Practice Management

AI Adoption for CPA Firms: A Roadmap for Introducing AI Into Your Firm

July 10, 2026
·
Andrew Sedlacek, CPA
·
7
min read

Generative AI has crossed from novelty to normal in tax and accounting. Organization-wide adoption nearly doubled in a year, to roughly 40% of professionals, and about a third of tax firms already use it in client work. The open question is no longer whether to adopt, but how. And for anyone weighing AI adoption for CPA firms, the answer is not a tool purchase. It is a process.

On June 24, 2026, the IRS Office of Professional Responsibility made that point official. OPR Alert 2026-19 confirms that every duty you already carry under Circular 230, including diligence, competence, confidentiality, and reasonable fees, stays exactly where it was when you hand part of the work to a machine. AI changes how the work gets done. It does not change who is responsible for it.

The firms that come out ahead treat adoption as a deliberate sequence: assess, select, pilot, govern, scale. Here is how to run it.

Start with the work, not the tool

Do not start by shopping. Start by mapping where your team's hours actually go, then target the high-volume, low-judgment work first. That is where AI earns its keep without risking your signature.

Across the profession, the heaviest use clusters in a few places: tax research, first-draft return preparation, document intake and extraction, and reconciliations. They are repetitive, verifiable, and easy to review.

Before you evaluate a single vendor, decide what success looks like. Most firms skip this. Only about 18% track any return on their AI investment, and another 40% do not know whether anyone is measuring it at all. Pick two or three metrics you will actually watch: hours saved per return, review time, and turnaround. If you cannot say what you are measuring, you cannot tell whether the tool is working.

Vet AI tools like a service provider, not a gadget

An AI tool that touches client data is not office software. It is a service provider under your data-security obligations, and must clear the same bar.

Two rules do the heavy lifting; the full criteria for vetting AI tax software sit alongside them. First, confidentiality. Under IRC sections 7216 and 6713, unauthorized disclosure or use of tax return information carries civil and criminal penalties, and Circular 230 section 10.51(a)(15) treats willful violations as disreputable conduct. Free, consumer-grade tools that train on their inputs do not meet the standard, because client data can be retained, reused, or exposed. Keep taxpayer identifiers out of any tool that is not covered by a written data agreement.

Second, security. The FTC Safeguards Rule (16 CFR Part 314) classifies tax preparers as financial institutions and requires documented oversight of the service providers who handle client data. Adopting an AI tool is a material change that should trigger a review of your written information security plan, the WISP the IRS describes in Publication 5708. Get the vendor's terms in writing: no training on your data, encryption in transit and at rest, multi-factor authentication, data residency, and breach notification.

One nuance: disclosing return information to a U.S.-based provider that only helps prepare or process the return generally needs no client consent, though you still owe that provider the written 7216 and 6713 notice. Consent is required if the provider makes substantive determinations or sits offshore.

Pilot before you scale

Resist the urge to roll a tool out firm-wide on day one. Run a contained pilot: one or two workflows, a handful of experienced users, a fixed window, and the success metrics you set earlier.

Keep a human in the loop on everything, and treat every AI output as a first draft rather than a finished product. Circular 230 section 10.22 requires due diligence you cannot delegate to software, which means checking every figure, every citation, and every calculation, and confirming the reasoning actually fits the client in front of you. The cautionary tales are real: in a widely reported 2025 engagement, a major firm refunded part of its fee after an AI-assisted report went out with fabricated quotes and citations to sources that did not exist.

At the window's end, compare against your metrics and decide with data, not enthusiasm. Expand what worked, cut what did not.

The Circular 230 duties that shape AI adoption for CPA firms

Before you scale, write down how the firm uses AI, because the OPR alert makes clear the rulebook already exists. Here is how the core Circular 230 provisions apply once AI is in your workflow.

Circular 230 provision What it requires once you use AI
Section 10.22 (Diligence as to accuracy) Verify the facts, citations, and calculations the tool produces before any of it reaches advice, a return, a filing, or the IRS.
Section 10.35 (Competence) Understand each tool well enough to use it competently for the matter at hand: its limits, its failure modes, and when its output needs further review.
Section 10.36 (Procedures to ensure compliance) Whoever holds principal responsibility for the firm's practice must take reasonable steps to keep adequate procedures in place: an approved-tools list, secure data handling, accuracy monitoring, vendor vetting, and staff training, all documented.
Section 10.37 (Requirements for written advice) Advice must rest on reasonable factual and legal assumptions and connect the law to the relevant facts. Relying on AI reasoning or authorities you cannot examine can itself be unreasonable.
Section 10.27(a) (Fees) A practitioner may not charge an unconscionable fee in a matter before the IRS. The OPR warns that if AI reduces research or drafting time, billing for manual labor or time not actually spent, double billing for AI-assisted tasks, or failing to fairly credit AI-related cost reductions may create a section 10.27 issue depending on the facts. The risk is billing that misrepresents time, effort, or cost, not the mere use of value-based pricing.
IRC Sections 6713 and 7216; Circular 230 Section 10.51(a)(15) (Confidentiality) Do not disclose or use tax return information through unsecured, public, or unauthorized AI tools absent an exception or valid consent. Violations can bring civil and criminal penalties, and Circular 230 discipline.

In practice, that means a short written AI acceptable-use policy: which tools are approved, what data may and may not go into them, who reviews AI output and how that review is documented, and mandatory training for everyone who touches client work, including seasonal staff. It does not need to be long, only real and matched to what your firm actually does.

Two more items belong on the list. On fees, AI efficiencies belong in your billing, not in hours you did not work. And state law is moving fast, with California, Colorado, Illinois, and Utah among those enacting AI rules on transparency and consumer protection, so build in a habit of staying current.

Scale what works, and redeploy the time

Scaling is not flipping a switch. Expand tool by tool and workflow by workflow, repeating the discipline each time: update the WISP, vet the new use, retrain staff, re-measure.

The real return is not the hours saved. It is what you do with them. Firms with a documented AI strategy are roughly twice as likely to see AI-driven revenue growth as firms adopting ad hoc, because they redeploy freed-up capacity into advisory work machines cannot do: gray-area judgment, planning, and client relationships.

If the research and first-draft workflows above are where you want to start, that is exactly what Marble's Intelligence agent is built for: ask a federal or state tax question in plain English, get a citation-backed answer that links to the underlying IRC section or IRS guidance, and generate memos and client communications that are ready for your review. Get started with Marble now.

Frequently asked questions about AI adoption for CPA firms

Can I use ChatGPT or another free AI tool for client work?

Not for anything involving taxpayer information. Consumer-grade tools typically train on what you put into them, which means client data can be retained or exposed, and that runs straight into your confidentiality duties under IRC sections 7216 and 6713. Use only secure, enterprise-grade tools covered by a written data agreement, and keep client identifiers out of anything you have not vetted.

Does the IRS guidance ban AI in tax practice?

No. OPR Alert 2026-19, issued June 24, 2026, does not prohibit AI. It confirms that your existing Circular 230 duties, including diligence, competence, confidentiality, and reasonable fees, apply when you use it. You can use AI for research and drafting as long as you verify the output, understand the tool, and protect client data.

Does adopting an AI tool change my WISP obligations?

Yes. Under the FTC Safeguards Rule, an AI vendor that handles client data is a service provider subject to documented oversight, and adding one is a material change that should prompt a WISP update. Get the vendor's security terms in writing and review them at least annually.

What should we automate first?

Start with high-volume, low-judgment work that is easy to verify: tax research, document intake and extraction, first-draft memos, and reconciliations. Keep a human review step on all of it, and expand only after a pilot shows the tool holds up against your metrics.

This article is a general discussion of certain accounting and tax developments and related topics of interest and should not be relied upon as accounting or tax advice. If you require accounting or tax advice you should consult a qualified practitioner.
For permission to republish this or any other publication, contact support@marble.ai.
Marble is building AI agents to transform the tax industry.
Try the preview of our first agent Intelligence. Intelligence is an AI Tax Research assistant designed for citation backed information retrieval, research and memo drafting.