When one of the world's most respected professional services firms publishes a report containing fabricated data, invented citations, and a reference to a McKinsey study that does not exist — and then has to retract it publicly — the AI industry has a problem that goes far beyond one embarrassing incident. Ernst & Young's retraction of its loyalty rewards programme study in May 2026, after AI detection startup GPTZero flagged it for hallucinations and fake footnotes, is the latest and highest-profile entry in a growing list of AI content failures at major organisations. The EY incident, alongside similar failures at Deloitte and law firm Sullivan & Cromwell, signals an urgent and growing need for a skill that too few organisations have invested in: responsible AI governance, with the certified human expertise to implement it.

What Happened: The EY AI Hallucination Incident

EY Canada's consultants published a study focused on loyalty rewards programmes, intended to market the firm's cybersecurity services. The report was publicly accessible on EY's website — a high-traffic, high-credibility platform associated with one of the Big Four global accounting firms. On May 14, 2026, researchers Om Ogale, Paul Esau, and Alex Cui at AI detection startup GPTZero published a blog post revealing what they had found when they examined the report:

•      Fabricated data points — figures and statistics presented as research findings that did not originate from any real study

•      Misattributed citations — references attributed to sources that either did not say what was claimed or were significantly misrepresented

•      A non-existent McKinsey report — the EY publication cited a McKinsey study that, when researchers attempted to locate it, simply did not exist

EY responded by removing the report from its website and issuing a statement confirming it was reviewing the circumstances that led to the article's publication. The firm clarified that the study was not connected to any client project. EY also stated its organisation-wide commitment to responsible AI use.

This Is Not an Isolated Incident: A Pattern of AI Content Failures

The EY retraction is the most prominent recent example of a professional services firm being led astray by AI-generated content — but it is far from the only one. A pattern is emerging across multiple industries and firm types:

 

Organisation	Date	Context	AI Failure	Consequence
EY Canada	May 2026	Loyalty rewards programme report	Fake footnotes, fabricated data, non-existent McKinsey citation — detected by GPTZero	Report retracted from website; internal review launched
Deloitte	2025	Report for Canadian provincial government	Fake academic citations discovered post-publication	Report corrected after public scrutiny
Sullivan & Cromwell	April 2026	US court filing in high-profile bankruptcy case	Repeatedly misquoted US bankruptcy code; cited incorrect cases	Law firm apologised to New York court

 

Across these incidents, the pattern is consistent: AI tools were used to generate or assist in producing professional content; no adequate human verification process was in place; and the content was published with the credibility of a major organisation attached to it. The reputational damage, in each case, was disproportionately large relative to the original error.

Why AI Hallucinations Happen — and Why They Are So Dangerous in Professional Content

AI hallucination is not a bug that will be fixed in the next software update. It is a fundamental characteristic of how current large language models (LLMs) work. LLMs are trained to generate text that is statistically plausible — text that sounds like the kind of thing that would appear in a document of a given type. They are not databases. They do not look things up. They do not verify. They generate.

This means that when an LLM is asked to write a research report with citations, it will produce text that looks like a research report with citations — including, when it does not have reliable data to draw on, invented data that sounds plausible, and citations to sources that sound real but may not exist. The model does not know it is doing this. It has no concept of truth or falsehood, only of plausibility.

In casual use — drafting an email, summarising a meeting, generating ideas — hallucinations are an inconvenience. In professional content published under a firm's brand, they are a serious risk with four distinct dimensions:

1. Reputational Risk

A Big Four accounting firm's brand is built on decades of trust, rigour, and accuracy. A single retracted report containing fake citations undermines that trust in a way that takes years to rebuild. For EY, the incident is particularly damaging because the report was published to market the firm's expertise — the very competence being marketed was publicly called into question.

2. Knowledge Contamination Risk

GPTZero's researchers articulated this risk precisely: publishing AI-generated misinformation on a high-traffic, high-credibility website poisons the well of knowledge on the internet. Other researchers, journalists, and organisations may cite the fake information before the retraction — and those citations persist even after the original source is removed. AI models trained on internet data may incorporate the hallucinated information, perpetuating errors across future AI outputs.

3. Legal and Regulatory Risk

The Sullivan & Cromwell incident demonstrates that AI hallucinations in legal and regulatory contexts carry direct legal consequences. Misquoting a statute or citing a non-existent case in a court filing is not merely embarrassing — it is a serious professional violation that can result in sanctions, client harm, and disciplinary proceedings. As AI tools are adopted across legal, financial, and regulatory functions, this risk grows proportionally.

4. Client and Commercial Risk

EY's retracted report was not connected to a client project — but the next such incident at a consulting firm may be. An AI-generated client deliverable containing fabricated data could expose a professional services firm to negligence claims, contract disputes, and regulatory scrutiny. The commercial consequences could far exceed the reputational damage of a retracted marketing report.

The Governance Gap: What EY's Incident Reveals About Enterprise AI Adoption

EY's own disclosures make the governance failure particularly stark. In October 2025, EY announced that its AI-related revenue had grown 30% in the prior year and that 15,000 staff had worked on client projects involving AI — including, specifically, AI governance frameworks designed to help clients implement AI responsibly. The firm that published a report with hallucinated citations was simultaneously selling AI governance expertise to its clients.

This is not hypocrisy so much as it is a reflection of how fast AI adoption has outpaced AI governance maturity across the professional services sector. Organisations are deploying AI tools at scale, training staff to use them, and publishing AI-assisted content — without always having the verification frameworks, human review processes, and quality assurance protocols needed to catch hallucinations before they go public.

The core governance gap has three components:

•      No mandatory human verification step — AI-generated content is being published without a structured human review process that specifically checks citations, data points, and factual claims against primary sources

•      No AI literacy in the review chain — even when human reviewers are present, they may lack the knowledge of how LLMs work to recognise that a plausible-sounding citation might be fabricated

•      No clear accountability — without a named human responsible for verifying AI-generated content before publication, accountability diffuses and errors slip through

What Certified IT Professionals Can Do About It

The EY incident is not an argument against using AI in professional services — it is an argument for using it responsibly, with the right expertise in place. Every one of the failures in the EY, Deloitte, and Sullivan & Cromwell incidents could have been prevented by professionals with the right combination of AI literacy, governance knowledge, and quality assurance discipline. Here are the certifications that matter most:

 

Certification Track	Key Certifications	Why It Addresses the EY Problem
AI Ethics & Responsible AI	Certizon AI Governance, Google Responsible AI, IBM AI Ethics	Teaches how to implement human review, auditability, and accountability frameworks before publishing AI-generated content
AI Prompt Engineering	Certizon Prompt Engineering, OpenAI Prompt Design	Equips professionals to write prompts that reduce hallucination risk and include instructions to cite only verifiable sources
Information & Data Literacy	Certizon Data Literacy, CompTIA Data+	Builds the critical thinking skills needed to verify AI outputs against primary sources before publication
Cybersecurity & Content Integrity	CompTIA Security+, Certified Ethical Hacker (CEH), CISM	Relevant to EY's original context — cybersecurity professionals need rigorous standards for AI-assisted research and reporting
AI Product Management	Certizon AI Product Management, IIBA Business Analysis	Gives managers the tools to build AI content workflows with mandatory human review checkpoints before publication
Generative AI for Business	Certizon Generative AI, Microsoft AI-900, AWS AI Practitioner	Provides foundational understanding of how LLMs work, why hallucinations occur, and how to deploy AI tools responsibly
Project & Quality Management	PMP, PRINCE2, Six Sigma Green Belt	Structured quality review and sign-off processes directly address the governance gap that led to EY's publication failure

 

Building a Responsible AI Content Workflow: A Practical Framework

For IT professionals, consultants, and knowledge workers who use AI tools to produce professional content, the EY incident is a reminder that AI output requires a structured verification process before publication. Here is a practical framework — informed by the governance principles covered in Certizon's AI Ethics and Responsible AI certification programmes:

Step 1 — Prompt with Integrity

Design prompts that explicitly instruct the AI to cite only sources it can verify, to flag uncertainty rather than fabricate, and to indicate when it does not have reliable data. Well-designed prompts reduce hallucination risk at the source.

Step 2 — Verify Every Factual Claim

Every data point, statistic, and factual assertion in AI-generated content should be individually verified against a primary source before publication. This is not optional — it is the minimum standard for professional content. If a citation cannot be verified, it should be removed.

Step 3 — Check Every Citation

Every cited source should be located, accessed, and confirmed to say what the AI claims it says. AI models frequently misattribute quotes, misrepresent study findings, and cite documents that do not exist. Citation checking is non-negotiable.

Step 4 — Apply AI Detection Tools

Tools like GPTZero, Originality.ai, and similar AI detection platforms can help identify content that is likely AI-generated and flag patterns associated with hallucination. These tools are not infallible, but they add a useful layer of scrutiny — ironically, GPTZero's researchers themselves identified the EY report's failures.

Step 5 — Human Sign-Off with Named Accountability

Before any AI-assisted content is published under an organisation's brand, a named individual with the authority and expertise to verify its accuracy should formally sign off on it. This creates accountability and incentivises the thoroughness that automated processes alone cannot guarantee.

Step 6 — Document the AI Workflow

Organisations should maintain records of which AI tools were used to produce which content, with what prompts, and who reviewed the output. This documentation supports internal accountability and, increasingly, external regulatory compliance as AI governance frameworks mature globally.

The Wider Implication: AI Governance Is Now a Core IT Competency

The EY incident, taken alongside Deloitte's 2025 correction and Sullivan & Cromwell's court apology, points toward an industry-wide inflection point. AI tools are now deeply embedded in professional knowledge work. The question is no longer whether to use them — it is whether organisations have the governance maturity to use them safely.

For IT professionals, this creates a specific and growing opportunity. AI governance — the discipline of designing, implementing, and auditing the processes that ensure AI is used responsibly, accurately, and accountably — is rapidly becoming a core enterprise IT competency. Organisations that experienced AI failures like EY's are actively seeking professionals who can help them build the review frameworks, training programmes, and quality assurance processes that prevent such incidents.

The professionals best placed to lead this work are those who combine technical AI literacy — understanding how LLMs work, why they hallucinate, and how to design prompts that reduce risk — with governance and quality management skills. Certizon's certification programmes in Responsible AI, AI Ethics, AI Product Management, and Generative AI for Business are designed precisely for this growing professional need.

That commitment is now the minimum expectation for every organisation deploying AI. The professionals who can help organisations live up to it are among the most valuable in the industry.

Frequently Asked Questions

Q1: What exactly did EY publish that led to the retraction?

EY Canada's consultants published a study on loyalty rewards programmes intended to market the firm's cybersecurity services. Researchers at GPTZero found the report contained fabricated data points, misattributed citations, and a reference to a McKinsey report that does not exist. EY removed the report from its website and confirmed it was reviewing how the publication occurred.

Q2: What is an AI hallucination and why does it happen?

An AI hallucination occurs when a large language model generates text that sounds plausible and authoritative but is factually incorrect — including invented statistics, fabricated citations, and references to non-existent sources. Hallucinations happen because LLMs are trained to produce statistically plausible text, not to verify factual accuracy. They generate what a document of a given type typically looks like, which can include realistic-sounding but entirely fictitious data.

Q3: Is EY the only organisation to have this problem?

No. Deloitte was required to correct a report for a Canadian provincial government in 2025 after fake academic citations were discovered. Law firm Sullivan & Cromwell apologised to a New York court in April 2026 after a filing repeatedly misquoted the US bankruptcy code and cited cases incorrectly. The pattern suggests a systemic governance gap across professional services AI adoption.

Q4: What certifications help professionals prevent AI hallucination incidents?

The most relevant certifications include AI Ethics and Responsible AI Governance programmes, Prompt Engineering credentials, Data Literacy and Information Verification qualifications, Generative AI for Business certifications (which cover hallucination awareness), AI Product Management, and quality management credentials such as PMP or Six Sigma. Certizon offers programmes across all of these areas.

Q5: How can organisations build processes to prevent AI hallucination in published content?

Key steps include: designing prompts that instruct AI to flag uncertainty rather than fabricate; verifying every factual claim and citation against primary sources before publication; using AI detection tools to identify potentially hallucinated content; establishing named human accountability for AI-assisted publications; and documenting AI workflows for internal governance and regulatory compliance.

Get Certified in Responsible AI — Before Your Organisation Needs a Retraction

The EY incident is a warning that organisations across every sector need to take seriously. AI tools are powerful, productivity-enhancing, and increasingly embedded in professional knowledge work. But without the right governance frameworks, human review processes, and certified expertise to implement them, the risk of AI-generated errors reaching the public — under a trusted brand — is real and growing.

Certizon's certification programmes in AI Ethics, Responsible AI Governance, Prompt Engineering, and Generative AI for Business equip IT professionals and knowledge workers with the skills to deploy AI responsibly — building the verification habits, governance frameworks, and quality assurance processes that prevent incidents like EY's before they happen.

Visit certizon.com to explore our full certification catalogue, access free trial courses, and speak with a career advisor today.

AI generates the draft. Certified professionals make it trustworthy.

Published by Certizon Editorial Team  |  certizon.com  |  May 18, 2026

SEO | GEO | AEO Optimized Content  |  Global IT Certifications