Janet Harrison writes:

There is something clarifying about a consulting firm publishing a report on AI’s enterprise benefits that itself contains AI-generated hallucinations. That is what happened with KPMG, and it landed on top of a pattern. EY Canada pulled a cybersecurity report in May 2026 after researchers found fake footnotes, misattributed sources, and references to material that did not exist. Deloitte, meanwhile, agreed last year to refund part of an AU$440,000 Australian government contract after errors and fabricated references were found in a welfare compliance review that later disclosed the use of Azure OpenAI. Three of the largest advisory firms in the world have now had public report failures tied to the same basic weakness: unverified AI output moving too far through the publishing process.

The newest case is KPMG. As the Financial Times reported on June 12, the firm withdrew an October report titled ‘Redefining excellence in the age of agentic AI’ after GPTZero and the FT identified bogus case studies about AI adoption at organizations including UBS, the UK’s National Health Service, Swiss Federal Railways, and Transport for London. UBS told the FT it would ask KPMG to remove false claims. KPMG then pulled the report from some of its websites and began an internal review. That matters because KPMG is not just another publisher of thought leadership. It is selling advice to companies trying to decide how much trust to place in AI systems.

The EY case shows how quickly the problem becomes commercial. Its report, ‘Points of Attack: Uncovering Cyber Threats and Fraud in Loyalty Systems,’ was not just an internal draft. The FT reported that EY consultants in Canada used it to market cybersecurity services. GPTZero researchers found invented data, inaccurate citations, and a McKinsey report that did not exist. One of the report’s central market claims also shifted in ways that made the analysis hard to rely on. EY removed the study and said it was not connected to client engagements, but that answer leaves a practical question hanging. If a report can be used in sales conversations before its sources are confirmed, where exactly is the control point?

The problem identified at EY was not the mere use of AI. It was the absence of verification. Citation checks, source confirmation, and final output validation are not exotic controls. They are the minimum standard for any research-backed document that asks clients to trust its conclusions. A research group outside the firm caught what the firm’s own publication process apparently missed, and that is the part enterprise buyers should pay attention to. [Continue reading…]