The Governance Gap

In 2024 and early 2025, adopting AI was optional. In 2026, not having an AI governance program is a liability.

Your external auditors will ask for it. Your liability insurance company will want to see it. Your state accountancy board is beginning to expect it. And your clients — especially those in regulated industries — will ask: "Do you have a documented AI governance framework?"

Yet when we surveyed 30+ CPA firm owners this spring, fewer than 10% had a written governance program for the AI tools they're already using.

The Risk

An AI tool makes an error in your firm's analysis. It's relayed to a client. The client relies on it and makes a business decision. When something goes wrong, the first question will be: "Did your firm have controls over how that AI tool worked?"

If the answer is "we just use it," that's a liability exposure. If the answer is "we have a documented, auditable governance framework," you're protected.

What's Now Required: The 7-Point AI Governance Framework

Based on guidance from AICPA, ISACA, EY, and your insurance carriers, here's what a basic AI governance program for CPA firms must include:

Your AI Governance Checklist

1. Written AI Policy — A documented policy that covers how your firm evaluates, adopts, and oversees AI tools. This doesn't need to be 50 pages. One page that says "We use AI in X areas, with Y oversight" is a start.
2. Tool Inventory & Risk Assessment — A list of every AI tool your firm uses (ChatGPT, Claude, specialized tax software with AI, etc.). For each, a simple risk assessment: "What's the worst thing that could go wrong if this tool fails?"
3. Data Handling & Privacy Controls — Clear rules about what firm data (and what client data) can go into each AI tool. If you're using public AI models, what's your data retention policy?
4. Human Review & Oversight — For every high-risk AI output (tax analysis, audit conclusions, client advice), who reviews it before it's used? This is your control: "AI creates the draft, a human always verifies before delivery."
5. Audit Trail & Recordkeeping — Your ability to prove what the AI did, when, and what a human reviewed. If you're audited, you need to show "Here's the AI analysis our team reviewed, and here's the decision we made."
6. Transparency & Client Disclosure — When you use AI in client work, do clients know? Have you disclosed it? (Required by law in some states, and by professional ethics in all states.)
7. Quarterly Review & Updates — Your governance framework isn't static. As new tools emerge and regulations change, you review and update your policy. Document the review.

What's Missing from Most Firms

When auditors and regulators review CPA firm AI governance in 2026, here's what they're finding:

❌ No Written Policy

Most firms have an unspoken policy: "Partners can use AI tools as long as they're smart about it." That's not a policy. That's hope.

❌ No Risk Assessment

Firms use high-risk AI (client advisory work, audit analysis) with the same framework they use for low-risk AI (email drafting). One needs heavy oversight. The other doesn't.

❌ No Audit Trail

If you use ChatGPT for client work and don't save the prompts, the outputs, and the human review, you have no proof of what happened. Auditors want proof.

❌ No Client Disclosure

Many firms use AI without telling clients. The ethics rules are evolving, but the trend is clear: clients need to know.

Building Your Framework: Where to Start

You don't need to build this from scratch.

AICPA has published templates. ISACA has checklists. Your liability insurer likely has guidance. But the frameworks are scattered across a dozen sources, and they're written for large firms with 200-person teams.

What you actually need: a one-page written policy, a simple inventory of your AI tools, a clear rule about human review, and a way to document that review happened.

That's 80% of compliance. The other 20% is updating it quarterly and having documentation ready for your auditors.

The Honest Truth

If you're waiting for perfect guidance from your state board or national standards body, you'll be waiting forever. Regulation moves slowly. Your firm can't.

The firms winning in 2026 are the ones who:

  1. Acknowledge they're using AI
  2. Document why and how
  3. Put a human in the loop for high-risk decisions
  4. Keep records showing they did that
  5. Update their practices as they learn more

That's not just compliant. That's professional.

A note from us: We built Covenant Systems around this exact principle. When you use our daily intelligence briefing, you're not getting a black-box AI recommendation. You're getting a sourced, auditable intelligence briefing with clear attribution. You review it. You decide. We keep the record. That's governance done right.

Need help building your framework?

We work with CPA firms to create practical AI governance programs that satisfy auditors, regulators, and your insurance company. No templates. No overkill. Just what your firm actually needs.


What's Next

This checklist is just the start. In future posts, we'll cover:

  • How to create your AI tool inventory in under 2 hours
  • Sample client disclosure language (and when you legally must use it)
  • What auditors will ask about your AI governance (and how to answer)
  • Building a quarterly review process that actually works

Subscribe to stay updated.