IRS Circular 230: What the New AI Guidance Means for Tax Practitioners
The IRS Office of Professional Responsibility (OPR) has confirmed that no new rulebook is needed for artificial intelligence: every obligation that already exists under Treasury Circular 230 applies in full whenever a practitioner uses AI to assist with tax work. Issued in late June 2026, the OPR bulletin draws a clear line between AI as a useful tool and AI as a substitute for professional judgment, a distinction that has direct consequences for due diligence, fees, data security, and firm-wide governance.
What the OPR Actually Said
The bulletin, published by the office that enforces Circular 230 (31 C.F.R. Part 10) and can discipline or sanction practitioners for violations, sets out a simple principle: AI output is a starting point, not a finished product. Final decisions on any matter governed by Circular 230 must rest with qualified professionals who understand the applicable law and the ethical standards that surround it.
The OPR acknowledged the genuine benefits of generative AI, including faster data analysis, cost savings, and potential government uses such as fraud detection and audit risk assessment. But it was equally direct about the risks: fabricated outputs, embedded bias, and a lack of transparency about how conclusions are reached. Courts have already sanctioned lawyers for submitting filings containing AI-generated citations that turned out not to exist, with penalties ranging from financial sanctions and public censure to removal from cases. The bulletin notes that while most of those cases involve attorneys, tax professionals face the same exposure.
Due Diligence and Competence Obligations
Under Circular 230, practitioners have a long-standing duty to exercise due diligence in preparing returns and other submissions. The OPR's position is that this duty now extends explicitly to verifying every factual assertion, citation, and calculation that an AI system produces. Practitioners cannot simply adopt AI output without scrutiny. Human review and editing are, in the OPR's own words, essential.
Competence requirements go further than knowing the tax law. The bulletin states that practitioners must also understand how the AI tools they deploy actually generate content and where errors or bias may arise. A practitioner who lacks that technological understanding runs the risk of providing improper advice or filing a flawed return, which constitutes a Circular 230 violation regardless of whether the underlying error originated with a machine.
This matters particularly for crypto-focused practitioners. The volume and complexity of digital asset transaction data makes AI assistance attractive, but the same due diligence requirements apply when AI calculates gains, identifies cost-basis lots, or classifies income types. For a closer look at the accuracy obligations that attach to those calculations, see our article on crypto cost-basis methods and the accuracy obligations they create.
Fees: AI Efficiency Must Benefit the Client
One of the more commercially significant points in the bulletin concerns billing. If AI tools reduce the time a practitioner actually spends on a task, the OPR warns that charging the client as though that time was still spent could constitute an "unconscionable fee" under Circular 230. The bulletin's position is that cost savings generated by AI should be passed through to clients, and that practitioners should disclose AI use where appropriate and fairly credit any resulting cost reductions.
For firms that have not yet reviewed their billing policies in light of AI adoption, this guidance makes that review urgent. The risk is not hypothetical: the OPR specifically cited an example in which an accounting firm delivering a report to the Australian government included invented quotations and incorrect citations, and was required to partially refund its fee.
Data Security and Confidentiality
The OPR devoted significant attention to the risk that generative AI platforms, particularly public or unsecured tools, could expose confidential taxpayer data. The relevant Code provisions impose both civil and criminal penalties for unauthorised disclosure of tax return information, and the OPR made clear that Circular 230 disciplinary action is also on the table for willful mishandling of client data.
The bulletin's instruction is straightforward: practitioners must use only secure, enterprise-approved AI systems when handling any client information. This aligns with broader trends in institutional compliance, where infrastructure-level controls are increasingly expected rather than optional, a direction explored in our coverage of permissionless blockchain compliance at the infrastructure level.
Firm-Level Governance Requirements
The OPR did not limit its guidance to individual practitioners. Firm leaders have their own Circular 230 obligations to establish procedures ensuring that everyone within the firm complies. In the AI context, the bulletin outlines what those procedures must cover:
- Staff training on AI capabilities and limitations
- Secure data-handling protocols for AI tools
- Accuracy monitoring processes for AI-generated work product
- Vetting of any third-party AI platforms before deployment
- Documentation demonstrating adherence to Circular 230 requirements
Firms that have already adopted AI tools without formalising these policies should treat this bulletin as a prompt to do so, and to keep documented evidence that they have done so.
Key Circular 230 Duties Applied to AI Use
| Circular 230 Duty | Application to AI-Assisted Work |
|---|---|
| Due diligence | Verify all AI-generated facts, citations, and calculations before use |
| Competence | Understand how the AI system generates output and where it may err |
| Confidentiality | Use only secure, enterprise-approved AI when handling taxpayer data |
| Fee standards | Reflect AI-driven cost savings in client billing; avoid unconscionable fees |
| Supervisory responsibilities | Implement firm-wide policies covering training, data security, and AI tool vetting |
What Firms Should Do Now
The OPR bulletin does not introduce new rules, but it does clarify that existing rules carry real teeth in the AI context. Practitioners and firm leaders should treat it as a compliance checklist rather than background reading. Audit your current AI tooling against the data security requirements. Review billing practices for any AI-assisted engagements. Confirm that staff training covers not just how to use AI tools, but how to critically evaluate their output. And document everything.
For firms advising on digital assets, where AI-assisted transaction analysis is already common, the stakes are compounded: errors in AI-generated cost-basis calculations or income classifications carry the same Circular 230 exposure as errors in any other return, and the IRS now has a clear basis on which to pursue them.
FAQ
Does the IRS OPR bulletin create new Circular 230 rules for AI?
No. The bulletin clarifies that existing Circular 230 duties, including due diligence, competence, confidentiality, and fee standards, apply directly to AI-assisted work. No new regulations were issued; the OPR is applying the existing framework to a new context.
Can a practitioner be disciplined for errors in AI-generated output they did not personally introduce?
Yes. The OPR's position is that practitioners maintain full responsibility for any work produced with AI assistance. If an AI system fabricates a citation or miscalculates a figure and the practitioner submits that work without adequate review, the Circular 230 violation belongs to the practitioner.
What counts as an "unconscionable fee" in the context of AI?
The OPR warns that charging clients for time not actually spent, because AI completed a task faster, raises unconscionable fee concerns under Circular 230. Firms should review billing practices and ensure that AI-driven efficiencies are fairly credited to clients.
Which AI tools are acceptable for handling taxpayer data?
The bulletin does not endorse specific platforms but requires that practitioners use only secure, enterprise-approved AI systems for any work involving client data. Public or unsecured generative AI platforms are explicitly flagged as a risk, given the civil and criminal penalties available under the Code for unauthorised data disclosure.
What firm-level documentation does the OPR expect?
Firms should be able to demonstrate, through documented policies and procedures, that they have addressed staff training on AI limitations, secure data handling, output accuracy monitoring, and vetting of third-party AI tools. The documentation itself is part of the compliance obligation, not an optional add-on.
Source: Journal of Accountancy