
Lesson 10: Local AI Models: The Compliance Shortcut and Its Limits



The most important emerging topic with no formal IRS guidance


Learning Objectives

After completing this lesson, you will be able to:


What "Local AI" Means

"Local AI" refers to AI models where:

  1. The model weights run on hardware you control: your firm's server, workstation, or laptop
  2. Inference (processing) occurs on your machine: no query goes to an external server
  3. Data does not leave your network: prompts, client data, and outputs remain within your infrastructure

This is distinct from:

Common local AI platforms for practitioners:

Common local models:

Here is the complete step-by-step argument for why genuinely local AI does not trigger §7216's disclosure prohibition:

Step 1: IRC §7216(a) prohibits a tax return preparer from "disclos[ing] any information furnished to him for, or in connection with, the preparation of any such return."

Step 2: The definition of "disclosure" in Treas. Reg. §301.7216-1(b)(5) is: "the act of making tax return information known to any person in any manner whatever."

Step 3: The definition turns on the word "person." IRC §7701(a)(1) defines "person" as: "an individual, a trust, estate, partnership, association, company, or corporation." This list is exhaustive for purposes of the Code.

Step 4: Software model weights running on your hardware are none of these. A local AI model is:

Step 5: Therefore, running a prompt containing client tax data through a local AI model does not make that information "known to any person" within the meaning of §301.7216-1(b)(5).

Step 6: Therefore, the disclosure prohibition is not triggered, and §301.7216-3 consent is not required for the local AI analysis itself.

This is a textual, plain-language reading of existing regulations. It does not rely on any IRS guidance, revenue ruling, or interpretation that is specific to AI, because none exists. It applies the definitions Treasury established in 2009/2012 to a technology that did not exist then.

The Potential Counterarguments and Why They Are Weak

Counterargument 1: "The model company is a person who created the model weights."

This argument would say that because Anthropic, Meta, or Microsoft created the model weights, and those companies are "persons" under §7701(a)(1), using their model constitutes making information known to them.

Why it is weak: The disclosure definition requires making information known to a person. The company that distributed the model weights does not "know" what you do with them after download, particularly if there is no telemetry or reporting back. The act of downloading software that a company created and then using that software on your local hardware does not make information known to the company that wrote the software. Under this argument, using Microsoft Word would constitute a disclosure to Microsoft every time you drafted a client engagement letter. That cannot be the correct reading.

Counterargument 2: "The cloud infrastructure that supports local model distribution is a 'person.'"

This argument notes that even "local" models may initially be downloaded from a cloud repository and may receive updates over the internet.

Why it is weak: The one-time download of model weights from a repository, with no client data transmitted during that download, does not constitute a disclosure. The analysis under §301.7216-1(b)(5) turns on what data is transmitted, not what software was obtained from whom. If no client data ever traverses the network connection to the model vendor, no disclosure occurs.

What "Genuinely Local" Requires

For the local-model §7216 argument to hold, the following must be true:

  1. No telemetry with prompt content: The model must not send prompt text, completions, or any content back to the model provider. Many models are entirely local by default; confirm this for any model you deploy.

  2. No cloud fallback: The model must not automatically send requests to a cloud endpoint if local processing is slow or fails. Some tools have optional or default cloud fallback; disable it.

  3. No hosted RAG (Retrieval-Augmented Generation): If you are using a retrieval-augmented system where documents are uploaded to a cloud vector database, the client data leaving for the cloud server is a disclosure. Local RAG implementations (where the vector database runs on your hardware) do not have this problem.

  4. No remote OCR: If OCR (optical character recognition) of scanned documents is handled by a cloud service, those documents, including client data, are being disclosed to that service.

  5. Firm network control: The inference must occur on hardware that is within your firm's control, not on a shared network resource operated by a third party.

COMPLIANCE NOTE: Before deploying a "local" AI tool, run it with network monitoring active (e.g., Wireshark or a similar tool) to confirm that no data leaves your network during normal operation. The vendor's documentation is a starting point, but verification is better practice.
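
One way to triage a socket snapshot taken while the tool is processing a prompt, in support of the monitoring check above (an added example, not part of the original lesson). The `ss -tnp` capture is constructed, and the process names, addresses and the 192.168.10.0/24 firm LAN are assumptions.

```python
import ipaddress
import re

# Constructed `ss -tnp` capture; process names and addresses are hypothetical.
SAMPLE_SS = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 127.0.0.1:11434 127.0.0.1:52144 users:(("ollama",pid=2211,fd=9))
ESTAB 0 0 127.0.0.1:52144 127.0.0.1:11434 users:(("python3",pid=3050,fd=5))
ESTAB 0 0 192.168.10.20:40112 192.168.10.5:5432 users:(("rag-indexer",pid=3102,fd=7))
ESTAB 0 0 192.168.10.20:51820 203.0.113.40:443 users:(("rag-indexer",pid=3102,fd=11))
ESTAB 0 0 [::1]:8080 [::1]:39000 users:(("ocr-worker",pid=3200,fd=4))
ESTAB 0 0 192.168.10.20:51900 198.51.100.7:443 users:(("ocr-worker",pid=3200,fd=6))
"""

FIRM_NETWORKS = ("192.168.10.0/24",)  # assumption: ranges the firm itself controls


def split_host_port(endpoint):
    """Split 'host:port' or '[v6]:port' (optionally with a %zone) into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.split("%")[0].strip("[]"), int(port)


def external_peers(ss_output, firm_networks=FIRM_NETWORKS):
    """Return (process, peer_ip, peer_port) for established TCP connections
    whose peer is neither loopback nor inside a firm-controlled network."""
    nets = [ipaddress.ip_network(n) for n in firm_networks]
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue  # header, listeners, and other states are out of scope here
        host, port = split_host_port(fields[4])
        ip = ipaddress.ip_address(host)
        if ip.version == 6 and ip.ipv4_mapped:
            ip = ip.ipv4_mapped  # treat ::ffff:127.0.0.1 as 127.0.0.1
        if ip.is_loopback or any(ip in net for net in nets):
            continue
        proc = re.search(r'\(\("([^"]+)"', line)  # absent without privileges
        findings.append((proc.group(1) if proc else "unknown", str(ip), port))
    return findings


if __name__ == "__main__":
    for proc, ip, port in external_peers(SAMPLE_SS):
        print(f"REVIEW: {proc} -> {ip}:{port} leaves the firm network")
```

A snapshot only shows connections open at the moment of capture and says nothing about payload content, so repeat it during inference and treat each hit as a lead to follow up with packet capture.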

What Local Models Do NOT Eliminate

Being on a local model removes the §7216 disclosure concern (under the analysis above) but does not eliminate other compliance obligations:

| Obligation | Does Local AI Eliminate It? | Why |
|---|---|---|
| §7216 use prohibition | No | Using client data for purposes other than return preparation (e.g., training a custom model) is still a "use" violation |
| WISP endpoint controls | No | Your WISP must address AI tool security regardless of deployment model |
| §10.22 due diligence | No | You still must review AI outputs and verify accuracy |
| SSTS §1.4 member responsibility | No | You remain responsible for positions taken on the return |
| §10.35 competence | No | You must understand the local model tool well enough to use it competently |
| §10.36 firm procedures | No | Adequate AI use procedures are required regardless of local vs. cloud |
| ET §1.700.001 | Potentially No | The AICPA confidentiality threat/safeguards analysis must be applied; if the model is genuinely controlled by your firm, threats may be reduced to acceptable levels, but this must be analyzed |
| Georgia Rule 20-12-.11 | Potentially No | May be satisfied if the firm controls the model and data does not leave firm control |

The Honest Guidance Gap Statement

⚠️ GUIDANCE GAP: As of June 2026, no revenue ruling, notice, FAQ, or Chief Counsel memorandum addresses whether local or cloud AI constitutes a "disclosure" under §7216. The local-model conclusion rests entirely on applying 2012-era regulations by their plain terms: software is not a "person" under §7701(a)(1). That is a sound and textually defensible argument, and the IRS has not asserted the contrary. But it does not have IRS blessing. No one should represent to clients, colleagues, or regulators that the IRS has approved or endorsed local-model use as outside §7216. Confirm any reliance on this analysis with counsel or your E&O carrier before building your practice around it.

Risk Comparison Table

| AI Deployment | §7216 Disclosure? | Consent Needed? | WISP Obligation? | Best for... |
|---|---|---|---|---|
| Consumer cloud AI (ChatGPT Free/Plus) | Yes, disclosure occurs | Yes (if no exception) | Yes | General tasks only; NOT for client data |
| Enterprise cloud AI with DPA (e.g., Copilot, ChatGPT Enterprise) | Likely yes, disclosure occurs | Yes, but auxiliary exception possible if non-substantive | Yes, including vendor oversight | Cloud AI + proper paperwork path |
| Cloud AI with enterprise DPA + valid §7216 consent | Disclosure occurs but authorized | Consent already obtained | Yes | Full compliance path with cloud AI |
| Genuinely local AI (no telemetry, no cloud fallback) | Likely no, no "person" receives data | Not triggered under local analysis | Yes | Best §7216 position, but other obligations remain |

Practical: Hardware and Tools

What hardware do you need for local AI?

For models in the 7B–13B parameter range (capable of meaningful tax research support):

Practical capability for tax practice:

Local models at the 7B–13B parameter level are capable of:

Local models at this size are not as capable as the best cloud models (GPT-4, Claude 3.7 Sonnet, Gemini 2.0 Ultra) for complex multi-step legal reasoning. The compliance benefit of local deployment comes with a capability tradeoff.

📌 PRACTICE TIP: A reasonable approach for a small firm: use a genuinely local model for all work involving client-specific data (drafting letters, organizing data, summarizing documents), and use cloud AI with appropriate DPAs and consent for research and general tasks that do not involve client-specific information.


Key Takeaways


Quick Review

Q1: You run Ollama on your firm's workstation with the Llama 3.3 70B model. Network monitoring confirms no prompt data leaves your network during inference. You paste a client's full Schedule C data into a local prompt for help drafting a depreciation memo. Is this a §7216 disclosure?

Answer: Under the plain-text legal analysis: No. The information was not made "known to any person" because the model weights running on your workstation are not a "person" under §7701(a)(1). However: (1) this has no IRS guidance confirming it; (2) you must still comply with SSTS §1.4, §10.22, and other professional standards; and (3) confirm with counsel before relying on this as your compliance strategy.

Q2: You use LM Studio to run a local model. You discover that LM Studio has an optional telemetry setting that was enabled by default, which sends usage statistics, but not prompt content, to the LM Studio servers. Does this affect the §7216 analysis?

Answer: If only usage statistics (not prompt content) are sent, the §7216 analysis is unchanged: the client's tax return information has not been made known to another person. However, confirm what "usage statistics" includes in the vendor's documentation. If any portion of the prompt, client name, or identifying information could be included in telemetry data, you have a potential disclosure issue.

Q3: You run a local Ollama instance for drafting and research. However, you use a cloud-hosted vector database service to store and search your client files for retrieval-augmented generation. Is this setup "genuinely local"?

Answer: No. The cloud-hosted vector database is a third-party server receiving your client files. Uploading client files to the vector database is a disclosure under §301.7216-1(b)(5). This setup is not genuinely local from a §7216 perspective.

Q4: True or false: A local AI model eliminates the need for your firm to have AI-related procedures in its WISP.

Answer: False. The WISP must address all AI tools used in the practice, including local models. Security risks associated with local models (endpoint security, access controls, physical security of the workstation, data retention) are all WISP concerns regardless of whether the model is local or cloud-based.

Q5: A local AI model summarizes a client's K-1 incorrectly, attributing ordinary income as capital gain. The CPA does not review the summary carefully and files the return with the incorrect characterization. The CPA's defense is that the local model is not a "person" under §7216, so there was no unauthorized disclosure and therefore no violation. Evaluate this defense.

Answer: The defense misses the point. The §7216 disclosure analysis may support the local model position, but the issue here is not §7216; it is §10.22 (due diligence), SSTS §1.4.4 (member responsibility regardless of tool use), and potentially §10.35 (competence). The local-AI §7216 argument is only relevant to the disclosure element. It does not excuse the practitioner from reviewing AI outputs, verifying accuracy, and applying professional judgment. The CPA has failed to meet professional standards regardless of the §7216 analysis.




The AI Lab for Accountants · An educational resource, not legal or tax advice.