When an AI Prompt Becomes a Disclosure: Applying the IESBA Code to Protect Client Information

15 JUL 2026
Assurance
Digital Adoption and Transformation
Reporting Standards

In the AI Era What Accountants Should Ask Before Pressing Enter

The Question We Are Not Asking

An auditor uploads a loan portfolio extract into an AI tool and asks: “Review this portfolio and identify unusual credit risk trends.”

A tax advisor uploads a draft tax computation and requests: “Identify opportunities to reduce the effective tax rate.”

A consultant uploads a client’s strategic plan and asks: “Summarize the key risks and opportunities for the Board presentation.”

None of these professionals intended to breach confidentiality. None intended to disclose sensitive information. Most were simply trying to work more efficiently.

In fact, many of us would probably view these actions as perfectly reasonable. After all, the objective is not to disclose information. It is to work faster, think more efficiently, and make better use of technology.

Yet that is precisely why this issue deserves attention.

The greatest confidentiality risks associated with generative AI may not arise from deliberate misconduct. They may arise from well-intentioned professionals who do not realize that they have crossed an ethical line.

As generative AI becomes increasingly embedded in professional services, accountants are asking whether AI can improve efficiency, reduce costs, and enhance productivity.

Perhaps the more important question is not whether AI can improve efficiency, but whether accountants are sharing more information than they realize.

The IESBA’s Message Is Clear: Ethics Are Technology-Neutral

Artificial intelligence may be new, but the ethical obligations of professional accountants are not.

The International Code of Ethics for Professional Accountants (including International Independence Standards) issued by the International Ethics Standards Board for Accountants (IESBA) is principles-based. Its five fundamental principles apply regardless of the technology being used:

  • Integrity
  • Objectivity
  • Professional Competence and Due Care
  • Confidentiality
  • Professional Behavior

This position was recently reinforced by the IESBA in its Snapshot: Ethics and Independence Approach to the Use of Technology, which emphasizes that the fundamental principles of the Code remain fully applicable in a technology-enabled environment. The Snapshot reminds professionals that technological innovation does not diminish ethical responsibilities. Rather, it requires those responsibilities to be applied in new and evolving circumstances.

While all five fundamental principles remain relevant, confidentiality and integrity are particularly important in the context of generative AI. Confidentiality requires professionals to protect information obtained through professional and business relationships, while integrity requires them to act honestly, transparently, and responsibly when using emerging technologies.

The emergence of generative AI has not created a new ethical framework. Rather, it requires professionals to apply existing principles to new situations.

The principle most immediately affected is confidentiality. For decades, accountants have understood that client information should not be shared with unauthorized parties. The challenge today is determining when entering information into an AI platform may constitute “a disclosure of confidential information” and what safeguards may be necessary to protect it.

When Does an AI Prompt Become a Disclosure?

Many professionals do not think of an AI prompt as a disclosure of information. Perhaps they should. Consider the following examples.

Scenario 1: The Audit Manager

An audit manager is reviewing expected credit loss calculations for a bank. To save time, she uploads a spreadsheet and enters the following prompt: “Review these ECL calculations and identify any weaknesses in the assumptions.”

The spreadsheet contains customer names, loan balances, credit ratings, and provision amounts.

The objective is entirely legitimate. But the question is whether confidential client information has now been shared beyond those authorized to access it.

If the same spreadsheet had been emailed to an external consultant without authorization, most professionals would immediately recognize the confidentiality concern. Why should the ethical assessment be different simply because the recipient is an AI platform?

Scenario 2: The Tax Advisor

A tax advisor is preparing a corporate tax review. He uploads supporting schedules and asks: “Identify potential tax risks and optimization opportunities.”

The information includes shareholder details, profit margins, transfer pricing arrangements, and planned transactions.

The AI response may be useful. However, before considering the quality of the answer, the professional should first consider whether the information should have been submitted in that form in the first place.

Scenario 3: The Consultant

A consultant assisting with a strategic transformation project uploads a draft business plan and asks: “Summarize the most important strategic risks.”

The document includes planned acquisitions, future pricing strategies, cost reduction initiatives, and market expansion plans.

The response may be excellent, but the confidentiality implications may be significant. If such information became publicly available, competitors, investors, suppliers, or customers could gain access to highly sensitive insights about the organization.

None of these scenarios necessarily represent an ethical breach. The key point is that professionals should consciously assess the confidentiality implications before sharing information with any AI platform. The ethical risk often arises not from malicious intent, but from failing to recognize that a disclosure may have occurred.

This concern aligns closely with the IESBA’s observations regarding technology-enabled risks. The issue is often not the technology itself, but whether professionals have adequately considered the ethical implications of using that technology, particularly when handling information obtained through professional and business relationships.

The Hidden Assumption: “It’s Only AI”

One reason confidentiality risks are often overlooked is that many professionals unconsciously make a dangerous assumption: “It’s only AI.”

That assumption can create a false sense of comfort. Professionals may assume that nobody sees the information, that the information is not stored, that it is not retained, that it cannot be accessed by others, or that it remains entirely within their control.

In reality, the answer depends on the platform being used, the contractual arrangements in place, the organization’s policies, and the nature of the information submitted.

It is also important to recognize that not all AI platforms operate in the same manner. Some organizations use enterprise AI solutions that incorporate contractual safeguards, access controls, data governance measures, and restrictions on how information is retained or used. While others may rely on publicly available AI tools with different terms of use and data handling practices.

From an ethical perspective, however, the distinction does not eliminate the need for professional judgment. The existence of technical safeguards does not automatically remove confidentiality considerations. Professional accountants must still assess whether the information being shared is appropriate, whether adequate protections are in place, and whether the use of the technology aligns with their professional obligations.

In many respects, AI has changed the form of the risk rather than the nature of the risk. Confidential information remains confidential regardless of whether it is shared with a colleague, a consultant, a cloud service provider, or an AI system.

 

The IESBA’s technology-related guidance reflects this principle. The ethical assessment should focus not on the nature of the tool, but on the professional accountant’s responsibilities when using it. Whether information is shared with a person or a technology platform, the obligation to protect confidential information remains unchanged.

Confidentiality Is More Than Cybersecurity

When discussing AI risks, organizations often focus on cybersecurity. Cybersecurity is important, but confidentiality is not merely a technology issue. It is an ethical obligation.

An organization may have strong firewalls, advanced encryption, and sophisticated access controls. Yet a confidentiality concern may still arise if sensitive information is shared inappropriately.

The question is not simply whether information is secure. The question is whether the professional had the right to share the information in the first place. That distinction sits at the heart of the IESBA Code.

Integrity Matters Too

Confidentiality is not the only principle affected by AI. Integrity also plays a critical role.

The IESBA Snapshot also highlights that technology does not replace professional judgment. While AI systems can assist with analysis, drafting, and information processing; accountability for decisions, conclusions, and communications continues to rest with the professional accountant.

Professionals should ask themselves:

  • Have I been transparent about my use of AI?
  • Have I adequately reviewed AI-generated outputs?
  • Am I exercising professional judgment?
  • Would I be comfortable explaining my approach to a client, regulator, or audit committee?

Artificial intelligence can generate impressive outputs, but it cannot exercise professional judgment, demonstrate professional skepticism, or assume responsibility for the conclusions reached. Those responsibilities remain with the professional accountant.

Five Questions Every Accountant Should Ask Before Using AI

Before entering information into an AI platform, consider the following questions:

  1. Does the information contain confidential client or employer data?
  2. Can sensitive identifiers be removed, anonymized, or masked?
  3. Do I understand how the platform processes, stores, and retains information?
  4. Would I be comfortable explaining this use of AI to the client or employer?
  5. Does this use comply with my firm’s policies and my professional obligations under the IESBA Code?

If any of these questions cannot be answered confidently, additional consideration may be required before proceeding.

Conclusion

The ethical challenge posed by generative AI is not that it creates new confidentiality obligations. As the IESBA has emphasized through its technology-related initiatives and recent Snapshot on the Use of Technology, the fundamental principles of the Code continue to apply regardless of the tools being used. What has changed is not the ethical framework, but the environment in which professionals must apply it.

Most accountants are not asking whether they should use AI. That conversation has largely passed. The more relevant question is how to use it responsibly.

Generative AI may represent one of the most significant technological developments affecting the profession in decades. Yet the IESBA’s message remains clear: integrity, objectivity, professional competence and due care, confidentiality, and professional behavior are as relevant today as they were before the emergence of AI.

Technology will continue to evolve. New platforms will emerge. Capabilities will improve. What should not change is our commitment to protecting the information entrusted to us.

Before pressing “Enter,” perhaps the question is not whether the prompt will generate a useful answer, but whether we would be comfortable explaining the information we shared to our client, our regulator, or ourselves.

 

References

 

Related Insights