Responsible Technology Adoption in an AI-Enabled Profession

Are there any frameworks available to guide AI adoption? With AI on the rise, this feature looks at the importance of responsible and directed AI integration.

With the adoption of artificial intelligence (AI) accelerating – especially the integration of generative AI (GenAI) – questions regarding how to responsibly integrate AI tools into accounting processes are on the rise.

How do firms ensure responsible technology adoption? How will firms benefit from GenAI usage while also effectively managing the risks? And what principles or frameworks are available to guide adoption? The public trusts CPAs and look to us for our integrity and competence. That means CPAs must adhere to responsible principles when integrating or utilizing AI applications.

This was recently emphasized in the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) new publication released in February 2026, Achieving Effective Internal Control Over Generative AI (GenAI). The guidance offers organizations a practical, COSO-aligned approach to managing the risks and opportunities introduced by the rapidly advancing generative AI technologies.¹ In addition, an updated Generative AI Governance Framework, published in March 2026, further focuses on harnessing the power of GenAI while appropriately managing the risks.² With these frameworks coupled with other guidance, CPAs can both innovate responsibly and protect clients, investors, and the public interest.

Bridging the Gap

AI, particularly GenAI and Agentic AI, are transforming the accounting profession. However, while adoption has accelerated, governance maturity has not kept pace. This imbalance is creating measurable risks, exposing firms to compliance failures, data breaches, and operational inefficiencies. In the spring 2025 issue of the Pennsylvania CPA Journal, Colleen Krcelich, Christina Olear, and John Peatross discuss the various GenAI risks and risk mitigation strategies firms should consider.³ Their discussion reinforces a broader concern: while generative AI can enhance efficiencies in reporting, auditing, and client communication, it also introduces significant risks related to data accuracy, privacy, and ethical use. Generative AI outputs often appear reliable, but they can be incomplete or, even worse, incorrect. Additionally, improper handling of client data can expose firms to cybersecurity threats and legal consequences. To mitigate these risks, firms must implement strong governance practices, including clear policies, employee training, and ongoing human oversight.

Despite the awareness of AI-related risks, many organizations fail to implement AI-related oversight programs. In a recent report by AuditBoard, a cloud-based software platform, about 25% of organizations have fully implemented AI governance programs.⁴ Many firms have drafted governance frameworks but struggle to embed them into daily processes due to unclear ownership, limited expertise, and resource constraints.

At the leadership level, governance integration also remains limited. According to a National Association of Corporate Directors (NACD) 2025 board survey, 62% of boards discuss AI regularly, while only 27% have formally embedded AI governance into committee charters.⁵ Executive accountability is just as fragmented. According to McKinsey & Company’s 2025 State of AI Report, only 28% of CEOs directly oversee AI governance initiatives.⁶ The lack of top-level ownership often results in lacking or inconsistent risk management practices. Organizations that centralize oversight through dedicated AI committees or governance boards are more likely to achieve alignment between strategy, compliance, and operational execution.

Recognizing the importance of governance as a strategic priority is on the rise. According to recent data from Cicso’s data privacy benchmark studies (2025 and 2026), nearly 98% of respondents expect AI governance budgets to increase, signaling more investment in controls, monitoring, and compliance infrastructure. Over 90% of organizations plan to allocate additional resources into privacy and data governance over the next two years.⁷ Many organizations are establishing AI-governance committees to oversee AI policies, the risks across AI systems, and AI-monitoring programs.

Given the challenges, CPAs and organizations need more than just an awareness of risk. They need structured, practical guidance for implementation. While high-level principles such as transparency, accountability, and data privacy provide an important ethical foundation, they often lack specificity. COSO’s guidance on generative AI provides a structured approach to bridge the gap between principle and practice. It translates responsible AI concepts into actionable policies, controls, and procedures embedded across strategy, operations, and reporting.

Principles and Governance

Responsible AI (RAI) principles coupled with recent governance frameworks are the foundation for secure and effective GenAI adoption. Many organizations have published RAI principles, and, overall, they center around the following core components:

• Transparency – Understanding how AI tools work and what data is utilized.
• Human Oversight – AI should support, not replace, professional judgement. CPAs should always review and validate AI-generated outputs. Think of the output as an associate’s first draft requiring review and validation.
• Accountability – There should be unambiguous ownership over the AI systems, outputs, and the resulting impacts.
• Data Privacy and Security – Never input personally identifiable information into public AI tools, and follow organizational policies on data handling and security.
• Bias and Fairness – Watch for discriminatory or unfair outcomes, and be aware of potential biases in AI outputs. Also, if CPAs see overconfident statements from GenAI, ask for alternatives, counterarguments, or citations.
• Compliance and Regulation – Stay informed on evolving laws and policies regarding AI.

When PwC analyzed over 100 sets of ethical principles and consolidated them into nine core ethical AI principles for responsible AI, it included interpretability, reliability, accountability, data privacy, lawfulness and compliance, beneficial AI, human agency, safety, and fairness.⁸ EY emphasizes the principles of accountability, data protection, reliability, security, transparency, explainability, fairness, compliance, and sustainability.⁹ Security is an area of RAI that is heavily emphasized, especially in terms of data encryption, data anonymization, data retention, and data audit. These help ensure CPAs can use AI without compromising safety, especially when working with sensitive or confidential information.¹⁰

The GenAI Governance Framework can be used alongside RAI principles to ensure CPAs can innovate responsibly with GenAI. The framework provides a top-down, materiality-based foundation for organizations when assessing their governance of GenAI. It sets the enterprisewide GenAI governance foundation while COSO’s GenAI internal control guidance shows how to translate the foundation into specific controls, policies, and procedures.¹¹ The GenAI Governance Framework (see graphic below) breaks down governance into five domains:¹²

• Strategic Alignment and Control Environment – Includes aligning GenAI initiatives with organizational goals, strategies, and risk appetite, and developing comprehensive GenAI governance policies.
• Data and Compliance Management – Involves establishing processes for identifying, assessing, and mitigating data-related risks and ensuring compliance with legal and regulatory standards.
• Operational and Technology Management – Centers around integrating GenAI into operational processes and managing GenAI technology and IT security.
• Human, Ethical, and Social Considerations – Includes conducting GenAI trainings and managing of human resource risks, ensuring ethical GenAI use that mitigates bias, assessing and managing reputational and social impacts, and assessing and managing environmental impacts.
• Transparency, Accountability, and Continuous Improvement – Includes ensuring transparent and traceable GenAI decision-making and monitoring the evolution of GenAI and updating governance practices.

Each domain directly relates to the overall principles of RAI. For instance, ensuring traceable GenAI decision-making through the transparency, accountability, and continuous improvement domain directly advances the RAI principle of transparency, or managing GenAI IT security through the operational and technology management domain directly contributes to the RAI principle of data privacy and security.

GenAI Governance Framework¹³

Internal, External Factors Shaping Responsible AI Adoption

As organizations adopt AI tools into their ecosystem, there are a number of internal and external factors that must be considered. In a recent CPA Now blog, Ian McDowell, principal with S.R. Snodgrass PC, stresses that before exploring AI, organizations should look at the firm’s operational needs.¹⁴ Several internal factors can influence AI adoption including, but not limited to:

• Organizational Digital Maturity and Data Readiness – The effectiveness of AI is heavily dependent on the quality, structure, and accessibility of an organization’s data. Firms with mature digital infrastructures, such as integrated systems and standardized processes, are better positioned to deploy AI tools successfully. In contrast, organizations with fragmented systems or poor data governance may struggle to generate reliable outputs.
• Leadership Support, Culture, and Change Management – Successful AI adoption requires strong leadership commitment and clear expectations around AI use. They will invest in employee training and promote strong AI governance. Change management also plays a role, as employees may resist adopting new technologies without proper guidance.
• Resource Constraints, Staffing, and Technical Capabilities – Implementing AI solutions often requires significant investments in technology, training, and talent. Smaller firms may face challenges due to limited budgets and lack of in-house expertise. Even larger organizations must assess whether they have the technical capabilities to implement, monitor, and maintain AI systems effectively.
• Internal Controls, Documentation Practices, and Risk Tolerance – AI adoption must align with an organization’s internal control environment and risk management framework. Firms need clear policies governing acceptable use, documentation standards for AI-assisted outputs, and review procedures to ensure accuracy and compliance. Risk tolerance will also influence the pace and scope of adoption, as organizations must balance innovation with the need to protect client data, maintain firm quality, and comply with regulatory requirements.¹⁵

As the conversation around AI, GenAI, and agentic AI grows, so do the external pressures to adopt these tools. Some external factors for firm consideration include the following:

• Regulatory Expectations and Evolving Standards – Regulatory scrutiny surrounding AI is intensifying. The U.S. Securities and Exchange Commission, Public Company Accounting Oversight Board, and IRS are shaping expectations around governance, documentation, auditability, and data protection. Organizations must ensure that AI use aligns with these evolving standards.
• Vendor Ecosystem Maturity and Third-Party Risks – Many firms rely on third-party AI tools and platforms, making vendor selection and oversight critical. The maturity of vendors varies widely, and organizations must evaluate providers based on security, transparency, data usage policies, and reliability. Additional risks of data leakage, model bias, and lack of explainability must be addressed through due diligence, contractual safeguards, and ongoing monitoring.
• Client Expectations for Efficiency, Precision, and Transparency – Clients will soon, if not already, expect firms to leverage AI to deliver faster, more accurate, and more insightful services. However, these expectations also come with transparency demands regarding how AI was used and how outputs were validated. Firms must strike a balance between leveraging AI for efficiency while maintaining the trust and professional judgment that clients expect.
• Competitive Pressures, Industry Trends, and Market Adoption Patterns – Firms that successfully integrate AI into their workflows can enhance productivity and expand advisory capabilities, while those that lag may risk losing market share. At the same time, rapid adoption arising from pressure can result in implementation of AI tools before governance structures are fully developed. This increases the importance of a disciplined and strategic approach.

GenAI offers unprecedented opportunities to enhance efficiency, automate routine tasks, and elevate the role of accountants. Yet, as adoption accelerates, firms are increasingly recognizing that the benefits must be carefully balanced against significant risks related to accuracy, privacy, and professional judgment. Successful integration depends on embedding governance, training, and oversight into AI adoption strategies. 

The AI-Ready CPA

While much of the conversation around AI centers on governance and risk, it is equally important to recognize where AI is creating value in the accounting profession. Across audit, tax, and advisory services, AI is actively reshaping how professionals analyze data, generate insights, and deliver client value. Many Pennsylvania CPA Journal articles and CPA Now blog posts have discussed the various ways in which AI is transforming the accounting profession.¹⁶

In audit, AI enables the analysis of entire populations of transactions rather than samples, strengthening audit evidence and improving anomaly detection. Tools can summarize contracts, monitor internal controls in real time, and assist with complex areas such as revenue recognition and going concern assessments. However, these benefits introduce new risks, including AI-generated inaccuracies (“hallucinations”), documentation challenges, and evolving regulatory expectations around audit evidence and traceability.

In tax, AI is proving valuable in automating high-volume, process-driven work such as mapping trial balances, identifying book-to-tax differences, and drafting technical memoranda. More advanced applications include contract analysis and AI-assisted research across prior-year documentation. Yet, tax practice presents heightened risks due to the complexity and constant evolution of tax law, requiring careful validation of outputs and strict safeguards around client confidentiality.

In advisory, AI enhances financial modeling, forecasting, and scenario analysis, enabling CPAs to deliver deeper insights more efficiently. However, overreliance on AI-generated recommendations can expose firms to significant professional and reputational risk if underlying assumptions are flawed.

Nevertheless, across all functions a consistent theme emerges: AI does not replace professional judgment, it elevates the need for it. The AI-ready CPA must apply professional skepticism to all AI outputs, understand model limitations, and ensure proper documentation and governance of AI-assisted work. This governance requires an integration of technical understanding with traditional accounting judgement. CPAs will benefit from the knowledge of how their AI models function by being able to understand the sources of the models’ errors, the implications of data quality, and the conditions under which AI outputs are most meaningful and most reliable. This “AI literacy” enables more effective prompting, more meaningful interpretation of outputs, and more defensible documentation of AI-assisted deliverables.

Adoption and Accountability

The AI conversation is no longer centered on whether to adopt GenAI, but rather how to do so responsibly. This is a challenge when adoption outpaces governance. Firms that fail to close this gap risk operational inefficiencies, compliance failures, and erosion of client trust. In contrast, organizations that invest in governance through leadership accountability, clear policies, strong internal controls, and continuous monitoring are better positioned to capture AI’s value while managing its risks. What ultimately differentiates successful organizations will not be the tools they adopt, but the governance structures they build, implement, and monitor.

For CPAs, this moment presents both an opportunity and a responsibility. As trusted advisers and stewards of financial integrity, CPAs are well positioned to lead AI governance efforts. By leveraging expertise in internal controls, auditability, and regulatory compliance, we can help ensure that AI systems are not only innovative but also transparent, secure, and aligned with organizational objectives and can help close the gap between adoption and not just good, but great governance.

¹ www.coso.org/generative-ai

² https://cdn.prod.website-files.com/63dc3d14e6decd60bd2cf612/69949137c0683c8e2775d86a_GenAI%20Governance%20Framework%202.0.pdf

³ www.picpa.org/professional-resources/research-publications/pennsylvania-cpa-journal/spring-2025/2025/03/10/cpas-and-generative-ai--careful-steps-needed

⁴ AuditBoard, “From Blueprint to Reality: Execute Effective AI Governance in a Volatile Landscape” (2025).

⁵ www.nacdonline.org/all-governance/governance-resources/governance-surveys/surveys-benchmarking/2025-public-company-board-practices--oversight-survey/2025-board-practices-oversight-ai

⁶ www.mckinsey.com/capabilities/quantumblack/our-insights/the-state-of-ai

⁷ www.cisco.com/c/en/us/about/trust-center/data-privacy-benchmark-study.html#~key-findings

⁸ www.pwc.com/gx/en/issues/data-and-analytics/artificial-intelligence/what-is-responsible-ai/pwc-responsible-ai-maturing-from-theory-to-practice.pdf

⁹ www.ey.com/en_gl/insights/ai/principles-for-ethical-and-responsible-ai

¹⁰ https://blog.picpa.org/how-accounting-firms-can-implement-ai-responsibly

¹¹ https://cdn.prod.website-files.com/63dc3d14e6decd60bd2cf612/69949137c0683c8e2775d86a_GenAI%20Governance%20Framework%202.0.pdf

¹² Ibid.

¹³ www.genai.global/solutions/framework

¹⁴ https://blog.picpa.org/integrating-ai-into-an-accounting-firm-how-should-you-decide

¹⁵ www.picpa.org/professional-resources/research-publications/insights-research-whitepapers

¹⁶ Pennsylvania CPA Journal; CPA Now blog

Shannon H. Galletta, CPA, is a PhD candidate at the University of Scranton, a manager at PwC, and an adjunct accounting professor at Stony Brook University in Stony Brook, N.Y. She can be reached at shannon.galletta@stonybrook.edu.

Jacob Crowley, CPA, is a PhD student at the University of Scranton and an assistant professor in accounting at Ohio Northern University’s James F. Dicke College of Business in Ada, Ohio. He can be reached at jacob.crowley@scranton.edu or j-crowley.1@onu.edu.

Ashley Stampone, CPA, PhD, is an assistant professor of accounting at the Kania School of Management at the University of Scranton in Scranton and is a member of the Pennsylvania CPA Journal Editorial Board. She can be reached at ashley.stampone@scranton.edu.