KPMG's withdrawn AI report has turned a familiar warning into a reputational problem for the consulting industry. The issue is no longer whether generative AI can hallucinate, but whether the firms selling AI governance can prove their own work is being checked.
There is something clarifying about a consulting firm publishing a report on AI's enterprise benefits that itself contains AI-generated hallucinations. That is what happened with KPMG, and it landed on top of a pattern. EY Canada pulled a cybersecurity report in May 2026 after researchers found fake footnotes, misattributed sources, and references to material that did not exist. Deloitte, meanwhile, agreed last year to refund part of an AU$440,000 Australian government contract after errors and fabricated references were found in a welfare compliance review that later disclosed the use of Azure OpenAI. Three of the largest advisory firms in the world have now had public report failures tied to the same basic weakness: unverified AI output moving too far through the publishing process.
The newest case is KPMG. As the Financial Times reported on June 12, the firm withdrew an October report titled 'Redefining excellence in the age of agentic AI' after GPTZero and the FT identified bogus case studies about AI adoption at organizations including UBS, the UK's National Health Service, Swiss Federal Railways, and Transport for London. UBS told the FT it would ask KPMG to remove false claims. KPMG then pulled the report from some of its websites and began an internal review. That matters because KPMG is not just another publisher of thought leadership. It is selling advice to companies trying to decide how much trust to place in AI systems.
The EY case shows how quickly the problem becomes commercial. Its report, 'Points of Attack: Uncovering Cyber Threats and Fraud in Loyalty Systems,' was not just an internal draft. The FT reported that EY consultants in Canada used it to market cybersecurity services. GPTZero researchers found invented data, inaccurate citations, and a McKinsey report that did not exist. One of the report's central market claims also shifted in ways that made the analysis hard to rely on. EY removed the study and said it was not connected to client engagements, but that answer leaves a practical question hanging. If a report can be used in sales conversations before its sources are confirmed, where exactly is the control point?
The problem identified at EY was not the mere use of AI. It was the absence of verification. Citation checks, source confirmation, and final output validation are not exotic controls. They are the minimum standard for any research-backed document that asks clients to trust its conclusions. A research group outside the firm caught what the firm's own publication process apparently missed, and that is the part enterprise buyers should pay attention to.
Deloitte's Australian case made the same issue visible in a public-sector setting. The Department of Employment and Workplace Relations commissioned Deloitte to review the Targeted Compliance Framework for AU$440,000. University of Sydney academic Christopher Rudge identified fabricated references and other errors in the report, including problems tied to legal and academic citations. A revised version later disclosed that Azure OpenAI GPT-4o had been used in preparing the work. Deloitte agreed to repay the final portion of the contract, while the department said the corrections did not change the report's central recommendations.
KPMG's position is especially awkward because its own global AI trust research with the University of Melbourne has already warned about this category of risk. That study surveyed 48,340 people across 47 countries and found that 56% of employees reported making mistakes in their work because of AI, while 66% said they used AI outputs without evaluating accuracy. In other words, KPMG's own research described the behavior that creates these failures. The gap is between knowing the risk and building a process strong enough to stop it.
When a consultant delivers a report containing fabricated citations, who is accountable? So far, the answer has been limited. EY removed the study. Deloitte repaid part of a contract. KPMG opened a review and withdrew the flawed report. Those steps matter, but they do not yet answer the larger question facing clients, boards, and public agencies: what evidence should a professional services firm provide before AI-assisted work is treated as reliable?
For founders evaluating AI vendors, investors conducting technical diligence, and enterprise buyers signing advisory contracts, the implication is direct. The brand on the cover is not a substitute for verification. A citation in a consultant's slide deck should be checked like any other factual claim. Reports that rely on generative AI should carry a disclosure, a source log, and evidence that references were independently confirmed before publication.
The firms that will differentiate themselves over the next two years are not the ones selling AI transformation the loudest. They are the ones that can show, specifically, how they validate AI output before it leaves the building. The Big Four have just made the case for why proof of process now matters more than the logo on the report.