Accounting Firm AI Policy Template (2026 Edition — Copy and Customize)
Published: May 12, 2026 | By: The Crossing Report
According to Karbon's 2026 State of AI in Accounting Report, 98% of accounting firms use AI daily. Only 21% have a documented AI policy or strategy. That 79% gap is not an oversight — it is a liability accumulating with every unreviewed AI output, every unapproved tool a staff member is using right now, and every piece of client financial data that may have passed through a system without a Data Processing Agreement.
Firms with a written AI strategy save 60 extra minutes per employee per day and see 2x the adoption rates of peers without one. The policy is not just a compliance exercise; it is also the operational mechanism that makes AI work.
This page gives you the accounting firm AI policy template. One page. Five sections. Customize in 20 minutes. The GLBA Safeguards compliance checklist, three-tier tool classification table for accounting software, and 20-minute rollout steps are all below.
The Accounting Firm AI Policy Template (Copy and Customize)
Copy this block. Put your firm name and today's date at the top. Update the Yellow-tier tool list to match the software your firm has actually licensed. That is it.
[FIRM NAME] AI Usage Policy — Accounting Operations
Effective: [DATE] | Last reviewed: [DATE]
1. Approved Tools
GREEN TIER — General purpose AI (no client data permitted)
Permitted for internal research, summarizing industry articles, drafting
firm communications that do not include client PII or financial data.
Examples: ChatGPT (paid, no training), Claude.ai (Pro), Perplexity Pro
YELLOW TIER — Approved accounting AI (firm-provisioned accounts only)
Permitted for client work when accessed through firm-licensed accounts only.
Confirm vendor has a Business Associate Agreement or Data Processing Agreement
on file before use on client matters.
Examples: [Karbon AI / CCH Axcess Advisor / Basis / QuickBooks AI / Canopy Coworker]
RED TIER — Prohibited for client work
Consumer AI tools with unknown data handling; any tool that does not have a
signed DPA; any tool that trains on submitted content without waiver; any
tool not reviewed and approved by [PARTNER NAME / FIRM ADMINISTRATOR].
2. Client Data Rules
No client name, EIN, SSN, financial statement, tax document, or personally
identifiable financial information may be entered into any RED TIER tool.
YELLOW TIER tools require firm-provisioned accounts with a signed DPA.
All AI output used in client deliverables must be reviewed and approved by a
licensed CPA or authorized staff member before transmission.
3. Review Requirement
Every AI-generated document, analysis, tax memo, or financial statement
delivered to a client or filed with a taxing authority must be reviewed by a
licensed CPA before transmission. AI output is a draft starting point.
The CPA's judgment — and professional liability — governs the final work product.
4. Incident Reporting
If a staff member uses an unapproved tool with client data, report it to
[PARTNER NAME / FIRM ADMINISTRATOR] within 24 hours. Document the tool used,
the type of data submitted, and the date of the incident.
5. Policy Review
This policy will be reviewed [annually / quarterly] or when a new AI tool is
adopted by the firm.
Signed: ____________________________ [Managing Partner / Firm Administrator]
Date: ______________________________
To customize this template:
- Fill in your firm name and today's date
- Replace the Yellow-tier examples with the specific accounting tools your firm has licensed
- Set your review cadence (annually is sufficient for most small firms; quarterly if you are actively adopting new tools)
- Have the managing partner or firm administrator sign it and distribute to all staff — including bookkeepers, administrative staff, and any contractor who touches client data
Why 79% of Accounting Firms Don't Have This (And Why You Should)
Three reasons the policy gap persists — and why each one matters.
1. AI adoption happened faster than governance.
The Karbon data makes this plain: 98% daily use, 21% documented policy. In practice, this means your staff has already made thousands of judgment calls about what to enter into which AI tool — without written guidance. Some of those calls were correct. Some were not. You do not know which. A policy does not undo those decisions, but it closes the gap going forward and establishes the standard your firm applies.
2. GLBA Safeguards Rule covers AI tool usage.
The Gramm-Leach-Bliley Act Safeguards Rule (16 CFR Part 314) requires financial institutions — including most CPA firms that handle consumer financial information — to maintain a written information security program. That program must cover the safeguards applied to client financial data. AI tools that process client tax returns, financial statements, or personally identifiable financial information are within scope. An AI acceptable use policy is the mechanism that documents your safeguards compliance for AI tool usage.
If your firm has not updated its information security program since adopting AI tools, that is a gap. The Safeguards Rule does not require perfect security — it requires documented, reasonable safeguards with identified responsibility. The template above satisfies that requirement for AI tool usage.
3. State CPA boards are beginning to formalize AI guidance.
AICPA guidance (2024) mirrors the ABA's requirements for lawyers: professional oversight of AI output, protection of client confidentiality, and disclosure where AI assistance is material to the work product. State CPA boards in New York, California, and Texas have issued or are developing parallel guidance. Having a written policy is rapidly becoming the de facto evidence that your firm exercises reasonable professional care in AI adoption — and the absence of one is increasingly the first thing flagged in an E&O investigation or state board inquiry.
The Three-Tier Tool Classification (Accounting Firm Edition)
The Green / Yellow / Red framework in the template is designed for practical use in a small accounting firm. Here is how to think about each tier — and how common accounting tools fit.
Green Tier — General-purpose AI, no client data
Consumer and prosumer AI tools that your staff may already use for their own productivity. These are cleared for internal research, drafting general communications, summarizing industry articles, and administrative tasks — provided no client name, EIN, SSN, financial statement, or tax document is included.
Common Green-tier tools: ChatGPT (paid, with confirmed no-training setting), Claude.ai Pro (personal account), Perplexity Pro.
Yellow Tier — Approved accounting AI, firm accounts only
Tools your firm has licensed under a business or enterprise agreement, with a Data Processing Agreement on file. These tools are cleared for client-specific work because you have confirmed the vendor does not train on your submissions and provides adequate data protection. Every firm should be able to name the specific tools in this tier.
Red Tier — Prohibited for client work
Any tool not reviewed and approved, any tool whose data handling terms are unknown, any tool that trains on user submissions without explicit waiver, any tool a staff member is accessing from a personal account for client work.
The practical rule: if a staff member found the tool on their own and is using it for client matters, it is Red tier until reviewed and approved.
Common accounting firm tool classifications (2026):
| Tool | Default Tier | Condition to Move Up |
|---|---|---|
| ChatGPT (free) | Red | Sign enterprise DPA |
| ChatGPT Team / Enterprise | Yellow | Firm account + DPA confirmed |
| Claude.ai Pro (personal) | Green | No client data |
| Claude.ai Team / Enterprise | Yellow | Firm account, confirm no training |
| Karbon AI | Yellow | Firm-provisioned account |
| CCH Axcess Advisor | Yellow | Firm-provisioned account |
| Basis | Yellow | Firm account confirmed |
| Canopy Coworker | Yellow | Firm-provisioned account |
| QuickBooks AI | Yellow | Firm ProAdvisor / firm account + client data rules applied |
| Microsoft Copilot for M365 | Yellow | Enterprise agreement with DPA |
| Notion AI, Grammarly AI | Red | Depends on DPA — review before approving |
| Consumer apps (personal accounts) | Red | Do not use for client matters |
AICPA and GLBA Compliance Checklist
Before distributing your policy, confirm your firm covers each of these requirements.
GLBA Safeguards Rule:
- Is client financial data (tax returns, financial statements, PII) covered by your AI tool DPAs?
- Do you have a named person responsible for your information security program?
- Have you conducted a risk assessment that includes AI tool usage?
- Are all third-party AI vendors (Yellow-tier) reviewed for data protection adequacy?
AICPA AI Guidance:
- Does your policy address professional oversight — is a licensed CPA reviewing all AI output before client delivery?
- Does your policy address confidentiality — which tools are cleared for which data?
- Does your policy address disclosure — do you have language for engagement letters and client communications?
State CPA Board Requirements:
- Has your state CPA board issued AI guidance? (Check your state society's website)
- If yes, does your policy align with that guidance?
Staff Implementation:
- Do all staff — including bookkeepers, administrative staff, and contractors — know the approved tool list?
- Do your engagement letter templates reference AI tool usage and CPA review?
- Is there a clear reporting path for incidents?
How to Roll Out This Policy in 20 Minutes
You do not need a consultant, a committee, or a firm retreat. Here is the 20-minute rollout.
Step 1 (10 min): Identify your Yellow-tier tools.
Open your firm's software list — or ask your office manager. Every accounting AI tool your firm has licensed with a firm account is a candidate for the Yellow tier. For each one, ask: do we have a Business Associate Agreement or Data Processing Agreement on file? If yes — Yellow tier. If you do not know — Red tier until confirmed. Karbon AI, CCH Axcess Advisor, Basis, QuickBooks AI (firm account), and Canopy Coworker are the most common Yellow-tier tools for small accounting firms.
Step 2 (5 min): Fill in the template.
Firm name. Today's date. Your actual Yellow-tier tools. Sign it.
Step 3 (2 min): Send it to your team.
Email to every CPA, bookkeeper, and staff member. Subject line: "Our AI Tools Policy — Effective [Date]." One sentence: "Please read this before using any AI tools for client work." No presentation required.
Step 4: Add one sentence to your engagement letter template.
"We may use AI-assisted tools in our work. All AI-generated content is reviewed by a licensed CPA or authorized staff member before delivery."
Run it by your malpractice carrier at next renewal — most carriers are now asking about AI governance as a standard underwriting question.
Step 5: Set a 90-day review reminder.
After 90 days, check your tool list for changes and re-distribute. After the first review, annual cadence is sufficient for most small firms.
That is it. You now have the documented AI governance framework that the GLBA Safeguards Rule expects, state CPA boards are looking for, and malpractice carriers are beginning to require.
Frequently Asked Questions
Does the AICPA require accounting firms to have a written AI policy?
The AICPA has not issued a formal standard mandating a written AI policy by name, but AICPA guidance requires CPAs to exercise professional judgment, protect client confidentiality, and ensure that AI-generated work meets professional standards. A written policy is the practical mechanism for meeting these obligations. Several state CPA boards have issued parallel AI guidance making written policies the de facto standard of reasonable care. Firms with no documented AI governance face greater exposure in an E&O claim or state board investigation.
What does GLBA require for accounting firms using AI?
The Gramm-Leach-Bliley Act Safeguards Rule (16 CFR Part 314) requires financial institutions — including many CPA firms — to maintain a written information security program that covers how client financial data is protected. AI tools that process client financial data are within scope. The policy must identify who is responsible for the security program, conduct a risk assessment, implement safeguards, and oversee third-party service providers. An AI acceptable use policy documents the safeguards component of GLBA compliance.
What is the difference between this template and the law firm AI policy template?
The structure is identical. The specifics differ. For accounting firms: the approved tool list reflects accounting software (Karbon AI, CCH Axcess Advisor, Basis, QuickBooks AI); the data prohibition covers client financial data, tax returns, EINs, SSNs, and personally identifiable financial information; the compliance framework references GLBA Safeguards Rule and AICPA guidance instead of ABA Formal Opinion 512 and state bar rules. Both templates require a three-tier tool classification, a review requirement, and incident reporting. See also: Law Firm AI Policy Template (2026 Edition).
How do I know if my accounting AI tools have adequate data protection?
Ask three questions: (1) Does the vendor have a signed Data Processing Agreement or Business Associate Agreement available? (2) Do the vendor's terms of service allow training on submitted content without waiver? (3) Can the vendor provide independent audit evidence — a SOC 2 Type II report — of its security claims? For Karbon AI, CCH Axcess Advisor, and Canopy Coworker, request the DPA directly from your account rep. For Claude.ai Pro and ChatGPT Team, Enterprise agreements include DPAs; consumer tiers do not.
How often should an accounting firm update its AI policy?
At minimum annually, and whenever the firm adopts a new AI tool. The Karbon 2026 report shows accounting firm AI adoption is accelerating, with new tools entering practice management, tax preparation, and advisory workflows continuously. A 90-day review cycle is appropriate for firms actively evaluating new tools. Review the policy when: (1) a new AI tool is added to the approved list; (2) a vendor changes its data handling terms; (3) a new state or federal AI regulation passes; (4) a staff incident involving AI occurs.
Related Reading
- Law Firm AI Policy Template (2026 Edition)
- Best AI Tools for Small Accounting and Law Firms
- AI Regulation Compliance Hub for Professional Services Firms
The Crossing Report covers the AI transition for professional services firm owners — accounting, law, consulting, staffing, and marketing agencies.