Security & Compliance Starter Kit

The single most-requested, highest-trust deliverable from the AI Lab findings: everything a firm needs to use AI on client work defensibly, in one place. Adopt these five artifacts and you've covered the four obligations that attach when client data meets AI: IRC §7216/§6713, the FTC Safeguards Rule/WISP, the AICPA Code & SSTS, and Circular 230.

Every piece is grounded in, and cross-referenced to, the verified Regulatory Foundation. None of it is legal advice: replace every [BRACKET], delete what doesn't fit, and have your own counsel review it against your state board before adopting.

What's in the kit

#  Artifact                        What it does                                                                                                    Status
1  AI Acceptable-Use Policy        The firm-wide rules: which tools are approved, what data may go in, who reviews                                ✅ template
2  §7216 Consent (elements)        What a valid consent must contain, for when an AI use falls outside a §301.7216-2 exception                   ✅ template
3  Engagement-Letter AI Clause     The client-facing disclosure that you use vetted technology/providers (satisfies AICPA ET §1.150.040 notice)  ✅ new
4  WISP AI Addendum                The appendix that folds AI into your Written Information Security Plan, mapped to FTC Safeguards §314.4       ✅ new
5  Vendor Due-Diligence Checklist  The questions to clear before routing client data to any AI vendor                                             ✅ new

How the five fit together

   Engagement letter  ──▶  tells the client you use vetted AI/providers   (ET §1.150.040)
            │                and, where required, carries/points to the §7216 consent
            ▼
   §7216 consent      ──▶  obtained BEFORE any disclosure that needs it    (§301.7216-3)
            │
            ▼
   AI Acceptable-Use  ──▶  governs staff: approved tools, prohibited data, review
       Policy                    │
            │                    ▼
            ▼            Vendor Due-Diligence  ──▶  clears each tool before client data goes in
   WISP AI Addendum  ◀───────────┘                 (the 4 questions + 10-point diligence)
        folds it all into your written security program  (FTC Safeguards §314.4)

Deploy it (the 5-step rollout)

  1. Adopt the AI Acceptable-Use Policy, name your Qualified Individual, and list approved tools.
  2. Run every AI tool through the Vendor Due-Diligence Checklist before it touches client data.
  3. Add the WISP AI Addendum to your written security plan; log each approved tool.
  4. Add the Engagement-Letter AI Clause to your letter set; obtain a separate §7216 consent where an AI use falls outside an exception (use the ai-use-checker to determine which uses need one).
  5. Train staff on the policy and the "anonymize-or-approved-tool" default; keep redactor handy for the anonymize path.

The standing duties this kit operationalizes

Built for the AI Lab for Accountants. Educational templates, not legal advice: customize and get counsel review before adopting.