
Auditable AI: What a UK Tax Tribunal Case Tells Us About AI Hallucination Risk in Legal Work

March 9, 2026


NeuroVecta Team

In 2023, a UK First-tier Tax Tribunal judge noted something alarming in Harber v HMRC [2023] UKFTT 1007 (TC). A party's representative had submitted references to case law that did not exist. They had been generated by an AI tool and submitted without any verification process. The tribunal struck out the references. No citations that held up. No record of what the AI had actually retrieved. No defence.

This is not a warning about the future. It already happened, in a UK tribunal, in 2023. And it illustrates why regulated teams need more than AI that produces a source link. They need to see exactly where in a document the claim comes from, and they need the system to explain why that passage was selected. This post explains those gaps and how citation-first RAG closes them, and includes a real HMRC document and question you can use to see the difference for yourself.

Watch the audit view walkthrough: ask a question, see the cited HMRC passage highlighted, read the citation explanation, export the trail.

What happened in Harber v HMRC, and why it is not an edge case

The representative in Harber v HMRC did not set out to mislead. They used an AI tool, received an answer that appeared well-reasoned and legally grounded, and submitted it. The problem was structural: the tool produced citations to tribunal decisions that did not exist (hallucinated references that looked real) and there was no workflow in place to catch it before filing. Because the cases did not exist, there were no real source links to check. The judge's concern was not that AI had been used; it was that nothing had been verified and nothing had been recorded.

The SRA's 2023 AI guidance is explicit: "You are responsible for checking the accuracy of work produced with AI assistance." But checking is only half the obligation. The other half is demonstrating that you checked, and that is where most AI tools fall short for regulated professionals. A chat interface that produces a source link creates the appearance of verification without the substance of it.

A link to a page is not the same as showing you the passage

ChatGPT and similar tools have improved significantly: when browsing is enabled, they can link to web pages as sources. That is genuinely useful for general research. But for regulated work, a page link leaves three gaps that matter.

First, your most sensitive documents are not on the public web. Contracts, data room materials, internal policies, client correspondence, and tribunal bundles cannot be retrieved by a tool drawing on training data or web search. When the source is private, there is no link to give.

Second, even for publicly available documents such as HMRC manuals or FCA guidance, a link to the page still requires the reviewer to locate the relevant sentence themselves. A 40-page HMRC manual section is not a verification step; it is another search problem.

Third, and most important for compliance purposes, there is no explanation of why that passage was selected. A source link tells you where the AI looked. It does not explain what in that text justified the specific claim in the answer, or whether the retrieved passage actually supports the conclusion rather than merely appearing nearby. That reasoning is exactly what a reviewer needs to sign off, and what an auditor needs to reconstruct the chain of thinking.

What the citation explanation panel adds

NeuroVecta's citation explanation panel addresses all three gaps. For every claim in an answer, the system shows the exact passage retrieved from your document corpus, highlighted in the original document in the side-by-side viewer. Alongside that, the citation explanation panel sets out why the system selected that passage: what in the text connects to the specific question asked, and how it supports the claim made in the answer.

This changes what verification actually looks like. Instead of a reviewer opening a linked page and reading the whole section to decide whether the citation holds, they read the highlighted passage and the rationale together. If the rationale is sound and the passage supports the claim, they sign off. If it does not, they can see precisely where the reasoning broke down. That is a workflow a compliance officer can defend. A page link is not.

What "citation-first" means in RAG, and how it changes the Harber outcome

Citation-first RAG means traceability is built into the system from the start. Every claim in the generated answer is tied to a specific retrieved passage from your ingested document corpus. That passage is mapped back to the source document and, where possible, to exact page and span. The AI does not draw on training data memory. It retrieves from your documents. If a document is not in the corpus, the system cannot fabricate a reference to it; it tells you the source was not found.

In the Harber scenario, a citation-first system that had ingested actual HMRC guidance and real tribunal decisions would have retrieved only real passages from real documents. A reviewer clicking any citation would have seen the original HMRC manual section or tribunal judgment alongside the answer, with the relevant text highlighted and a rationale explaining why it was used. There would have been no hallucinated case name to submit, because a case that does not exist has no matching document in the corpus to retrieve from.
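The check that makes this property enforceable, rather than assumed, is a fail-closed citation verifier that runs before an answer is released. The sketch below is an added example, not NeuroVecta's code: the corpus layout, the `Citation` fields, the status names and the sample text are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample corpus (not real HMRC text): doc_id -> page -> page text.
CORPUS = {
    "sample-guidance-doc": {
        1: "A penalty may be reduced where the taxpayer has a reasonable excuse.",
        2: "The burden of showing a reasonable excuse rests with the taxpayer.",
    }
}

@dataclass(frozen=True)
class Citation:
    doc_id: str
    page: int
    start: int   # character offset into the page text
    end: int
    quote: str   # passage text the answer claims to rely on

def verify_citation(c, corpus=CORPUS):
    """Return (status, audit_record). Only 'verified' citations may be shown."""
    pages = corpus.get(c.doc_id)
    if pages is None:
        return "source_not_found", None      # fabricated or un-ingested source
    text = pages.get(c.page)
    if text is None or not (0 <= c.start < c.end <= len(text)):
        return "span_out_of_range", None
    if text[c.start:c.end] != c.quote:
        return "quote_mismatch", None        # quoted text is not what the document says
    record = {
        "doc_id": c.doc_id, "page": c.page, "span": (c.start, c.end),
        # The hash lets an auditor later confirm the passage has not changed.
        "passage_sha256": hashlib.sha256(c.quote.encode("utf-8")).hexdigest(),
    }
    return "verified", record

def check_answer(claims, corpus=CORPUS):
    """claims: list of (claim_text, Citation or None). Fail closed on any gap."""
    results = []
    for claim, cit in claims:
        status, record = ("uncited", None) if cit is None else verify_citation(cit, corpus)
        results.append({"claim": claim, "status": status, "audit": record})
    # An empty answer or any unverified claim blocks release.
    releasable = bool(results) and all(r["status"] == "verified" for r in results)
    return releasable, results
```

This only proves the cited text exists where the citation says it does; whether the passage actually supports the claim is still the reviewer's judgment.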

Design patterns for regulated retrieval

Regulated environments need more than good citations; they need controlled access, retention, and where required, redaction. Design patterns that matter include: metadata partitions covering matter IDs, matter types, and confidentiality levels so retrieval and access respect boundaries; access controls at document or folder level; retention policies aligned with your compliance calendar; and redaction handling so sensitive spans are never surfaced in answers or logs. A compliance-first vector database should support these patterns so your RAG workflow stays within policy.

  • Metadata partitions: matter, matter type, confidentiality, and jurisdiction
  • Document- and folder-level access controls assignable from the Admin Dashboard
  • Retention and deletion policies for vectors and logs
  • Redaction handling so sensitive text is never returned or logged
  • Secure vector search over private cloud infrastructure
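How the partition, access-control and redaction patterns fit together at query time is shown in the sketch below. It is an added example, not NeuroVecta's implementation: the confidentiality scale, the `Chunk` and `User` fields, the redaction pattern (a UK National Insurance number shape) and the sample candidates are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}  # assumed scale

@dataclass(frozen=True)
class Chunk:
    doc_id: str
    matter_id: str
    confidentiality: str
    text: str
    score: float   # similarity score from the vector search (constructed here)

@dataclass(frozen=True)
class User:
    name: str
    matters: frozenset
    clearance: str

NINO = re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b")   # hypothetical redaction rule

# Constructed candidates, as an unfiltered vector search might return them.
CANDIDATES = [
    Chunk("doc-a", "M-001", "internal", "Client NI number QQ123456C is in the schedule.", 0.91),
    Chunk("doc-b", "M-002", "internal", "Text from an unrelated matter.", 0.99),
    Chunk("doc-c", "M-001", "restricted", "Board minutes.", 0.95),
    Chunk("doc-d", "M-001", "public", "Published guidance extract.", 0.80),
    Chunk("doc-e", "M-001", "unlabelled", "Chunk ingested without a valid label.", 0.97),
]

def authorised(user, chunk):
    level = LEVELS.get(chunk.confidentiality)
    if level is None:                      # unknown label: deny (fail closed)
        return False
    return chunk.matter_id in user.matters and level <= LEVELS[user.clearance]

def retrieve(user, candidates, k=3):
    # Filter before ranking, so denied chunks never occupy a top-k slot
    # and never reach the prompt, the answer or the log.
    allowed = [c for c in candidates if authorised(user, c)]
    top = sorted(allowed, key=lambda c: c.score, reverse=True)[:k]
    results = [(c.doc_id, NINO.sub("[REDACTED]", c.text)) for c in top]
    # The log records identifiers and counts only, never passage text.
    log_entry = {"user": user.name, "returned": [d for d, _ in results],
                 "denied_count": len(candidates) - len(allowed)}
    return results, log_entry
```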

How to evaluate citation quality: a simple scorecard

A simple scorecard helps you evaluate any RAG tool for regulated use. Four dimensions matter. Coverage: whether every material claim has a citation to a specific passage, not just a source page. Correctness: whether the cited passage actually supports the claim and is not just adjacent text. Reproducibility: whether the same question yields the same cited passages. Reviewer workflow: whether reviewers can read a citation rationale, sign off, and export an audit trail. A tool that only links to pages fails on coverage, correctness, and reviewer workflow at once.

  • Coverage: every claim linked to a specific retrieved passage, not just a source URL
  • Correctness: cited passage genuinely supports the claim, with an explanation of why
  • Reproducibility: same query and corpus produce consistent cited passages
  • Reviewer workflow: passage highlighted in viewer, rationale shown, sign-off and export available

Three regulated scenarios where this changes the outcome

In legal research and tribunal preparation, teams can query HMRC manuals, statute, and case law in their private corpus and get answers with passage-level citations and rationales, removing the risk of a Harber-style fabricated reference. In due diligence, data room contracts and filings become queryable with every answer traceable to the exact clause, page, and a rationale explaining why that clause is relevant, before a report is drafted. For regulatory change tracking, new HMRC guidance, FCA rules, or statutory instruments can be ingested and queried so compliance teams can show exactly which passage in which document a requirement originates from: not a paraphrase drawn from training data, but the actual text with the reasoning shown.

Who this is for

  • Tax and legal professionals who need to demonstrate not just that they used a source, but that the source supports the specific claim
  • Heads of Compliance and Legal Operations building defensible AI workflows
  • General Counsel and risk leaders evaluating auditable AI tools for regulated teams
  • Any professional who must be able to show a tribunal, a regulator, or a client exactly why an AI answer is supported by the underlying document

If you need answers that show their reasoning, not just a link to a page, NeuroVecta's citation-first RAG with passage highlighting and citation explanation is built for you. Book a demo to see your documents become verifiable, auditable answers.



Copyright © NeuroVecta 2026