I came across an interesting LinkedIn post today. I could have just given a link to the post and moved on. But I felt that it is better to reproduce the entire post just to ensure that readers do not miss the essence of this post. It requires guts to write such posts and I appreciate Mr Nicholas P for his post. (I hope Mr Nicholas has no objection to my reproducing his post here.)
Quote:
When a Big 4’s own AI report is filled with AI hallucinations – it’s clear the standards need to catch up.
In October 2025, KPMG published a glossy report about the miracle of agentic AI, and last week was exposed for hallucinating the very thing it was selling.
Forty of forty-five citations were fake, half the claims were invented, and the report contradicted KPMG’s own survey numbers – even citing a 2019 East Japan Railway press release as evidence of agentic AI, blowing enough smoke to give a new definition to full steam ahead.
We’ve seen this movie before, and it ended with everyone else footing the bill. Deloitte fed AI hallucinations into a government report, cut a refund, and walked – except a refund doesn’t un-spend the taxpayer money, doesn’t un-make the decisions built on the fiction, and teaches every firm watching that the cost of getting caught is pocket change.
KPMG, in a way, sold trust. A global concrete icon – a hundred and thirty years old, a quarter-million people across a hundred and forty countries, four letters that meant a banker in Frankfurt could believe a ledger in Singapore without ever shaking the hand that wrote it.
Trust is a belief about a partner’s goodwill; assurance is what you sell when that belief is gone – and it only works if you can still trust the firm selling it, which is seemingly a loan the Big 4 are starting to default on.
Buried in the report, KPMG found that integrity was the number-one driver of “customer loyalty”. A belly-chuckle of a finding, dripping with irony, 8 months before its own integrity disintegrated in public. And somewhere down the line, everybody will be asking:
What exactly were we paying for when we said we were buying trust?
Unquote
What Mr Nicholas has written applies to all consultants including Naavi and FDPPI. When we use AI for assistance, we should ensure that we keep our human control intact. If not, we will churn out decisions which to our customers look like human decisions but are actually AI output passed through a human zombie.
We have been discussing the use of AI in Judiciary for the last week and in the last article we debated how to identify AI before we regulate it. The biggest challenge here is to identify AI elements “embedded” in what appear to be permissible software tools, because we do not know what libraries are called in the background and where an AI hallucination can sneak in.
We have found that many companies have a blind faith in Big4 and pick them in preference to others because of the reputation which the Directors feel will cover up for their inability to understand the task. They trust the Big4 as if whatever they say is the truth. Even the Government agencies may have a similar inclination.
The article of Mr Nicholas exposes how hollow this trust is, since what they receive as consultancy may not be the brilliance of the persons who come to present their recommendations and carry IIT or IIM degrees, but hallucinated AI outputs.
When companies invest in such services and further depend on them for their business, the shareholders have the right to ask whether the Board of Directors is really doing its job or has to be replaced by an AI board (remember Mika of Dictador or Diella of Albania). We have often quoted these innovative uses of humanoid robots, along with “Sophia”, the humanoid robot which got citizenship of Saudi Arabia, as questionable decisions.
But on second thoughts it appears that the Sophia decision is relatively less risky than Mika, which is less risky than Albania. This is because the decision-making capacities are different in different models. Mika can hallucinate and ruin the company and Diella can hallucinate and ruin a country. Maybe Sophia is less powerful. But all these are examples which we in India need to learn from before we reflect on the ET recommendation that companies should install an AI agent for DPDPA compliance.
There is a need to adopt a policy of “Restrained Innovation” and not pursue “Innovation over Restraint” which is advocated by technology companies and often endorsed by NASSCOM and MeitY.
Unless a user of AI is able to read and understand every line of text created by a generative AI system, he will be walking into a trap when he uses AI either to write software code or to draft a pleading in a Court or to write a consultation report on a project.
Directors need to have the ability to ask the right questions to the consultants before accepting their reports. In a recent discussion at AIDAI (Association of Independent Data Auditors) we discussed the need for
a) Scope of a DPDPA audit to be written independently by somebody other than the auditor or the company.
b) Peer reviewing a DPDPA compliance audit report.
These are principles of “Independence” incorporated in the AIDAI Code of Conduct for their empanelled Auditors that distinguish AIDAI from any of the Big4 or other auditors.
Companies who are looking for DPDPA auditors should therefore factor in the expertise available in AIDAI at least for a “Review of an Audit” already done even if it is by a Big 4.
Naavi is in the process of developing a “DGPSI Framework for Review of a DPDPA Audit”. Perhaps it will be discussed in the next CIDA (Certified Independent Data Auditor) training.
We hope companies that have had their present DPDPA gap assessment done by a Big4 will think of a “Review” with AIDAI empanelled Independent Data Auditors who are not aligned even with NASSCOM and are not under the influence of the Big Tech Companies that control NASSCOM.
Ponder….
Naavi







