As I’ve shared before, I’m grateful for what AI makes possible. But I’m also noticing something important happening in business: new patterns are forming around governance, trust, and accountability.
In the last eight months, two of the Big Four professional services firms have publicly stumbled, in different ways, at the kind of governance they are paid to provide to others.
In October 2025, Deloitte Australia agreed to a partial refund of an A$440,000 federal government contract after a 237-page welfare compliance report it produced was found to contain fabricated court quotes, non-existent academic citations, and footnotes pointing to papers that did not exist. The report had been generated using Azure OpenAI GPT-4o. Nobody at Deloitte caught it. The errors were found by an outside academic at the University of Sydney.
In the past few days, KPMG Australia’s CEO Andrew Yates resigned with immediate effect, more than a year before his term was due to expire, after the firm acknowledged its handling of whistleblower allegations about misuse of client information had been inadequate. The national managing partner of audit and assurance, Julian McPherson, also stepped down and will leave the firm after a transition period.
Both events have produced commentary. Most of it has been about provenance.
How do we know which AI tools touched which documents? How do we prove what was generated and what was written? Can we trace the lineage of an input through to a final decision?
These are useful questions. They are not the right ones.
Provenance is necessary. It is not sufficient.
Provenance asks: where did this come from? It is a question about inputs. It treats AI as contaminated material that needs to be traced and labelled.
But Deloitte didn’t have a provenance problem. Deloitte had a judgment problem. The AI-generated citations were perfectly traceable. The Deloitte team produced them, knew they came from a language model, and submitted them to government anyway. The provenance was clear. The thinking was absent.
KPMG’s situation is different in subject matter (client information rather than AI hallucinations), but identical in structure. The fact pattern is not that systems failed to record what happened. The fact pattern is that humans, equipped with all the records they needed, failed to engage with them.
This is the lesson every board, every CEO, every founder personally on the hook for company decisions needs to absorb.
The point is not whether you can show that AI was used. The point is whether you can show that someone with authority thought about what AI produced, before signing it.
The bad habits quietly creeping in
There is a particular set of AI behaviours moving into boardrooms, executive teams, and founder operations, and almost no one is naming them.
Summary substitution. A director receives a 200-page board pack. The director uploads it to ChatGPT and asks for a summary. The director reads the summary. The director votes. Section 137 of the Companies Act 1993 requires directors to exercise “the care, diligence, and skill that a reasonable director would exercise in the same circumstances.” A reasonable director, in 2026, would not vote on the strength of a five-paragraph machine summary. Many do.
Consensus capture. A CEO has an idea. The CEO asks an AI whether the idea is good. The AI, trained to be agreeable, says yes. The CEO walks into the management meeting with “I’ve thought about this and I’m confident.” What the CEO has actually done is mistaken the absence of pushback for the presence of validation.
Disclosure as defence. A management paper states “AI was used in the preparation of this analysis.” The disclosure is offered as a kind of inoculation. The implication is: now you know, so the responsibility transfers to you. But disclosure is not engagement. The legal question is not whether you were told AI was used. The legal question is what you did about it.
Policy theatre. Many boards now have an AI policy. The policy lives on a shared drive. Nobody can describe its operative provisions from memory. The policy has never been referenced in a board decision. The policy exists. The policy is also useless.
The Provenance Reflex
All four habits share the same shape. We have started calling it the Provenance Reflex.
The Reflex is the unconsidered assumption that knowing where information came from is the same as having engaged with what it says. It is the substitution of traceability for thought. Once it sets in, decisions get faster, paperwork looks tidier, and disclosures multiply. Engagement quietly disappears.
What makes the Reflex dangerous is that it does not look like a failure. It looks like good governance. The AI use is logged. The disclosure is on the paper. The policy is filed. Everything is in order. Nothing has been thought about.
This is the kind of pattern that Pattern Intelligence is built to surface. The work begins by detecting reflexes like this before they calcify into how an organisation makes its decisions. Once the Provenance Reflex is set, it is significantly harder to interrupt than it is to prevent.
The legal frame, briefly
Some readers will be impatient with the legal framing. The argument is sometimes met with: “we’re not lawyers, we just want to know what to do.” Fair enough. But the law tells you what regulators will eventually do, and what plaintiffs will eventually argue.
Section 137 of the Companies Act 1993 imposes a duty of care on directors. Section 138 provides a partial safe harbour for reliance on information provided by management, but only if the reliance is reasonable. The reliance defence requires that the director assessed the information, identified the source, and formed their own judgment.
In Australia, the equivalent provisions are sections 180 and 189 of the Corporations Act 2001. The structure is identical.
There is no serious argument that ‘the AI recommended it’ will satisfy the duty under these provisions. The duty to exercise judgment is personal. It does not pass to a model.
This is the substantive change. Boards cannot delegate the duty to a vendor. Founders cannot delegate the duty to an AI tool. CEOs cannot wave a policy at it and call it done.
If you cannot demonstrate that a human director, acting personally, engaged with the AI inputs before deciding, the reliance defence falls away.
Founders and CEOs are exposed differently
This lands differently depending on which seat you sit in.
For founders, usually executive directors, the reliance defence under section 138 is almost unavailable. You cannot reasonably rely on information you yourself prepared. The AI inputs that shape your founder-led decisions are inputs you curated. If something goes wrong, “I trusted the AI” is not a defence; it is an admission that you didn’t do the work.
For CEOs, the exposure sits at the management-to-board interface. Your teams generated the AI-derived analysis the board now relies on. If management cannot demonstrate that AI use was disclosed, verified, and bounded, the CEO carries the operational liability. If the board cannot demonstrate it engaged with the disclosed AI use, the directors carry the governance liability. The two are linked, and they fall back on each other.
For independent directors, the question is sharper still. The whole basis on which a non-executive director claims protection is that they applied their own mind to the matters before them. When the matters before them are increasingly AI-shaped, the application of mind becomes harder to evidence, and easier to assume happened when it didn’t.
The question almost no board can answer
So here is the question that we have not yet seen any board answer cleanly.
If a regulator wrote to you tomorrow and asked you to produce evidence (not minutes, not policies, evidence) that each director on your board engaged independently with the AI-derived inputs to your last three material decisions, what would you submit?
Most boards would submit their minutes. Minutes record outcomes, not reasoning. They show who voted, not who thought.
Some would submit the AI-use disclosure attached to the management paper. That shows what AI was used. It does not show what the directors did about it.
The most forward-thinking would submit their AI governance policy. The regulator would read the policy, then look for evidence the policy was followed in any specific decision. There would be none.
The honest answer, for almost every board in New Zealand and Australia today, is: nothing. There is no record that proves the directors thought independently, considered the AI inputs, applied judgment, or did anything beyond raise a hand at the vote.
That is the gap.
That is what Deloitte and KPMG have just shown us, in different shapes. Not that the inputs were untraceable. That the thinking was undocumented because it didn’t substantively happen.
What we built
We built Attune to close this gap. Pattern Intelligence is how we detect the reflexes that turn into governance failures. Yoke is the infrastructure that captures the engagement those reflexes would otherwise replace.
Yoke exists because no current system (not board portals, not AI provenance tools, not enterprise AI governance platforms, not Big Four policy templates) produces the artefact regulators will increasingly demand. The artefact is a decision-by-decision record showing what AI was used, what it produced, how directors engaged with it, and what they decided after engaging. Not summaries. Not policies. Engagement.
We are also small and new. We are working with our first boards now, and we are opening the Founding Boards Yoke Programme for those who want to be among the early cohort of New Zealand and Australian boards able to demonstrate, decision by decision, that the thinking happened.
Sit with the question
If you sit on a board, if you found a company, if you carry a CEO title, ask yourself this. Honestly. Once.
If the question came tomorrow, what would you submit as evidence that your directors thought?
Most readers will not have a clean answer. That is the conversation happening underneath the louder one about provenance, governance frameworks, and AI policies. Provenance answers a question about the past. The duty under section 137 asks a question about now.
The firms that work this out in 2026 will own the next decade of governance practice. The firms that do not will find out, in the manner of Deloitte and KPMG, what undocumented thinking is worth.
The hardest part is not building the record. The hardest part is being honest about whether there is one to begin with.