The Landscape

What's changed — and why waiting is its own decision.

The objection is predictable: 'AI changes every six months — we'll wait.' But the trajectory is not hype. Capability has doubled every 12–18 months, and open-weight models now run on private hardware. The firms building infrastructure today are accumulating an advantage that's expensive to claw back.

The pace of capability change

What stays vs what changes

What stays

  • Your client relationships — AI assists; professionals decide
  • Your workflows — M365, FYI Docs, Xero, Active Workpapers remain unchanged
  • Your obligations — APES 320, Privacy Act, TPB Code still apply
  • Your audit trail — every AI interaction can be logged and reviewed

What changes

  • How long tasks take — document review, drafting, reconciliation
  • What junior staff spend their time on — less data grunt work
  • How quickly you can query your firm's own precedents and templates
  • The competitive gap between firms that acted early and those that waited

The question is not whether to adopt AI. It is whether you are choosing your adoption path, or it is choosing itself through shadow usage.

Australian regulatory floor

Privacy Act 1988 + APPs

Personal information handled by AI must meet APP 11 security obligations. Any tool that processes client data — knowingly or not — must comply.

TPB Code of Professional Conduct

Confidentiality and competence obligations extend to AI assistance. Using an unapproved tool for client work may breach Code sections 5 and 10.

APES 320

Quality management systems must explicitly address AI use. Unmanaged shadow AI sits outside the QMS scope — a gap auditors will increasingly flag.

ASIC REP 798

AI governance is a board-level responsibility, not an IT one. Firms cannot delegate oversight of AI tools to their technology teams.

So what does the cost of standing still actually look like?

Risk of Inaction

The cost of waiting is not zero.

Each risk below is a present exposure — not a hypothetical — that grows with every month of unmanaged adoption.

Buying a SaaS AI tool (Copilot, ChatGPT Enterprise) addresses shadow usage — but it substitutes one data exposure for another. Client data still leaves your network and is processed in a vendor's cloud. For SMSF clients, high-net-worth individuals, and medical professionals, that may not be an acceptable answer. See the Options page for a full comparison.

What are the realistic options available to your firm?