Here’s a sentence I never thought I’d write: a Big Four consulting firm just got burned by the very technology it tells clients to trust.
KPMG published a report in October 2025 called Redefining Excellence in the Age of Agentic AI. It was meant to be a flagship piece — the kind of glossy PDF that lands in executive inboxes and shapes procurement decisions. The report made bold claims about how major organizations were using AI. UBS. The UK’s National Health Service. Swiss Federal Railways. Transport for London.
There was just one problem: those organizations say the claims were false.
Last week, KPMG quietly pulled the report from its websites. Research firm GPTZero had taken a closer look and found something worse than exaggeration. Of the report’s 45 citations, 40 were fabricated. Forty out of forty-five. The model had invented references, mangled real source titles beyond recognition, and in at least one case cited a 2019 railway press release as evidence of AI-agent use — despite the term “agentic AI” only entering common usage in 2024.
The Irony Is Almost Too Perfect
Think about this for a second. KPMG is one of the world’s largest professional services firms. Companies pay them millions for advice on digital transformation, AI strategy, and risk management. They have guidelines on the “responsible use of AI, including human oversight to validate content and verify independent sources” — their own spokesperson said so.
And yet somehow, a report about the promise of AI slipped through with 89% of its citations being fake. The humans who were supposed to validate the content either didn’t exist, didn’t read it, or didn’t care enough to check.
I’ve been in rooms where consultants present decks with confident numbers and authoritative citations. You nod along because these are the experts, right? They’ve done the research. They’ve verified the sources. That trust is the entire business model.
When that trust breaks, it breaks hard.
This Isn’t Just KPMG’s Problem
What makes this story stick isn’t that one firm made a mistake. It’s that this keeps happening, and it keeps happening to the very organizations we’re supposed to trust for rigor and verification.
Last month, EY withdrew a report on loyalty rewards programs after it was found to contain fake footnotes and AI-generated hallucinations. Before that, Deloitte had to refund part of an Australian government contract over AI errors. Law firm Pinsent Masons faced High Court criticism after a lawyer filed documents containing AI-generated fake legal citations. A Massachusetts judge recently barred a Morgan & Morgan attorney from a case after repeated AI-generated fake case citations.
The people selling AI governance can’t govern their own AI use. Read that again.
If you’re a developer, a manager, or anyone who’s been told to “just use AI” to speed up your work, this should make you deeply uncomfortable. Not because AI is bad — it isn’t. But because the pressure to ship faster is colliding with the fundamental truth that AI doesn’t know what it doesn’t know. It will confidently tell you something is true while being completely wrong, and it’ll wrap that wrongness in language so polished you won’t think to question it.
I’ve written before about why AI agents still can’t be trusted despite the safeguards being built. The KPMG story is that argument playing out at enterprise scale, with real money and real reputations on the line.
The Citation Supply Chain Is Broken
There’s a secondary problem here that doesn’t get enough attention: once a hallucination enters the ecosystem, it spreads.
GPTZero’s analysis noted that the flawed statistics from KPMG’s report had already been picked up by trade publications. Worse, they were surfacing in answers from ChatGPT and Google’s Gemini. A single unverified document, published by a trusted brand, had begun polluting the information supply chain.
This is what keeps me up at night as someone who builds things with code. When AI agents can be tricked into running malicious code, and AI-generated reports can inject fake statistics into search indexes, we’re looking at a feedback loop where bad data trains more bad data. The models don’t fact-check each other. They just absorb and regurgitate.
The KPMG report cited “KPMG research” claiming 55% of chief executives rank AI as their top investment priority. But KPMG’s own 2025 CEO Outlook survey, published the same month, put that figure at 71%. The AI hallucinated a number that was convenient for its narrative and nobody caught it.
What This Means If You Actually Build Things
I spend my days writing code, managing IT infrastructure, and trying to figure out which AI tools are worth the hype. Here’s what I’ve learned, reinforced by every story like this one:
AI is a junior colleague, not a senior partner. Treat its output the way you’d treat work from someone brilliant but occasionally wrong about basic facts. Review everything. Verify the important stuff twice. If you can’t verify it, don’t publish it.
The gap between “AI-assisted” and “AI-generated” is where the damage lives. KPMG’s report was almost certainly produced with AI assistance, but somewhere between drafting and publication, the human review step collapsed. The difference between using AI as a tool and letting AI drive the bus is everything.
Brand trust amplifies the damage. If a random blog publishes fake statistics, nobody’s surprised. When KPMG does it, trade journals quote it, news articles reference it, and AI training data absorbs it. The more trusted the source, the more responsibility it carries — and the more catastrophic the failure when that trust is breached.
I use AI coding tools in my daily workflow, and I’ve seen firsthand how they can accelerate development. But I’ve also watched them confidently suggest code that would create security vulnerabilities, use deprecated APIs, or solve the wrong problem entirely. The skill isn’t in accepting the output — it’s in knowing enough to catch what’s wrong.
The Verdict
KPMG will weather this. They’ll update their internal guidelines, maybe fire a few people, and eventually publish another report. The cycle will continue because the incentives are stacked toward speed: publish the thought leadership first, capture the attention, worry about accuracy later.
But for the rest of us — the developers, the IT managers, the small teams trying to figure out which AI tools to trust — the lesson is clearer than ever. AI doesn’t know anything. It predicts what word should come next based on patterns in its training data. Sometimes that prediction aligns with reality. Sometimes it fabricates 40 out of 45 citations and nobody notices for eight months.
If KPMG can’t catch hallucinations in their own flagship report, what chance does a three-person startup have? What chance does a government agency have? What chance do you have when the next AI tool promises to write your reports, generate your citations, and handle your research?
The answer isn’t to stop using AI. It’s to stop trusting it. Verify. Cross-check. Read the sources yourself. If a citation looks suspicious, it probably is. If a number seems too perfect, find the original dataset. These aren’t optional steps — they’re the difference between publishing insight and publishing fiction.
We’re in a strange moment where the firms selling AI assurance keep getting caught by the same failure mode they’re supposed to protect against. The chess game between humanity and artificial intelligence is still ongoing — and right now, the machines are winning not because they’re smarter, but because we’ve stopped paying attention.