What Worries Me about CPA Firms and GenAI

A paying taxpayer and technologist's reflection on CPA firms' choices around AI use, paying close attention to transparency, the focus on efficiency, the tools that are used, and how they can affect trust.

Peter Serzo

3/23/2026

In the last few weeks, I have done a fair amount of research on what CPA firms are talking about on their blogs and newsletters. GenAI was not mentioned on any of them when communicating with their clients through this channel. It is like a heist movie where the crew’s downfall isn’t the lasers or the vault, it’s the one person who cuts a corner “just this once.” That is what Generative AI feels like in many CPA firms right now: an efficiency supertool that quietly encourages exactly the kind of shortcuts that can blow up client trust, compliance, and firm culture.

The Transparency Gap With Clients

One value should travel with your firm into every new technology wave: transparency about how you do the work clients pay you to do. I'm certain most firms explain their process. However, right now, GenAI is often treated like a silent subcontractor:

  • Engagement letters rarely mention when or how GenAI tools are used in tax prep, audit analytics, or advisory deliverables.

  • Cloud AI platforms may process snippets of returns, trial balances, or narrative explanations. How is this recorded, where is it stored, and who can see it?

  • Many tools’ default terms allow vendors to use customer inputs to improve their models, which is flatly incompatible with GLBA, FTC Safeguards expectations, and IRS data-protection guidance if client identifiers are present.

Legally, disclosure rules for GenAI in professional services are still a patchwork.

Ethically, the bar for CPAs has always been higher than “only disclose what is mandatory.”

If you would never outsource a return to an offshore team without telling your client, it is not acceptable to outsource parts of the thinking to an opaque model trained on unknown data.

Today's tools burn that capability into their features, sometimes without even properly explaining how to their clients.

Shadow AI

Gemini and Microsoft, as the two leading vendors in workplace tooling, are embedding GenAI right into the very capabilities of their platforms. Your folks use these tools every day and may not even know how they could be exposing your customers' data.

Most headlines fixate on students cheating on exams or employees writing lazy emails with AI.

Meanwhile, in CPA firms, GenAI is drafting tax memos, scrubbing workpapers, and touching client data in ways that look a lot like “business as usual.” Firms still sell the same story: “You can trust us with your financial life.”

But behind the scenes, there is a growing gap between that promise and how AI is actually being used.

Training focuses on “don’t get us sued,” not on building practical AI competence, skepticism, and review skills across all levels of the firm.

In professional services, hypocrisy is a culture risk, not just an HR problem.

When Efficiency Eats Professional Judgment

The third worry is the most subtle and the most dangerous: what happens to your judgment when the primary story about AI is speed.

It is March, partners are buried, firm owners are buried, everyone is under real pressure to deliver: shrinking margins, talent shortages, rising client expectations.

GenAI arrives promising to summarize, draft, reconcile, and “auto‑review” in a fraction of the time, and that sounds like salvation.

But there are real costs when “save time” becomes the north star:

  • GenAI doesn’t understand professional standards, tax law nuance, or your specific client’s risk profile; it predicts plausible text, which can be confidently wrong, biased, or incomplete.

  • Overreliance on AI-generated risk scores or exception lists can hardwire historical bias into your audit approach, skewing attention toward what the model has seen before instead of what is actually emerging.

  • The hours “saved” by auto-drafted memos, workpapers, or client emails can quietly erode the deep, slow pattern recognition that used to come from reading underlying documents, tracing transactions, and wrestling with the messy edge case.

In tax and attest work, that depth is not a luxury, it is the differentiator.

If AI pulls professionals one layer further away from the raw evidence, you risk turning CPAs into editors of machine output instead of stewards of client risk.

And there is a reputational twist: if a client discovers that a key deliverable was largely AI‑generated, and they were never told, we know how that will play out.

The Compliance Shadow You Can’t Ignore

Even if no one in your firm intends to be reckless, the regulatory shadow around GenAI gets longer every month.

For CPA firms, GenAI risk is not abstract:

  • GLBA and the FTC Safeguards Rule require financial institutions to safeguard nonpublic personal information and oversee service providers handling that data.

  • IRS Publication 4557 and related guidance expect rigorous controls over taxpayer data, including encryption, access controls, incident response, and vendor due diligence. This applies when AI systems process returns or workpapers.

  • State privacy laws and emerging AI-specific statutes are beginning to require disclosure, impact assessments, and limits on automated decision-making in certain contexts.

Most GenAI tools were not built with Circular 230, peer review, or PCAOB inspection in mind.

They were built to move fast and scale, sometimes by training on user data or routing workloads across multiple jurisdictions.

If your AI risk posture today is “the vendor says they’re SOC 2,” you are underestimating both the regulatory expectations and the professional duty of care.

Where CPA Firms Go From Here

This moment does not have to be an anti‑AI story.

It is a governance story, a leadership story, and a chance for your firm to raise its standard while the rest of the market chases shortcuts.

Here are the questions worth wrestling with in partner meetings, tech committees, and with your clients:

  • Are you explicitly telling clients when and how your firm uses GenAI, and how you protect their data when you do?

  • If you restrict staff use of AI, are you holding partners and managers to the same rule and explaining the rationale in plain language?

  • When you adopt AI to “save time,” what specific forms of professional judgment, documentation quality, or client understanding are you refusing to outsource?

  • Do your AI vendors’ terms, data flows, and model behaviors actually align with GLBA, FTC Safeguards, IRS guidance, and your state board’s expectations? Are you assuming they must?

  • How will you train your people so GenAI becomes a supervised assistant, not an invisible decision-maker?

Your firm, like every firm, is at a crossroads with AI.

The tools are not going away, and neither are the pressures to move faster.

CPAs have always been at their best when they choose stewardship over shortcuts, candor over convenience, and systems that protect clients even when nobody is watching.

Lead GenAI, do not fear it. Partner with vendors who understand GenAI and the regulatory environment, partners who can help you write an all-encompassing WISP. Finally, educate yourself and ask questions. GenAI is not going away and neither are you.