CPA firms and professional service organizations are moving quickly to establish formal AI governance frameworks, recognizing that responsible adoption of generative AI requires clear policies, staff training, and data protection measures before regulators impose mandatory requirements. The shift reflects growing awareness that AI tools can introduce significant risks around data confidentiality, accuracy, and compliance if deployed without proper oversight.

Why Are Professional Firms Rushing to Create AI Governance Structures?

Generative AI is transforming how CPA firms operate, automating repetitive tasks like tax research, audit analysis, and document drafting while also enabling direct client interactions through chatbots and automated guidance systems. However, the distinction between AI tools that assist professionals under human supervision and autonomous systems that interact directly with clients matters enormously for regulatory exposure. The former presents lower liability risk; the latter requires heightened controls and monitoring to ensure accuracy, privacy, and legal compliance.

Without clear governance structures in place, firms risk exposing sensitive client data, making flawed decisions based on AI-generated errors, or violating evolving regulations. "Establishing an AI governance framework promotes security, compliance, and ethical AI use while helping firms maintain operational integrity and client trust," according to guidance from CAMICO, a professional liability insurer serving CPAs. The key insight is that responsible AI adoption is not just about choosing the right tool; it's about building organizational processes that ensure transparency, accountability, and ethical use from the ground up.

What Specific Risks Should Firms Address in Their AI Policies?

Generative AI systems are not infallible. They frequently produce outdated, misleading, or entirely fabricated information, a phenomenon known as "hallucinations". All AI-generated outputs must be reviewed for accuracy before being shared with clients or relied upon for critical decisions. Additionally, firms must guard against inadvertently compromising client data confidentiality when transmitting information to external AI platforms.

For tax-related work, firms must comply with Internal Revenue Code Section 7216, which restricts the use or disclosure of taxpayer information to third parties, including certain AI platforms. In many cases, written taxpayer consent is required before sending data to external systems. Firms should also research whether AI providers have a history of training their models on unauthorized data and carefully review vendor terms of service to understand how data and outputs are handled.

How to Build a Responsible AI Governance Framework

• Establish Written AI Policies: Create clear, documented guidelines that specify authorized uses of AI, prohibit creation of inappropriate or discriminatory content, and define escalation procedures for questionable AI-generated outputs. A written policy signals organizational commitment and helps ensure consistent application across teams.
• Conduct Thorough Vendor Due Diligence: Before deploying any AI tool, understand how it manages privacy and security, where and how data is stored and processed, and whether contractual terms require compliance with applicable laws and regulations. Verify that the vendor will not use your firm's data to train or improve models without explicit authorization.
• Implement Staff Training and Documentation: Successful integration of generative AI requires well-crafted implementation plans that include firm-wide education on responsible use, confidentiality safeguards, accuracy verification, and procedures for handling questionable outputs. Document that employees receive this training to demonstrate due diligence if regulatory scrutiny occurs.
• Secure Data and Enforce Access Controls: Encrypt sensitive data as appropriate, implement access controls to limit who can use AI systems with client information, and ensure compliance with applicable data protection regulations. Update the firm's Privacy Policy to provide transparency about what sensitive information is collected, how it is stored, and how it is shared.
• Engage Legal Counsel: Consult qualified legal counsel to review AI vendor contracts, ensure compliance with professional standards and regulations specific to your jurisdiction and practice area, and update policies as regulatory frameworks evolve.

The emphasis on proactive governance reflects a broader trend in AI regulation. Academic and policy research institutions are now systematizing the range of available regulatory instruments rather than advocating for any single approach. A comprehensive literature review published by LawAI in January 2025 surveyed the academic and policy landscape on frontier AI governance, examining regulatory tools including compute security measures, software and hardware export controls, licensing regimes for advanced AI systems, structured system evaluations, and procurement rules designed to advance AI safety objectives.

The review also examined voluntary corporate governance proposals such as Responsible Scaling Policies, which several leading AI developers have adopted, and formal AI certification schemes being explored by standards bodies and regulators. This signals that regulators at the international level, including the OECD and relevant UN agencies, are increasingly calling for evidence-based governance frameworks. Organizations that establish governance structures now will be better positioned to adapt as these frameworks become mandatory.

"The key isn't just adopting AI, but adopting it responsibly. From CAMICO's perspective, 'responsible use' of AI for CPA firms includes implementing and maintaining protocols and procedures designed to ensure transparency, privacy, accountability, compliance, and ethical use," according to CAMICO's guidance to professional firms.

CAMICO, Professional Liability Insurer

Compliance and risk teams at enterprises developing or deploying advanced AI systems should treat emerging literature on AI governance as a reference document for anticipating regulatory direction rather than waiting to respond to existing mandates. Teams responsible for AI governance strategy should pay particular attention to sections on licensing and certification schemes, as these mechanisms are under active consideration in multiple jurisdictions and could impose new pre-market approval obligations on developers of frontier models.

The European market offers a particularly instructive example. Organizations operating under the General Data Protection Regulation (GDPR), the EU AI Act, NIS2 (Network and Information Security Directive), and DORA (Digital Operational Resilience Act) face some of the world's most demanding regulatory frameworks. Companies expanding AI-enabled services in Europe are demonstrating how defensible, auditable workflows can stand up to regulatory scrutiny, opposing counsel, and boardroom oversight. These practices are increasingly becoming the global standard for what responsible AI governance looks like in professional and compliance work.

The bottom line: firms that establish AI governance frameworks now, before regulations mandate them, will gain competitive advantage, reduce liability exposure, and build client trust. Those that wait risk scrambling to comply with requirements that may be more stringent than frameworks they could have designed themselves.