AI & Tech Issue #126 ·

Three of the Big Four Caught Citing Fake Sources

Only 5 of 45 footnotes in KPMG's agentic AI report were real — and the root cause is organizational, not technological.

Three of the Big Four Caught Citing Fake Sources

Opening

Last month, EY deleted one of its own reports. 16 of its 27 footnotes turned out to be fake. Then this week, KPMG got caught doing the same thing — and this time it was worse. Only 5 of 45 footnotes were real. Add Deloitte to the list, and 3 of the Big Four1 have now been caught using fake citations manufactured by AI.

GPTZero, an AI-detection startup, has given this phenomenon a name: “vibe citing”2 — taking fake sources invented by AI and using them as-is, without verification.

Let me give you the conclusion up front: this is not a case of individual companies making mistakes. The essence of the problem is not the technology but “an organizational structure that lets people skip verification”.

The GPTZero research team traced two reports line by line — EY Canada’s and KPMG’s “Points of Attack: Uncovering Cyber Threats and Fraud in Loyalty Systems” and “Total Experience: Redefining Excellence in the Age of Agentic AI” — and what they found is fairly shocking.

🔍 What Was Actually Found in the EY Report

First, some context: EY’s report covered cybersecurity vulnerabilities in loyalty programs (points and mileage schemes). Two EY partners and one senior manager were listed as authors, and the Canadian office was using it as sales collateral for its cybersecurity consulting practice.

Chronologically, this was the first incident. GPTZero traced, line by line, the loyalty-program cybersecurity report EY Canada published in late 2025.

  • 16 of 27 references (roughly 60%) were hallucinated: the URLs returned 404s, or the cited documents simply did not exist
  • A fabricated McKinsey report: it cited a McKinsey publication called the “Loyalty Economics Report (2022)” — no such McKinsey report exists. GPTZero’s analysis flagged it as a “secondhand hallucination”: AI re-absorbing information that had already been hallucinated on low-quality blogs
  • Self-contradicting data: the report put both the size of the loyalty market and the value of unredeemed points at $200 billion — simultaneously
  • 72% probability of AI generation: 72% of the report’s text was judged to be AI-generated. EY Canada immediately deleted the report and said it was “reviewing how it came to be published.” At the same time, it drew a line: “this report is not related to any client project.” In other words: we wrote it, we published it, but we don’t know how it got posted, it has nothing to do with clients, and we don’t know where the data came from. 😂

KPMG: An AI Report Filled With AI Hallucinations

Less than a month after EY blew up, an even bigger case erupted at KPMG this week.

The problem is “Total Experience: Redefining Excellence in the Age of Agentic AI,” a report KPMG International published in October 2025. It covers enterprise use cases for agentic AI3 — and according to GPTZero’s analysis, of its 45 footnotes, only 5 matched their sources exactly. The other 40 had altered titles, could not be traced to any source, or were fabricated outright.

The footnotes weren’t the only problem. Roughly half of the factual claims in the report were false or attributed to the wrong sources. The report described, in concrete detail, AI deployments at UBS, the UK’s NHS, Swiss Federal Railways, and Transport for London — and those organizations confirmed to the FT that “no such thing happened.” The claim that Emirates’ AI chatbot ‘Sara’ can change flights was also false. Sara is not a chatbot but a robot concierge, and it has no flight-change capability.

The greater irony is the self-contradiction. The report stated that “55% of CEOs name AI as their top investment priority” — but KPMG’s own CEO Outlook report, published the same month, put that figure at 71%. The firm couldn’t even cite its own report correctly.

KPMG pulled the report from its website and said it was “investigating how it came to be published.” (Sound familiar?)

📋 This Isn’t Just a Consulting Problem

Before EY and KPMG, Deloitte had already been caught twice. Fake academic citations were found in a 2025 Australian government welfare report (part of the fee was refunded) and in a Canadian healthcare-workforce report (CAD 1.6 million) — real researchers were listed as co-authors on papers they had never worked on together.

The legal industry is no exception. In April 2026, Sullivan & Cromwell — a white-shoe Wall Street law firm — submitted an apology to the U.S. Bankruptcy Court in New York. An emergency filing was found to have misquoted the U.S. Bankruptcy Code and cited case law that does not exist. Partner Andrew Dietderich admitted that “the firm’s internal AI policy was not followed.”

Academia is no different. GPTZero analyzed 4,000 accepted papers from NeurIPS 2025, the world’s most prestigious AI conference, and found more than 100 hallucinated citations across at least 53 papers. The AI hallucination case-law database run by Damien Charlotin of HEC Paris had logged more than 1,450 cases as of early 2026 — and roughly 90% of them occurred in 2025 alone.

🧩 The Structural Problem: Why This Keeps Happening

At this point it’s easy to land on “AI is the problem.” I’m looking somewhere slightly different.

First, the production structure of “thought leadership reports” has changed.

Neither EY’s loyalty report nor KPMG’s agentic AI report was a client deliverable. They are marketing assets built to advertise consulting services. The Big Four publish hundreds of these reports every year, and they send the market a signal: “we are the experts in this field.” As production pressure mounts, the verification process simply isn’t as rigorous as it is for client deliverables. In KPMG’s case, the fact that a report about AI use cases was filled with AI hallucinations goes beyond irony — it’s a defect in the trust structure itself.

Second, “was AI used or not” is missing from the verification checklist.

The Deloitte Australia case is emblematic. The original report made no mention of AI use at all. Only after the problem surfaced did the firm admit it had “used Azure OpenAI.” Sullivan & Cromwell likewise said it has “a comprehensive AI use policy and training requirements” — while admitting that “this policy was not followed.” Having a policy and having a policy that works are entirely different things.

Third, a new contamination pathway has emerged: “secondhand hallucination.”

What GPTZero paid particular attention to this time is secondhand hallucination4. The fake McKinsey source in the EY report is most likely the result of an AI ingesting already-hallucinated information from low-quality blogs as “real” and then reproducing it. In the GPTZero team’s own words, the very act of posting such reports online is like “poisoning the well of knowledge that is the internet”. Information published on the website of an authoritative institution like EY is especially likely to be absorbed into the training data of other AI models, creating a vicious cycle in which hallucinations breed hallucinations. And because AI models prefer to cite authoritative outlets, the problem is all the more serious.

Oswarld’s Take

I don’t believe the core of this incident lies in the technical defect we call “AI hallucination.”

There’s a pattern I’ve seen countless times while building GTM strategies. When a new tool appears, companies sell it to clients while simultaneously using it internally. For this dual position to work, they need proof that “we can manage this tool’s risks” — and right now, 3 of the Big Four have failed that proof at the same time. EY boasted 30% growth in AI revenue while failing to verify its footnotes; KPMG emphasized AI governance while publishing cases an AI had fabricated.

The way I see it, the real danger isn’t the hallucination itself. Generating one footnote with AI takes 3 seconds; verifying it takes 3 minutes. With 27 footnotes, that’s 81 minutes. Most organizations have not yet realized that the cost of catching hallucinations can exceed the time AI saved them.

Closing

Three things worth remembering from this episode.

  1. The fact that 3 of the Big Four were caught means this is not a culture problem at any one firm but a structural problem of the industry. And there’s no guarantee the remaining one (PwC) is safe.

  2. The reason the problem keeps recurring is not the technology but the verification process inside organizations. Having an “AI use policy” is not enough. You need a structure that confirms the policy actually works.

  3. In an industry that sells trust, the accuracy of sources is the product itself. The moment a single fake footnote is exposed, doubt attaches not to the report’s conclusions but to the institution’s entire judgment.

The next time you read a consulting report or a piece of research, try clicking one of the footnote URLs yourself. That small act is the beginning of the question, “is this source real?”

References & Further Reading

Primary sources

Background

The author, Kwangseob Ahn, is a professor of business administration at Sejong University and lead consultant at OBF (Oswarld Boutique Consulting Firm). He teaches statistics and data analysis — including business data management and business analytics — at the university, while leading GTM strategy and AI strategy consulting in the field, designing the interface between technology and business. He has published academic research on memory architecture for AI dialogue systems (HEMA) and runs Daily Arxiv, a project curating global AI papers every day. He completed a master’s program at Korea University’s Graduate School of Management of Technology and its KMBA. He is the author of Homo Brainless: The People Who Outsource Their Thinking.

Footnotes

  1. Big Four: The world’s four largest accounting and consulting firms — Deloitte, PwC, EY (Ernst & Young), and KPMG. They are the industry’s biggest players, handling audits, strategy consulting, and tax advisory for major corporations and government agencies worldwide.

  2. Vibe citing: A neologism for the act of using fake sources or citations generated by AI without verification. Meaning roughly “citing by vibe,” the term was coined by GPTZero in early 2025.

  3. Agentic AI: AI systems that go beyond conventional generative AI, which merely waits for user instructions — they set their own goals, plan, and autonomously execute complex multi-step tasks using the data and tools they need.

  4. Secondhand hallucination: A phenomenon in which an AI learns information that was already hallucinated (fabricated) elsewhere as if it were real, then reproduces it. Structurally similar to fake information getting its “sources laundered” as it circulates around the internet.