UK accounting firms are rapidly deploying agentic AI to enhance audit and tax capabilities, but widespread employee misuse of public AI platforms is creating acute regulatory and data security risks.

The accounting profession stands at a critical inflection point. Major firms including Deloitte and EY have deployed agentic AI systems to automate document review, issue identification, and service delivery across audit, tax, and consulting functions. These technologies promise significant productivity gains and cost efficiency. Yet a 2025 KPMG survey reveals a troubling paradox: 46% of US workers admitted uploading sensitive company information to public AI platforms, while 53% presented AI-generated output as their own work without disclosure. For UK accountancy firms regulated by the Financial Reporting Council (FRC) and subject to Information Commissioner's Office (ICO) oversight under UK data protection law, this disconnect between technological capability and human behaviour presents an urgent governance challenge.

The regulatory landscape demands heightened scrutiny. The FRC's recently strengthened auditor independence rules, combined with the ICO's evolving guidance on AI and data protection, create explicit accountability for firms deploying generative AI without adequate controls. The EU AI Act, applicable to UK operations with EU clients, classifies high-risk AI systems and mandates transparency and human oversight, requirements that conflict sharply with uncontrolled staff use of public platforms. Additionally, the UK's Senior Managers & Certification Regime (SM&CR) holds individual partners and executives personally accountable for systemic failures in risk management. A data breach resulting from employee misuse of public AI platforms could trigger multiple investigations: ICO enforcement action under the UK General Data Protection Regulation, FRC discipline for audit quality failures, and personal liability for senior management.

The competitive pressure driving AI adoption is undeniable, but firms must distinguish between controlled, enterprise-grade agentic systems and unvetted public platforms. Trovix Audit and Trovix Sift provide firms with secure, auditable AI capabilities designed specifically for regulated environments, enabling staff to leverage AI-assisted analysis without exposing client data or generating unattributed content. Enterprise-grade agentic AI, properly implemented within a firm's own infrastructure and subject to data governance frameworks compliant with SYSC (COBS systematic compliance) principles, mitigates the risks evident in the KPMG findings. The distinction is material: internal agentic platforms can be monitored, logged, and integrated into audit trails; public platforms introduce uncontrollable data flows and accountability gaps.

Immediate action is necessary. Firms should conduct urgent audits of staff access to public AI platforms, implement policies with clear consequences for misuse, and provide training aligned to regulatory obligations. The FRC's audit quality supervision programme has increasingly focused on methodology and governance; evidence of uncontrolled AI use could trigger inspection findings. Moreover, Trovix Brief can help firms document governance decisions and maintain defensible records of AI implementation choices, which become critical evidence should regulators investigate AI-related failures. Investment in proprietary, secure AI infrastructure is no longer a competitive differentiator; it is a regulatory imperative.

Source: CPA Trendlines