Five things to put in place before you run client work through AI, and a plain-English walkthrough of what each one is, why it matters, and how to set it up. Download the template, customize it with AI in minutes, and have your counsel review.
The moment client data meets AI, four professional duties attach. These five artifacts cover all four. Put them in place once, document that you took reasonable steps, and you can use AI on real work with confidence. This is the boring part that makes the rest safe.
Work them in order; they build on each other. The flow for each is the same: download the template, upload it to Claude (or your firm's AI tool), and run the prompt to tailor it to your practice. Then have your own counsel review before you adopt it. Educational, not legal advice.
When: adopt this first, the other pieces reference it.
Why it matters. Without a written policy, every staff member improvises, and the riskiest habit (pasting client data into a free chatbot) quietly becomes the norm. A policy makes the safe path the standard, sets which tools are allowed, and documents that your firm took reasonable, deliberate steps, which is exactly what you want on record if anyone ever asks.
Upload the downloaded file to Claude, then paste this:
I've attached my firm's AI Acceptable-Use Policy template. Act as a compliance-savvy assistant (not a lawyer); do not invent legal requirements. Ask me, one group at a time: (a) firm legal name, effective date, and who owns the policy; (b) every AI tool we use or plan to use, and for what; (c) which of those are on a business/enterprise plan that contractually does not train on our data; (d) any firm-specific rules to add. Then fill in every [bracket], tailor the Approved Tools and Permitted/Prohibited Uses to my real tools, keep all compliance language intact (IRC §7216, FTC Safeguards/WISP, AICPA, verification, human review), flag anything I should confirm with counsel, keep the disclaimer, and output the finished policy in full.
When: before any new AI tool touches client data.
Why it matters. "It's a big company" is not due diligence. The questions that actually decide whether a tool is safe (does it train on your inputs? is there a data-processing agreement? where does the data live, and which sub-processors see it? is there a current SOC 2 report?) are the line between a defensible choice and a confidentiality breach. The FTC Safeguards Rule explicitly requires you to oversee your service providers, so this step is not optional.
Upload the checklist, then paste this with the tool you're evaluating:
I've attached my firm's AI Vendor Due-Diligence Checklist. I'm evaluating [VENDOR / TOOL] for client work. Go through it item by item: for each, tell me what to look for and where it usually lives in a vendor's published terms (privacy policy, DPA, trust center, sub-processor list, SOC 2), and draft the specific questions I should send the vendor. Do not state what this vendor's terms say unless I paste them in; flag every item you cannot verify from a primary source. End with a draft decision, the residual risks, and a re-review date.
When: as soon as an approved AI tool is in your workflow.
Why it matters. If you prepare returns or otherwise handle client financial data, you are a "financial institution" under the FTC Safeguards Rule and must maintain a Written Information Security Plan, and the IRS separately requires paid preparers to have a data security plan. AI tools are now part of where client data flows, so a WISP that does not account for them is incomplete. One hard rule: a WISP must describe controls you actually have, not ones you wish you had.
Upload the addendum, then paste this:
I've attached a WISP AI addendum template. Help me complete it accurately. Critical rule: a WISP must describe controls we actually have, not aspirations. For each safeguard, ask me whether we have it, and mark anything we do not yet have as "TO IMPLEMENT" rather than claiming it. Interview me for: firm name, the Qualified Individual, our data inventory (where client data lives), and which safeguards are in place (MFA, encryption, access controls, backups, training). Fill in the brackets, produce a punch list of the "TO IMPLEMENT" gaps, keep the disclaimer, and remind me to have counsel review before adopting.
When: add it to your engagement letters going forward.
Why it matters. Telling clients you use vetted AI and service providers is both good practice and supports your professional obligations. A short, calm disclosure sets expectations, documents that clients were informed, and avoids the two failure modes: saying nothing, or overpromising. It is a disclosure, not a consent; the two are different (see step 5).
Upload the disclosure, then paste this:
I've attached a Client AI Disclosure template with two options: a plain-language client notice and an engagement-letter clause. Ask me which I want (one, the other, or both), my firm name, and my client contact info. Customize the bracketed items. Remind me that if my AI use discloses tax return information to a third party, IRC §7216 may require a separate signed consent, and this disclosure does not replace that. Output the finished version.
When: before any disclosure of tax return information to a third party that no §301.7216-2 exception covers.
Why it matters. §7216 is the highest-stakes item here because it carries criminal exposure. If an AI use discloses a client's tax return information to a third-party service and no §301.7216-2 exception applies, you need a valid signed consent first, or the disclosure itself is the offense. Many AI uses fit an exception and need no consent, so the first job is knowing which case you're in.
Paste this to figure out whether you need a consent and how to complete the official form:
Help me with a §7216 consent question. First, help me decide whether I even need one: my AI use is [describe what you're doing and whether tax return information is disclosed to a third party]. If it fits a §301.7216-2 exception, tell me a separate consent may not be required. If it does need a consent, do NOT draft the mandatory statements yourself; they are prescribed by Rev. Proc. 2013-14 and must be taken verbatim from the AICPA official sample form. Instead, walk me through the required elements and help me identify, for this client: whether they are an individual (1040 series, where the mandatory consumer-protection language applies) or a business entity (non-1040, more flexible), the specific AI vendor as the recipient, the specific information, the purpose, and the duration, so I can complete the official form correctly.
Then build freely. Use the Safe-Use Planner for the case-by-case "can this go into AI?" calls, and the Redactor to anonymize client data before it ever reaches a tool.
Can this client data go into AI as-is, or do you need to anonymize or get consent first? A four-question read with the governing cite.
Strip a client's identity from a note before any of it goes to AI, entirely in your browser.
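To make concrete what "strip a client's identity before it reaches a tool, entirely in your browser" involves, here is a small reversible redactor, added as an illustration; it is not the page's Redactor and not the site's own code. The identifier patterns, the stopword list, the client names and the sample note are all constructed for the example. It replaces structured identifiers (SSN, EIN, email, phone) and a list of known client names with numbered placeholders, keeps the placeholder-to-original map locally so the AI's answer can be re-identified afterwards, and runs a second pass that flags leftovers the rules cannot catch (such as a nine-digit number typed without dashes) so a person reviews before anything is sent.

```javascript
// Added example of client-side redaction (not the page's Redactor tool).
// Runs in a browser or in Node; nothing here makes a network call.
// Patterns, stopwords, client names and the sample note are constructed.

const PATTERNS = [
  // Most specific first, so an SSN is never half-consumed by the phone rule.
  { label: "SSN",   re: /\b\d{3}-\d{2}-\d{4}\b/g },
  { label: "EIN",   re: /\b\d{2}-\d{7}\b/g },
  { label: "EMAIL", re: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/g },
  { label: "PHONE", re: /\(?\b\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b/g },
];

// Name tokens that identify nobody on their own (hypothetical list).
const NAME_STOPWORDS = new Set(["llc", "inc", "corp", "the", "and", "co"]);

const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// Full names first (longest wins), then each name's own tokens, so that a
// bare "Jane" later in the note is caught as well as "Jane Doe".
function nameTerms(knownNames) {
  const byLength = (a, b) => b.length - a.length;
  const full = [...new Set(knownNames)].sort(byLength);
  const tokens = new Set();
  for (const name of knownNames) {
    for (const tok of name.split(/\s+/)) {
      if (tok.length >= 3 && !NAME_STOPWORDS.has(tok.toLowerCase())) tokens.add(tok);
    }
  }
  return full.concat([...tokens].sort(byLength));
}

// Returns the redacted text plus a placeholder -> original map that stays local.
function redact(text, knownNames = []) {
  const map = new Map();   // "[SSN_1]" -> "123-45-6789"
  const seen = new Map();  // "SSN:123-45-6789" -> "[SSN_1]" (same value, same tag)
  const counters = {};
  const placeholder = (label, value) => {
    const key = `${label}:${value.toLowerCase()}`;
    if (seen.has(key)) return seen.get(key);
    counters[label] = (counters[label] || 0) + 1;
    const ph = `[${label}_${counters[label]}]`;
    seen.set(key, ph);
    map.set(ph, value);
    return ph;
  };
  let out = text;
  // Structured identifiers first, so an email is replaced whole before the
  // name pass could chop "jane" out of "jane.doe@example.com".
  for (const { label, re } of PATTERNS) {
    out = out.replace(re, (m) => placeholder(label, m));
  }
  for (const term of nameTerms(knownNames)) {
    out = out.replace(new RegExp(`\\b${escapeRe(term)}\\b`, "gi"), (m) => placeholder("NAME", m));
  }
  return { text: out, map };
}

// Puts originals back into AI output that still carries the placeholders.
function restore(text, map) {
  return text.replace(/\[(?:NAME|SSN|EIN|EMAIL|PHONE)_\d+\]/g, (ph) => map.get(ph) ?? ph);
}

// Final check before sending: anything the rules above may have missed,
// e.g. a nine-digit SSN typed without dashes. Non-empty means "review by hand".
function residue(text) {
  const hits = [];
  for (const m of text.matchAll(/\b\d{7,}\b/g)) hits.push(m[0]);
  for (const { re } of PATTERNS) for (const m of text.matchAll(re)) hits.push(m[0]);
  return hits;
}

// Constructed sample note and client list (hypothetical people and firm).
const SAMPLE_NOTE = [
  "Call Jane Doe (SSN 123-45-6789) at 555-123-4567 or jane.doe@example.com",
  "re: Doe Consulting LLC, EIN 12-3456789. Jane asked about her 2023 refund;",
  "prior-year ref 987654321.",
].join(" ");
const CLIENT_NAMES = ["Jane Doe", "Doe Consulting LLC"];

const result = redact(SAMPLE_NOTE, CLIENT_NAMES);
console.log(result.text);
console.log("review before sending:", residue(result.text));
```

Running it prints the note with seven placeholders and flags `987654321`, which none of the dash-based rules recognise; that leftover is the point of the second pass. Pattern-and-list redaction handles structured identifiers and names you already know about; addresses, nicknames, unusual formats and context that identifies a client indirectly still need a human read before the text leaves the machine.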
Set up and want more? The full Library has copy-paste workflows for client work, hands-on labs, and the compliance deep-dive.
Explore the Library