a client.
Green means safe to start. Rewriting an internal checklist, drafting training materials, summarizing public guidance, improving a generic email tone, or brainstorming questions for a vendor demo are all good starting points.
What confidence does governance create?
Clear rules build confidence for everyone in the firm.
Staff know what they can do. Managers know what they must check. Partners know which vendors have been reviewed. Clients get a straight answer when they ask whether the firm uses AI.
Clear rules also make it safe to try new things. The goal is not to slow down AI use. The goal is to make it intentional. A short set of standards turns AI from a risk into an advantage.
The control question
For accounting firms, AI governance should feel like a workflow checklist, not a legal memo. The best standard is one a tired employee can follow during busy season.
Why does this matter now?
AI is moving fast. Staff habits are forming before firm rules do.
Thomson Reuters found that 52% of professional services workers said their firm had no AI policy. Another 64% said they had received no AI training at work. Yet 95% said AI would be central to their firm's work within five years.
AICPA published a small-firm AI policy template in April 2026. CPA.com quoted Jason Staats: "We just have to start. Find a way to make the use of AI a habit."
The longer a firm waits, the more the informal habits become the firm's real policy.
What free resource helps accounting teams start?
The AI Data Safety Guide for Accounting Teams, Nexairi's free 8-page guide, is now available to newsletter subscribers and ready to download. It is a first reference, not a full policy package.
The guide covers the Red / Yellow / Green framework, a quick safety check, and real accounting examples. It helps partners take the first step without turning it into a month-long project.
Join the Nexairi newsletter below to get the guide free. A $2,000 AI pilot is easier to approve when your team knows which data is off-limits. A $20,000 cleanup is much harder to explain after the fact.
What should firms do after the first guide?
The first guide helps your team stop guessing. Firms that need more can build a fuller system.
Firms that handle larger client datasets, run audits, or use AI inside practice management software may need a complete set of operating standards. That means policy documents, vendor review checklists, staff rules, and quarterly reviews.
That is what the Nexairi AI Policy Kit is built for. The goal is to make your firm's standards strong enough for the work AI is already doing inside your systems.
Firms that govern AI well do not fear it. They use it better than the firms that don't.
Sources
- Thomson Reuters Institute: 2025 Generative AI in Professional Services Report
- Microsoft and LinkedIn: 2024 Work Trend Index
- NIST: AI Risk Management Framework
- CPA.com: Artificial Intelligence resources
- CPA.com: AI Solution Due Diligence Guide for Accounting Firms
- CPA.com/AICPA: Generative AI risks to CPA firms
- AICPA: Small Firm Generative AI Policy Template
Editor in Chief
Editor in chief at NEXAIRI, guiding reporting and long-form features. Previously led editorial teams at regional publications across the Southeast.