Deloitte's AI mess just got worse - and HR should be paying attention
Another public stumble, and this time the lesson is squarely about governance, disclosure, and how your people use AI. Deloitte's errors in a $440,000 welfare report weren't just about citations. They were about process, communication, and scope creep.
If you lead HR, this is your brief. Not the models. The behaviors around them.
What actually happened
First, Deloitte told the department the problems were "limited to the footnotes and reference list only." That fell apart when a fabricated quote from a key robo-debt case surfaced.
Then came a paper trail. On September 2, Deloitte told Finance that DEWR had been advised of the cause. Six days later, DEWR contradicted that, saying they were never told generative AI was involved. On September 12, Deloitte walked it back and "clarified" DEWR hadn't been told AI caused the errors.
The deeper problem: scope creep and silent AI
DEWR approved specific AI tools for code analysis inside its secure environment. Clear scope. Clear controls.
Deloitte staff also used generative AI for "publishing" tasks - summarizing a legal case and formatting citations - including open tools (MyAssist and ChatGPT). That wasn't covered by the approval. Later references to a locked-down Azure OpenAI GPT-4o tool chain only muddy the picture.
This is exactly how risk shows up at work: small shortcuts, deadline pressure, and undocumented exceptions that turn into headlines.
Money, accountability, and trust
DEWR requested a $97,587.11 repayment due to errors and a breach of Deloitte's own client disclosure policy. The final contract instalment remains withheld. Deloitte says the findings stand; critics say the sourcing doesn't.
One academic who surfaced the fake references argued the "fix" multiplied citations without firm evidence. A senator went further: "Deloitte has a human intelligence problem... Anyone looking to contract these firms should be asking exactly who is doing the work they are paying for... Perhaps instead of a big consulting firm, procurers would be better off signing up for a ChatGPT subscription."
Why HR owns this
AI risk is people risk. Who discloses AI use to clients? What gets disclosed, and when? Who approves exceptions? These are culture, behavior, and accountability issues.
If your team can't answer those in plain language, the tool isn't the problem - your operating system is.
Non-negotiables for HR AI governance
- Tool registry and access control: Maintain a whitelist of approved tools and versions. Ban open tools on client, employee, or confidential data. Document exceptions in advance.
- Clear disclosure standard: Require disclosure when AI shapes analysis, wording, citations, summaries, or visuals. Add a simple "AI used/Not used" flag and the tool name in deliverables.
- RACI for transparency: Define who informs clients, who approves AI use, and who signs off on corrections. Set time limits for incident notices (e.g., 24-48 hours).
- Logging and audit: Capture prompts, outputs, model/version, and reviewer. Keep logs for a defined period. Don't store PII in logs without a lawful basis.
- Human review gates: No AI-generated citations or legal summaries without a documented human check against primary sources. A second person must review every quote, footnote, and number before release.
- Allowed vs. banned tasks: Allowed: drafting outlines, code comments in sandboxed environments, formatting. Banned: generating citations, legal analyses, or "summaries" that could be mistaken for fact without expert review.
- Data security rules: Sensitive work stays in tenant-hosted, enterprise tools. Disable training on your data. Block copy-paste of confidential content into open models.
- Vendor and consultant clauses: Require written permission before using AI, name the tool and host, log usage, and attest to human review. Include rights to audit, withhold payment, or seek refunds if undisclosed AI shows up.
- Incident response: Have a one-page playbook: pause use, preserve logs, verify scope, notify stakeholders, rework without AI where needed, and decide on refunds or credits.
- Training for judgment: Teach staff how hallucinations happen and where they hide (citations, quotes, numbers). Use realistic scenarios, not tool demos. Require annual attestation.
Vendor questions to start asking today
- Which AI tools did you use, where are they hosted, and who has access?
- Do you keep prompt and output logs? For how long? Can we review them?
- Was any content (citations, legal summaries, quotes) generated with AI? Who verified it against source material?
- How do you prevent open models from training on our data?
- Do subcontractors use AI on our work? Under what controls?
- If undisclosed AI is discovered, what remedy applies (rework, refund, termination)?
Policy wording you can adapt
- "Employees must use only approved AI tools for defined tasks. Use of any other tool requires written approval."
- "Any deliverable influenced by AI must disclose: tool name, version, and scope of use."
- "AI may not generate citations, legal summaries, or quoted material without human verification against primary sources."
- "Client, employee, or confidential data may not be entered into open models."
- "Failure to disclose AI use may trigger rework at cost, repayment, or disciplinary action."
Metrics that keep you honest
- % of AI-assisted deliverables with proper disclosure
- % of staff with current AI policy attestation
- Number of exceptions granted (and closed) per quarter
- Time to notify stakeholders after an AI incident
- Audit findings on citation/quote accuracy
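As an added example (not part of the original article), here is one way to structure the audit log described under "Logging and audit" and to compute the first of these metrics from it: each record captures prompt, output, tool and version, reviewer and a disclosure flag, e-mail addresses are masked before anything is stored, and a policy check flags unapproved tools, missing human review on citation or legal tasks, and undisclosed use. The field names, the approved-tool registry and the sample records are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed example; field names are assumptions following the page's
# "Logging and audit" bullet: prompt, output, model/version, reviewer.
PII_EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
def redact(text: str) -> str:
    """Mask e-mail addresses so prompts/outputs are logged without PII."""
    return PII_EMAIL.sub("[REDACTED-EMAIL]", text)
@dataclass
class AiUsageRecord:
    deliverable: str
    tool: str                  # must appear in APPROVED_TOOLS
    version: str
    task: str                  # e.g. "format-citations", "legal-summary"
    prompt: str
    output: str
    reviewer: Optional[str]    # None = no documented human check
    disclosed: bool            # "AI used" flag present in the deliverable
    def __post_init__(self):   # redact before anything is persisted
        self.prompt, self.output = redact(self.prompt), redact(self.output)

APPROVED_TOOLS = {"azure-openai": {"gpt-4o"}}        # assumed registry
REVIEW_REQUIRED = {"generate-citations", "legal-summary", "quote"}
def violations(r: AiUsageRecord) -> List[str]:
    """Policy checks for one record; an empty list means compliant."""
    found = []
    if r.version not in APPROVED_TOOLS.get(r.tool, set()):
        found.append("unapproved-tool")
    if r.task in REVIEW_REQUIRED and r.reviewer is None:
        found.append("missing-human-review")
    if not r.disclosed:
        found.append("undisclosed")
    return found

def disclosure_rate(records: List[AiUsageRecord]) -> float:
    """% of AI-assisted deliverables where every AI step was disclosed."""
    ok = {}
    for r in records:
        ok[r.deliverable] = ok.get(r.deliverable, True) and r.disclosed
    return 100.0 * sum(ok.values()) / len(ok)
SAMPLE = [  # constructed records, not real data
    AiUsageRecord("report-A", "azure-openai", "gpt-4o", "format-citations",
                  "Format refs for jane@example.org", "...", "rev-1", True),
    AiUsageRecord("report-A", "chatgpt", "free", "legal-summary",
                  "Summarise the case", "...", None, False),
    AiUsageRecord("report-B", "azure-openai", "gpt-4o", "outline",
                  "Draft an outline", "...", None, True),
]
```

Running `violations` over the sample flags the second record on all three counts, and the disclosure rate comes out at 50% because a single undisclosed step taints the whole deliverable.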
Prepare for rising expectations
Governments and regulators are dialing up transparency. Expect clauses that force disclosure of where and how AI was used, and proof that humans checked risky parts. The direction of travel is clear.
If you need a reference point, the NIST AI Risk Management Framework offers a solid structure for controls, documentation, and accountability.
Skill up your HR team
Policy is a start. Capability closes the gap. Build practical skills in prompt reviews, audit trails, risk flags, and vendor oversight - not just "how to use a chatbot."
For curated learning paths by role, see AI courses by job.
Bottom line
AI didn't send those letters or skip that disclosure. People did. Set the guardrails, enforce them, and make disclosure a habit, not a debate.
If a Deloitte-style incident hit your org tomorrow, could you explain who used what, where, and why - with logs to back it up? If not, you have your next priority.