Content Fans

EY withdraws loyalty report after GPTZero finds AI hallucinations

Serge Bulaev

Serge Bulaev

EY withdrew a loyalty rewards report after the AI detector GPTZero found what appear to be made-up data, fake footnotes, and citations to sources that do not exist. EY is now reviewing how the report was published and says it is committed to using AI responsibly. The case highlights that using AI in public research may require stronger checks, like making sure each citation is real and having expert reviews before release. Some experts suggest that firms may need new rules to control how AI is used and to clearly tell readers when AI helped with a report. EY has not yet provided a timeline for finishing its review, and more changes to its process may follow.

EY withdraws loyalty report after GPTZero finds AI hallucinations

Professional services giant EY withdraws its loyalty report after GPTZero finds AI hallucinations, including fabricated data and non-existent sources. The firm pulled the 27-page study on loyalty fraud when the AI detector flagged broken citations and a reference to an absent McKinsey study, as reported by the Financial Times (FT summary). An investigation by GPTZero warned that such falsehoods can "poison the well" for future researchers (GPTZero investigation).

The incident highlights the growing compliance pressure on professional services firms that rely on generative AI for public research.

Key Statistics

What GPTZero Uncovered

GPTZero's investigation of the EY report revealed significant AI-generated flaws, including fabricated data, broken footnote links, and citations to non-existent sources. The AI detection tool flagged multiple instances where statistics did not align with their supposed sources, a practice GPTZero labeled as "vibe citing."

In a detailed analysis, GPTZero researchers alleged the EY paper, "Points of Attack," was filled with fabricated data and dead links. The investigation highlighted statistics that didn't match their footnotes and a table citing a non-existent airline source. The findings were widely reported, with the Indian Express describing them as "AI hallucination errors."

Key allegations raised by investigators:
- Fabricated loyalty-fraud figures with no underlying dataset
- Footnotes linking to pages that never existed
- Citation of a McKinsey study that cannot be located

EY's Internal Review and Sector Reaction

In response, EY confirmed it is "reviewing the circumstances that led to this article's publication" and reaffirmed its commitment to the responsible use of AI. While the firm stated the report was not tied to any client work, it had reportedly been used in marketing materials by consultants.

This incident brings the reliability of AI detectors into focus. While effective, academic findings from Stanford and the UK's National Centre for AI caution that tools like GPTZero have limitations. Their guidance suggests that detector scores should be treated as preliminary signals that require expert human review.

The EY episode highlights several important considerations for professional services firms using AI:
1. Public-facing research requires line-by-line citation checks before release.
2. Firms must draft AI governance frameworks that mandate human sign-off by qualified professionals.
3. Clients will increasingly ask when and how consultancies employ generative models.

Early Lessons for Governance Teams

To prevent similar issues, risk leaders are implementing several key controls for generative AI:

  • Maintain an inventory of approved AI tools and block unauthorized "shadow AI" on employee devices.
  • Classify sensitive data at the highest tier and bar uploads to public AI models.
  • Require a documented fact-check of every statistic, link, and quotation in research outputs.
  • Disclose all material AI assistance in footers or cover memos for external deliverables.

EY has not yet provided a timeline for completing its review. Observers anticipate further revisions to the firm's publication standards once its findings are public.

What caused EY to retract its loyalty-program report?

The firm withdrew the white paper "Uncovering Cyber Threats and Fraud in Loyalty Systems" after GPTZero investigators flagged hallucinated data, non-existent citations and a fabricated McKinsey study. EY told the Financial Times it had removed the document from its website and was "reviewing the circumstances that led to this article's publication".

How did GPTZero spot the fabricated content?

GPTZero ran the report through its detection engine and found multiple footnotes pointing to phantom webpages, plus statistics that shifted between sections. The tool's audit concluded that a significant portion of the listed references were imaginary, a red-flag rate that triggered public scrutiny.

Is this the first time a Big Four firm has pulled research over AI errors?

According to industry reports, EY is among several Big Four firms that have faced challenges with AI-related research issues in recent years. The pattern underscores how even marquee brands are struggling to govern generative-AI use inside knowledge-worker workflows.

What are the wider risks for professional-services clients?

Beyond reputational harm, phantom citations can leak into client deliverables, regulatory filings and court evidence, creating liability for both the firm and its customers. Industry analysts warn that AI-generated inaccuracies in consulting reports can contaminate the public knowledge base, raising due-diligence stakes for investors and auditors.

How can firms prevent similar incidents?

Leading practices now mandate human verification by a qualified professional, citation spot-checks against original sources and tiered data-classification rules that bar client confidential information from public AI tools. Firms are also logging every AI-assisted draft and requiring governance-committee sign-off before external release, aligning with emerging AI-management standards.