The senior who pasted a client's P&L into ChatGPT
Here is the scene that should keep a managing partner up at night. It is the third week of March. A second-year staff member has six returns stacked up, hits a depreciation question they can't resolve fast, and pastes a client's full profit-and-loss — entity name, EIN, the works — into a free chatbot to "just ask it." The answer comes back in seconds. The return ships. Nobody ever knows. That last part is the problem.
This is not a hypothetical edge case in accounting. It is the default behavior of a smart, overloaded team that has been handed powerful tools and no rules. The broader research confirms why the pressure is so high in firms your size. The RSM middle-market AI survey, the San Francisco Fed analysis of AI and small businesses, and the OECD report on AI adoption by small and medium-sized enterprises all land on the same point: smaller firms adopt AI faster than they build the management muscle to control it.
An accounting firm's exposure is unusually concrete. The source material isn't marketing copy — it's client tax IDs, workpapers, audit evidence, owner financial statements, and engagement-letter-covered confidential data. The fix isn't a ten-page risk memo nobody reads in April. It's a single page that answers four questions a staff member can recall under deadline pressure: what can I draft, what can I never upload, what must I keep, and who do I ask when I'm not sure.
Draw the line where the client data starts
The whole policy turns on one distinction your staff already understand intuitively: firm-internal work versus client-file work. Drafting an internal staff-meeting agenda, reformatting a checklist, or rewording a generic engagement-status email in a public tool? Fine — there's no client confidential data in play. The moment a prompt contains a return, a trial balance, an audit sample, a workpaper, or a named client's numbers, the rule flips hard: that data goes only into a managed, firm-approved assistant, never a personal or free account.
Two references do the heavy lifting when you draft the actual control language. The NIST AI Risk Management Framework gives partners a structured way to map context, measure exposure, and assign controls instead of guessing. The CISA AI Data Security Best Practices spells out the specific paths through which client data can leak — prompts, retrieval, logs, training, and model outputs — which is exactly the list a firm needs to close off when audit evidence and tax positions are the inputs.
If you've standardized on Microsoft Copilot or ChatGPT Enterprise, do not assume "enterprise" means "configured." Open the settings and check the actual training, retention, and access toggles against Microsoft 365 Copilot privacy and data controls or OpenAI enterprise privacy commitments. A common miss: a firm buys the enterprise tier, never disables prompt-based training at the tenant level, and assumes the marketing page covered it. The vendor doc tells you what the tool can do — your firm decides what a return is allowed to touch.
Bolt it onto engagement review, not a binder
A policy that lives in a shared drive is theater. A policy that lives in your engagement review cadence is a control. Wire it in: every engagement gets a named owner for AI use, an approved-assistant list, the restricted-data rule above, a reviewer step before AI-touched work reaches a workpaper or deliverable, a retention standard for prompts and outputs, and an escalation path for the staff member staring at an ambiguous client file at 9 p.m. Treat AI-assisted output the same way you'd treat any preparer's work — it gets a reviewer's eyes and a partner's sign-off before a client ever sees it or it lands in the permanent file.
Make compliance observable. Once a quarter, pull a sample of engagements and check whether staff actually routed client data into the approved tool or quietly went around it — the way you'd sample-test any other control. The honest answer that first quarter is usually "some of both," and that tells you exactly where training and tooling need to improve.
Two things to do Monday. First, draft the one-pager — four questions, one named owner, one approved tool list — and circulate it before the next filing crunch, not after. Then score where your client-data controls actually stand with the SMB AI readiness assessment, and use the 90-day implementation plan to sequence the tooling, training, and reviewer steps so the policy is real before busy season, not aspirational after it.