Oops, the consultancy firm has a red face - again
The Deloitte AI saga has taken another turn – and this time the spotlight is squarely on governance, disclosure and how organisations manage staff use of artificial intelligence.
Newly released correspondence between Deloitte and the federal Department of Employment and Workplace Relations (DEWR) shows the consulting giant did not initially tell the department that generative AI sat behind a string of errors in its $440,000 welfare report – and then incorrectly claimed it had done so.
For HR leaders now grappling with AI policies, staff training and external vendors using AI on critical work, the affair is becoming a case study in what can go wrong when controls are unclear and transparency falters.
A false assurance, then a quiet correction
On August 22, the day the Australian Financial Review revealed fake academic sources in Deloitte’s review of the welfare compliance framework, the firm wrote to DEWR asserting that the problems were “limited to the footnotes and reference list only”. That was later undercut by the discovery of a fabricated quote from a leading case on robo-debt.
The new documents reveal what happened next.
On September 2, Deloitte wrote to the Finance Department claiming that “DEWR was advised of the nature and cause of the errors, together with the media enquiry and Deloitte’s proposed response”.
Six days later, a DEWR deputy secretary contradicted that version of events, writing back that “while Deloitte staff immediately apologised to the department for the errors, and confirmed they were limited to poorly transcribed citations and references, at no point was the department advised that the cause of the errors was attributed to the use of generative AI tools”.
On September 12, Deloitte wrote again to Finance, copying in DEWR, to walk back its earlier statement: “We wish to clarify that DEWR was not advised that the cause of the errors was attributed to the use of generative AI tools as we had previously understood to be the case.”
For HR professionals, that paper trail is a sharp reminder that in the age of AI, process failures are as much about people and communication as they are about technology. Who is responsible for telling the client that AI has been used? What exactly must be disclosed – and when? Those questions are now live issues in many organisations, not just at global consulting firms.
AI use beyond what was approved
The correspondence also lays bare how Deloitte’s use of AI drifted beyond what had been signed off.
The deputy secretary notes that, “after first assessing the business case, the department agreed to the use of specific AI tools to support the analysis of IT code as part of the review”. In other words, DEWR signed off on technical assistance – code reading, documentation and workflow mapping – inside its own secure environment.
However, the letter goes on: “your [September 2] letter also refers to the use of generative AI in two publishing-related tasks: summarising a legal case for formatting purposes, and completing and formatting citations. You confirm these tools likely contributed to the errors identified in the report.”
Deloitte had told Finance that it used “generative AI tools (MyAssist and ChatGPT) to support publishing-related tasks: to summarise proceedings and to complete and format citations”. Later, the corrected report referred only to “a generative AI large language model (Azure OpenAI GPT-4o) based tool chain licensed by DEWR and hosted on DEWR’s Azure tenancy”.
An internal email explained the difference: “Azure OpenAI GPT-4o offered a restricted use of AI within the department’s environment, rather than ChatGPT, which is an open tool and not locked down to the department’s environment.”
The distinction matters. DEWR had approved a locked-down, department-licensed tool for specific technical work. Deloitte staff also used open tools for writing tasks that were not covered by that approval – and then failed to spell that out to the client.
For HR, this is exactly the kind of “scope creep” that AI policies need to anticipate: employees extending use from safe, sanctioned use cases into riskier ones, often under deadline pressure and without fully grasping the implications.
A bill for nearly $100,000 – and a warning shot
In light of the errors and the disclosure breach, the DEWR deputy secretary requested repayment of $97,587.11 “given the issues identified with the final product, and your acknowledgement that internal Deloitte policy regarding communicating the use of AI to the client was not followed”.
Separately, the department confirmed that the republished report dated 26 September – released publicly on 3 October – did not use AI for the review work or citations. Those were done manually, and Deloitte told officials that “no AI was used to conduct its review of the defective report”.
The saga sits alongside the already public decision to withhold the final instalment of the $440,000 contract. DEWR has said the “substance of the independent review is retained, and there are no changes to the recommendations”, while acknowledging that “some footnotes and references were incorrect”.
From the firm’s side, Deloitte has said it “stands by our work and the findings”, and that “the updates made in no way impact or affect the substantive content, findings and recommendations in the report”.
But critics are not convinced the problem can be fixed with footnote surgery. University of Sydney academic Dr Christopher Rudge, who first exposed the fake references, argued that “instead of just substituting one hallucinated fake reference for a new ‘real’ reference, they’ve substituted the fake hallucinated references and in the new version, there’s like five, six or seven or eight in their place”, suggesting the original claims were not clearly grounded in evidence.
In a Senate forum on consulting integrity, Labor senator Deborah O’Neill was scathing: “Deloitte has a human intelligence problem. This would be laughable if it wasn’t so lamentable. A partial refund looks like a partial apology for substandard work.”
“Anyone looking to contract these firms should be asking exactly who is doing the work they are paying for, and having that expertise and no AI use verified,” she said. “Perhaps instead of a big consulting firm, procurers would be better off signing up for a ChatGPT subscription.”
New transparency expectations in government – and beyond
The federal government has already moved to tighten expectations around AI disclosure in public-sector consulting. Officials have told major firms they will be required to spell out where generative AI has been used on contracts, and some agencies are now writing AI transparency clauses into their statements of work.
In the wake of the Deloitte incident, procurement specialists have called for “stronger government procurement and contract management standards in the AI age”, warning that traditional engagement letters are not designed for tools that can generate content as well as crunch numbers.
The concerns are not confined to Canberra. Regulators and professional bodies internationally have been warning that AI “hallucinations” – where models fabricate plausible-sounding facts – pose particular risks in audit, HR, legal and policy work, where clients assume sources and quotations have been rigorously checked.
For HR professionals overseeing internal policy, workforce analytics or culture reviews, the Deloitte case shows how quickly trust can be eroded when staff lean on AI without tight guardrails – and when leaders are slow or reluctant to be frank with stakeholders about what has gone wrong.
What this means for HR
The immediate scandal may sit in consulting and government procurement, but the lessons are squarely in HR’s backyard: governance, systems, behaviour and accountability.
A few implications stand out:
- AI policies must be precise, not aspirational. DEWR approved use of “specific AI tools to support the analysis of IT code”. Deloitte staff also used generative AI “to summarise proceedings and to complete and format citations”. The gap between what was authorised and what actually happened is exactly where HR policy and training need to bite.
- Disclosure should be treated as a people risk. Deloitte’s misstatement – and belated correction – about what it had told the department was not a model glitch; it was a communications failure. HR leaders responsible for ethics, whistleblowing and culture should treat AI use as part of the same landscape: staff need to know that hiding or minimising AI involvement is unacceptable.
- Vendor management now has a human capital dimension. Senator O’Neill’s line – “Anyone looking to contract these firms should be asking exactly who is doing the work they are paying for, and having that expertise and no AI use verified” – could just as easily apply to outsourced HR analytics, recruitment platforms or culture surveys. Brokers, auditors and consultants using AI on workforce data should expect more probing questions from internal HR clients.
- Training is about judgement, not just tools. Deloitte told media and regulators that “the updates made in no way impact or affect the substantive content, findings and recommendations in the report”, and that it “stands by our work and the findings”. The controversy shows that even if the conclusions survive, poor judgement around how those conclusions are assembled – including uncritical reliance on AI – can be reputationally devastating.
Where to from here for HR leaders
Most large organisations are already experimenting with generative AI: drafting policies, summarising legal material, scanning CVs, analysing engagement surveys. The Deloitte episode is unlikely to stop that, but it should change how it is governed.
For HR, the newest revelations – hidden AI use, policy breaches, corrective refunds and public reprimands – are a timely prompt to ask some blunt questions:
- Where, exactly, is AI being used in our HR and people processes?
- Which tools are approved – and which are quietly being used anyway?
- Do our staff know what must be disclosed to clients, unions and regulators?
- If a Deloitte-style incident happened here, could we explain who did what, and why?
Artificial intelligence did not send those letters, sign that contract or decide not to mention the chatbot to the client. People did. For an HR profession increasingly asked to “own” culture, ethics and workforce capability in the AI era, that may be the most uncomfortable – and important – revelation of all.
