Finance teams are often enthusiastic early adopters of Claude — summarizing lengthy filings, drafting variance commentary, turning spreadsheets into narrative. All of that is genuinely useful. The risk is not the drafting; it is reliance: a generated figure flowing unchecked into a regulatory report, a board deck, or a payment instruction. A finance addendum to your company AI policy (see the layering approach) should therefore concentrate on three things: output-reliance limits, data restrictions, and mandatory review. What follows is recommended practice to adapt with your controllers, auditors, and counsel — not regulatory advice.
Output-reliance limits
The single most valuable sentence in a finance addendum is a bright line about what generated output may be used for. A common formulation: Claude may draft, summarize, and explain; it may not be the system of record for any number. Concretely:
Any figure, ratio, or total appearing in AI-generated text must be traced back to the source system (ERP, general ledger, treasury platform) before it is used in reporting, filings, or payment decisions. Treat generated calculations as unverified by default — large language models produce fluent text, not audited arithmetic. Narrative commentary (for example, explaining a variance the team has already computed) is a lower-risk use than asking the model to compute the variance itself.
Data restrictions
Finance handles categories of data that deserve their own rows in your data sensitivity matrix: pre-release results and other material non-public information, treasury positions and bank credentials, and personal payroll data. The addendum should say explicitly which of these may be sent to which approved deployment, and which may not be sent to any AI system at all.
Two platform facts help calibrate this conversation. First, for Anthropic's commercial products, inputs and outputs are not used to train models by default — the documented exception is when you explicitly submit feedback or otherwise opt in. Second, for the Claude API, Anthropic states it automatically deletes inputs and outputs on its backend within 30 days of receipt or generation by default, with stricter zero-data-retention arrangements available by contract. On Amazon Bedrock and Google Cloud, the cloud provider is the data processor, so verify equivalent retention and data-handling terms with your provider. None of this replaces your own classification decisions; it informs them.
Mandatory review requirements
Rather than a blanket "review everything," tier the review requirement by destination:
| Output destination | Recommended minimum review |
|---|---|
| Internal working notes, first drafts | Author self-review |
| Management reporting, board materials | Second-person review of all figures against source systems |
| Regulatory filings, audited statements, payment instructions | Existing control framework applies in full; AI output enters only as a reviewed draft, never directly |
Document in each case that AI assisted and who reviewed — your auditors will eventually ask. The audit trail article covers what to record.
Making usage visible to finance itself
Finance is also the team that will want to see AI spend. On the Claude API, the Admin Usage and Cost API exposes token consumption with breakdowns by model, workspace, and service tier, and a cost endpoint reporting USD amounts at daily granularity — usage data typically appears within about 5 minutes of request completion. That gives finance the raw material to reconcile AI spend against budgets without asking engineering for exports. On the cloud platforms, use the provider's native billing and cost tools instead.
Where to go next
Pair this addendum with risk tiering so review depth matches exposure, and with high-stakes output review for the filing-adjacent cases. The platform overview explains the deployment options your approved-tools list will reference.