Sanitized AI Team

Keeping Client Tax Returns Out of ChatGPT During Busy Season

It's the second week of March. An associate is behind on twelve files, and the fastest way to reconcile a messy set of T-slips against last year's return is to paste both into ChatGPT and ask it to flag discrepancies. The answer comes back in seconds and it's genuinely helpful. It also just moved a client's Social Insurance Number, full income picture, and dependents' details outside the firm — into a tool your engagement letter never contemplated, under terms your partners never reviewed.

That scenario is not an edge case. It's the predictable result of putting time pressure, useful tools, and confidential data in the same room. And the thing that makes it dangerous isn't the mistake — it's that the mistake can't be taken back.

Why busy season is exactly when this happens

The pressure that defines tax season is the same pressure that erodes judgment about where data goes. Staff working long days will reach for whatever shortens the task in front of them. Cyberhaven's 2025 research found that roughly 40% of AI interactions involve sensitive data, and LayerX reported the same year that 77% of employees who use generative AI paste data directly into the prompt box — 82% of it from unmanaged personal accounts. That last figure matters most for accounting firms: the associate isn't using a sanctioned enterprise seat with a data-processing agreement. They're using the free ChatGPT account on their personal login, because it's already open in another tab.

A client return is close to a worst-case payload for this. A single paste can carry a SIN, a home address, spousal and dependent information, business revenue, and a net worth picture — the exact categories that trigger real-risk-of-significant-harm breach reporting under PIPEDA and steep penalties under Quebec's Law 25, which reaches up to C$25M or 4% of worldwide turnover. Your CPA confidentiality obligations don't pause because it's March.

The part that can't be undone

Most firms think about this as a policy problem — write a rule, have people acknowledge it, move on. But the defining feature of a leaked prompt is that there is no cleanup step. Once a return is submitted to a public AI tool, the content becomes subject to that provider's terms of use, which can grant broad rights to retain it, process it through sub-processors, or use it to improve the provider's models. You cannot recall it, and you cannot audit where it went.

Samsung learned this in 2023: within about twenty days of allowing ChatGPT internally, engineers had pasted source code, a defect-detection algorithm, and a meeting transcript into it. The data couldn't be retrieved, and the company banned the tool. The lesson for an accounting firm isn't "ban ChatGPT" — bans push people to personal accounts you can't see. The lesson is that the only control that works is one that acts before submission, because after submission there's nothing left to control.

This is also why turning off training history or opting out of data retention doesn't solve the problem. Those settings change what one provider promises to do with the data; they don't change the fact that a client's SIN left your firm's boundary. The disclosure already happened.

Governance that survives contact with a deadline

The honest test for any AI control is whether it holds up at 11 p.m. during the worst week of the year. Policies that depend on a tired person stopping to remember the rules will fail on exactly the files where they matter most. And most existing safeguards don't watch the right place — traditional data-loss tooling inspects files, email, and endpoints, not the text an associate types into a browser tab.

What actually helps is meeting the risk at the moment of the paste, and doing it in a way that keeps the work moving. Consider the same associate, but this time the tool recognizes that the pasted block contains a SIN and financial identifiers. Instead of letting it through — or blocking the whole task and sending them to a personal account out of frustration — the sensitive values are redacted before the prompt reaches the AI tool, replaced with realistic placeholders so the discrepancy-checking still works. The associate gets their answer. The client's identity never left the firm.

The second effect is quieter but more durable. When a prompt is stopped or redacted with a plain-language note explaining what was flagged and why, the associate learns something in the moment they'll remember next time. Over a busy season, that's hundreds of small, specific lessons in safe AI use — the kind of behaviour change no annual policy acknowledgment produces. Netskope's 2025 data found the average organization logs around 223 sensitive-data policy violations per month, and regulated data made up 54% of them; each of those is a teaching moment being missed.

This is the principle Sanitized AI is built on: catch the sensitive data in the prompt and redact it before it ever reaches the tool, and turn each near-miss into a moment of in-the-moment training — so governance doesn't depend on perfect judgment during the least forgiving weeks of the year.

What to do before the filing crunch

The practical question to answer this quarter, before the deadline pressure arrives, is simple: if one of your staff pasted a client's return into a public AI tool tomorrow, would you know, and could you stop the sensitive fields from leaving? For most firms the honest answer is no on both counts. Fixing that isn't about restricting your people — it's about giving them a way to move fast without carrying a client's SIN out the door.

If you want to see how in-the-moment redaction and education work against the kind of prompts your team actually sends during busy season, request a demo and we'll walk through it with your workflows in mind.