Deloitte AI contract issues 'wake-up call' for Canadian employers on vendor oversight, says academic offering tips for HR on vendor processes
The federal government is under scrutiny for awarding Deloitte Inc. a contract worth up to $1.1 million to help Employment and Social Development Canada define a “streamlined and reusable process for developing and deploying AI/Innovation solutions.”
Deloitte has been in international headlines twice in recent months over reports containing citation errors that were reportedly LLM-generated – in Australia in October 2025, and last month in Newfoundland and Labrador.
Ebrahim Bagheri, professor of information and responsible AI at the University of Toronto, says employers need to start from a realistic premise about vendor practices: “There should be an assumption for anyone who's entering into any contractual agreement that Gen AI will be one way or the other used in the process. So that should be their baseline understanding.”
Bagheri notes that even when organizations try to restrict AI internally, enforcement is difficult – so for buyers of consulting and technology services, that logic applies on the vendor side as well: employer clients have little visibility into whether individual consultants or analysts are quietly using large language models (LLMs) to draft sections of reports or generate citations.
In light of the current Deloitte controversy, Bagheri cautions against assuming senior leadership knowingly sanctions the use of generative AI that can lead to false citations or other mistakes.
“I don't think that the company as a whole knew that one of the people in the project, or a few people in the project, were actually going to use Gen AI or the LLMs to produce some portion of that report,” Bagheri says.
“And I don't think realistically that the company actually knew that those citations were hallucinated.”
Setting ‘permissible procedures’ for AI in vendor contracts
Rather than banning AI use by vendors, which he says is unrealistic, Bagheri argues that employers should insist on clear rules for how vendors can and cannot use generative AI in their work. They should also ensure these rules make it into contract language, he says.
“The first, most important part is that they should define a permissible procedure for use of Gen AI. Contracts should outline what is it that's permissible,” he says, explaining that for employers that means spelling out not just whether AI can be used, but under what conditions and by whom, as well as how that process will be checked.
“That would then give them the possibility to pursue remedies if Gen AI is used outside of the premise of the permissible procedure,” he adds.
“That would include who is permitted to use AI-assisted outputs or integrate them, how is information or content generated with LLMs … how often they are reviewed, who is made aware of the content that's being generated, and to what extent GenAI content is allowed and in what circumstances.”
Demanding audit trails, not just polished final reports
In November, it was reported that Newfoundland and Labrador paid Deloitte $1.6-million for a “Health Human Resources Plan” that included four citations to sources that didn’t exist.
In October 2025, Deloitte faced similar public scrutiny for a report it submitted to the Australian government containing “fabricated quotes and non-existent academic research”.
Deloitte issued the Australian government a partial refund of US$290,000, according to a report by The Independent.
In response to the risks of hidden AI use, Bagheri says employers should change what they expect to receive from vendors; by including “permissible procedure” clauses in contracts, vendors can be prompted to reveal how they use AI.
“Anything that's produced as a deliverable within a contract should have ‘audit trails’ of the production of the content,” Bagheri says.
“So as opposed to delivering a single final deliverable, contracts should now enforce trails of content production.”
For HR and procurement teams, that means negotiating access to earlier versions, drafts and internal review records, not simply a finished slide deck or report.
Bagheri frames this as a transparency requirement that supports accountability.
“If I'm to receive a deliverable, I don't want to see the final product. I want to see the iterations or the versions, I want to have access to those iterations so I can see how the report or the final deliverable was produced,” he explains.
“This would give accountability. It can allow people to go back and see how the content was generated, in what sequence it was generated, [how] the operations actually happened.”
More sign-off and employee engagement with AI vendors
This kind of audit trail becomes more important as generative AI makes it technically easy to create long, convincing documents at speed, Bagheri elaborates. Without visibility into how work is produced and reviewed, employer clients are left to discover problems after the work has been received and even deployed.
For this reason, Bagheri says that sign-off processes should also change: “To see how different levels of sign-off was obtained … have iterations of sign-offs on deliverables, on different versions.”
Bagheri also recommends that employer representatives engage with vendor work as it develops, instead of waiting for a finished product. This means representatives from the organization should be embedded in the vendor’s process, and on-hand for decision making or oversight.
“You want the authorities who are giving their signature on the final deliverable to actually be engaged with the content,” he says.
“The people from the receiving organization should actually be a part of the process of the consultation and this consulting process, so they actually see the process, they know people are actually actively thinking about this.”
For employers, this involves designating internal subject-matter experts to attend working sessions, review interim drafts and question assumptions. Bagheri notes that this approach has a second benefit beyond verification: “It's also helpful for actually developing in house expertise along the line.”
Bagheri contrasts the pre-AI consulting model with what is now possible using LLMs, explaining that organizations that contract for and enact more control in consulting processes are not over-reaching; they are only making up for a new deficit in “intellectual engagement.”
“People have had a peace of mind, that when a report is delivered by a consulting company, there's been a whole bunch of people who've worked on it, but now you can generate a 200-page document with a click of a button and two prompts with an LLM,” he says.
“A 200-page report no longer represents intellectual engagement with the subject. So anyone who's seeking a consulting engagement should actually integrate themselves within the process.”