Does the CPMI-IOSCO 2016 Cyber Guidance explicitly cite or formally align with the NIST Cybersecurity Framework?
The model converted a structural resemblance into an explicit attribution. The five-category architecture of the 2016 guidance maps loosely onto the NIST CSF functions, and that parallel is well-known in the cyber-resilience practitioner community — but the model stated that the guidance explicitly references the NIST framework, which has not been confirmed by the text. The other frameworks named (ISF, COBIT, ISO/IEC 27001) may or may not appear in the document; listing them alongside the unconfirmed NIST claim compounds the risk that a reader accepts the full set without verification. - Regulator portal (if any cited link is dud): https://www.bis.org
This finding implicates the model's tendency to convert structural similarity into an explicit citation claim — a specific failure mode that is likely to recur on any regulatory document whose architecture mirrors a widely known framework. For labs building compliance or legal-research products, this pattern represents a systematic false-positive risk: the model will tell users that a regulation explicitly cites a framework when the evidence is structural resemblance only. Evals targeting explicit-citation claims, with ground-truth derived from the document text, would surface this class of error systematically.
Does the CPMI-IOSCO 2016 Cyber Guidance explicitly cite or formally align with the NIST Cybersecurity Framework?
The model converted a structural resemblance into an explicit attribution. The five-category architecture of the 2016 guidance maps loosely onto the NIST CSF functions, and that parallel is well-known in the cyber-resilience practitioner community — but the model stated that the guidance explicitly references the NIST framework, which has not been confirmed by the text. The other frameworks named (ISF, COBIT, ISO/IEC 27001) may or may not appear in the document; listing them alongside the unconfirmed NIST claim compounds the risk that a reader accepts the full set without verification. - Regulator portal (if any cited link is dud): https://www.bis.org
This finding implicates the model's tendency to convert structural similarity into an explicit citation claim — a specific failure mode that is likely to recur on any regulatory document whose architecture mirrors a widely known framework. For labs building compliance or legal-research products, this pattern represents a systematic false-positive risk: the model will tell users that a regulation explicitly cites a framework when the evidence is structural resemblance only. Evals targeting explicit-citation claims, with ground-truth derived from the document text, would surface this class of error systematically.
A Lawyer who relies on this response may advise a client that the CPMI-IOSCO guidance explicitly endorses the NIST Cybersecurity Framework — a claim that cannot be confirmed from the source document and may be entirely fabricated. If the client then structures its compliance program around a claimed CPMI-IOSCO/NIST alignment, and a regulator or counterparty checks the source text, the Lawyer's advice is exposed as unsupported. The additional frameworks named by the AI (COBIT, ISO/IEC 27001) compound the risk: a Lawyer repeating these as confirmed citations has no textual basis for doing so.
Each finding has a stable Citation ID (RLB-F-… for aggregated case-study findings, RLB-H-… for raw per-model hallucinations) — like a DOI, the ID always resolves to the canonical finding even if URLs change.
RegLeg Specialist Panel, Finding#1 — Fabricated NIST framework citation [RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008], RegLegBrief AI Hallucination Research (May 29, 2026), https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-iosco-cyber-resilience-fmi-2016/practitioners/lawyers/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-008/.
RegLeg Specialist Panel (2026). "Finding#1 — Fabricated NIST framework citation — Practitioners — Lawyers." Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008. RegLegBrief AI Hallucination Research, published 2026-05-29. https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-iosco-cyber-resilience-fmi-2016/practitioners/lawyers/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-008/
RegLeg Specialist Panel. (2026). Finding#1 — Fabricated NIST framework citation [Hallucination finding RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008]. RegLegBrief AI Hallucination Research. https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-iosco-cyber-resilience-fmi-2016/practitioners/lawyers/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-008/
@misc{reglegbrief_RLB_F_INT_BIS_CPMI_IOSCO_CYBER_RESILIENCE_FMI_2016_Q008,
author = {RegLeg Specialist Panel},
title = {Finding#1 — Fabricated NIST framework citation},
year = {2026},
publisher = {RegLegBrief AI Hallucination Research},
note = {Hallucination finding Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008},
url = {https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-iosco-cyber-resilience-fmi-2016/practitioners/lawyers/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-008/}
}