
Generative AI has crossed from novelty to normal in tax and accounting. Organization-wide adoption nearly doubled in a year, to roughly 40% of professionals, and about a third of tax firms already use it in client work. The open question is no longer whether to adopt, but how. And for anyone weighing AI adoption for CPA firms, the answer is not a tool purchase. It is a process.
On June 24, 2026, the IRS Office of Professional Responsibility made that point official. OPR Alert 2026-19 confirms that every duty you already carry under Circular 230, including diligence, competence, confidentiality, and reasonable fees, stays exactly where it was when you hand part of the work to a machine. AI changes how the work gets done. It does not change who is responsible for it.
The firms that come out ahead treat adoption as a deliberate sequence: assess, select, pilot, govern, scale. Here is how to run it.
Do not start by shopping. Start by mapping where your team's hours actually go, then target the high-volume, low-judgment work first. That is where AI earns its keep without risking your signature.
Across the profession, the heaviest use clusters in a few places: tax research, first-draft return preparation, document intake and extraction, and reconciliations. They are repetitive, verifiable, and easy to review.
Before you evaluate a single vendor, decide what success looks like. Most firms skip this. Only about 18% track any return on their AI investment, and another 40% do not know whether anyone is measuring it at all. Pick two or three metrics you will actually watch: hours saved per return, review time, and turnaround. If you cannot say what you are measuring, you cannot tell whether the tool is working.
An AI tool that touches client data is not office software. It is a service provider under your data-security obligations, and must clear the same bar.
Two rules do the heavy lifting; the full criteria for vetting AI tax software sit alongside them. First, confidentiality. Under IRC sections 7216 and 6713, unauthorized disclosure or use of tax return information carries civil and criminal penalties, and Circular 230 section 10.51(a)(15) treats willful violations as disreputable conduct. Free, consumer-grade tools that train on their inputs do not meet the standard, because client data can be retained, reused, or exposed. Keep taxpayer identifiers out of any tool that is not covered by a written data agreement.
Second, security. The FTC Safeguards Rule (16 CFR Part 314) classifies tax preparers as financial institutions and requires documented oversight of the service providers who handle client data. Adopting an AI tool is a material change that should trigger a review of your written information security plan, the WISP the IRS describes in Publication 5708. Get the vendor's terms in writing: no training on your data, encryption in transit and at rest, multi-factor authentication, data residency, and breach notification.
One nuance: disclosing return information to a U.S.-based provider that only helps prepare or process the return generally needs no client consent, though you still owe that provider the written 7216 and 6713 notice. Consent is required if the provider makes substantive determinations or sits offshore.
Resist the urge to roll a tool out firm-wide on day one. Run a contained pilot: one or two workflows, a handful of experienced users, a fixed window, and the success metrics you set earlier.
Keep a human in the loop on everything, and treat every AI output as a first draft rather than a finished product. Circular 230 section 10.22 requires due diligence you cannot delegate to software, which means checking every figure, every citation, and every calculation, and confirming the reasoning actually fits the client in front of you. The cautionary tales are real: in a widely reported 2025 engagement, a major firm refunded part of its fee after an AI-assisted report went out with fabricated quotes and citations to sources that did not exist.
At the window's end, compare against your metrics and decide with data, not enthusiasm. Expand what worked, cut what did not.
Before you scale, write down how the firm uses AI, because the OPR alert makes clear the rulebook already exists. Here is how the core Circular 230 provisions apply once AI is in your workflow.
In practice, that means a short written AI acceptable-use policy: which tools are approved, what data may and may not go into them, who reviews AI output and how that review is documented, and mandatory training for everyone who touches client work, including seasonal staff. It does not need to be long, only real and matched to what your firm actually does.
Two more items belong on the list. On fees, AI efficiencies belong in your billing, not in hours you did not work. And state law is moving fast, with California, Colorado, Illinois, and Utah among those enacting AI rules on transparency and consumer protection, so build in a habit of staying current.
Scaling is not flipping a switch. Expand tool by tool and workflow by workflow, repeating the discipline each time: update the WISP, vet the new use, retrain staff, re-measure.
The real return is not the hours saved. It is what you do with them. Firms with a documented AI strategy are roughly twice as likely to see AI-driven revenue growth as firms adopting ad hoc, because they redeploy freed-up capacity into advisory work machines cannot do: gray-area judgment, planning, and client relationships.
If the research and first-draft workflows above are where you want to start, that is exactly what Marble's Intelligence agent is built for: ask a federal or state tax question in plain English, get a citation-backed answer that links to the underlying IRC section or IRS guidance, and generate memos and client communications that are ready for your review. Get started with Marble now.
Not for anything involving taxpayer information. Consumer-grade tools typically train on what you put into them, which means client data can be retained or exposed, and that runs straight into your confidentiality duties under IRC sections 7216 and 6713. Use only secure, enterprise-grade tools covered by a written data agreement, and keep client identifiers out of anything you have not vetted.
No. OPR Alert 2026-19, issued June 24, 2026, does not prohibit AI. It confirms that your existing Circular 230 duties, including diligence, competence, confidentiality, and reasonable fees, apply when you use it. You can use AI for research and drafting as long as you verify the output, understand the tool, and protect client data.
Yes. Under the FTC Safeguards Rule, an AI vendor that handles client data is a service provider subject to documented oversight, and adding one is a material change that should prompt a WISP update. Get the vendor's security terms in writing and review them at least annually.
Start with high-volume, low-judgment work that is easy to verify: tax research, document intake and extraction, first-draft memos, and reconciliations. Keep a human review step on all of it, and expand only after a pilot shows the tool holds up against your metrics.