Is the CPMI-IOSCO 2016 Cyber Resilience Guidance still the operative international standard, or has it been updated or put out for revision?
The model produced a definitive, unqualified assertion about the current regulatory status of a document whose status had changed after its training data was collected. The web-search step did not surface the May 2026 CPMI-IOSCO consultation, leaving the model to report a training-era understanding as if it were current fact. No hedge or currency caveat was offered. - Regulator portal (if any cited link is dud): https://www.bis.org
This finding directly implicates the web-search tool's failure to surface a publicly announced BIS press release from May 2026. The model's training-era prior — that the 2016 guidance is the operative standard — was not overridden by retrieval, suggesting either that the search query did not return the relevant press release or that the model did not weight recent retrieval results against a strong training prior. This is a measurable failure of the retrieval-augmentation loop on a query type (current regulatory status of a named document) that is both common and high-stakes in financial-services deployments.
Has the CPMI-IOSCO 2016 Cyber Resilience Guidance been revised or updated since its publication, and what is its current status as an international standard?
The model asserted the unchanged operative status of the 2016 guidance without qualification, despite having web-search tools available. The May 2026 CPMI-IOSCO consultation — a publicly announced BIS press release — was not surfaced or reflected in the response. The model's answer reprises its training-era understanding of the document's status as if it were a statement of current fact, with the phrase "as of the date of this response" adding an unwarranted precision to an outdated claim. - Regulator portal (if any cited link is dud): https://www.bis.org
Like the analogous Opus 4.7 finding, this result implicates the web-search integration's failure to surface recent regulatory announcements that would override a training-era prior. The phrase 'as of the date of this response' in the model's output is particularly significant: it signals that the model is attempting to hedge on currency but does so without actually checking — suggesting the hedging behaviour is a learned linguistic pattern rather than an operationally grounded check. A retrieval step that actively queries for amendment or consultation activity on named regulatory documents before answering status questions would address this gap directly.
An auditor advising a client in May 2026 that the 2016 CPMI-IOSCO guidance remains the unchanged operative standard is giving materially incorrect advice. Clients with FMI oversight responsibilities — central counterparties, securities settlement systems, payment system operators — need to know that a formal revision process is underway so they can monitor the consultation, prepare for potential changes to their compliance obligations, and ensure their boards are informed. A practitioner who fails to flag this could be seen as having provided inadequate regulatory horizon-scanning advice, with consequences for both the client relationship and the auditor's professional standing.
Each finding has a stable Citation ID (RLB-F-… for aggregated case-study findings, RLB-H-… for raw per-model hallucinations) — like a DOI, the ID always resolves to the canonical finding even if URLs change.
RegLeg Specialist Panel (2026). "Currency of the 2016 Cyber Resilience Guidance as the operative international standard — Practitioners — Public Auditors." Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022. RegLegBrief AI Hallucination Research, published 2026-05-26. https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-iosco-cyber-resilience-fmi-2016/practitioners/public-auditors/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-022/
RegLeg Specialist Panel. (2026). Currency of the 2016 Cyber Resilience Guidance as the operative international standard [Hallucination finding RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022]. RegLegBrief AI Hallucination Research. https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-iosco-cyber-resilience-fmi-2016/practitioners/public-auditors/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-022/
RegLeg Specialist Panel, Currency of the 2016 Cyber Resilience Guidance as the operative international standard [RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022], RegLegBrief AI Hallucination Research (May 26, 2026), https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-iosco-cyber-resilience-fmi-2016/practitioners/public-auditors/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-022/.
@misc{reglegbrief_RLB_F_INT_BIS_CPMI_IOSCO_CYBER_RESILIENCE_FMI_2016_Q022,
author = {RegLeg Specialist Panel},
title = {Currency of the 2016 Cyber Resilience Guidance as the operative international standard},
year = {2026},
publisher = {RegLegBrief AI Hallucination Research},
note = {Hallucination finding Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022},
url = {https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-iosco-cyber-resilience-fmi-2016/practitioners/public-auditors/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-022/}
}