Is Gemini Safe for Accounting Firms? What CPAs Need to Know

In January 2025, Sage Group suspended its AI assistant, Sage Copilot, following a privacy incident that exposed the fundamental risk of AI in accounting. When users requested recent invoices, the AI displayed invoices from other customer accounts. Financial data from one client appeared in another client's queries. The issue traced to flawed data isolation in the AI's design.

The same month, New York Attorney General Letitia James announced a settlement with Wojeski & Company, a public accounting firm that suffered two cybersecurity incidents exposing Social Security numbers, drivers' license numbers, and financial account information of nearly 6,000 individuals. The firm paid $60,000 in penalties and agreed to comprehensive security improvements. The investigation found Wojeski took over a year to notify breach victims.

These incidents frame the question every accounting firm faces: can AI tools like Google Gemini safely process the financial data your clients trust you to protect?

The short version: If you need to redact sensitive documents before they reach AI systems, PaperVeil handles that layer. The rest of this article explains where it fits in the broader governance architecture.

What "Safe" Actually Means for Accounting Firms

Safety in accounting isn't just about preventing data breaches. It encompasses client confidentiality, regulatory compliance, professional ethics, and the trust that defines the accountant-client relationship.

Client confidentiality is the foundation. The AICPA Code of Professional Conduct requires CPAs to protect client information from unauthorized disclosure. This applies regardless of whether disclosure is intentional or accidental, and regardless of the technology involved.

Regulatory compliance adds specific requirements. Firms handling personal financial information must comply with the Gramm-Leach-Bliley Act (GLBA). Firms with publicly traded clients face SOX requirements. State privacy laws create additional obligations. Each regulation imposes data handling standards that AI tools must support.

Professional liability creates practical stakes. IBM's 2025 Cost of a Data Breach Report found that financial sector breaches average $5.56 million in costs. GLBA violations can reach $100,000 per incident. State penalties add another layer of exposure.

When accountants ask whether Gemini is "safe," they're asking whether the tool can process client data without creating confidentiality breaches, compliance violations, or professional liability exposure.

The Data Accounting Firms Handle

Understanding the risk requires cataloging what accounting firms actually process.

Personal identification data: Social Security numbers, EINs, drivers' license numbers, passport information. Every tax return, every new client engagement, every entity formation involves these identifiers.

Financial account information: Bank account numbers, investment account details, credit card numbers, loan information. This data appears in reconciliations, financial statements, and transaction analyses.

Tax returns and supporting documents: W-2s, 1099s, K-1s, and the underlying documentation. These contain comprehensive financial pictures of individuals and businesses.

Business financial data: Revenue figures, expense details, profit margins, cash positions, accounts receivable, accounts payable. For business clients, this information represents competitive intelligence and operational details.

Payroll information: Employee compensation, benefits details, withholding information. Accounting firms processing payroll handle sensitive employment data.

Strategic business information: M&A plans, financing discussions, business valuations, succession planning documents. Accounting firms advising on these matters hold information that could move markets or compromise negotiations.

Each category carries its own regulatory implications and confidentiality obligations. And each represents data that clients expect will never leave your control without explicit authorization.

How Gemini Handles Your Data

Google offers Gemini in multiple tiers with different data handling practices.

Consumer Gemini (Free and Paid Personal)

Consumer Gemini poses significant risks for client data. By default, conversations may be used for model training. Human reviewers can read your prompts and Gemini's responses. Data retention extends up to 18 months, and some data persists even after deletion.

Google's privacy hub explicitly warns users not to enter confidential information they wouldn't want a reviewer to see. For accounting firms, this means every client name, every Social Security number, every financial figure potentially becomes accessible to Google employees and training systems.

Human-reviewed conversations aren't deleted when you delete your Gemini activity. They're retained separately for up to three years. If you paste a tax return into consumer Gemini, that information may exist in Google's systems for years, regardless of your deletion attempts.

Enterprise Gemini (Google Workspace, Vertex AI)

Enterprise deployments operate differently. Google acts as a data processor under written agreements. Data isn't used for training foundation models. Human review is disabled by default for enterprise contexts. Retention follows your organizational policies rather than Google's defaults.

For enterprise users, Google Workspace with Gemini qualifies as a core service under Google's Data Processing Addendum. The agreement includes security commitments, confidentiality provisions, and restrictions on data use that align with professional requirements.

Enterprise Gemini holds ISO 42001 certification for AI management, along with SOC 2, ISO 27001, and other security certifications. These certifications provide the third-party validation that due diligence requires.

The Consumer-Enterprise Gap

The distinction matters enormously. An accountant using personal Gemini with client data is transmitting confidential information to systems that may train on it, retain it indefinitely, and share it with human reviewers. An accountant using properly configured enterprise Gemini operates within a controlled framework with contractual protections.

But even enterprise deployment doesn't eliminate all concerns. Data still transmits to Google's infrastructure. Third-party subprocessors (including Anthropic as of January 2026) may access the data. The control remains with Google, not with your firm.

Where Gemini Falls Short for Accounting

Even enterprise Gemini creates gaps in accounting firm security.

Training Data Concerns for Consumer Users

Consumer Gemini's potential training usage directly conflicts with client confidentiality. If client information becomes training material, that information may influence responses to other users. The theoretical risk exists that patterns from your client's data could surface in responses to competitors or adversaries.

Human Review Exposure

Consumer Gemini's human review creates confidentiality exposure that may violate professional standards. Google employees reviewing conversations to improve AI safety aren't bound by the accountant-client relationship. They aren't subject to your firm's confidentiality policies. This exposure occurs regardless of your intent or authorization.

Retention Beyond Control

When you upload a client's financial documents to consumer Gemini, those documents may persist in Google's systems for years. If a client requests confirmation that their data has been destroyed, you cannot provide that assurance. The data exists outside your control and your ability to verify deletion.

Access Expansion

Google's July 2025 announcement that Gemini would access phone, messages, and other applications "whether your Gemini Apps Activity is on or off" demonstrates how access terms can change. If you've integrated Gemini into workflows involving client data, policy changes can affect that data retroactively.

Third-Party Subprocessor Risk

Starting January 2026, Anthropic became a subprocessor for Microsoft 365 Copilot. Similar subprocessor additions can occur for Gemini. Each additional party in the data processing chain represents expanded exposure and reduced control.

Professional Ethics Questions

The AICPA's guidance on AI usage emphasizes that CPAs remain responsible for the work product regardless of AI assistance. Using AI tools that may expose client data raises questions about whether the efficiency gains justify the confidentiality risks.

Making Gemini Safe for Accounting Work

The safest approach removes client data from the equation entirely.

Redaction-First Processing

Before any document enters Gemini, remove the identifying information:

Original document:

"Tax return analysis for Johnson Manufacturing Inc. (EIN 84-1234567). Total revenue of $2,847,392 with net income of $341,287. Owner Sarah Johnson (SSN xxx-xx-4521) took distributions of $125,000."

After redaction:

"Tax return analysis for [COMPANY] (EIN [REDACTED]). Total revenue of [REVENUE] with net income of [NET_INCOME]. Owner [OWNER_NAME] (SSN [REDACTED]) took distributions of [DISTRIBUTION_AMOUNT]."

Gemini processes the redacted version. You get AI assistance with analysis structure, compliance considerations, or documentation language. The client's identifying information never leaves your environment.

This approach works regardless of which Gemini tier you use. It eliminates training exposure, human review exposure, and retention concerns. The AI never receives the data that creates risk.

Enterprise Deployment with Controls

If redaction isn't practical for your workflows, enterprise Gemini with proper configuration provides the next-best option:

  1. Deploy through Google Workspace Enterprise with a signed Data Processing Addendum and appropriate business associate terms if you handle healthcare-related financial data.

  2. Configure data residency to keep processing within your jurisdiction if geographic requirements apply.

  3. Set retention policies appropriate for client data, ensuring automatic deletion after business need ends.

  4. Train staff on appropriate Gemini usage, emphasizing what data can and cannot enter the system.

  5. Document your security program to demonstrate due diligence if questions arise about your AI usage practices.

Hybrid Approach

Most firms will use a combination: redaction for sensitive client data, enterprise Gemini for general productivity, and clear policies defining which approach applies to which use cases.

Tax returns with client identifying information: redact before AI processing.

General research on tax code interpretations: enterprise Gemini acceptable.

Client-specific financial analysis: redact client identifiers.

Template development and process documentation: enterprise Gemini acceptable.

The key is making conscious decisions about what data enters which systems, rather than defaulting to convenience.

Practical Implementation for Accounting Firms

Step 1: Inventory Your AI Usage

Document current AI usage across your firm. Who uses Gemini? What types of queries? What client data might enter prompts? This inventory reveals your current exposure and guides policy development.

Step 2: Classify Data Sensitivity

Not all accounting data carries equal risk. Client names might be low sensitivity in some contexts. Social Security numbers are always high sensitivity. Create classification guidelines that staff can apply consistently.

Step 3: Match Controls to Sensitivity

Low-sensitivity queries can use enterprise Gemini with standard protections. High-sensitivity data requires redaction before any AI processing. Medium-sensitivity data falls into either category based on your risk tolerance and regulatory requirements.

Step 4: Implement Detection Tools

Manual review doesn't scale. Use automated tools that scan documents for sensitive patterns before they reach AI systems. This catches Social Security numbers, EINs, account numbers, and other identifiers that staff might overlook.

Step 5: Create Audit Trails

Document what data flows through AI systems and what redaction occurred. These records demonstrate due diligence if clients, regulators, or insurers question your data handling practices.
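The redaction-first example from the "Making Gemini Safe" section, the pre-send detection check from Step 4 and the audit record from Step 5 can be combined in one small pipeline. The code below is an added illustration, not PaperVeil's code or anything from the article; it assumes a constructed client roster (the firm already knows its engagement's legal names, so names are matched exactly rather than guessed) and a constructed sample document copied from the article's "original document".

```python
import hashlib
import re

# Constructed client roster; names come from the firm's own engagement records,
# so exact-match substitution is used rather than guessing names from text.
CLIENT_ROSTER = {"Johnson Manufacturing Inc.": "[COMPANY]", "Sarah Johnson": "[OWNER_NAME]"}
# Dollar figures are labelled by the phrase preceding them so the placeholder
# keeps the figure's analytical role for the AI.
AMOUNT_LABELS = {"revenue of": "[REVENUE]", "net income of": "[NET_INCOME]",
                 "distributions of": "[DISTRIBUTION_AMOUNT]"}
MONEY = r"\$\d{1,3}(?:,\d{3})*(?:\.\d{2})?"
# Identifier patterns; the SSN rule also matches the masked xxx-xx-NNNN form.
ID_PATTERNS = {
    "SSN": re.compile(r"\b(?:\d{3}|[xX]{3})-(?:\d{2}|[xX]{2})-\d{4}\b"),
    "EIN": re.compile(r"\b\d{2}-\d{7}\b"),
}
# Constructed sample matching the article's "original document".
SAMPLE = ("Tax return analysis for Johnson Manufacturing Inc. (EIN 84-1234567). "
          "Total revenue of $2,847,392 with net income of $341,287. "
          "Owner Sarah Johnson (SSN xxx-xx-4521) took distributions of $125,000.")

def redact(text: str) -> tuple[str, dict]:
    """Return redacted text plus an audit record that holds only redaction
    counts and a hash of the original, never the sensitive values."""
    counts: dict[str, int] = {}
    out = text
    for name, placeholder in CLIENT_ROSTER.items():
        out, n = re.subn(re.escape(name), placeholder, out)
        counts[placeholder] = counts.get(placeholder, 0) + n
    for kind, pattern in ID_PATTERNS.items():
        out, counts[kind] = pattern.subn("[REDACTED]", out)
    for phrase, placeholder in AMOUNT_LABELS.items():
        out, counts[placeholder] = re.subn(
            rf"({re.escape(phrase)}) {MONEY}", rf"\1 {placeholder}", out)
    out, counts["[AMOUNT]"] = re.subn(MONEY, "[AMOUNT]", out)  # unlabelled leftovers
    audit = {"sha256_original": hashlib.sha256(text.encode()).hexdigest(),
             "redactions": {k: v for k, v in counts.items() if v}}
    return out, audit

def is_clean(text: str) -> bool:
    """Gate check before a prompt leaves the firm: nothing sensitive may remain."""
    if any(p.search(text) for p in ID_PATTERNS.values()) or re.search(MONEY, text):
        return False
    return not any(name in text for name in CLIENT_ROSTER)

if __name__ == "__main__":
    redacted, audit = redact(SAMPLE)
    print(redacted, audit, is_clean(redacted), sep="\n")
```

The audit record stores a hash of the original and per-category counts, which is enough to show later which document was processed and what was removed without the log itself becoming a second copy of the client data.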

Step 6: Train and Monitor

Staff need to understand both the risks and the procedures. Regular training, clear policies, and monitoring of AI usage patterns ensure that good intentions translate into consistent practice.

The Professional Responsibility Question

The AICPA's guidance on AI emphasizes that CPAs bear responsibility for their work regardless of AI assistance. Using AI tools that may compromise client data isn't just a security issue. It's a professional ethics question.

Can you demonstrate to clients that their data remains confidential when processed through AI systems? Can you certify to regulators that your data handling meets statutory requirements? Can you defend to your professional liability insurer that your AI usage represented reasonable professional practice?

For consumer Gemini with client data, these questions are difficult to answer affirmatively. For enterprise Gemini with proper controls, the answers become more defensible. For redaction-first approaches, the questions become largely moot because sensitive data never enters external systems.

The choice reflects your firm's risk tolerance, your clients' expectations, and your assessment of what professional responsibility requires in an AI-enabled environment.

The Bottom Line

Google Gemini can be safe for accounting firms, but safety requires deliberate choices about deployment and usage.

Consumer Gemini is not safe for client data. The training usage, human review exposure, and retention practices create confidentiality risks that conflict with professional standards.

Enterprise Gemini provides appropriate controls when properly configured. The contractual framework, certification compliance, and data handling commitments align with professional requirements.

Redaction-first processing eliminates the core risk. When sensitive client data never enters Gemini, questions about training, review, and retention become irrelevant. You get AI productivity benefits without the confidentiality exposure.

Your clients trust you with their most sensitive financial information. The question is whether your AI usage honors that trust or creates risks they never authorized.


PaperVeil removes sensitive data from documents before they reach AI systems. Automatic detection of SSNs, EINs, account numbers, and financial data. Audit trails that prove client information never left your control. The confidentiality layer accounting firms need for safe AI usage.