
A cybersecurity report published by EY Canada in December 2025 was retracted after researchers at GPTZero found that 16 of its 27 citations were hallucinated. Sixty percent of the evidentiary foundation of a document designed to sell cybersecurity services did not exist. One citation pointed to a McKinsey report that has never been published. The document was titled "Points of Attack: Uncovering Cyber Threats and Fraud in Loyalty Systems." Three named professionals, two partners and a senior manager, put their names on it. [Sherwood News]
EY removed the report and issued a statement noting it was "not connected to client work" and that the firm was reviewing the circumstances that led to its publication. [Going Concern] That framing requires examination. The report was a marketing instrument. Its audience was prospective clients. The distinction EY is drawing between client work and business development collateral is a liability boundary, not an accountability one. The document was published under EY's name, carried EY's credentials, and was intended to generate EY engagements. The retraction does not change what the document was built to do.
That would be a serious enough governance failure on its own. It is not the primary problem.
Before EY pulled the report, it had already traveled. It was referenced in a Canberra Times article that was syndicated to more than sixty newspapers across Australia. The hallucinated citations, presented as authoritative research from a Big Four firm, entered the broader information supply chain as verified fact. More consequentially, GPTZero confirmed that the fabricated data has been ingested by AI tools including ChatGPT, Claude, and Perplexity, where it is now being retrieved and cited as a reputable source. [Sherwood News] The retraction closed the EY document. It did not issue a recall on what the document seeded.
This is not an isolated incident.
In August 2025, Deloitte Australia submitted a $290,000 report to the Australian government's Department of Employment and Workplace Relations containing fabricated academic citations and a manufactured quote attributed to a federal court judgment. A Sydney University researcher identified the errors. Deloitte issued a partial refund. [Fortune, October 2025] Weeks later, a $1.6 million Deloitte Canada healthcare report commissioned by a provincial government was found to contain fake citations, real researchers credited to papers they never authored, and fictional co-authorships between academics who had never worked together. In both cases Deloitte's public position was that the substance of the findings was unaffected and that citations represented a small correction. [Fortune, November 2025] In both cases the documents had already been published, distributed, and acted upon.
The pattern extends beyond the private sector. ENISA, the European Union Agency for Cybersecurity, acknowledged that two of its own threat intelligence reports published in 2025 contained AI-hallucinated sources. Researchers found 26 incorrect footnotes out of 492 in one report alone. The South African government withdrew its Draft National Artificial Intelligence Policy after civil rights researchers identified at least six hallucinated sources among its 67 citations. [Rest of World, May 2026]
The documents being corrupted here are not marginal. They are the evidentiary layer. They inform security programs, shape policy decisions, guide procurement, and increasingly feed the AI systems that will generate the next round of research. When a hallucinated citation from an EY cybersecurity report enters a major AI tool's retrieval index and gets served as a credible source to the next analyst drafting the next report, the contamination compounds without a traceable origin point. There is no mechanism in place to chase it back.
The accountability gap in each of these cases follows the same architecture. An institution trusted to produce verified, evidence-based work used AI to accelerate production. The human review layer, nominally responsible for catching what the model invented, did not function as a check. The output looked authoritative. It was formatted correctly. It carried the right names and the right logos. It passed every surface test because the surface was intact. The interior was not.
EY sells cybersecurity services. The report that failed basic citation integrity was a document intended to demonstrate EY's cybersecurity credibility to potential buyers of those services. The attack pattern that bypassed EY's internal review process, plausible-looking output that circumvents human verification, is precisely the attack pattern a competent cybersecurity advisory would warn clients to defend against. The firm did not defend against it internally.
Deloitte's Australian report fabricated a court judgment. A government welfare policy was informed by a quote from a judge who never said it. Deloitte's Canadian report invented academic partnerships between researchers who had never met. A provincial healthcare strategy was built on a research consensus that did not exist.
The retractions are administrative. The downstream exposure is not.
Vordan Accountability Framework Assessment
The Vordan Accountability Framework evaluates institutional accountability across six components. Applied to this pattern of failures, the diagnostic is as follows.
Origin. The decision to use AI in the production of externally published, citation-dependent deliverables was never surfaced as a governance question. No institution in this record documented who authorized AI use in research workflows or under what constraints. The origin of the failure has no owner.
Voice. The practitioners closest to the work, the authors whose names appear on these documents, signed outputs they had not verified. Whether that reflects pressure to produce, misplaced confidence in AI output, or the absence of a verification mandate, no internal voice functioned as a check before publication.
Traceability. Once the EY report entered news syndication and AI retrieval indexes, the hallucinated citations became untraceable. There is no mechanism to identify every downstream document, board presentation, or security program that inherited fabricated sources. The damage is real and the scope is unknown.
Timing. The errors were caught externally, by independent researchers and a citation integrity firm, after publication, after syndication, and after AI ingestion. In every case the internal review process that should have caught the failure before distribution did not exist or did not function.
Response. EY retracted the document and issued a liability-scoped statement. Deloitte issued partial refunds and defended its conclusions. ENISA corrected its footnotes. None of these responses address the propagation problem. The administrative action closed the named document. It did not close the gap.
Transparency. No institution in this record has published an account of how AI was used in the production process, what review controls were in place, why those controls failed, or what has changed. The corrections are quiet. The accountability is absent.
The full Vordan Accountability Framework is published at vordan.co.
For security leaders and governance practitioners, the operational question is not whether your vendors are using AI. They are. The question is whether the verification layer that sits between AI output and published, distributed, acted-upon deliverables is functioning as an actual check or as a formality. Named authorship did not produce verified citations. It produced accountability that was visible on the cover page and absent from the footnotes.
The citation is where the claim meets the evidence. That is where the gap opened. That is where it remains open.
Vordan publishes Gap Alerts when an accountability gap crosses the threshold of operational consequence. Gap Alert Eight covered the trust failure inside a system built to protect children. This alert covers the evidentiary layer that informs security programs, shapes policy, and feeds AI retrieval indexes, and what happens when the institutions responsible for that layer stop being the actual check.
Sources
Sherwood News — GPTZero investigation, EY Canada report, citation count, syndication and AI ingestion figures https://sherwood.news/tech/ai-hallucinations-appear-to-be-creeping-into-consulting-reports/
Going Concern — EY retraction, public statement https://www.goingconcern.com/ey-gets-busted-and-yeets-cybersecurity-report-littered-with-ai-hallucinations/
Fortune — Deloitte Australia, $290,000 welfare report, fabricated court judgment https://fortune.com/2025/10/07/deloitte-ai-australia-government-report-hallucinations-technology-290000-refund/
Fortune — Deloitte Canada, $1.6 million healthcare report, fake academic partnerships https://fortune.com/2025/11/25/deloitte-caught-fabricated-ai-generated-research-million-dollar-report-canada-government/
Rest of World — ENISA threat reports, South African policy withdrawal, pattern analysis https://restofworld.org/2026/government-ai-hallucinations-south-africa-deloitte/
