EY pulls study offline after researchers uncover AI hallucinations
Artificial intelligence in the hands of major consulting firms sounds like a recipe for innovation and efficiency.
But what happens when that technology starts making up data, fabricating citations, and referencing reports that simply never existed?
That is exactly what the research group GPTZero discovered in a study published by EY Canada — one of the largest consulting firms in the world.
The report, titled Points of Attack: Uncovering Cyber Threats and Fraud in Loyalty Systems, was being used by EY consultants in Canada to promote their cybersecurity services. The problem? The material was riddled with AI hallucinations: contradictory data, footnotes pointing to nonexistent pages, and even a reference to a McKinsey report that, well… does not exist anywhere. 👀
As soon as the inconsistencies surfaced, reported by GPTZero late on a Thursday, EY pulled the material offline and launched an internal review.
The episode raises a serious alarm about the real risks of publishing content generated or assisted by AI without proper validation — especially when it comes from companies with a high level of authority and credibility in the market.
What GPTZero found in the EY report
GPTZero is known for developing tools that detect AI-generated content, and it was during a detailed analysis that the group came across the document published by EY Canada. The report aimed to present data on vulnerabilities in loyalty and rewards programs, arguing that these systems are frequent targets of fraud and cyberattacks. As a bonus, the content served to position the consulting firm’s cybersecurity services as the solution to those challenges. The problem is that a significant portion of the information presented simply had no real basis — in practice, they were fabrications by the artificial intelligence that likely assisted in producing the material.
GPTZero researchers — Om Ogale, Paul Esau, and Alex Cui — detailed the inconsistencies in a post published on their blog. Among the most serious issues identified was a direct reference to a McKinsey report that simply could not be located in any database, archive, or official publication from the consulting firm. It was not an imprecise or outdated citation — it was a source that did not exist. On top of that, more than half a dozen footnotes in the document pointed to web pages that either did not exist or did not contain the cited information. This type of error is a classic sign of AI hallucination: the model generates information that looks plausible, well-structured, and even convincing, but in practice is fabricated from scratch.
The statistical data presented throughout the report also raised serious doubts. In different sections of the document, the loyalty program market size was estimated at 200 billion dollars — and the volume of unredeemed loyalty points was presented at exactly the same figure, which immediately raised suspicions about the accuracy of the numbers. These contradictory variations within the same document suggest that different sections may have been generated independently, without any human review to cross-check the information before publication.
In the consulting world, where numbers are used to support high-impact strategic decisions, this kind of inconsistency is more than a technical error — it is a serious credibility failure.
The researchers’ warning about data poisoning
An especially relevant point raised by GPTZero researchers has to do with the cascading effect this type of publication can create. In the research group’s own words, publishing a report online is essentially a form of injecting data into the knowledge pool that is the internet. When that report includes false information — whether invented citations or unfounded claims — it can poison the well, misleading future researchers, analysts, and even other AI models that may eventually use that content as training data.
This risk becomes even more critical when the document is published by a globally recognized consulting firm and hosted on a high-traffic website. The brand’s authority lends credibility to the content, causing readers and automated systems to treat it as verified information — when in reality it may be pure algorithmic fabrication. 🔍
AI hallucinations: the problem nobody wants but everyone can face
The term AI hallucination might sound overly technical at first glance, but the concept is easy to grasp. Language models like those powering popular text generation tools are trained to produce coherent and fluent responses — but that does not mean those responses are necessarily true. When a model does not have enough data to answer something accurately, it may simply fill in the gaps with made-up information, maintaining the same confident and professional tone it would use to describe something factual. The result is text that looks legitimate but carries false information embedded in a nearly invisible way.
This phenomenon has already been documented in numerous public situations, and the EY case is far from the first. The original report highlights that Deloitte, another Big Four giant and direct rival of EY, had to revise a report produced for a Canadian provincial government last year after revelations that the document contained fabricated academic citations. More recently, the law firm Sullivan and Cromwell had to formally apologize to a New York court because a document submitted in a high-profile case incorrectly cited the U.S. bankruptcy code and inaccurately referenced court cases.
What makes the EY episode particularly noteworthy is the context: one of the largest consulting firms on the planet, with decades of reputation built on analytical rigor and data reliability, published a document with errors that any basic fact-checking process would have caught. This raises a question that goes far beyond technology — it is a question of internal processes and a culture of validation.
The speed at which artificial intelligence tools are being integrated into workflows at companies around the world is impressive, and that acceleration brings a real risk: the temptation to use AI as a shortcut for content production without establishing adequate layers of human review. The more authority a company holds in the market, the greater the impact of this type of mistake — because audiences tend to trust content produced by recognized sources without questioning it much. And that is exactly where the problem gets amplified. 🎯
Consulting firms are betting big on AI, even with the obvious risks
Despite episodes like this, major consulting firms remain committed adopters of artificial intelligence. They invest heavily in the technology, train their teams to use it daily, and promote their own AI implementation services to clients across a wide range of industries.
EY itself announced in October that its AI-related revenue had grown 30 percent over the previous year. The company also highlighted that 15,000 employees had worked on client projects involving artificial intelligence, spanning everything from large-scale business transformations to the development of AI governance frameworks aimed at responsible technology implementation.
This paradox is interesting and worth paying attention to: the very companies selling governance and responsible AI services to their clients are stumbling in applying those same practices to their own operations. This does not invalidate the technology or the services offered, but it certainly puts into perspective the need for these firms to practice what they preach — and with extra rigor, since they serve as a reference for hundreds of other organizations around the world.
EY’s response and what it means for the market
As soon as GPTZero’s findings went public, EY acted quickly: the loyalty program report was removed from the website, and the company announced it was reviewing the circumstances that led to the article’s publication. The consulting firm also made a point of stating that the study was not connected to work performed for any EY client, seeking to limit the reputational fallout from the episode.
In an official statement, EY Canada declared that it takes the accuracy of all published content seriously and that it has an organizational commitment to the responsible use of artificial intelligence. The response was relatively swift and transparent, which is a positive sign — but the mere fact that the document made it to the publication stage is, on its own, a clear indication that something in the internal processes failed significantly.
For the consulting market and for companies using artificial intelligence in the production of institutional content, the episode serves as an unintentional case study in what not to do. This is not about demonizing the use of AI — on the contrary, these tools have enormous potential to boost productivity and quality of output across many areas. The central point is that AI does not replace human curation, especially in contexts where the credibility of information is critical. Consulting reports, market studies, regulatory analyses — all these formats depend on verifiable data and traceable sources, and no language model, no matter how advanced, guarantees that by default.
The reputational risk is real and growing
Another important aspect of this episode is the impact it can have on the perception of trustworthiness in the corporate use of AI. When a consulting firm publishes fabricated data to promote its own services, even without a deliberate intent to deceive, the practical outcome for anyone consuming that content is the same: they are being influenced by false information. Regulators around the world are already watching situations like this closely, and it is likely that cases like EY’s will accelerate discussions around legal liability for the use of AI-generated content in commercial and institutional contexts. 📋
Beyond the regulatory angle, there is the matter of public trust. In an era where misinformation is already a serious problem on its own, having major brands publish content with fabricated data — even if unintentionally — contributes to a landscape of eroding institutional credibility. And rebuilding trust, as we know, is a much slower and costlier process than losing it.
What to take away from all of this
The EY case is not just a story about the limits of artificial intelligence — it is a story about what happens when the rush to adopt new technologies steamrolls the processes that ensure quality and reliability. Generative AI tools are powerful, but their outputs need to be treated as smart drafts, not final products ready for publication. That distinction seems obvious when said out loud, but in practice, many teams are skipping that step — whether due to deadline pressure or overconfidence in the technology.
Companies that want to use AI responsibly in their production need to invest in review layers that go beyond a surface-level read of the text. This includes:
- Verifying every cited source and confirming it actually exists and contains the referenced information
- Cross-checking statistical data against original references and primary sources
- Ensuring that any relevant factual claim has real and traceable backing
- Implementing formal content audit processes before publication
- Training teams to recognize typical hallucination patterns in AI-generated text
It might sound like a lot of work, but this is exactly the kind of rigor that separates trustworthy content from dangerous content — regardless of who produced it, human or machine.
The episode also reinforces the importance of AI-generated content detection and auditing tools in the corporate environment. GPTZero’s work in this case shows that it is possible to identify hallucinations and inconsistencies before they cause real damage — as long as there is an organizational culture that values this verification step. In a landscape where AI is increasingly present in the creation of documents, reports, and analyses, knowing how to distinguish what is real from what was fabricated by a language model is becoming an essential skill — for both those who produce and those who consume this type of content. 🤖
The final takeaway is simple and straightforward: artificial intelligence is an extraordinary tool, but trusting it blindly, without human verification, can turn credibility into public embarrassment. And as the EY case shows, not even the biggest organizations in the world are immune to that risk.
