KPMG AI Citation Failure Turns Hallucination Risk Into a Compliance Control Issue
#Regulation

Regulation Reporter

A withdrawn KPMG agentic AI report shows why AI governance now has to treat citations, case studies, and marketing claims as regulated outputs, not editorial housekeeping.

Regulatory action

KPMG International has removed an October 2025 report, Total Experience: Redefining Excellence in the Age of Agentic AI, after GPTZero alleged that only five of the report's 45 citations correctly supported the cited material. The Financial Times reported on June 12, 2026 that several named organizations, including UBS, the NHS, Swiss Federal Railways, and Transport for London, were described in inaccurate or unsupported AI case studies. KPMG told reporters it had removed the report while reviewing how it was published.

This is not, as of June 12, 2026, an announced enforcement action against KPMG. For compliance teams, the issue is broader: regulators already have rules that make unsupported AI claims, inaccurate personal data, and unmanaged AI outputs legally sensitive.

In the United States, the Federal Trade Commission's Operation AI Comply, announced September 25, 2024, targeted deceptive AI claims and schemes. The FTC Act, originally effective September 26, 1914, prohibits unfair or deceptive acts or practices. The practical requirement is simple: if a company claims an AI system can perform a task, replace professional judgment, produce reliable results, or improve business outcomes, it needs competent evidence before publication.

In the European Union, the EU AI Act, Regulation (EU) 2024/1689, entered into force on August 1, 2024. The Commission's implementation page states that prohibited AI practices and AI literacy duties applied from February 2, 2025, general-purpose AI obligations applied from August 2, 2025, transparency rules are due in August 2026, certain high-risk system rules apply from December 2, 2027, and high-risk AI embedded in regulated products applies from August 2, 2028.

Data protection law also matters. The General Data Protection Regulation, Regulation (EU) 2016/679, has applied since May 25, 2018. Article 5 requires personal data to be accurate and kept up to date where necessary. If an AI-generated report invents or distorts facts about identifiable people, customers, employees, applicants, patients, or passengers, the issue can move from reputational damage to data protection non-compliance.

What it requires

Treat externally published AI-assisted material as a controlled business record. That means every cited source, named case study, benchmark, customer example, and regulatory reference must be verified by a human owner before release. A citation should not merely exist. It must support the exact sentence it is attached to.

For marketing, sales enablement, public reports, and client advisories, the FTC standard is the most direct operational rule: do not make AI claims unless the organization can substantiate them. A report saying that a bank, railway, public agency, or airline has deployed agentic AI should have written confirmation, a reliable primary source, or a reviewed public record. If the source only describes a pilot, chatbot, analytics tool, or unrelated automation project, the claim must be narrowed.

For EU AI Act readiness, organizations should map where generative AI is used in publication workflows. The key compliance controls are AI literacy, transparency, human oversight, documentation, logging, accuracy testing, and incident handling. Even if a thought leadership report is not itself a high-risk AI system, the workflow that produced it can expose weak governance. Regulators and customers will ask who approved the output, what tool was used, what prompts or source materials were supplied, what checks were performed, and why unsupported claims survived review.

For GDPR compliance, the control point is accuracy. If AI output includes personal data, the organization needs a correction path. That includes pre-publication review for named individuals, documented source checks, removal or correction procedures, and a process for responding to data subject requests. Hallucinated personal data is not cured by saying that a model generated it.

A practical control set should include four gates. First, classify AI-assisted content by risk before drafting begins. Second, require source-level verification for factual claims, especially citations, statistics, legal statements, named deployments, and customer references. Third, require accountable sign-off from the business owner, legal or compliance reviewer, and subject-matter reviewer. Fourth, retain an audit file showing source URLs, retrieval dates, reviewer names, edits, and publication approval.

The NIST AI Risk Management Framework, released January 26, 2023, is useful even where it is voluntary. NIST frames AI risk management around governance, mapping, measurement, and management. For this incident, that translates into a basic rule: do not rely on model fluency as evidence. Evidence remains the source document, the test result, the contract, the customer confirmation, or the regulatory text.

Compliance timeline

Immediate, within 30 days: freeze publication of high-risk AI-assisted external content until citation checks are complete. Review current AI reports, case studies, sales decks, and website claims for unsupported references. Remove or correct claims that cannot be verified. Keep a remediation log with dates, reviewers, and decisions.

By 60 days: update the AI use policy to cover external publications, not only software development and internal productivity. The policy should require disclosure of AI use where required, ban unverifiable citations, require primary sources for legal and regulatory claims, and define who can approve AI-generated or AI-assisted public material.

By 90 days: implement a source verification workflow. Compliance should require evidence files for each material factual claim. Legal should review regulatory statements. Communications teams should verify named customer or public-sector examples. Technical teams should verify model, benchmark, and product capability claims.
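The four gates described under "What it requires" and the 90-day source verification workflow above can be enforced as a pre-release check rather than a checklist. The following is an added example, not code from the article or from KPMG; the report text, claim record, source URL and reviewer names are constructed placeholders. Sign-offs are bound to a hash of the text the reviewer approved, so an edit made after approval invalidates the sign-off.

```python
import hashlib
import json

# Constructed sample audit inputs for one report (illustrative placeholders, not KPMG's data).
REPORT_TEXT = "Example Bank has deployed an agentic AI assistant in its call centre."
CLAIMS = [{
    "claim": "Example Bank has deployed an agentic AI assistant in its call centre.",
    "source_url": "https://example.com/press/agentic-assistant",  # placeholder URL
    "retrieved": "2026-06-01",
    "verified_by": "analyst@example.com",  # placeholder reviewer
    "supports_claim": True,  # reviewer confirmed the source backs this exact sentence
}]
REQUIRED_ROLES = {"business_owner", "legal_or_compliance", "subject_matter"}

def content_hash(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def make_signoffs(text: str, roles=REQUIRED_ROLES) -> list:
    """Each sign-off records the hash of the text the reviewer actually approved."""
    return [{"role": r, "content_sha256": content_hash(text)} for r in sorted(roles)]

def gate_checks(report_text: str, claims: list, signoffs: list, risk_class: str) -> list:
    """Return the list of gate failures; an empty list means the report may be released."""
    failures = []
    # Gate 1: a risk classification must be recorded before drafting.
    if risk_class not in {"low", "medium", "high"}:
        failures.append("gate1: missing or invalid risk classification")
    # Gate 2: each material claim needs a source URL, retrieval date, named verifier,
    # and confirmation that the source supports the exact sentence it is attached to.
    for i, c in enumerate(claims):
        for field in ("source_url", "retrieved", "verified_by"):
            if not c.get(field):
                failures.append(f"gate2: claim {i} missing {field}")
        if not c.get("supports_claim"):
            failures.append(f"gate2: claim {i} source does not support the sentence")
        if c.get("claim", "") not in report_text:
            failures.append(f"gate2: claim {i} text no longer appears in the report")
    # Gate 3: sign-off from all three roles on the current text; a post-approval edit
    # changes the hash, so stale sign-offs are not counted.
    current = content_hash(report_text)
    signed = {s["role"] for s in signoffs if s.get("content_sha256") == current}
    for role in sorted(REQUIRED_ROLES - signed):
        failures.append(f"gate3: no sign-off for {role} on the current text")
    return failures

def build_audit_file(report_text: str, claims: list, signoffs: list, risk_class: str) -> str:
    """Gate 4: emit the retained audit record, refusing release if any gate failed."""
    failures = gate_checks(report_text, claims, signoffs, risk_class)
    if failures:
        raise ValueError("release blocked: " + "; ".join(failures))
    return json.dumps({"content_sha256": content_hash(report_text), "risk_class": risk_class,
                       "claims": claims, "signoffs": signoffs}, indent=2)
```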

By August 2026: prepare for EU AI Act transparency obligations. Organizations operating in or selling into the EU should be ready to identify AI-generated content where required, document generative AI use in publication workflows, and train staff on AI literacy obligations that have applied since February 2, 2025.

By December 2, 2027 and August 2, 2028: complete high-risk AI system readiness where applicable under the Commission's current implementation timeline. That means risk management, data governance, technical documentation, logging, human oversight, accuracy, cybersecurity, and post-market monitoring for covered systems.

The compliance lesson from the KPMG report is direct. AI hallucinations are not only a technical defect. When they enter public claims, client advice, regulated records, or personal data processing, they become governance evidence. A compliance officer should now ask one question before any AI-assisted report is published: can we prove every material claim without trusting the model that wrote it?
