TL;DR: AI isn't the security hole in your practice. Your computer, your network, and your habits are. Fix those first — and AI is just another tool sitting on a secure foundation.
I've seen a lot of concern lately about AI being a security risk for accounting firms. I get it — new technology, client data, professional obligations. It's worth thinking about carefully. But I want to offer a different perspective, coming from someone who spent 14 years in software development building network and operating system infrastructure before ever touching a bookkeeping file.
Before you ever logged into an AI tool, you handed your data to Microsoft, Apple, Google, Intuit, and probably Facebook. Your client files live in QuickBooks Online. Your email runs through Microsoft or Google servers. Your phone backs up to iCloud or Google Drive.
Nobody staged a protest when QBO moved to the cloud. But somehow AI is the threat?
The data was already out there. AI is just a more visible face on the same infrastructure.
Most people think of security as a lock on a specific door — the AI app, the email client, the portal. But real security works like a building. You need a foundation, walls, and a roof before the locks on the doors mean anything.
Here's the thing most people miss: no software — AI or otherwise — can protect you from a breach that happens at a lower level. If your network is compromised, it doesn't matter how secure Claude, QBO, or your client portal is. The attacker is already inside the building. They don't need to pick the lock on the AI door because they're already standing in your lobby.
Each tool you use — your AI assistant, QBO, your client portal, your email — operates inside its own security envelope. Inside that envelope, your data is protected by that vendor's infrastructure.
The moment data crosses from one system to another — a copy-paste, an export, a screenshot, an email — it enters a new risk environment. This is why "AI is secure" and "AI is a risk" can both be true at the same time. Inside a properly configured workspace, your data is protected. The moment you take it outside that system boundary without thinking, all bets are off.
This is also why at Petry Bookkeeping we use a dedicated client portal for all document exchange. Email is for conversation — not for sending financial files. That's a system boundary decision, not just a preference.
A few basics that apply to every firm handling sensitive client data, regardless of whether you use AI:
The bottom line: AI isn't making your practice less secure. A poorly secured foundation was already doing that. AI just gave you something new to worry about while the real vulnerabilities went unexamined.
We're happy to walk through how we handle your financial information and what's in place to keep it secure.