5 mistakes companies make on AI policy

From not having an AI policy or not sharing it with employees to incomplete or ambiguous accountability structures, there are basic mistakes business leaders should avoid.
5 mistakes companies make on AI policy

IMAGE BY KATKAMI/ADOBE STOCK

McKinsey & Co.’s report The State of AI in 2025: Agents, Innovation, and Transformation summarised findings many of us had realised already: AI’s outputs lack accuracy and referencing and do not provide an ability to see how answers are generated. The conclusion reached time and time again is that there is a need for iterative testing, validating, and revising workflows to ensure AI is used responsibly and reliably.

Look at the havoc Excel can wreak when used without formal guidance. Anyone working in accounting or finance will recognise that no two colleagues build spreadsheets the same way. Formulae may be inconsistent, key cells are mis-referenced, logical errors are made, and formulae can be unnecessarily complex, making it difficult for others to understand โ€” or check โ€” the conclusions, if any, that are reached. Indeed, it even gives scope for potential fraud โ€” when complexity can be used to hide what would otherwise be obvious fraudulent activity.

Policies, standards, and training are all part and parcel of good practice in spreadsheet usage for businesses in the 21st century โ€” with good reason. However, whilst Excel’s scope in the corporate environment is vast, it is almost insignificant compared to AI’s potential role. The risks also become much larger. They may include:

  • Data privacy breaches and other security issues (eg, payroll data inadvertently supplied to all employees).
  • Potential (unintended) bias in automated decision-making.
  • Unchecked/incorrect data used, referenced, or sourced incorrectly.
  • Lack of transparency in the process, causing end users to question the veracity of the conclusions reached or to rely on erroneous “black box” results.
  • Lower staff morale due to less training/deskilling of the workforce or the risk of losing their jobs altogether โ€” potentially leading to greater key person risk, too.

Therefore, it is even more important to have the appropriate safeguards in place for responsible and reliable AI usage. In particular, in accounting and finance, businesses should be especially cautious about data security and confidentiality. Any automated systems (not just AI ones) handling financial transactions or reporting can be vulnerable to cyberattacks or data leaks โ€” how many times have you had to change your password or replace a credit card?

Furthermore, if AI algorithms and routines are not properly audited, there is a risk of inaccurate financial reporting, compliance breaches, hallucinations, or the propagation of existing biases in financial decision-making. But who are the auditors? You need specialists here, and few are trained for this role presently.

Still not convinced? Consider the example in the screenshot “Copilot Example in Excel”.

Copilot example in Excel

Here, I have used Excel’s COPILOT function and the following prompt:

=COPILOT(“Plot the 5 products over five years from 2025 onwards (years displayed horizontally). The products are given by the following:”,F13:F17,”Initial sales for the first year are given by the following:”,G13:G17,”Annual growth rates are given by the following:”,H13:H17)

If you clicked on cells K12:P17, this is what you would see as the formula, which is not a typical Excel calculation. It is difficult to check the logic of these results since the method of derivation of values cannot be surmised. It appears to be pretty impressive, even though opaque. There’s only one problem: It’s wrong.

Unfortunately, this suffers from the same problems that models built with large language models (LLMs) often have โ€” computational errors.

Cell O14 should be 22,497, not 22,517, and all numbers in the final year have errors โ€” some minor, some more noticeable. This is the danger with LLM-led modelling: The errors are hard to spot. The Excel calculation engine somehow needs to be combined with the LLM because somewhere, somehow, they are not talking to each other. The fact the calculations are not shown โ€” only the COPILOT syntax โ€” does not help. An AI policy suggesting that more appropriate tools such as Agent Mode, Claude for Excel, or other tested boutique AI tools should be adopted in this instance would avoid such problems here, as they utilise the Excel calculation engine instead and return “genuine” Excel formulae.

The problem is the numbers almost look right. That is the worst part. They are going to be tricky to spot, and unsuspecting analysts make erroneous computations โ€” and hence conclusions โ€” regardless of the warnings Microsoft gives them about checking results.

But the risks are much more than simply Excel-specific. All businesses โ€” no matter how large or small โ€” need a robust in-house AI policy. Establishing such a policy offers significant benefits, including reducing the risks cited above, setting clear guidelines for ethical AI use, ensuring compliance with legal and industry regulations, and supporting consistency in how AI tools are deployed across the organisation.

The policy must be flexible and updated regularly. AI is moving quickly; policies must keep up. Restrictive procedures may stifle innovation, and out-of-date processes may be inapplicable or present potential legal liabilities. Regular review and staff training are essential to ensure the policy remains relevant and effective as AI technologies, accounting rules, and regulations evolve.

And so, to this article’s headline: What are the top five mistakes companies make regarding an AI policy? Having assisted many of my clients with policies, there are several issues that keep occurring.

Try to avoid the following common clangers:

  1. Not having a policy or, worse, creating one but not communicating it appropriately with all employees and other key stakeholders. Compliance cannot be enforced if no policy exists or if it has not been disseminated.
  2. Insufficient stakeholder involvement: Sometimes key staff and other stakeholders are not consulted when corporate policies โ€” on AI or in other areas โ€” are being developed. This can lead to operational/transactional blind spots and resistance to adoption. Policy gaps and a lack of buy-in should be avoided. It is an age-old trick in consulting to engage with those affected and obtain their feedback and address their pushbacks. Policy walk-throughs with associated training can address many of these issues.
  3. Overlooking data protection requirements and/or ignoring other regulatory provisions: Neglecting data protection obligations or compliance with other legal requirements may lead to legal penalties/sanctions, operational disruption, and reputational damage. The role of internal and external audit should be clear in maintaining internal control and compliance checks. AI is developing fast; audit staff need to be trained regularly; and updates to legal and regulatory stipulations should be implemented without delay.
  4. Incomplete/erroneous risk assessments: You can have full consultation with stakeholders and even check off every legal and regulatory requirement. But have you actually checked the results? Audited the numbers? Verified the results and references? Considered the ethics of the process? Have you considered all security and risk implications? Especially given the world of AI is new to most of us, not all risks may be identified, and they may even seem superficial compared to those recognised by experienced assessors. For key policies, you should consider third-party assistance from subject matter experts and conduct thorough, scenario-based, department-specific analyses for risks and uncertainties.
  5. Insufficient or ambiguous accountability may lead to inadvertent gaps in the process not being addressed, delayed actions, and/or increased liabilities. The process needs to have a reporting structure identifying who is responsible for each element and how it may be escalated in times of staff unavailability, urgency, or major incidents.

Ultimately, a well-crafted AI policy not only safeguards your business, your clients/customers, and yourself, it also fosters trust and confidence, culminating in the ability to seize AI opportunities quickly, effectively, and efficiently as they arise.

To assist, rather than merely criticise, allow me to criticise constructively. Here are several points I suggest as a checklist for your own AI policy. This is neither intended to be comprehensive nor relevant to all organisations. The following are simply ideas to help you avoid some of the common mistakes discussed above:

  1. AI system selection
    • Consider due diligence on all vendors; assess their incident histories and compliance certifications; and procurement procedures should be explicit.
    • Ensure any provider can adhere to all policy requirements; minimise third-party risk.
    • Have you tested the systems? Can a trial/parallel run be undertaken with sanitised data?
  2. Governance
    • Appoint a compliance officer.
    • Create an accountability structure/oversight committee.
    • Reporting issues should be documented and corrected.
    • For dealing with deliberate employee nonadherence โ€” there should be staff guidelines/disciplinary procedures.
    • For authority to approve AI processes and/or investment โ€” is the process clear?
  3. Data management and reporting
    • Ensure extracting, transforming, and loading data is automated with as little adjustment as possible to avoid prejudice and biases.
    • Create a requirement for explicit consent to use third-party data in AI processes.
    • Data minimisation โ€” ie, use only what is necessary.
    • Data retention periods should be clear and categorised, if necessary.
  4. Risk management
    • Identify all risks associated with the implementation of AI in business reporting (within reason).
    • Address the likelihood and impact of risks identified.
    • Implement controls and other risk-mitigation processes (eg, outsourcing of noncore, nonconfidential reporting to free up managerial time to review AI-assisted work) with regular review and updates. Consult specialists/auditors as necessary.
  5. Data security
    • Review AI usage of data included in prompts and associated references. Will it be made available online? Will it be used to train AI software thereafter?
    • Communicate encryption policies for data protection prior to AI usage.
    • Create audit workflow procedures for AI and/or IT consultants and for internal and external auditors.
    • Restrict access to AI datasets and models to authorised personnel only, using strong authentication and role-based permissions.
  6. Cyber incident response
    • What are the breach procedures? Is everyone trained?
    • Reporting processes should be produced, both automated and manual, including for third-party reporting (eg, authorities, regulators, and clients).
    • Remediation policies: how similar issues will be prevented next time; consultation with system designers and forensic analysts, if necessary.
  7. Ethical considerations
    • Are the processes fair? Avoid discrimination, inadvertent prejudice, or results that may disadvantage clients, customers, staff, or other key stakeholders.
    • Be transparent: Maintaining accessible, clear documentation of logic and processes helps everyone understand and have buy-in to the policy.
    • Ensure grievances are raised with those responsible and/or accountable for the AI process or processes affected. Allow the right to contest, again within reason.
  8. Training
    • Educate staff and key stakeholders on the risks, ethics, data management, and security, emphasising the need for compliance; document with training manuals.
    • Consider efficiency, effectiveness, and economy initiatives regularly, with regular reviews for improvement, through suggestion boxes, consultation, and audit.
  9. Review the policy regularly
    • AI technologies, rules, and regulations are evolving rapidly, so policies must keep up.
    • Frequent reviews should identify new risks or ethical issues.
    • Operational activities and changes to strategic objectives may make certain aspects of the policy obsolete.

Word to the wise

If you are thinking “we haven’t got time for that”, you are, ironically, exactly the individual or organisation that needs to make time for “that”. Get AI to help you. Uncontrolled, unregulated AI processes will be the downfall of many businesses. Don’t be a casualty: The light at the end of the tunnel might be a train on copilot.


Liam Bastick, FCMA, CGMA, FCA, is director of SumProduct, a global consultancy specialising in Excel training. He is also an Excel MVP (as appointed by Microsoft), author of Introduction to Financial Modelling and Continuing Financial Modelling, and co-author of Python in Excel: Unlocking Powerful Data Analysis and Automation Solutions. Send ideas for future Excel-related articles to him at liam.bastick@sumproduct.com. To comment on this article or to suggest an idea for another article, contact Oliver Rowe at Oliver.Rowe@aicpa-cima.com.


MEMBER RESOURCES

Articles

โ€œAI Vulnerabilities Emerge as Fastest-Growing Cyber Riskโ€, FM magazine, 13 January 2026

โ€œFinance and Cyber Resilienceโ€, FM magazine, 17 December 2025

โ€œCybersecurity Tool Provides Steps to Manage Risks, Keep Data Safeโ€, FM magazine, 14 October 2025

Report

AI Demystified: A Glossary of Essential Terms, CIMA, 15 January 2026

Up Next

Fragmented talent data comes at a high cost

By Steph Brown
July 16, 2026
Eighty per cent of business leaders estimate that fragmented talent data systems cost their companies at least 3% of total payroll.
Advertisement

LATEST STORIES

5 mistakes companies make on AI policy

Fragmented talent data comes at a high cost

Leadership traits that help finance teams thrive

UK government unveils significant reforms to SME investment

UK regulator revises pension standard

Advertisement
Read the latest FM digital edition, exclusively for CIMA members and AICPA members who hold the CGMA designation.
Advertisement

Related Articles

4 steps for businesses to establish an AI governance policy