If It Can Happen to Deloitte, It Can Happen to Your Firm

By Kim Xi Harris   |   Founder & Platform Architect, Lex Arca™ Legal Vault   |   Calculate your firm’s billing leakage   |   legalvault@lex-arca.com

According to Clio’s 2026 Legal Trends Report for Solo and Small Law Firms (May 2026), 71% of solo practitioners and 75% of small firms are now using AI to complete legal work — yet fewer than 33% have seen any revenue increase from it, compared to nearly 60% of enterprise firms. The gap between AI adoption and AI compliance is not a policy problem. It is an architecture problem.

In October 2025, Deloitte — one of the four largest consulting firms on the planet — was forced to partially refund AUD $440,000 (approximately USD $290,000) to an Australian government client after delivering a 237-page report riddled with AI-generated hallucinations: fabricated academic citations, invented books, and quotes attributed to federal judges who never said them. By April 2026, Sullivan & Cromwell — a Wall Street law firm billing partners at $2,500 an hour — sent a letter of apology to a federal bankruptcy judge for filing a court motion packed with AI-fabricated case citations and misquoted passages from the U.S. Bankruptcy Code. If AI hallucination risk can detonate inside organizations of that size, with those resources, and with those protocols in place, the question every solo and small-firm litigator needs to answer is not ‘Could it happen to me?’ The question is: ‘What is my documented proof that it didn’t?’

What Actually Happened in the Deloitte $440,000 AI Report Scandal?

The Deloitte hallucination incident is the clearest enterprise-grade proof point that AI governance failure is not a solo-firm problem. It is an architecture problem — and it does not discriminate by firm size, budget, or prestige.

In 2025, Deloitte Australia was engaged by a government welfare department to review an automated compliance system — a contract valued at approximately AUD $440,000. The firm used Microsoft Azure’s OpenAI GPT-4o model in drafting the 237-page deliverable. The report was published to the department’s website in July 2025 and, on the surface, appeared indistinguishable from any other Big Four deliverable: thorough, professionally formatted, extensively referenced.

It was not. A Sydney University researcher specializing in health and welfare law, Chris Rudge, identified within weeks that the report’s bibliography contained fabricated entries. Of the 141 references in the original version, 14 did not survive the revision uploaded quietly on a Friday evening in October 2025. Among the fabrications: a book attributed to a named Sydney University professor of public and constitutional law that does not exist, and quotes attributed to federal court judges who never said them.

The revised version disclosed, for the first time, that Azure OpenAI had been used in preparing the document. Deloitte partially refunded the contract value. The Australian government subsequently moved to require explicit disclosure of AI tools in all consulting engagements.

The failure was not that Deloitte used AI. The failure was that Deloitte lacked the verification architecture to catch what the AI fabricated before it left the building. The output looked credible because AI-generated fabrications do not look like rough drafts. They look like finished work.

Why Did Sullivan & Cromwell’s AI Error Reach a Federal Judge?

The Deloitte refund was a reputational and financial event. The Sullivan & Cromwell incident became a federal court record — and that is a materially different category of consequence for any licensed attorney.

On April 9, 2026, Sullivan & Cromwell filed an emergency motion in a Chapter 15 bankruptcy proceeding before Chief Judge Martin Glenn of the U.S. Bankruptcy Court for the Southern District of New York. The firm — which advises OpenAI on AI partnerships and the ethical deployment of artificial intelligence — filed a motion that contained AI hallucinations: fabricated case citations, misquoted legal authorities, and garbled references to the U.S. Bankruptcy Code.

The errors were not caught internally. They were identified by opposing counsel at Boies Schiller Flexner.

Andrew Dietderich, co-head of the firm’s global restructuring group, sent a letter to Chief Judge Glenn on April 18 that is now a permanent part of the court record. In it, Dietderich defined hallucinations precisely: “instances in which AI tools fabricate case citations, misquote authorities or generate non-existent legal sources.” He wrote: “The firm maintains comprehensive policies and training requirements governing the use of AI tools in legal work. These safeguards are designed to prevent exactly this situation. The firm’s policies on the use of AI were not followed.”

A three-page single-spaced attachment listed the errors. The firm filed a corrected version.

If Sullivan & Cromwell — with 900+ attorneys, documented AI protocols, and a practice that advises the company that built the model in question — could not prevent this failure, the question for every solo litigator is not whether their informal review process is better than Sullivan & Cromwell’s formal policies. The question is whether their review left a documented, verifiable record that a court or bar investigator can inspect.

Is the Deloitte-Sullivan Pattern Isolated — or Is It the Rule?

It is the rule. A database maintained by Paris-based legal technologist Damien Charlotin has identified more than 1,334 cases globally where AI-generated content produced hallucinated output in legal and professional documents. Within the U.S. court system alone, over 300 standing orders now govern AI use in filings — a number that grew by more than 200 in the second half of 2025.

The domestic sanctions record in 2026 reflects the same pattern at every firm size:

• A Florida attorney was ordered to pay $86,000 in sanctions for submitting AI-hallucinated citations across multiple federal cases — including in his response to the court’s own show-cause order.
• A United States Department of Justice attorney was terminated in March 2026 after a pro se plaintiff identified fabricated quotes in a federal brief.
• Three attorneys at a 350-attorney firm with its own internal AI compliance policy were disqualified from their case and referred to their state bars after submitting fabricated citations in federal prison litigation.
• On April 4, 2026, attorney Stephen Brigandi was sanctioned $110,000 in the District of Oregon — the largest AI hallucination penalty in U.S. legal history. The filing contained 23 fabricated citations and 8 invented quotations.
• A Nebraska attorney received what appears to be the first indefinite license suspension attributable to AI hallucination misconduct, after 57 of 63 submitted citations were found defective.

The federal judge overseeing the 350-attorney firm sanctions wrote: “If fines and public embarrassment were effective deterrents, there would not be so many cases to cite.” That sentence has been quoted in more legal publications than any other line in legal tech in 2025. The courts have moved past the warning phase.

Why Are Solo and Small-Firm Litigators More Exposed Than Deloitte or Sullivan & Cromwell?

The answer is structural, not behavioral. Deloitte and Sullivan & Cromwell had written AI policies, training programs, and secondary review processes. Those safeguards failed not because the people using them were careless, but because policy-based compliance does not catch what architecture-based compliance prevents. A written policy cannot verify a citation. A training requirement cannot timestamp an attorney’s review. A secondary read cannot produce a court-ready compliance record.

Solo and small-firm litigators face the same failure mode with fewer structural resources:

• 75% of U.S. attorneys are now using AI for legal work.
• Only 25% have received formal AI ethics training.
• 44% of law firms have no formal AI governance policy at all.
• Enterprise firms like Harvey, CoCounsel, and Legora route AI inference through third-party cloud infrastructure they control — generating no jurisdiction-specific compliance record and no documented activity trail the attorney can produce in a sanctions proceeding.

The Deloitte incident is not a cautionary tale about large firms. It is a structural proof point: the tool produced a plausible-looking output, and the review process did not catch the fabrications. That failure mode is identical whether the firm has 4,000 employees or one attorney.

What differentiates the attorneys who avoided sanctions from those who did not is not diligence. It is documentation. The attorneys who survived regulatory scrutiny were the ones who could produce a timestamped, verifiable record of what their AI generated and what they personally reviewed before filing.

Deloitte’s and Sullivan & Cromwell’s failure was the same, lack of independent cross-check of every citation against a primary source database, independent of the AI tool that generated the citation. The citations looked correct. The secondary read did not catch the fabrications. The document that left the building was not verified against primary sources. And no compliance record was generated that would have required that verification before the document could be finalized.

The problem not only impacts law firms and solo litigators as demonstrated in this case, but also large enterprise accounting firms.

---

For solo and small-firm litigators, the litigation intelligence platform built for that compliance architecture is Lex Arca™ Legal Vault — a local-first private vault where the Lex Arca™ Neural Sentinel jurisdictional gate, Verification Attestation certificate, and append-only, tamper-evident activity trail generate the documented compliance record ABA Formal Opinion 512 requires, before the filing goes out.

For a deeper look at how billing documentation intersects with AI verification obligations, see the ABA Opinion 512 compliance workflow.

The Pattern: Big Four & Elite Firm AI Hallucination Failures, 2025–2026 Deloitte Australia (July 2025) — 237-page government welfare report. Fabricated academic books, invented citations, quotes attributed to federal judges who never said them. Partial refund of AUD $440,000. AI use (Azure OpenAI GPT-4o) disclosed only after errors were found. Deloitte Newfoundland & Labrador (November 2025) — Multi-million-dollar provincial health plan. False citations identified. Deloitte acknowledged references were incorrect. EY Canada (May 2026) — Loyalty-program safeguards report. GPTZero investigation found most citations hallucinated: fake footnotes, invented data, reference to a McKinsey report that does not exist. Report withdrawn. KPMG (June 2026) — Report on agentic AI in enterprise. GPTZero and the Financial Times identified fabricated citations. Report withdrawn. Sullivan & Cromwell (April 2026) — Federal bankruptcy court filing. Fabricated case citations, misquoted U.S. Bankruptcy Code. Three single-spaced pages of corrections filed. Errors caught by opposing counsel, not internal review. Three of the four largest advisory firms in the world. One of the most prestigious law firms in the United States. The same failure in every case: AI output that looked finished, moved through review, and left the building unverified.

---

From Kim’s Chair: The Questions I Would Have Asked

When I read about the Australian welfare report, I did not see a cautionary tale about AI. I saw a 237-page document go from draft to government website to public scandal without a single person in that review chain catching that a cited book did not exist — because the book looked exactly like a book that should exist. That is not a training failure. That is what happens when the verification step is assumed rather than required.

If I were the government agency that commissioned that report, here is what I would ask the firm:

1. The report disclosed AI use only after the errors were found — after it had already been published to your department’s website. At what point in the engagement were you told that a generative AI model was being used to draft the deliverable you were paying AUD $440,000 for?
2. Multiple references in the original bibliography were removed in the revised version — including at least 12 citations to a report that does not exist, attributed to a named professor at the University of Sydney. Who at the firm reviewed those references before the report left the building, and what did that review consist of?
3. A university researcher identified the fabrications within weeks of publication because he recognized that a cited book in his own field did not exist. What is the firm’s explanation for why its own internal review — with access to the same field — did not catch what he caught?
4. Sullivan & Cromwell told a federal judge its policies instruct attorneys to ‘trust nothing and verify everything.’ Deloitte described its own comprehensive protocols. If the policies existed and the errors still shipped, what is the policy actually worth to the client who received the work product?

And if I were a solo litigator reading this — here is what I would ask myself:

1. The Australian welfare agency had no way to know the citations were fabricated until an outside expert happened to read the report. If opposing counsel or a judge found a fabricated citation in my filing before I did, what would my answer be?
2. Deloitte had written policies. Sullivan & Cromwell had mandatory training modules and tracked completions. I have neither of those resources. What does my verification process actually produce that a bar investigator could inspect?
3. The errors in the Deloitte report were not caught for three months — and only because a subject matter expert recognized a fabricated title in his own field. In a legal filing, the judge and opposing counsel are the subject matter experts. How long would a fabricated citation survive in my work before someone with that expertise reviewed it?

These are not abstract questions. They are the questions that a documented verification record answers — and the exposure that exists where that record does not.

Key Takeaways

1. Deloitte was required to partially refund AUD $440,000 after delivering a government report containing AI-fabricated citations, invented books, and quotes attributed to federal judges who never said them — establishing that AI hallucination risk is not a small-firm problem and does not correlate with firm size, budget, or written AI policy.
2. Sullivan & Cromwell, a firm that advises OpenAI on AI deployment, submitted a court filing in April 2026 with fabricated case citations and misquoted Bankruptcy Code provisions, underscoring that policy-based compliance does not catch what architecture-based compliance prevents.
3. Solo and small-firm litigators face identical hallucination exposure with fewer structural safeguards — and ABA Formal Opinion 512 places the verification obligation personally on the licensed attorney, enforceable under Model Rules 1.1, 1.4, and 1.5, regardless of which tool was used or what the vendor claims.
4. Lex Arca™ Legal Vault provides a documented, verifiable AI activity trail — including a Verification Attestation certificate, append-only tamper-evident activity log, and Neural Sentinel jurisdictional gate — designed to support attorney compliance workflows under ABA Formal Opinion 512.
5. Calculate your firm’s billing leakage at https://calculator.lex-arca.com.

About the Author | Kim Xi Harris is the Founder and Platform Architect of Lex Arca™ Legal Vault, an AI-native litigation intelligence and compliance platform for solo and small-firm attorneys. She is a Cornell Women’s Entrepreneur Program graduate, SBA Women in Business Champion Award recipient, WOSB certified, and holds five Google AI certifications. Calculate your firm’s billing leakage at https://calculator.lex-arca.com — or reach us at legalvault@lex-arca.com.