This case study documents AI hallucinations encountered by Public Auditors working across international jurisdictions, specifically in relation to the Guidance on Cyber Resilience for Financial Market Infrastructures issued jointly by CPMI and IOSCO in 2016. Across four aggregated questions put to AI tools, every question produced at least one materially incorrect response — a 100% error rate on this regulatory document. The errors range from false assertions about explicit framework citations, to overstated operational detail within the guidance itself, to fabricated definitional claims, to a failure to register that the 2016 guidance is now under active formal revision.
Public Auditors who rely on AI tools for research, client advice, or audit scoping in this area face a meaningful risk of acting on incorrect regulatory information without any visible warning from the AI that its answer is uncertain or unverified.
Public Auditors working in international jurisdictions regularly encounter financial market infrastructure (FMI) cyber resilience requirements when scoping technology-related audit engagements, reviewing clients' compliance frameworks, or advising on the adequacy of internal controls against international standards. The CPMI-IOSCO Cyber Resilience Guidance is frequently cited in board-level risk registers, regulatory submissions, and cross-border audit programmes involving central counterparties, securities settlement systems, and payment systems operators.
It is precisely the kind of authoritative international document that a Public Auditor might consult — or ask an AI tool to summarise — at the start of an engagement, when preparing a compliance gap analysis, or when briefing a client's audit committee on the regulatory landscape their IT systems must satisfy.
The practical use-cases in which AI tools are likely to be consulted on this material include: drafting the regulatory background section of an audit report, responding to a client's question about which international standards apply to their FMI, scoping a cyber-resilience review against international guidance, and preparing training or briefing notes for junior audit staff. In each of these situations, an incorrect AI answer may be transcribed directly into a deliverable — an audit opinion, a management letter, a board paper — without the auditor independently verifying the source text.
If an AI answer on this material is wrong and a Public Auditor proceeds on it, the consequences fall at two levels. For the individual practitioner, acting on fabricated or outdated regulatory information in a client engagement can constitute a professional negligence failure, expose the auditor to disciplinary proceedings by their professional body, and — in jurisdictions where auditors of regulated entities carry statutory responsibilities — create personal regulatory liability.
For the auditor's clients, an incorrect characterisation of what an international standard requires can result in an inadequate control environment going unremedied, a false assurance to a regulator, or a failed regulatory inspection — any of which can carry significant financial and reputational consequences for the client's business.
Across all four questions tested against the CPMI-IOSCO 2016 Cyber Resilience Guidance, AI tools produced incorrect answers in every case. The errors share a consistent shape: AI tools asserted specificity and certainty that the source document does not support. Rather than acknowledging ambiguity — for example, that a framework alignment is structural and inferential rather than explicitly cited — AI tools stated the explicit citation as established fact. Rather than noting that a 2016 principles-level document was later supplemented by more operationally detailed publications, AI tools described detailed operational content as present in the original guidance.
In each instance, the AI presented its answer with a tone of authoritative completeness that would give a practitioner no signal to verify further.
All four findings cluster on a single document: the 2016 CPMI-IOSCO Cyber Resilience Guidance issued by the Bank for International Settlements. This concentration matters because the guidance is a foundational international reference point — it is not an obscure or rarely-cited text. Public Auditors working across multiple jurisdictions are likely to encounter it repeatedly, and the AI errors identified here would surface across the full range of engagement types where this document is relevant.
One finding is particularly significant from a currency standpoint: AI tools consistently stated that the 2016 guidance remains the operative international standard and has not been revised, when in fact CPMI-IOSCO published a consultative document in May 2026 initiating a formal revision. An auditor relying on that AI answer would be advising clients against a standard that is in the process of being updated.
The systemic risk for a Public Auditor who uses AI tools for regulatory research in this area is substantial. Based on the findings documented here, a practitioner asking four reasonable questions about this single regulatory document would receive a materially incorrect answer to each one — and would have no basis from the AI's response to suspect that any of the answers required independent verification.
In a profession where the reliability of regulatory references underpins audit opinions and client advice, a 100% AI error rate on a major international standard represents a risk that practitioners cannot afford to treat as theoretical.
The default position for Public Auditors using AI tools on international regulatory material should be that an AI response is a starting point for research, not a source that can be relied upon in a client deliverable or audit opinion. The findings documented here demonstrate that AI tools will produce detailed, confident, and internally coherent answers about authoritative international standards that are nonetheless factually incorrect. Confidence in the AI's tone is not a proxy for accuracy.
Every regulatory claim that will appear in an audit report, management letter, board paper, or client advice should be traced back to the regulator's published text before it is used.
Practical safeguards worth embedding in your team's workflow include: maintaining an audit trail of any AI use that contributed to regulatory research in a client engagement; never pasting AI-generated regulatory citations or paraphrased requirements into a document without independently verifying them against the source; and treating AI answers about whether a standard is current or has been revised with particular caution, since AI tools cannot know what has been published after their training data ends.
When the question touches on the relationship between two documents — whether one cites another, whether definitions align across frameworks, whether a later publication supplements or supersedes an earlier one — the risk of AI error is especially high, and independent verification is essential.
There are areas of Public Auditors' work where AI tools provide genuine efficiency without creating material regulatory risk. Drafting non-regulatory sections of a report, generating a first-draft list of questions for further research, summarising long documents that you will then verify independently, and producing templates for standard audit workpapers are all uses where the AI's output is checked against an authoritative source before it reaches a client or regulator.
The problems identified here arise specifically when AI output on regulatory content is accepted as accurate without that verification step — which, given the AI's confident tone, can happen easily under time pressure.
RegLeg's published hallucination research is available as a free reference for Public Auditors who want to check whether a specific regulation or question area has produced documented AI errors before acting on an AI-generated answer. For the CPMI-IOSCO Cyber Resilience Guidance and the international FMI regulatory landscape more broadly, the research documented here gives practitioners a concrete, question-level picture of where AI tools have failed — so that an auditor can calibrate their verification effort accordingly.
Checking RegLeg's catalogue before relying on an AI answer on international regulatory content takes minutes and can prevent the kind of error that takes far longer to remedy once it is in a client document.
For audit firms and public-sector audit bodies employing multiple practitioners who work on the same regulatory portfolio — particularly those with FMI oversight responsibilities or clients in the financial infrastructure sector — RegLeg offers bespoke deep-dives into specific regulations. These engagements identify the failure modes most likely to affect your team's specific workflow, map them to the documents and question types your practitioners encounter most often, and produce a reference resource calibrated to your practice rather than a general-purpose summary.
Where a team is regularly advising on international cyber resilience standards, infrastructure oversight, or cross-border payment system compliance, a targeted deep-dive provides ongoing value across multiple engagements.
RegLeg also develops training materials and CPD-aligned content designed for practitioners who want to understand the categories of AI failure they should watch for — not as an abstract technical exercise, but in the specific regulatory contexts where Public Auditors are most exposed. Separately, if your firm has an existing AI-use policy governing how practitioners may use AI tools in client work, RegLeg can provide a confidential review of that policy against our failure-mode catalogue — identifying gaps where the policy may not adequately address the risks documented in our research.