
Responsible AI in the Enterprise: Advice is easy but accountability needs to be hard

Hamish Tedeschi, 8 min read

Artificial intelligence is reshaping consulting and delivery at pace. As the founder of Mechanical Rock, I have been in technology for over 25 years, and it is the biggest disruption I have ever experienced. Over this time, the Big 4 consulting firms have positioned themselves as trusted guides for enterprise AI adoption, advising governments and corporations on strategy, risk, and transformation. The irony is difficult to ignore: some of the most instructive case studies we can use for AI governance come not from clients who got it wrong, but from the advisors themselves.

We should be transparent: Mechanical Rock sells AI services too. We have skin in this game, which is precisely why we think these discussions matter. The firms that get governance right will be the ones still standing when clients get more discerning about what they're actually buying.

These are not abstract cautionary tales. They involve public money, undisclosed AI use, and cultural dynamics that should prompt any executive to ask harder questions before placing blind faith in an AI recommendation - regardless of the firm’s brand.

The Stakes: Why this matters beyond the firms themselves

Consulting firms do not just advise; they shape policy, influence procurement, and embed their tools and people deep within client organisations. When AI governance falls short at that level, the consequences extend far beyond their own balance sheets. Public sector clients spend taxpayer money on the assumption that the disclosed risks are the real ones and that undisclosed practices, such as the use of AI, are not happening. And the broader enterprise AI ecosystem has a credibility problem it cannot afford to make worse.

This matters to us directly. As a consultancy that also delivers AI services with the same fundamental obligations to our clients, we think the stakes here for organisations working with AI need to be raised.

When things go wrong: Real cases, real consequences

Undisclosed AI-generated work

In October 2025, The Guardian reported that Deloitte agreed to repay money to the Australian federal government after it emerged that a $440,000 consulting report had been substantially generated using AI - without disclosing this to the client. The Albanese government, which had paid for what it reasonably assumed was expert human analysis, instead received AI-generated content without being told that was the case.

This is not a story about AI going wrong in a technical sense; it is a story about opacity: a firm using AI to reduce its own delivery costs while billing at full human-expertise rates, without informed client consent.

The implications for any organisation procuring consulting services are significant: how much of what you are paying for is genuinely expert analysis, and how much is polished AI output? Without mandatory disclosure requirements, clients have no reliable way to know. Whether the gap here reflects a deliberate strategy or simply the absence of policy, the client's interests need to come first, and that requires full disclosure.

The threat of concealment culture

Responsible deployment of any powerful technology depends on psychological safety: the ability of individuals within an organisation to raise concerns without fear of retaliation. A firm that suppresses whistleblowers in its core business will suppress AI risk signals just as readily. Governance frameworks mean nothing if the culture punishes the people meant to activate them.

In 2019, The Australian Financial Review reported that whistleblower allegations against KPMG Australia had sparked a parliamentary probe. This is worth revisiting here because it demonstrates the kind of institutional culture that makes responsible AI deployment structurally impossible. The broader pattern in professional services is familiar: when allegations surface, the institutional brand does the work that accountability should.

The DevOps Answer: Engineering responsibility into delivery

The failures above are not primarily technology failures. They are governance and culture failures - which DevOps, properly applied, addresses. DevOps is often mischaracterised as a set of technical practices for faster software delivery. It is more than that. At its core, DevOps is a culture of shared ownership, continuous feedback, and systemic accountability - principles that map directly onto the challenges of responsible AI.

1. Shift left on ethics and risk

In DevOps, "shifting left" means moving testing earlier in the process, catching defects when they are cheap to fix, not after they have reached production and affected users and potentially damaged brands. The same discipline must apply to AI governance. Bias assessments, data privacy reviews, explainability standards, and disclosure obligations must be embedded at the design stage, not bolted on as a post-delivery sign-off.

The AI disclosure failure described above was not a deployment problem; it was a design problem. A shift-left governance model would have required explicit client consent and disclosure protocols before AI tooling was ever introduced into a billable engagement. It might also have pushed the contract towards outcome-based pricing rather than time and materials, if it was not structured that way already.

2. Continuous monitoring: You cannot govern what you do not measure

DevOps encourages continuous monitoring of systems in production, not because you distrust deployments, but because systems degrade, environments change, and assumptions prove wrong. AI models are no different: they drift, they amplify biases over time, and their outputs need ongoing scrutiny.

For consulting firms and their clients alike, this means AI outputs must be systematically audited, not spot-checked when something goes wrong. Automated pipelines that flag anomalies in model behaviour, data quality, and output consistency should be standard practice, not aspirational.
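As an added example (not code from the original post or from Mechanical Rock), here is one way an audit pipeline could flag the "model behaviour" signal described above: it compares the share of each output category the model produces in production against a recorded baseline using the population stability index (PSI) and raises a warn or alert status at the commonly used 0.1 and 0.25 thresholds. The label sets, category names and thresholds are constructed for illustration; a real pipeline would read the baseline from a stored snapshot and the current window from production logs.

```python
import math
from collections import Counter

# Constructed sample data: the decision label a hypothetical model emitted for
# each case. BASELINE is the distribution recorded at sign-off; the two
# PRODUCTION_* sets stand in for later monitoring windows.
BASELINE = ["approve"] * 70 + ["review"] * 25 + ["reject"] * 5
PRODUCTION_OK = ["approve"] * 68 + ["review"] * 27 + ["reject"] * 5
PRODUCTION_DRIFTED = ["approve"] * 40 + ["review"] * 30 + ["reject"] * 30

# Illustrative thresholds; PSI < 0.1 is usually treated as stable,
# 0.1-0.25 as worth investigating, and >= 0.25 as a material shift.
WARN_THRESHOLD = 0.1
ALERT_THRESHOLD = 0.25


def distribution(labels, categories, eps=1e-6):
    """Return the share of each category, floored at eps so log() never sees 0."""
    counts = Counter(labels)
    n = len(labels)
    if n == 0:
        raise ValueError("cannot compute a distribution over zero outputs")
    return {c: max(counts.get(c, 0) / n, eps) for c in categories}


def psi(baseline, current):
    """Population stability index between two label samples.

    PSI = sum over categories of (cur - base) * ln(cur / base).
    Categories present in only one sample are still included, so a model that
    starts emitting a label it never produced at baseline is flagged too.
    """
    categories = sorted(set(baseline) | set(current))
    b = distribution(baseline, categories)
    c = distribution(current, categories)
    return sum((c[k] - b[k]) * math.log(c[k] / b[k]) for k in categories)


def check_drift(baseline, current, warn=WARN_THRESHOLD, alert=ALERT_THRESHOLD):
    """Classify a monitoring window as ok / warn / alert and report per-category shares."""
    value = psi(baseline, current)
    if value >= alert:
        status = "alert"
    elif value >= warn:
        status = "warn"
    else:
        status = "ok"
    categories = sorted(set(baseline) | set(current))
    return {
        "psi": round(value, 4),
        "status": status,
        "baseline_shares": {k: round(v, 3) for k, v in distribution(baseline, categories).items()},
        "current_shares": {k: round(v, 3) for k, v in distribution(current, categories).items()},
    }


if __name__ == "__main__":
    for name, window in (("stable window", PRODUCTION_OK), ("drifted window", PRODUCTION_DRIFTED)):
        result = check_drift(BASELINE, window)
        print(f"{name}: psi={result['psi']} status={result['status']}")
```

The stable window stays well under the warn threshold, while the drifted window (reject rate jumping from 5% to 30%) scores above 0.25 and would be escalated. In a delivery pipeline this check would run on a schedule against each model in production, with the alert wired into the same escalation path the governance policy defines for AI risk concerns.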

3. Blameless post-mortems and genuine psychological safety

One of the most powerful cultural contributions of DevOps is the blameless post-mortem: a structured mechanism for learning from failure that deliberately removes individual blame in order to surface systemic causes. This only works when psychological safety is genuine, not performative. In fact, we ran one at Mechanical Rock last week and came out with a constructive action plan.

Organisations that have historically suppressed concerns represent the precise opposite of this culture. When individuals who raise concerns are silenced or marginalised, organisations lose their most valuable early-warning system. No AI governance framework survives contact with a culture that punishes dissent.

4. Cross-functional ownership: No more siloed sign-off

Traditional delivery models separate development, risk, compliance, and legal into sequential gates. DevOps dismantled that model in software: responsibility became distributed, continuous, and embedded in the team that built the software, rather than delegated to a separate "Ops" function at the end of the process.

AI governance demands the same integration. Legal, risk, data privacy, and domain experts must be part of the delivery team from day one, not reviewers parachuted in at the point of client delivery. In a consulting context, this means an AI engagement that lacks embedded governance expertise is, by definition, incomplete.

5. Minimum viable governance: move fast, but not recklessly

DevOps teaches iterative delivery: start with what is essential, ship it, learn, and improve. The same logic applies to AI policy. Organisations should define a Minimum Viable Governance (MVG) standard: the non-negotiable controls that must be in place before any AI tool is deployed against client data or billable outputs.

For professional services, MVG should include at minimum: client disclosure of AI use, human review of AI-generated deliverables, data residency and confidentiality controls, and a clear escalation path for AI risk concerns. Everything else can be iterated. These cannot.

What should executives be asking around responsible AI use?

Large consulting firms will continue to sell AI transformation services. That is not, in itself, the problem. The problem is the gap between what they sell and what gets practised. Executives procuring these services, or building internal AI capability, should hold their advisors to the same standards they are being asked to implement:

What you need to see, and why it matters:

Mandatory AI disclosure: Do you know when AI is being used in work you are paying for? And does this matter to your organisation?

Auditable outputs: AI-generated deliverables must be traceable and reviewable. What tooling are the organisations you work with using for this? Stay tuned for a mechanism that we have helped develop for industry, which should help with this.

Embedded governance: Risk and compliance must be in the team, not a final gate.

Continuous monitoring: Production AI systems require ongoing oversight, not one-time sign-off.

Whistleblower protections: Governance only works if people can safely raise concerns.

Iterative policy: Governance frameworks should evolve through regular review cycles.

Conclusion

AI scales opacity, automates bias, and can be deployed in ways that are genuinely invisible to clients. The firms best positioned to navigate this responsibly are therefore not those with the largest AI practices or the most polished frameworks, but the ones that have done the harder work of building cultures where accountability is structural, not reputational. DevOps offers a proven model for exactly that, and for more than a decade we've seen it work.

We hold Mechanical Rock to that standard. If you are considering working with us on your AI journey, ask us the same questions above. Let’s chat.