Five things to put in place before you run client work through AI, and a plain-English walkthrough of what each one is, why it matters, and how to set it up. Download the template, customize it with AI in minutes, and have your counsel review.
The moment client data meets AI, four professional duties attach. These five artifacts cover all four. Anytime you bring a new technology into your practice, it's important to be set up properly first and to document the reasonable steps you've taken. This is the boring part that makes the rest safe.
Work them in order; they build on each other. The flow is the same every time: download the file, attach it to the AI tool you use most, and paste the prompt. It fills in what it can, asks you the rest, and hands you a draft to review. Then have your own counsel review before you adopt it. Educational, not legal advice.
Your firm's rulebook for AI: which tools are approved, what data may go in, who reviews. Adopt this one first.
Why it matters. Without a written policy, everyone improvises and the riskiest habit (pasting client data into a free chatbot) quietly becomes the norm. This sets the rules, names which tools are approved, and documents that your firm took reasonable, deliberate steps, which is what you want on record if anyone ever asks.
Download the file, attach it to your AI model of choice, and paste this prompt:
I've attached my firm's AI Use Policy template. Help me fill it in. First, fill in everything you reasonably can from what you already know about my firm, and tell me the assumptions you made. Then ask me, one at a time, only what you still need (our firm name, the AI tools we use, who owns the policy, any rules to add). Keep all the compliance language and the disclaimer intact, then give me a clean draft to review and edit before I adopt it.
The due-diligence questions to clear before any new AI tool touches client data.
Why it matters. "It's a big company" is not due diligence. These are the questions that actually decide whether a tool is safe for client data: does it train on your inputs, is there a DPA, where does the data live, is there a SOC 2? The FTC Safeguards Rule requires you to vet your providers.
Download the file, attach it to your AI model of choice, and paste this prompt:
I've attached my firm's AI Vendor Checklist. I'm evaluating [VENDOR / TOOL] for client work. Fill in everything you can from what you know about it, and clearly flag anything you can't verify. Then ask me, one at a time, only what you still need, and tell me where to find each answer in the vendor's published terms (privacy policy, DPA, trust center, SOC 2). Give me a draft decision, the residual risks, and a re-review date for me to review and edit.
Folds AI into your Written Information Security Plan, required under the FTC Safeguards Rule.
Why it matters. If you handle client financial data, a Written Information Security Plan is required under the FTC Safeguards Rule, and the IRS requires one for paid preparers. AI tools are now part of where client data flows, so this folds them into your WISP, describing the safeguards you actually have.
Download the file, attach it to your AI model of choice, and paste this prompt:
I've attached a WISP AI addendum template. Help me fill it in, but only with controls we actually have. First fill in what you can, then ask me, one at a time, which safeguards we have (MFA, encryption, access controls, backups, training) and our firm details. Mark anything we do not have yet as "TO IMPLEMENT" rather than claiming it, list those gaps as a punch list, and give me a clean draft to review before I adopt it.
Tells clients you use vetted AI and service providers. Drop it into your engagement letters.
Why it matters. A short, calm way to tell clients you use vetted AI tools and service providers. It sets expectations and documents that they were informed, without either staying silent or overpromising. It's a disclosure, not a §7216 consent (that's step 5).
Download the file, attach it to your AI model of choice, and paste this prompt:
I've attached a Client AI Disclosure template (a plain-language client notice and an engagement-letter clause). Ask me whether I want the notice, the clause, or both, plus my firm name and contact info, then fill it in. Remind me that this is a disclosure, not a §7216 consent, and give me a clean draft to review and edit.
Needed when an AI use discloses tax return info to a third party with no exception. Individuals (1040) use the prescribed AICPA form; business clients are more flexible.
No file to download for this one. Just paste this prompt to your AI model of choice:
Help me with a §7216 consent question. My AI use is [describe what you're doing and whether tax return information goes to a third party]. First, tell me whether I even need a consent (many uses fit a §301.7216-2 exception). If I do, do NOT draft the prescribed language yourself; it must come from the official AICPA form. Instead, walk me through the required elements and whether my client is an individual (1040, prescribed wording) or a business (non-1040, more flexible), so I can complete the official form, then I'll review it.
Then build freely. Use the Safe-Use Planner for the case-by-case "can this go into AI?" calls, and the Redactor to anonymize client data before it ever reaches a tool.