White paper

What every firm needs to know about AI tools and data security

As AI-powered technology transforms tax and accounting, it brings unprecedented efficiency and insight. But as they say, with great power comes great responsibility — especially when handling your client's sensitive financial and personal data.

From improving compliance workflows to unlocking personalized client insights, AI is redefining how tax professionals approach tax research, assess risk, and deliver client services. This technology, however, comes with its own set of risks.

Tax professionals routinely handle highly sensitive financial and personally identifiable information (PII), making data privacy and protection not just a compliance issue, but a critical pillar of client trust. As firms embrace AI tools to boost productivity, they must also evaluate the security implications of these tools, especially those that leverage large datasets or integrate with cloud-based platforms.

In this white paper, we'll explore the intersection of AI innovation and data security within the tax and accounting space by examining how AI is transforming tax research methodologies, the types of data most at risk, and the specific vulnerabilities introduced when using generative AI (GenAI) and machine-learning systems. We'll also walk through key regulatory and ethical considerations, such as Internal Revenue Service (IRS) data protection requirements and best practices for managing risk.

Ultimately, the goal is to empower your firm to harness the full potential of AI while upholding the highest standards of data integrity and confidentiality. With the right strategies and safeguards in place, you can navigate this new era confidently, delivering meaningful insight without compromising the trust of your clients.

Understanding data security risks in tax research

During tax research and client advisory work, accounting professionals routinely handle highly sensitive data. This includes Social Security numbers (SSNs), taxpayer identification numbers, financial statements, income and expense records, investment portfolios, business ownership details, and sometimes even health care or legal documentation. Such data is not only valuable to malicious actors but also strictly protected under various privacy and compliance regulations. In the digital age, where tax research often intersects with online platforms, cloud-based systems, and AI tools, safeguarding this data is critical.

The integration of AI into tax research introduces new efficiencies but also creates potential vulnerabilities. AI models, particularly those relying on machine-learning or natural-language processing, may require access to large datasets to function effectively. If not correctly configured, these systems can inadvertently retain or expose sensitive information during model training, API use, or data transmission.

For example, if a proprietary AI platform logs queries for improvement without proper anonymization, this could lead to unintended data exposure. Additionally, third-party AI tools or plugins may not meet the stringent data-handling standards required for financial information, leaving firms at risk of data leaks or compliance violations.

Regulatory frameworks provide a critical foundation for protecting tax-related data, and tax professionals must diligently adhere to them. In the U.S., IRS Publication 4557 outlines safeguards for taxpayer data, including the need for secure storage, encryption, restricted access, and breach response protocols. The IRS also mandates written information security plans (WISPs) for tax professionals under the Gramm-Leach-Bliley Act.

Moreover, under the IRS Security Summit initiative, firms are urged to adopt multifactor authentication, use secure portals for file sharing, and ensure that all software — including AI tools — is updated regularly with security patches. The IRS also emphasizes the importance of employee training, recognizing that human error remains one of the leading causes of data breaches in the tax profession. Even a simple act like copying sensitive data into an AI-powered chat tool without verifying its data-handling policies can result in significant violations of confidentiality standards.

To responsibly adopt AI in tax research, firms should prioritize platforms with strong security credentials, including SOC 2 compliance, data encryption in transit and at rest, and user-level access controls. AI tools used for tax research must also support anonymization and ensure that data inputs are not retained or used for model training unless explicitly authorized. Firms should also maintain robust vendor due diligence processes to evaluate the cybersecurity posture of third-party AI providers.

Ultimately, data security in tax research is not just about protecting client information; it's about maintaining trust, preserving compliance, and mitigating reputational risk. As firms embrace AI and other digital tools to improve research efficiency and client service, they must do so with a clear understanding of the data security landscape.

By combining sound regulatory awareness with informed technology choices and internal safeguards, your firm can unlock the benefits of AI while upholding the confidentiality your clients expect, and the law requires.

At-a-glance: Data security regulations

Accounting firms in the U.S. handle vast amounts of sensitive financial and personal data, and they must comply with a range of data security regulations to protect client information and avoid legal and reputational risks. Here are the key data security regulations and frameworks that U.S. accounting firms should be aware of:

Federal regulations

  • IRS Publication 4557. This publication requires tax professionals to implement safeguards like encryption, access controls, and a written information security plan to protect taxpayer data.
  • Gramm-Leach-Bliley Act (GLBA). The act mandates financial service providers, including accountants, to develop and maintain a comprehensive security program for client information.
  • FTC data security guidelines. These require all businesses to implement reasonable data security measures and avoid deceptive practices related to data protection.

State regulations

  • State data breach notification laws. These require firms to notify affected individuals and sometimes regulators after a data breach, with specifics varying by state.
  • California Consumer Privacy Act (CCPA/CPRA). This gives California residents rights over their personal data and requires businesses to implement privacy and security measures.
  • New York SHIELD Act. This requires businesses handling New York residents' data to implement reasonable security safeguards and notify affected parties of breaches.

Voluntary but widely adopted frameworks

  • SOC 2. This is a voluntary standard that evaluates how well a firm protects client data across five trust principles.
  • ISO/IEC 27001. This is an international standard for managing information security through a structured risk management framework.
  • NIST Cybersecurity Framework. This provides best practices and guidelines for identifying, preventing, and responding to cybersecurity risks.

Other industry considerations

  • PCI DSS. This applies to any firm processing credit card payments and requires secure handling of cardholder data.
  • HIPAA. This applies if a firm handles protected health information and mandates strict privacy and security measures.

AI-powered solutions: Benefits and security considerations

Key benefits of AI in tax research efficiency

When it comes to AI-powered tax research, one of the most significant benefits is the speed with which you can access relevant information. AI-driven platforms can parse through vast tax databases and regulatory content in seconds, pinpointing specific citations or interpretations that would take hours to uncover manually. This ability streamlines workflows and enables tax professionals to respond to client questions and compliance requirements much faster.

In addition to speed, AI enhances the accuracy and consistency of tax research. Unlike human users who may miss nuances or interpret language inconsistently, AI systems apply rules-based logic and natural-language processing to return consistent, standardized answers. This helps reduce the risk of misinterpretation and promotes uniform compliance across firm practices.

Of course, time and cost savings naturally follow increased efficiency and accuracy. By automating routine research and freeing up valuable hours, AI allows your staff to focus on higher-value tasks such as client advisory services, strategic planning, and issue resolution. Firms that leverage AI this way can also scale more efficiently, take on more clients without expanding staff, and ultimately drive stronger margins. You can also support employee retention by reducing burnout from repetitive tasks.

Real-time updates are another critical advantage. AI systems can continuously monitor regulatory changes and automatically incorporate new tax laws, IRS rulings, or court decisions into their databases. This monitoring ensures research results are always aligned with the most current guidance, reducing the risk of relying on outdated information. In a fast-changing tax environment, this feature becomes a vital safeguard against compliance errors.

Data migration and retention considerations

As your firm moves from legacy systems to AI-powered platforms, you must evaluate how client data is transferred, stored, and protected. During this migration, sensitive data may be exposed if not handled with proper encryption and security protocols, especially when transitioning from on-premises to cloud-based solutions.

AI systems themselves can introduce potential vulnerabilities as well. These include unauthorized data access, model inference attacks, and potential data leaks through third-party integrations. Since AI solutions often depend on large datasets and remote infrastructure, your firm must vet your technology providers' cybersecurity standards and ensure compliance with data privacy regulations like IRS Publication 1075.

Secure data transfer protocols are foundational to minimizing risk. Encryption during data transmission, strict access controls, and secure APIs are essential for preventing interception or tampering. Firms should also assess whether AI vendors conduct regular third-party security audits, use robust identity authentication, and offer client-specific data isolation.

Balancing accessibility with protection is an ongoing challenge. On one hand, AI systems need access to large amounts of data to generate valuable insights and improve performance. On the other hand, unrestricted access or poor controls can expose confidential client information. A tiered access model — where different team members have role-based access to specific datasets — can help ensure both usability and confidentiality.

Ultimately, the benefits of AI in tax research outweigh the risks, but your firm must approach implementation with a strong security mindset. With proactive risk management during data migration and ongoing use, you can fully capitalize on AI's potential while preserving the trust your clients have come to expect.

Maximizing the benefits while minimizing the risks:

AI is a game-changer, but only when deployed with trusted, secure infrastructure.

AI in tax research can:

  • Accelerate research by quickly surfacing relevant tax code, rulings, and guidance with precision
  • Boost accuracy by eliminating inconsistencies and reducing manual interpretation errors
  • Keep you current with real-time regulatory updates

But it’s critical to:

  • Secure your data with encrypted transfers and controlled access during AI implementation
  • Vet your vendor and only partner with AI providers who meet rigorous data security standards

Best practices for secure AI implementation

Implementing AI in tax research offers substantial advantages, but it also requires a strong technical foundation. Some of the key data security measures include end-to-end encryption for data in transit and at rest, multifactor authentication, and strict access controls based on user roles. These tools help safeguard sensitive financial and personal information from unauthorized access or breaches, which is especially critical in the highly regulated field of tax and accounting.

Firewalls, secure APIs, and continuous monitoring of AI environments further enhance protection against evolving cyber threats. Firms should also consider network segmentation and endpoint detection and response (EDR) tools as part of a layered defense strategy.

- Did you know? 65% of firms cite data security as a key concern when considering GenAI, according to the Thomson Reuters Institute report, Generative AI in tax firms.

Equally important is the establishment of a robust data governance framework tailored to the specific demands of tax research. Governance structures define who owns the data, how it is classified, and who has permission to access or modify it. In AI-powered systems, transparent governance helps prevent misuse of data, ensures compliance with internal policies, and supports auditability.

This framework should also cover how data is sourced, how it flows through AI systems, and how any decisions or recommendations made by AI are documented and explained. Transparent metadata tagging and maintaining a clear lineage of data as it passes through AI tools can significantly improve visibility and accountability.

Before implementing any AI solution, conduct a thorough vendor assessment and due diligence. This includes evaluating the vendor's track record, reviewing their security certifications, such as SOC 2 or ISO 27001, and understanding their data-handling practices. Ask whether the AI model is trained on proprietary or publicly available datasets, and whether client data is used to train the model further. You should also assess whether the vendor complies with regulations such as IRS Publication 4557.

Data retention policies also play a critical role in secure AI implementation. Tax professionals must ensure that data is retained only for as long as necessary to meet regulatory requirements and business needs. Retaining data longer than required can increase exposure to risk, while deleting it prematurely could result in compliance violations. AI systems should be configured to follow firm-wide retention policies, with automated deletion processes and retention logs that support regulatory audits and internal reviews. Establishing data minimization practices and deleting redundant or outdated records can further reduce your firm's exposure to data breaches.
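The paragraph above calls for AI systems that follow firm-wide retention policies with automated deletion and retention logs. The following is an added illustration, not code from the white paper or from any vendor it names: a small retention enforcer that computes each record's deletion deadline from a per-category policy table, suppresses deletion while a legal hold is active, flags records whose category has no rule instead of silently keeping or deleting them, and writes every decision to an audit log. The categories, retention periods, record store and legal-hold flag are all hypothetical, constructed for this example; a real firm's periods come from its written information security plan and counsel.

```python
"""Added example (not from the white paper): apply a firm-wide retention
policy to client records held in an AI research platform, with a retention log.

Assumptions: the categories, retention periods, record store and legal-hold
flag are constructed for illustration; real retention periods come from the
firm's written information security plan and counsel.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Hypothetical retention periods, in days, by data category.
RETENTION_DAYS = {
    "tax_return_workpapers": 7 * 365,
    "ai_research_query_log": 90,
    "client_onboarding_scan": 365,
}


@dataclass
class Record:
    record_id: str
    category: str
    last_activity: date
    legal_hold: bool = False  # deletion is suppressed while a hold is active


@dataclass
class RetentionLog:
    """Append-only log of retention decisions, kept for audits and reviews."""
    entries: list = field(default_factory=list)

    def add(self, action, rec, today, reason):
        self.entries.append({
            "date": today.isoformat(),
            "record_id": rec.record_id,
            "category": rec.category,
            "action": action,
            "reason": reason,
        })


def retention_deadline(rec):
    """Date on which the record becomes eligible for deletion."""
    return rec.last_activity + timedelta(days=RETENTION_DAYS[rec.category])


def apply_retention(records, today, log):
    """Return (kept_records, deleted_ids), logging every decision.

    Records in a category with no rule are kept and flagged for review rather
    than silently retained forever or deleted by accident.
    """
    kept, deleted = [], []
    for rec in records:
        if rec.category not in RETENTION_DAYS:
            log.add("review", rec, today, "no retention rule for category")
            kept.append(rec)
        elif rec.legal_hold:
            log.add("hold", rec, today, "legal hold active; deletion suppressed")
            kept.append(rec)
        elif today >= retention_deadline(rec):
            log.add("delete", rec, today, "retention period expired")
            deleted.append(rec.record_id)
        else:
            kept.append(rec)
    return kept, deleted


# Constructed sample records (not real client data).
SAMPLE_RECORDS = [
    Record("r1", "tax_return_workpapers", date(2017, 1, 15)),
    Record("r2", "tax_return_workpapers", date(2022, 3, 1)),
    Record("r3", "ai_research_query_log", date(2025, 1, 10)),
    Record("r4", "ai_research_query_log", date(2025, 5, 20)),
    Record("r5", "tax_return_workpapers", date(2015, 4, 1), legal_hold=True),
    Record("r6", "unknown_scan_type", date(2010, 1, 1)),
]


def run_example(today=date(2025, 6, 1)):
    """Run the policy over the sample store as of a fixed date."""
    log = RetentionLog()
    kept, deleted = apply_retention(SAMPLE_RECORDS, today, log)
    return kept, deleted, log


if __name__ == "__main__":
    kept, deleted, log = run_example()
    print("deleted:", deleted)
    for entry in log.entries:
        print(entry)
```

The retention log records the hold and review outcomes as well as deletions, so an auditor can see not only what was deleted but also why an expired record is still present. The "review" path matters in practice: a new data category introduced by an AI tool (a query log, an uploaded scan) is the kind of record most likely to fall outside an existing policy.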

- Did you know? Only 9% of firms are using proprietary, tax-specific GenAI tools. Privacy design offers a strategic advantage.

To maintain accuracy and accountability, verification and validation protocols should be integrated into the AI implementation process. These protocols involve regularly testing the AI system to ensure it produces accurate, reliable, and explainable results. For tax research, this means validating that search results align with current laws and rulings, and that any recommendations are consistent with authoritative sources. It is also essential to conduct bias assessments to ensure the AI is not producing skewed outputs that could affect tax decisions.

Equipping staff with appropriate training is another cornerstone of secure AI adoption. Staff must understand how AI systems interact with sensitive data, recognize risks such as phishing or social engineering, and report anomalies in system behavior. Training should go beyond general cybersecurity awareness to include specific guidance on AI usage policies, data access protocols, and ethical AI practices. This training ensures not only security but also consistent and responsible use of AI tools across the firm.

- Did you know? Only 10% of firms report using GenAI at an organizational level. Early adopters must invest in education.

Ultimately, secure AI implementation in tax research is not a one-time initiative but an ongoing practice that blends technical safeguards, operational governance, and strategic oversight. By aligning security efforts with business goals and client expectations, your firm can position itself as a trusted, future-ready advisor in an AI-driven tax landscape.

Ten best practices for ensuring data security

1. Use data encryption at all times

  • Encrypt sensitive client data both in transit and at rest using strong, modern encryption standards.
  • Regularly review and update encryption protocols to prevent vulnerabilities.

2. Implement role-based access controls

  • Limit access to AI-powered systems and sensitive data to authorized personnel only.
  • Enforce multifactor authentication for all user logins to AI-powered systems.

3. Conduct quarterly security audits

  • Perform regular audits and penetration tests to identify system vulnerabilities.
  • Document findings and track remediation efforts to ensure continuous improvement.

4. Choose a technology provider with proven security standards

  • Select AI-powered technology providers with a strong reputation for data protection and verified security certifications.
  • Ensure compliance with industry standards such as SOC 2, ISO 27001, and IRS Pub. 4557.

5. Provide ongoing staff security training

  • Integrate AI security protocols into your firm’s annual training curriculum.
  • Train staff to recognize phishing, social engineering, and data misuse risks.

6. Minimize unnecessary data collection

  • Collect only the data necessary for business and compliance purposes.
  • Regularly review and delete outdated or redundant client data to reduce exposure risk.

7. Build privacy into AI systems

  • Incorporate privacy-by-design principles when implementing AI tools.
  • Conduct privacy impact assessments to identify and mitigate risks.

8. Maintain a data breach response plan

  • Develop a clear incident response plan and review it regularly with your team.
  • Conduct breach drills to ensure quick, confident responses in real-world scenarios.
  • Empower staff to take immediate action to protect client data and firm reputation.

9. Monitor and log AI system activity

  • Set up monitoring tools to detect unauthorized access or system anomalies.
  • Regularly review logs and investigate irregular patterns to catch potential breaches early.
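Practice 9 asks firms to monitor AI system activity and review logs for irregular patterns. As an added illustration, and not code from the white paper or from any product it mentions, the script below parses a handful of constructed access-log lines from a hypothetical AI research platform and applies three review rules: an action the user's role does not permit, access outside business hours, and a single export above a bulk threshold. The log format, the role-to-action table, the 07:00-19:00 window (timestamps treated as the firm's local time) and the bulk threshold are all assumptions made for the example; a line the parser cannot read is reported as a finding in its own right.

```python
"""Added example (not from the white paper): review constructed AI-platform
access logs for the irregular patterns the practice describes.

Assumptions: the log line format, the role-to-action table, the business-hours
window (07:00-19:00, timestamps treated as the firm's local time) and the
bulk threshold are all hypothetical, chosen for illustration only.
"""
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) client=(?P<client>\S+) records=(?P<records>\d+)$"
)

# Hypothetical policy: which actions each role may perform on client data.
ALLOWED_ACTIONS = {
    "preparer": {"view", "query"},
    "reviewer": {"view", "query", "export"},
    "admin": {"view", "query", "export", "delete"},
}
BUSINESS_HOURS = (7, 19)  # [start, end) hour of day
BULK_RECORDS = 500        # exports at or above this size are flagged

# Constructed sample log lines (not real user or client identifiers).
SAMPLE_LOG = [
    "2025-06-03T09:12:40Z user=asmith role=preparer action=query client=C-1001 records=12",
    "2025-06-03T09:15:02Z user=asmith role=preparer action=view client=C-1001 records=1",
    "2025-06-03T02:14:09Z user=jdoe role=preparer action=export client=C-1021 records=1500",
    "2025-06-03T11:40:00Z user=mlee role=reviewer action=export client=C-1040 records=120",
    "2025-06-03T23:58:31Z user=mlee role=reviewer action=view client=C-1042 records=3",
    "garbled entry that does not match the expected format",
]


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["ts"] = datetime.fromisoformat(fields["ts"].replace("Z", "+00:00"))
    fields["records"] = int(fields["records"])
    return fields


def review_logs(lines):
    """Apply the review rules to each line and return a list of findings."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        ev = parse_line(line)
        if ev is None:
            # An unreadable line hides activity from review, whether it comes
            # from tampering or from a logging failure, so report it.
            findings.append({"line": line_no, "user": None, "rule": "unparsed"})
            continue
        base = {"line": line_no, "user": ev["user"]}
        if ev["action"] not in ALLOWED_ACTIONS.get(ev["role"], set()):
            findings.append({**base, "rule": "role_violation"})
        start, end = BUSINESS_HOURS
        if not (start <= ev["ts"].hour < end):
            findings.append({**base, "rule": "off_hours"})
        if ev["action"] == "export" and ev["records"] >= BULK_RECORDS:
            findings.append({**base, "rule": "bulk_export"})
    return findings


if __name__ == "__main__":
    for f in review_logs(SAMPLE_LOG):
        print(f"line {f['line']}: {f['rule']} ({f['user'] or 'n/a'})")
```

The rules are deliberately simple and deterministic so that a reviewer can explain every finding; a single event that trips several rules at once (the off-hours bulk export by a role not permitted to export) is the kind of pattern worth escalating under the breach response plan in practice 8.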

10. Keep clients informed and involved

  • Communicate your firm’s data protection measures transparently.
  • Obtain explicit consent for all data-handling activities.
  • Demonstrate your commitment to secure and responsible data practices.

Building client trust through transparent security practices

In an age where data privacy and cybersecurity are top of mind, accounting firms must actively communicate security procedures. Building and maintaining client trust hinges on clearly articulating how sensitive data is protected, how it is used, and what measures are in place to mitigate risk. Transparent security practices not only reassure your clients but also demonstrate your firm's commitment to ethical data stewardship. Let's take a look.

Communicating security measures to clients

Your clients entrust your firm with highly sensitive financial, personal, and even confidential data. Introducing AI into the mix often raises concerns. To calm fears and build confidence, proactively communicate the AI-related security protocols you have in place. This communication includes describing how data is encrypted in transit and at rest, the access controls used to protect it, and your firm's approach to data governance and retention.

In your client communications, clear and concise language should replace technical jargon whenever possible. For example, instead of detailing the specifics of an encryption algorithm, simply explain that client information is protected using banking-level encryption and that access is restricted to authorized personnel only.

Firms should also educate clients about how AI tools are used. For example, explain that AI systems assist in identifying relevant tax code changes or validating citations, but that a qualified tax professional reviews all final recommendations.

Positioning these communications as part of the client onboarding process or periodic service updates can reinforce your firm's value proposition. Whether through client welcome packets, security FAQs, or quarterly newsletters, integrating transparency into your ongoing client communication strategy turns security from an afterthought into a feature that differentiates your firm.

Documentation and disclosure best practices

Documentation is a powerful tool not only for internal compliance but also for demonstrating accountability to clients. When using AI-powered tax research tools, maintain documentation outlining the types of data collected, how that data is processed, and which third parties, if any, have access. This documentation becomes particularly important if client data is stored or analyzed through cloud-based platforms.

A best practice is to create a security policy summary or "data usage overview" document explicitly tailored for clients. This disclosure should highlight what types of client data are used within AI tools, how privacy is preserved, and what controls are in place to prevent misuse. Include statements on compliance with relevant regulations, such as IRS Pub. 4557, to further reinforce client confidence.

Some firms may also consider using data processing agreements (DPAs) or confidentiality addenda in client contracts to formalize their commitment to secure and responsible data handling. These documents not only protect the firm but also create clarity for clients, particularly business clients with their own compliance obligations.

Demonstrating compliance with industry standards

Firms that adopt AI tools should ensure their practices align with industry benchmarks for security and compliance. Demonstrating this alignment to clients strengthens your firm's credibility and eases client concerns about AI adoption. At a minimum, vet AI vendors for compliance with recognized security standards such as:

  • SOC 2. This certification indicates that the vendor maintains stringent controls for security, availability, and confidentiality.
  • ISO/IEC 27001. This is an international standard for information security management systems.
  • IRS Publication 4557. These guidelines are specifically tailored for protecting taxpayer data.

Communicating compliance with these standards in your marketing materials, proposals, and client onboarding documents can lay a foundation for trust. It signals to clients that your firm takes cybersecurity seriously.

Another valuable tactic is to provide third-party audit summaries or certification reports during due diligence processes with larger or more security-conscious clients. For small and medium-sized firms, simply listing the credentials of the AI tools you use — for example, noting that Thomson Reuters CoCounsel is built on SOC 2-certified architecture — can provide reassurance.

Responding to client security concerns

Despite your best efforts, some clients will have lingering questions or even skepticism about AI-enabled systems. Your firm must be prepared to respond thoughtfully and thoroughly to these concerns. The key is to treat client inquiries not as objections, but as opportunities to demonstrate transparency, professionalism, and technical understanding.

Creating an internal knowledge base or client-facing FAQ that addresses common questions about AI and data security can streamline this process. Consider these examples:

Question. Does AI read all of my data?
Answer. AI tools only analyze information needed for the specific research or task at hand, and sensitive data is never used to retrain public models.

Question. Is my data stored or shared outside the firm?
Answer. All data is stored securely within U.S.-based servers and is not shared with any external third parties unless explicitly authorized.

When concerns escalate, designate a security liaison or subject matter expert within your team to handle the conversation. Demonstrating empathy and clarity during these exchanges not only retains client confidence but can also help turn cautious clients into long-term advocates of your firm's security practices.

A balanced approach to innovation and security

As accounting firms embrace AI to transform tax research and client service, they must do so with data security at the forefront. A balanced approach where technology is integrated strategically, and security is treated as an ongoing commitment, paves the way for firms to thrive in today's digital-first landscape.

To achieve this balance, firms should ground their AI initiatives in several foundational principles:

  • Data stewardship is non-negotiable. Client trust hinges on how data is handled. Secure AI implementation must prioritize privacy, transparency, and regulatory compliance from day one.
  • Security is proactive, not reactive. Regular audits, staff training, and system validation reduce the risk of breaches and reinforce a culture of accountability.
  • AI enhances but doesn't replace expertise. AI tools can significantly streamline research and improve accuracy, but human judgment remains central to compliance and advisory work.
  • Clear governance ensures consistent practices. Establishing internal policies around AI use, data access, and retention supports risk mitigation and regulatory alignment.
  • Transparency builds client confidence. The more clients understand how their data is protected and how AI is used, the more likely they are to support your firm's technology-forward approach.

Action steps for tax and accounting professionals

Ready to take the next step and integrate AI responsibly into your firm? If so, it's necessary to move forward with both innovation and security in mind. While AI can bring significant efficiency gains to your tax and accounting workflows, it also comes with serious responsibilities.

With a few thoughtful steps, you can make sure your firm is using AI tools wisely, securely, and in a way that builds long-term trust with your clients. Here's how to get started:

  • Evaluate your current security controls. Identify any gaps in data encryption, access management, or audit logging and take corrective action.
  • Conduct due diligence on AI vendors. Ask vendors about certifications, data handling protocols, and their approach to privacy by design.
  • Update client-facing documents. Revise engagement letters, privacy notices, and security policies to reflect AI usage and protections.
  • Train your team. Ensure staff understand both how to use AI tools responsibly and how to communicate about them to clients.
  • Create a security incident response plan. Be prepared for potential breaches or client concerns with a clear communication and containment strategy.
  • Adopt tax-specific AI solutions. Leverage tools purpose-built for accounting, such as Checkpoint Edge with CoCounsel, which offer both domain expertise and robust security controls.

Firms that take these steps position themselves not only to reap the benefits of AI-driven efficiency but to do so in a way that aligns with professional ethics and long-term client relationships.

Take the next step with confidence

As the pace of innovation accelerates, so does the responsibility to protect the sensitive financial and personal data entrusted to you. With AI-powered tools like Thomson Reuters CoCounsel, your firm can embrace this evolution securely and confidently.

Purpose-built for the unique demands of tax and accounting professionals, CoCounsel combines trusted proprietary content, advanced compliance safeguards, and explainable AI to deliver faster, smarter, and more secure research outcomes.

Now is the time to elevate your tax research, protect your clients' most valuable information, and future-proof your practice against both emerging threats and rising client expectations. With CoCounsel, you gain more than just AI — you gain a trusted partner in building a resilient, ethical, and high-performing firm.

Ready to lead with confidence? Learn more about how CoCounsel supports secure, AI-driven tax research.
