A study from the University of Texas at Austin and Microsoft, summarized by Help Net Security on April 29, observed 15 academic researchers using commercial AI tools — Research Rabbit, Elicit AI, ChatGPT — for literature review, synthesis, and ideation. The researchers were filmed thinking aloud while they worked, and the resulting transcripts document the workarounds they built around two unresolved problems: prompt confidentiality (sending unpublished work into tools whose data handling is opaque) and output verification (proving where a generated citation actually came from). The sample is small, but the patterns map directly onto the same problems enterprise security teams are now managing with employee use of commercial LLMs.
The two named failure modes are useful vocabulary. Attribution displacement happens when an LLM ties accurate information to the wrong source — the fact is real, the citation is misassigned. Synthetic blending happens when an LLM integrates fabricated claims alongside legitimate citations in a single output, making verification slow and error-prone. One participant described challenging ChatGPT about a non-existent citation; the model apologized and produced more fabricated references. Seven of the fifteen participants treated hallucinations not as discrete factual errors but as transparency failures — the model gives no signal about which parts of the output are grounded and which are interpolated. On confidentiality, two participants directly raised concerns about training-set reuse and storage opacity ("not knowing how much of my personal data is being stored, where, and who has access to it"); the underlying behavior — pasting unpublished research questions, draft hypotheses, and proprietary domain knowledge into commercial AI tools — was widespread across the sample regardless of stated concern.
This is a recognizable pattern. Researchers, like enterprise employees, paste sensitive content into commercial AI tools because the tools are useful and the friction of self-hosting an alternative is high. The study describes this as "an institutional answerability problem" — there is no visible forum through which AI vendors can be held responsible for collected, stored, or repurposed inputs. The same gap exists at companies, where staff routinely paste internal documents, code, and strategic plans into commercial LLMs with no enforced data-handling guarantees. The two named failure modes — attribution displacement and synthetic blending — also generalize beyond academic research. Any system that produces citations or source-attributed claims will produce both; any verification pipeline that does not detect both will let some through.
For builders, three concrete things. First, if your product produces source-attributed claims (RAG outputs, summarized search results, AI-written reports), bake checks for both failure modes. Attribution displacement is detectable by re-querying the cited source and verifying the specific claim is supported there; synthetic blending is detectable by matching every cited reference against an authoritative database before serving output. Most production RAG systems check the first and skip the second. Second, the prompt-confidentiality angle is going to drive enterprise procurement. If you sell AI tooling to enterprises, "your prompts are not used for training" needs to be a contract clause backed by audit, not a marketing line. The UT Austin study formalizes the concerns buyers will start using to push back. Third, "transparency failure" is the right framing for hallucination management. Users do not just want lower hallucination rates — they want the system to flag which outputs are grounded and which are interpolated. That kind of provenance UI is missing from almost every consumer AI product, and it is the next round of differentiation.