Firm-wide governance for Claude, ChatGPT, and approved LLMs

Turn LLMs into governed firm capabilities.

Operating model, controls, roadmap, and adoption system for professional services teams using AI in client work.

Prepared for CPA Automation Inc. by Ray Sang | raysang@cpaautomation.ai | cpaautomation.ai

Governance thesis

LLMs should expand professional judgment, not bypass it. The firm needs clear decision rights before usage scales.

Governance frame

The goal is controlled adoption, not slower adoption.

LLM governance should make it obvious which use cases are encouraged, which require review, and which are off limits.

1. Enable

Use AI where judgment bottlenecks exist

Drafting, research synthesis, client-ready explanations, workflow documentation, and first-pass analysis.

2. Protect

Guard client data and firm reputation

Confidentiality, privilege, retention, disclosure, and output reliance must be designed into the workflow.

3. Standardize

Move from individual experiments to reusable patterns

Approved prompts, playbooks, model/tool records, evaluation rubrics, and shared examples.

4. Measure

Track value and reliability with the same discipline

Monitor adoption, cycle time, rework, exceptions, incidents, hallucination rates, and business impact.

02 / 19

Operating system

Adapted from the attached AI transformation model

Four workstreams make firm-wide LLM adoption governable.

AI vision & coordination

1

2

3

Program owner

Name accountable leader, council, and intake path.

Readiness & risk

Assess maturity, data exposure, standards, and gaps.

Strategy & roadmap

Set principles, priorities, pilots, budget, and timeline.

AI implementation

4

5

Data prep

Map data sources, sensitivity, access, and quality.

Build & maintain

Deploy approved LLM workflows and test them.

AI governance

6

7

Report & monitor

Measure usage, value, reliability, exceptions, and incidents.

Security & ethics

Keep AI secure, accurate, compliant, and explainable.

AI education

8

9

Training

Role-based learning for staff, managers, builders, and partners.

Center of excellence

Publish patterns, examples, office hours, and lessons learned.

03 / 19

Organization

Governance needs a council with real operating reach.

The AI Council is not a debate forum. It owns the policy system, approves restricted uses, and clears blockers across practices.

Executive sponsor

Sets risk appetite, funding, and firm-wide mandate.

Practice owners

Own use-case value, workflow fit, quality review, and staff adoption.

Client delivery leads

Retain professional judgment and certify final work product.

AI Council

Decision rights, exceptions, metrics, and roadmap governance.

Risk, legal, compliance

Own restricted data rules, client disclosure, retention, and incident policy.

IT and security

Own access, logging, DLP, approved tools, identity, and vendor controls.

AI Center of Excellence

Own standards, prompt libraries, evaluations, training, and reusable patterns.

04 / 19

Decision rights

Suggested ownership model

Assign ownership by decision, not by enthusiasm.

Decision

AI Council

Practice owner

IT / security

Risk / legal

CoE

Approve firm policy

A

C

R

Approve restricted use cases

A

R

C

R

C

Approve tools and integrations

C

A/R

C

Maintain playbooks and evaluations

C

A/R

Certify final client work

I

A/R

I

C

A = accountable | R = responsible | C = consulted | I = informed

05 / 19

Inventory

Start with the firm map: functions, systems, data, and work products.

The source model inventories org structure, processes, systems, and data sets before prioritizing AI. Apply that same discipline to every LLM platform.

Governance

Client delivery

Supporting functions

Systems & data

Executive leadership: strategy, risk appetite, operations, governance

Tax

Audit & assurance

Client accounting services

Advisory

Client onboarding

Finance

HR

Legal

IT & security

Marketing & sales

Knowledge management

DMS

Tax apps

Audit apps

CRM

Billing

Email / chat

Client portals

06 / 19

Use-case taxonomy

Default policy bands

Every LLM use case belongs in one of three lanes.

Allowed

Low risk

Public or internal non-sensitive content, brainstorming, formatting, checklists, training drafts, and general knowledge support.

Human review is still required before client or external use.

Examples: internal SOP draft, meeting agenda, first-pass email tone rewrite.

Controlled

Approval required

Client data, regulated subject matter, tax positions, audit evidence, contracts, financial statements, or output used in professional judgment.

Requires approved surface, logging, data handling controls, validation, and reviewer sign-off.

Examples: memo drafting from client files, reconciliations, contract clause summaries.

Prohibited

Do not use

Unapproved tools, secrets, credentials, raw sensitive personal data, privileged material without approval, or autonomous decisions without human review.

Exceptions must be formally documented and approved before any pilot.

Examples: uploading full client data rooms to a personal account, finalizing advice without review.

07 / 19

Assessment

Prioritize by fit, value, feasibility, risk, and effort.

Not every issue needs an AI solution. The intake scorecard should make weak use cases easy to stop early.

Strategic fit

Does the use case support firm goals, client service quality, or operating leverage?

1-5

Business value

Will it reduce cycle time, improve quality, increase capacity, or lower rework?

1-5

Feasibility

Are data sources, workflow owners, reviewers, and integration paths ready?

1-5

Risk

What is the confidentiality, regulatory, client reliance, and reputational exposure?

1-5

Effort vs. value

Can the firm pilot quickly, measure impact, and reuse the pattern elsewhere?

1-5

Gate 1: data sensitivity

Classify public, internal, confidential, restricted, privileged, and regulated data before any tool decision.

Gate 2: output reliance

Determine whether the LLM is drafting, summarizing, recommending, calculating, or triggering downstream action.

Gate 3: reversibility

Prefer pilots where errors are visible, reviewable, reversible, and contained inside a supervised workflow.

Gate 4: scale path

Require owner, training plan, control evidence, and monitoring metrics before broad rollout.

08 / 19

Policy stack

Policy should be operational enough to use on Monday.

Write the LLM policy around concrete workflow requirements, not abstract AI principles alone.

01

Approved surfaces

Define where approved LLMs can be used: browser, workspace, API, embedded agents, MCPs, and approved integrations.

02

Data handling

Specify what data may be entered, masked, uploaded, retained, logged, or excluded entirely.

03

Human review

State who reviews outputs, what evidence is retained, and when second-level review is needed.

Minimum documentation for every governed use case

Use case card: owner, data, prompt, output, reviewer, risk tier, controls, KPIs.

This card becomes the single record used by the AI Council, IT/security, practice leadership, training, and monitoring.

Client disclosure position Retention and audit trail Validation test set Exception process Responsible reviewer Rollback criteria

09 / 19

Screening process

Use one company-wide approval path for every LLM platform.

Claude, ChatGPT, and any future model should pass the same screening gates before users, data, MCPs, or client workflows are enabled.

1

Request

Business owner submits model, workspace, use cases, data classes, expected users, and target launch date.

2

Classify

AI CoE tags risk tier, data sensitivity, output reliance, affected clients, and required reviewers.

3

Screen vendor

IT/security reviews SOC reports, DPA, subprocessors, retention, admin controls, and incident terms.

4

Configure

Admins set SSO, groups, logging, retention, sharing, connector rules, model access, and default restrictions.

5

Pilot

Run test users, validation prompts, data-loss checks, reviewer sign-off, and rollback criteria.

6

Approve

AI Council approves scope, publishes playbook, trains users, and moves the record to monitoring.

Required intake artifacts

Use-case card, data map, owner, reviewer, user group, model/workspace requested, MCP/connectors requested, client impact, and KPIs.

Approval evidence

Vendor review, security review, legal/privacy review, data-governance decision, pilot results, and final configuration checklist.

Launch controls

Named admins, SSO group, approved user list, training completion, monitoring owner, incident channel, and exception expiration date.

10 / 19

Configuration baseline

Configure every LLM platform from one firm standard.

The policy should define the control objective; admins then map it to each platform's enterprise settings.

Enterprise tenant

Identity

SSO required; no shared accounts; group-based access by role, practice, and risk tier.

Data use

Disable training on firm data where available; document retention and deletion rules.

Sharing

Restrict public sharing, unmanaged export, external collaborators, and personal workspace migration.

Connectors

Default off; enable only approved connectors, MCP servers, and tool scopes.

Logging

Capture admin actions, user activity, tool calls, incidents, and exception approvals.

Model access

Maintain approved model list by use case, risk tier, and evaluation status.

Workspace rollout

Admin owners

Primary and backup admins named; changes require ticket and monthly review.

User groups

Pilot, builder, reviewer, partner, and restricted-data groups with different permissions.

Default prompts

Publish approved system guidance, disclaimers, review reminders, and data restrictions.

Knowledge sources

Curate approved firm libraries; tag client files, restricted data, and stale source material.

Release cycle

Review new features monthly before enabling browsing, memory, file tools, agents, or connectors.

Exit process

Remove departed users, rotate secrets, revoke tokens, and archive governed workspaces.

Decision rules

AI Council

Approves platform scope, restricted use cases, and exception policy.

IT/security

Owns SSO, groups, logs, connectors, secrets, and vendor security review.

Data owner

Approves data classes, retention, and use in client or practice workflows.

Practice owner

Certifies workflow value, quality review, user training, and final output accountability.

Legal/privacy

Approves client disclosure, DPA, cross-border terms, and regulated data use.

CoE

Maintains playbooks, prompts, evaluations, training, and adoption support.

11 / 19

MCP and connectors

Approve MCPs and connectors as system integrations.

An MCP can give an LLM operational reach into firm systems. Treat it like an integration, not like a prompt.

1

Register the MCP

Capture provider, code owner, hosting location, data touched, tool actions, auth method, and business purpose.

CoE + requester

2

Review access scope

Approve least-privilege OAuth scopes, service accounts, read/write limits, rate limits, and token rotation.

IT / security

3

Screen the third party

Review SOC report, DPA, privacy posture, subprocessors, retention, breach notification, and support model.

Legal / privacy

4

Sandbox and test

Use non-production data; test tool call boundaries, error handling, injection resistance, and audit logging.

Security + CoE

5

Approve and monitor

Publish allowed users, actions, data classes, owner, review cadence, kill switch, and incident path.

AI Council

Default rule

No third-party MCP or connector is enabled for firm data until it is registered, risk-scored, sandbox-tested, and approved by the AI Council.

Configuration checklist

Allowed tools, denied tools, read/write actions, OAuth scopes, service account, environment, log destination, token owner, and rollback switch.

Ongoing review

Monthly usage and exception review; quarterly access recertification; immediate review after vendor feature changes or incidents.

12 / 19

Data governance

Data approval decides what the LLM may see, not just which tool is allowed.

Each use case should carry a data decision: allowed, masked, restricted to approved tenant, or prohibited.

Public / published

Generally allowed in approved tools. Still verify sources, avoid misleading citations, and keep professional review.

Internal firm data

Allowed only in approved workspaces with retention, logging, and sharing controls configured.

Client confidential

Requires data owner approval, approved tenant, masking where practical, reviewer evidence, and client disclosure position.

Restricted / privileged

Default prohibited unless legal/privacy, data owner, practice owner, and AI Council approve compensating controls.

1. Data map

Source system, data fields, sensitivity, owner, retention, and client obligations.

2. Purpose limit

Allowed prompt purpose, output use, reviewer role, and downstream action.

3. Control design

Masking, approved workspace, logging, export limits, and access group.

4. Approval

Data owner plus legal/privacy for client, regulated, or privileged data.

5. Recertify

Quarterly review of data scope, users, MCP access, incidents, and exceptions.

13 / 19

Control architecture

Controls that make usage auditable

Approved LLMs need a control layer around identity, data, output, tools, and incidents.

Identity

SSO, groups, role-based access, named accounts.

Data

DLP, masking, approved upload classes, retention rules.

Tools

Approved LLM surfaces, MCPs, connectors, agents, and APIs.

Logging

Prompt/output records, user activity, exceptions, approvals.

Evaluation

Accuracy, hallucination checks, reviewer feedback, drift testing.

Response

Incident triage, client impact review, rollback, remediation.

Prevent

Access controls, data classifications, approved tools, training prerequisites.

Detect

Logs, usage monitoring, output review sampling, issue reporting.

Correct

Exception review, prompt/playbook fixes, user coaching, model/workflow rollback.

14 / 19

Roadmap

Run governance in sprints: stabilize, scale, industrialize.

The attached roadmap uses 0-3, 3-9, and 9+ month horizons. That cadence fits LLM governance well.

0-3 months

Stabilize

Appoint sponsor, AI Council, CoE lead, and security owner.
Publish interim LLM acceptable-use policy.
Inventory current usage, tools, systems, data, and top workflows.
Select 3-5 low-risk pilots with clear review steps.
Start role-based training and prompt/playbook library.

3-9 months

Scale

Implement approved access model, logging, DLP, and exception process.
Expand pilots into governed practice workflows.
Build evaluation rubrics for high-value use cases.
Launch monthly AI Council dashboard and office hours.
Codify client disclosure and reviewer evidence standards.

9+ months

Industrialize

Move proven patterns into reusable CPA Automation workflows.
Integrate governed LLM use into systems of record and client portals.
Maintain model, tool, prompt, and evaluation registries.
Run quarterly maturity reviews and control testing.
Refresh training as tools, risks, and standards evolve.

15 / 19

Education

Training and change management

Education is a control, not a one-time rollout activity.

All staff

Acceptable use, data rules, prompt hygiene, verification basics, and how to report issues.

Managers & reviewers

Output review procedures, evidence retention, exception handling, and client-ready quality checks.

Builders & automators

Workflow design, API/tool use, test sets, logging, security, and rollback criteria.

Partners & client leads

Risk appetite, client disclosure, engagement economics, quality accountability, and change leadership.

Prompt library

Approved examples by practice and risk tier.

Office hours

Weekly support for pilots and exceptions.

Champions

Embedded practice advocates with feedback loops.

Release notes

Policy, tool, and playbook updates as capabilities change.

16 / 19

Monitoring

Monitor adoption, value, reliability, and risk together.

The source model tracks development progress, business KPIs, training, change management, availability, and accuracy. LLM governance should do the same.

01

Active governed use cases

Count by practice, risk tier, workflow owner, and lifecycle stage.

02

Cycle-time reduction

Hours saved, review time, turnaround, and throughput improvement.

03

Quality and rework

Reviewer corrections, issue density, and client-facing defect trends.

04

Reliability

Availability, hallucination rate, stale-source rate, and evaluation pass rate.

05

Training coverage

Completion, role certification, policy acknowledgement, and office-hour demand.

06

Exception volume

Policy exceptions requested, approved, rejected, expired, and remediated.

07

Incidents

Data exposure, inaccurate output, unauthorized use, and remediation timing.

08

Reuse

Approved patterns reused across teams and retired one-off experiments.

17 / 19

Cadence

Use cadence to keep governance alive after launch.

Governance fails when artifacts are static. The cadence should refresh decisions, exceptions, metrics, and training every month.

Weekly CoE working session

Review pilots, prompt patterns, issue reports, evaluation results, and training needs.

Monthly AI Council

Approve use cases, exceptions, tool changes, roadmap shifts, and dashboard actions.

Quarterly maturity review

Test controls, refresh risk appetite, review vendor posture, and reset strategic priorities.

Use-case inventory

Firm-wide register by owner, data, risk tier, control status, and business value.

Policy exception log

Temporary approvals with expiration dates, compensating controls, and decision rationale.

Model and tool registry

Approved LLM surfaces, MCPs, integrations, connectors, agents, versions, and owners.

Evaluation library

Test prompts, expected outputs, pass/fail criteria, and reviewer calibration notes.

Training record

Role-based completion, policy acknowledgements, and remediation coaching.

Incident record

Detected issue, client impact, root cause, remediation, and control updates.

18 / 19

Recommended next move

Stand up the AI Council, inventory current LLM usage, and approve the first governed pilots.

1. Charter

Confirm decision rights, members, cadence, policy scope, and risk appetite.

2. Inventory

Collect tools, users, data types, workflows, and known AI experiments.

3. Pilot

Select measurable use cases with owners, controls, reviewers, and KPIs.

Ray Sang

raysang@cpaautomation.ai

cpaautomation.ai

CPA Automation Inc. | LLM governance operating model

19 / 19