March 24, 2026 · 7 min read
AI for Tax Professionals: What to Look For and What to Run From
By TJ Ruff, Founder & CEO, Nomo AI

In this post
- Why IRC Section 7216 makes AI choices career-level decisions for tax pros
- The 5 questions to ask any AI vendor before giving them access to client data
- Red flags that should stop you cold
- Why pasting client emails into ChatGPT is a compliance violation
You've heard the pitch a hundred times by now: AI will transform your practice. It definitely can. But here's what the pitch leaves out: not all AI is built for people who handle Social Security numbers for a living.
If you're a CPA, EA, or tax preparer evaluating AI tools, the stakes are different for you than for a marketing team or a software company. Your clients trust you with their most sensitive financial data. Under IRC Section 7216, a preparer who knowingly or recklessly discloses or uses tax return information without the client's consent commits a federal misdemeanor, and the penalty attaches to you personally, not just to your firm. A wrong choice isn't embarrassing. It's a career risk.
So here's a framework. Not a product pitch, but a genuine checklist for evaluating any AI tool that will touch your client data.
The Five Questions That Matter
1. Does it store your email content?
This is the first question and the most important one. Many AI tools ingest your data to improve their models or store conversation history for "context." If a tool stores your client's email content on their servers, that data now exists in a system you don't control, can't audit, and can't delete on demand.
What to look for: A zero-retention architecture. The tool processes your email in memory and discards it immediately. Nothing is written to their database. Press on the edge cases, because that is where "zero retention" claims usually fall apart: are request logs, error reports, and backups also free of message content, and what does the upstream model provider (OpenAI, Anthropic, Google) retain on its side, under which contract terms? If the vendor can't explain exactly where your data goes and when it's deleted, walk away.
2. Does it scrub PII before AI processing?
Even if a tool doesn't store your email, it probably sends content to an AI model (GPT, Claude, Gemini) for processing. The question is: what gets sent? If a client email contains a Social Security number and that SSN reaches a third-party AI provider's servers, you have a disclosure problem — even if the provider claims not to retain it.
What to look for: Automatic PII redaction before any external API call. SSNs, EINs, ITINs, dates of birth, bank account numbers, all stripped and replaced with tokens before the data leaves the vendor's server. The mapping from token back to real value should exist only on the vendor's side, so the model never sees it and the vendor can substitute the real values back into the model's reply locally. And critically: if the scrubbing fails, the request should abort. Not retry, not skip. Abort.
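As an added illustration (not Nomo's code or anyone else's product), here is what a fail-closed scrubber looks like in Python. The detector patterns, the token format, and the sample email are all assumptions constructed for the example; a production scrubber would add more identifier types, checksum validation where one exists, and names and addresses. The important shape is the two-layer design: precise detectors produce the tokens, and a deliberately broad safety net runs over the output and aborts the request if anything identifier-shaped survived.

```python
import re
from dataclasses import dataclass, field


class ScrubFailed(Exception):
    """Raised when text cannot be proven clean. Callers must abort, not retry."""


# Primary detectors: precise patterns, each mapped to a token type (assumed set).
# ITIN runs before SSN because both are 3-2-4 digit groups; the SSN pattern
# excludes the 9xx area numbers that ITINs use, so the two never overlap.
DETECTORS = [
    ("ITIN", re.compile(r"\b9\d{2}-(?:5\d|6[0-5]|7\d|8[0-8]|9[0-2]|9[4-9])-\d{4}\b")),
    ("SSN",  re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")),
    ("EIN",  re.compile(r"\b\d{2}-\d{7}\b")),
    ("DOB",  re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b")),
    ("ACCT", re.compile(r"\b\d{8,17}\b")),  # bank/routing-style digit runs
]

# Safety net: deliberately broad. A 3-2-4 digit group with any separator, or a
# run of 9+ digits with spaces, still present after scrubbing means we missed one.
RESIDUAL = re.compile(r"\d{3}[ .-]?\d{2}[ .-]?\d{4}|\d(?: ?\d){8,}")


@dataclass
class Scrubbed:
    text: str
    mapping: dict = field(default_factory=dict)  # token -> original value, stays local


def scrub(text: str) -> Scrubbed:
    """Replace each detected identifier with a numbered token of its type."""
    counters: dict = {}
    mapping: dict = {}

    def tokenizer(kind):
        def _sub(match):
            counters[kind] = counters.get(kind, 0) + 1
            token = f"[{kind}_{counters[kind]}]"
            mapping[token] = match.group(0)
            return token
        return _sub

    out = text
    for kind, pattern in DETECTORS:
        out = pattern.sub(tokenizer(kind), out)
    return Scrubbed(out, mapping)


def prepare_for_model(text: str) -> Scrubbed:
    """Return scrubbed text or raise ScrubFailed. Never returns partially scrubbed text."""
    try:
        result = scrub(text)
    except Exception as exc:  # any internal failure is a hard stop, not a retry
        raise ScrubFailed(f"scrubber error: {exc!r}") from exc
    leftover = RESIDUAL.search(result.text)
    if leftover:
        raise ScrubFailed(f"residual identifier-shaped data at offset {leftover.start()}")
    return result


def rehydrate(model_reply: str, mapping: dict) -> str:
    """Put the real values back into the model's reply, locally, after the call."""
    for token, value in mapping.items():
        model_reply = model_reply.replace(token, value)
    return model_reply


# Constructed sample client email (not real data).
SAMPLE_EMAIL = (
    "Hi, my SSN is 123-45-6789 and my wife's ITIN is 912-75-4321.\n"
    "Our EIN is 12-3456789, DOB 04/15/1980, account 000123456789.\n"
    "The CP2000 notice says we owe $1,234.56 for 2024."
)

if __name__ == "__main__":
    clean = prepare_for_model(SAMPLE_EMAIL)
    print(clean.text)
    print(rehydrate("We will cite [SSN_1] and [EIN_1] in the reply.", clean.mapping))
    try:
        prepare_for_model("My SSN is 123 45 6789, please advise.")
    except ScrubFailed as err:
        print("aborted:", err)
```

The space-separated SSN in the second input is exactly the case the primary detector misses; the safety net catches it and the model call never happens. `prepare_for_model` raises rather than returning a best-effort result, so a caller cannot accidentally forward partially scrubbed text, and the token-to-value mapping never leaves the process that built it.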
3. Is your data isolated from other clients?
This is where the Sage Copilot incident matters. Sage is one of the largest accounting software platforms in the world, used by millions of businesses. In January 2025, their AI assistant surfaced one client's invoice data to a different client. It was a data isolation failure in a multi-tenant environment — the AI could access multiple companies' data and pulled from the wrong account. Sage suspended the service and fixed it quickly, but the incident revealed how easily AI systems can blur the boundaries between client accounts when proper isolation isn't built into the foundation.
What to look for: Explicit documentation of how your data is isolated from other users in a multi-tenant environment. Ask specifically: can your data ever be accessed in the same context as another client's data? And separately: does the vendor use your data to train their models? You need clear written answers to both.
4. How does authentication work?
If a tool asks for your Gmail password, or for an IMAP "app password" (which is a password with a different name and grants the same full mailbox access), close the tab. OAuth, the same "Sign in with Google" flow you use everywhere, is the only acceptable authentication method. It gives the tool scoped access (read email, apply labels) without ever transmitting your password, and you can revoke it instantly from your Google account settings. The caveat is that OAuth is only as safe as the scopes you grant: a tool that requests full mailbox access (the https://mail.google.com/ scope) can read, send, and permanently delete mail, which is most of what your password could do.
What to look for: OAuth-only authentication with clearly documented permission scopes. The tool should explain exactly which permissions it requests and why, and the Google consent screen should list only those. Extra credit: a one-click disconnect that reverts everything to its pre-tool state.
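One check you can do yourself before clicking Allow, as an added example that is not part of the original post or Nomo's product: the Google consent page you land on carries the requested scopes in its URL, and you can read them before granting anything. The script below parses that URL and compares the scopes against what a read-and-label tool actually needs. The two sample URLs are constructed (the client id and redirect host are placeholders); the scope URIs are Google's real Gmail API scope names, and the EXPECTED set is an assumption about the tool's stated needs.

```python
from urllib.parse import urlparse, parse_qs, urlencode

# Scopes a read-and-label mail tool needs (assumption about the tool's stated needs).
EXPECTED = {
    "openid",
    "email",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.labels",
}

# Real Google scope URIs that grant more than mail triage needs.
OVERBROAD = {
    "https://mail.google.com/": "full mailbox access: read, send, and permanent delete",
    "https://www.googleapis.com/auth/gmail.modify": "can send mail and trash or relabel anything",
    "https://www.googleapis.com/auth/gmail.send": "can send mail as you",
    "https://www.googleapis.com/auth/gmail.compose": "can create drafts and send as you",
    "https://www.googleapis.com/auth/gmail.settings.sharing": "can add forwarding addresses and delegates",
    "https://www.googleapis.com/auth/drive": "Google Drive access, unrelated to email",
    "https://www.googleapis.com/auth/contacts": "contacts access, unrelated to email",
}

BLOCKING = {"overbroad", "unexpected", "insecure-redirect"}


def audit_consent_url(url: str) -> dict:
    """Parse a Google OAuth authorization URL and grade the requested scopes."""
    query = parse_qs(urlparse(url).query)
    scopes = set(query.get("scope", [""])[0].split())
    findings = []  # (severity, subject, reason)
    for scope in sorted(scopes):
        if scope in OVERBROAD:
            findings.append(("overbroad", scope, OVERBROAD[scope]))
        elif scope not in EXPECTED:
            findings.append(("unexpected", scope, "not covered by the tool's stated needs"))
    redirect = query.get("redirect_uri", [""])[0]
    if redirect and not redirect.startswith(("https://", "http://localhost", "http://127.0.0.1")):
        findings.append(("insecure-redirect", redirect, "authorization code would travel over plain HTTP"))
    if query.get("access_type", [""])[0] == "offline":
        findings.append(("info", "access_type=offline",
                         "tool asks for a refresh token; access persists until you revoke it"))
    return {
        "scopes": sorted(scopes),
        "findings": findings,
        "ok": not any(sev in BLOCKING for sev, _, _ in findings),
    }


# Constructed sample consent URLs in the shape Google's authorization endpoint uses.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


def build_url(scopes, **extra) -> str:
    params = {
        "client_id": "example.apps.googleusercontent.com",   # placeholder
        "redirect_uri": "https://app.example.com/oauth/callback",  # placeholder
        "response_type": "code",
        "scope": " ".join(scopes),
        **extra,
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


GOOD_URL = build_url(sorted(EXPECTED), access_type="offline")
BAD_URL = build_url(["openid", "email", "https://mail.google.com/",
                     "https://www.googleapis.com/auth/gmail.settings.sharing"],
                    access_type="offline")

if __name__ == "__main__":
    for name, url in (("good", GOOD_URL), ("bad", BAD_URL)):
        report = audit_consent_url(url)
        print(name, "ok" if report["ok"] else "REJECT")
        for sev, subject, reason in report["findings"]:
            print(f"  [{sev}] {subject}: {reason}")
```

`https://mail.google.com/` is the superset scope (read, send, and permanent delete), so a tool claiming to need only read and label access has no reason to request it, and `gmail.settings.sharing` is how a compromised tool would quietly add a forwarding address. `gmail.readonly` is itself one of Google's restricted Gmail scopes that require the app to pass Google's verification, so an "unverified app" warning on that consent screen is worth asking the vendor about.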
5. Can you undo everything?
This is the one most vendors hope you won't ask. If you decide the tool isn't right, can you go back to exactly where you were? Not "we'll delete your account" — can the tool remove every label it created, restore every label it changed, and leave your inbox exactly as it was before you connected?
What to look for: A documented rollback capability. One click, everything reverts. If the vendor can't do this, it means their tool makes changes they can't track — which should concern you for reasons beyond just uninstalling.
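To make "a documented rollback capability" concrete, here is an added example (not Nomo's code or any product's) of the design that makes it possible: every change the tool makes goes through a journal that records the inverse operation, and rollback replays the inverses newest-first. The Inbox class is a stand-in for the mail API, and the label names and message ids are constructed for the example. It also handles the awkward case the text hints at: a label the user applied by hand while the tool was connected, and a label that already existed before the tool arrived and therefore must survive rollback.

```python
class Inbox:
    """Minimal stand-in for a mailbox: the set of label names plus a label set per message."""

    def __init__(self, labels, messages):
        self.labels = set(labels)
        self.messages = {mid: set(ls) for mid, ls in messages.items()}

    def snapshot(self):
        """Immutable view used to prove that rollback restored the exact prior state."""
        return (frozenset(self.labels),
                {mid: frozenset(ls) for mid, ls in self.messages.items()})


class Journal:
    """Every change a tool makes goes through here and records its own inverse.
    rollback() replays the inverses newest-first, so later changes are undone
    before the earlier ones they depend on."""

    def __init__(self, inbox: Inbox):
        self.inbox = inbox
        self.inverses = []  # (op, *args), in the order the changes were made

    def create_label(self, name: str) -> bool:
        if name in self.inbox.labels:
            return False  # pre-existing: not ours, so never deleted on rollback
        self.inbox.labels.add(name)
        self.inverses.append(("delete_label", name))
        return True

    def add_label(self, mid: str, label: str) -> bool:
        if label not in self.inbox.labels:
            raise KeyError(f"label {label!r} does not exist")
        if label in self.inbox.messages[mid]:
            return False  # already present: no change, so nothing to undo
        self.inbox.messages[mid].add(label)
        self.inverses.append(("remove_label", mid, label))
        return True

    def remove_label(self, mid: str, label: str) -> bool:
        if label not in self.inbox.messages[mid]:
            return False
        self.inbox.messages[mid].discard(label)
        self.inverses.append(("add_label", mid, label))
        return True

    def rollback(self) -> int:
        """Undo every journaled change; returns how many inverses were applied."""
        applied = 0
        for op, *args in reversed(self.inverses):
            if op == "add_label":
                self.inbox.messages[args[0]].add(args[1])
            elif op == "remove_label":
                self.inbox.messages[args[0]].discard(args[1])
            elif op == "delete_label":
                # The tool's own applications of this label were undone above
                # (newer entries run first); strip any copies the user applied by hand.
                for labels in self.inbox.messages.values():
                    labels.discard(args[0])
                self.inbox.labels.discard(args[0])
            applied += 1
        self.inverses.clear()
        return applied


def triage_and_rollback():
    """Constructed scenario: triage three messages, then roll everything back."""
    inbox = Inbox(labels={"INBOX", "Clients"},
                  messages={"m1": {"INBOX"}, "m2": {"INBOX", "Clients"}, "m3": {"INBOX"}})
    before = inbox.snapshot()
    journal = Journal(inbox)
    journal.create_label("Triage/IRS Notice")   # hypothetical label names
    journal.create_label("Triage/Needs Reply")
    journal.create_label("Clients")             # already existed: must survive rollback
    journal.add_label("m1", "Triage/IRS Notice")
    journal.add_label("m2", "Triage/Needs Reply")
    journal.remove_label("m3", "INBOX")         # archive
    journal.add_label("m2", "Clients")          # no-op: already labelled
    during = inbox.snapshot()
    inbox.messages["m3"].add("Triage/IRS Notice")  # user applies the tool's label by hand
    undone = journal.rollback()
    after = inbox.snapshot()
    return before, during, after, undone


if __name__ == "__main__":
    before, during, after, undone = triage_and_rollback()
    print("changes undone:", undone)
    print("restored exactly:", before == after)
```

The journal is also the audit trail the text asks for: if a vendor can show you this record, they can show you what their tool did to your mailbox and when. If they cannot produce one, "delete your account" is the only undo they have.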
Red Flags to Run From
Beyond the five questions, here are patterns that should make you immediately skeptical:
- "We take security seriously" without specifics. Everyone says this. Look for architecture details, not reassurances.
- No privacy policy, or a vague one. If the policy doesn't explicitly address email content storage, PII handling, and third-party AI training, it's not written for your use case.
- Requires a Chrome extension with broad permissions. An extension that asks for "Read and change all your data on all websites" is a red flag. Permissions should be scoped to exactly what the tool needs — your email provider and the tool's own backend.
- Free tier with no explanation of the business model. If the product is free and the company isn't charging for something else, your data is likely the product.
- No SOC 2 and no roadmap to get there. SOC 2 Type 1 is within reach of a small company; it attests that controls are suitably designed at a point in time, while Type 2 covers how they operated over a period, so ask which one the vendor has and when the Type 2 is due. If a vendor handling sensitive data hasn't started the process and can't tell you when they will, security isn't a priority. It's a talking point.
The Biggest Risk Isn't a Vendor. It's Shadow AI.
Here's the scenario nobody wants to talk about: a tax preparer copies a client email into ChatGPT, Gemini, or Claude to help draft a response. It works. The reply is good. So they do it again. And again. Every day.
That's shadow AI. It's unvetted, unmonitored, and already happening in your firm. No PII scrubbing. No audit trail. No control over where the data goes or how long it's retained. A client's Social Security number, their income, their filing status, their disputes with the IRS, all pasted into a consumer chatbot with no contractual obligation to protect it.
This isn't hypothetical. In April 2023 it came out that Samsung engineers had pasted proprietary source code and confidential meeting notes into ChatGPT on three separate occasions within 20 days. Under OpenAI's consumer terms at the time, anything pasted in could be used to train future models, and Samsung had no way to get it back; the company banned generative AI tools company-wide (Cybersecurity Dive). A month earlier, an OpenAI bug had briefly exposed other users' chat history titles, the first message of some new conversations, and partial payment details to strangers (CS Hub). Roughly 1.2% of ChatGPT Plus subscribers were affected.
Now imagine that happening at a tax firm. A preparer pastes a client email into ChatGPT to draft a response. The chat is titled "Johnson 2024 CP2000 response." That data is transmitted to OpenAI's servers, where, on consumer accounts that haven't opted out, it may be used to train future models. There is no data processing agreement covering your client data, no Section 7216 consent, no IRS-compliant data handling, and no way to verify deletion. If Samsung, a company with roughly $200 billion in annual revenue and a dedicated security team, couldn't prevent employees from leaking data into ChatGPT, what's happening at a three-person CPA firm with no AI policy?
Shadow AI isn't a future risk. It's the default behavior right now for any professional who has discovered that AI is useful but hasn't been given a safe way to use it. The solution isn't banning AI. That doesn't work, and your best people will ignore the policy anyway. The solution is giving them a tool that's built for their workflow and their compliance requirements, so the safe path is also the easy path.
The Standard We Hold Ourselves To
Full disclosure: we built Nomo AI, so we're not a neutral party here. But we built it specifically because the tools we evaluated didn't meet this bar. Here's what we committed to from day one:
- Zero email storage — content processed in memory, immediately discarded
- Automatic PII scrubbing before any AI call, fail-closed if scrubbing fails
- Your email content is never stored or used to train any AI model. When you correct a classification, Nomo learns from the pattern — not the content. Those signals improve your experience first, and may inform system-wide improvements only after human review
- OAuth only — we never see your password
- One-click rollback to your pre-Nomo inbox state
We believe these should be table stakes for any AI tool in a regulated industry. They're not yet. Hopefully they will be.
Whatever tool you choose — ours or someone else's — ask the five questions first. Your clients are trusting you with their most sensitive information. The tool you plug into that trust chain should earn it.