The Deloitte AI misstep: why understanding still matters
When Deloitte was forced to refund part of a $440,000 government contract because its report contained AI-generated errors and fake citations, the headlines almost wrote themselves. It is easy to frame it as another "AI gone rogue" story, but the real problem was not artificial intelligence. It was human complacency.
What actually happened
Deloitte was paid $440,000 by the Australian government to conduct an assurance review. After release, researchers found fake legal references and fabricated citations in the report, and the firm later admitted sections were generated using AI tools. Deloitte corrected the report and refunded part of the contract.
What researchers uncovered are known as AI hallucinations: when a system confidently produces information that sounds credible but is not true. These errors occur when AI outputs are not properly checked, guided, or grounded in a verified source of truth. It was not an AI failure. It was a human oversight failure.
The real risk is not AI. It is us
At Cornerstone we use AI every day to analyse data, summarise documentation, and turn technical insight into clear, client-ready language. It is a genuine boost to productivity. But productivity means nothing without understanding. You still need to know the content, grasp the context, and recognise when something does not look right.
That is exactly what seems to have happened at Deloitte. A report meant to provide assurance ended up undermining trust, not because AI failed, but because people stopped questioning it. No one checked the sources. No one validated the claims. AI wrote confidently, and was confidently wrong.
AI should support us, not replace us
In cybersecurity, blind trust is dangerous, and the same goes for AI. We always point AI toward a source of truth, such as Microsoft documentation, ACSC guidance, NIST or CIS, and we validate everything it produces. When you build trust with clients that trust is fragile; one fabricated fact or hallucinated citation can undo years of credibility. We treat AI as a supporting tool, not a substitute for knowledge. It helps us move faster, but only because we know enough to spot when it is wrong.
AI governance means more than policy
The Deloitte case shows why every organisation needs more than an AI policy sitting in a document library. Governance is not just about permission; it is about education and discernment. Everyone in a business should understand what AI should be used for (research, drafting, summarising, data analysis), how to interact with it responsibly (accurate context, verified data, defined boundaries), and when to leave it on the sideline, especially for anything involving facts, legal interpretation or professional judgement.
Policy sets the rulebook. Education builds the instinct. When people know how and when to engage AI, they do more than comply: they make better decisions, protect the organisation's credibility, and reduce the risk of Deloitte-style mistakes.
The wake-up call
The Deloitte case is a wake-up call, not to fear AI but to re-establish accountability. AI should never be a shortcut to understanding; it should amplify expertise, not replace it. Use the tool, but keep your brain switched on. If you want help putting real governance around AI, our Secure AI work and the AI policy template are the place to start, grounded in the data discovery and access controls covered in Data Protection.