Introduction
Earlier this spring, a single employee at Vercel — a well-known tech company — signed up for a third-party AI productivity tool using their work credentials. They clicked ‘Allow All’ on the permissions screen without reading what they were authorizing. Two months later, the AI vendor was compromised, and attackers used that OAuth token to access Vercel’s Google Workspace. Customer data was stolen. The incident triggered a public breach disclosure and is now part of a pattern that regulators and boards are watching very closely.
This wasn’t a sophisticated nation-state attack. It was an employee taking a shortcut.
For small businesses — especially accounting firms, bookkeepers, and financial services companies — this kind of story should hit close to home.
The SEC Is Paying Attention — And So Are Regulators That Affect You
Forbes contributor and Villanova professor Noah Barsky recently highlighted a growing trend: companies are now being required to disclose in SEC filings when employees’ use of AI tools creates a material cybersecurity risk. For public companies, that means a bad AI decision by one employee can show up in a regulatory filing.
But here’s the part that matters for small businesses: you don’t have to be a public company for this to affect you. The FTC Safeguards Rule already requires financial services firms — including accounting practices and tax preparers — to implement a written information security plan. The SEC’s 2026 Examination Priorities explicitly call out AI monitoring and policies. And state regulators are watching too.
If your team is using AI tools — and they are — and you don’t have a policy governing how, you have a gap. A gap that could cost you a client, a regulatory fine, or worse.
What’s Actually Happening Out There
“Vercel was compromised through a third-party AI tool with broad OAuth permissions — with a two-month dwell time before discovery.”
— PKWARE 2026 Data Breaches Report
Here’s the pattern we’re seeing in 2026:
• Employees sign up for free or consumer-grade AI tools using their work email or work accounts.
• They grant broad permissions — because the app asks and it’s faster to click ‘Allow All.’
• Client data (financial records, tax documents, emails) gets pasted into the AI tool for ‘help.’
• The AI vendor gets compromised. The attacker now has your credentials, your clients’ data, or both.
• You find out two months later. Or your client does.
For accounting and bookkeeping firms, this isn’t theoretical. Your staff has access to SSNs, bank statements, tax returns, and financial records. Any one of those pasted into an unsanctioned AI chatbot is a potential Safeguards Rule violation — before anything even goes wrong.
What ‘Having an AI Policy’ Actually Means
- A lot of businesses think they’re covered because they told employees, ‘don’t use AI for client stuff.’ That’s not a policy. Here’s what a real AI acceptable use policy covers:
- A list of approved AI tools (and the explicit message that everything else is not approved)
- Prohibited data categories — what can never be entered into an AI tool
- How to request approval for a new AI tool
- What happens if someone violates the policy
- How the company monitors for unauthorized AI tool usage
Think of it like your Acceptable Use Policy for the internet — except this one also needs to address what the AI vendor does with your data, who owns the output, and whether the tool is compliant with your client confidentiality obligations.
The Real Risk for Accounting Firms Specifically
- Under the FTC Safeguards Rule, you are required to:
- Identify and assess risks to customer information
- Implement safeguards to control those risks
- Train staff on your security program
- Monitor and test the effectiveness of your controls
An employee who pastes a client’s Schedule C into ChatGPT to ‘write a summary’ has introduced a risk you haven’t assessed, with a tool you haven’t approved, using data your safeguards weren’t designed to protect. That’s three Safeguards Rule gaps from one click.
What You Should Do Right Now
You don’t have to ban AI. In fact, you shouldn’t — it’s already a competitive tool and your staff is using it regardless. What you need to do is get in front of it.
Three immediate steps:
• Audit what AI tools your team is already using. (Hint: more than you think.)
• Draft or update your AI Acceptable Use Policy — before regulators ask for it.
• Have a conversation with your IT partner about approved AI tools that keep client data inside your controlled environment.
At LAN Services FBG, we help accounting and financial services firms in the Texas Hill Country build the kind of security foundation that regulators expect — and that clients deserve. If you’re not sure where you stand, our free IT Risk and Compliance Audit is a good place to start.
Because when an employee takes an AI shortcut with client data, it’s your name on the disclosure — not theirs.