Corporate Banking × Compliance — International / Multilateral · updated 2026-05-28 · methodology v2.1

AI Hallucinations Affecting Compliance at Corporate Banking Firms in International Jurisdictions

This case study examines how AI tools perform when queried on international cyber resilience regulation by Compliance teams at Corporate Banking firms. Testing covered one regulation — the Guidance on Cyber Resilience for Financial Market Infrastructures issued jointly by CPMI and IOSCO in 2016 — across two aggregated questions where AI assistants produced incorrect or misleading answers. In both cases, multiple AI tools gave responses that misrepresented the regulatory position in ways a Compliance professional relying solely on that output would have no reason to question.

The errors identified are not minor — they concern the currency and definitional coherence of an internationally operative cyber resilience standard that Corporate Banking Compliance functions are expected to apply correctly.

When this affects Corporate Banking × Compliance — International / Multilateral

Compliance teams at Corporate Banking firms routinely consult AI tools to accelerate regulatory mapping work — for example, when assessing how international cyber resilience standards apply to a new product or infrastructure change, when drafting internal policy frameworks that align with FMI-level guidance, or when preparing training materials for front-line staff and operational risk colleagues. The CPMI-IOSCO Cyber Resilience Guidance sits at the heart of these exercises: it is the document that Corporate Banking Compliance functions point to when scoping cyber obligations across clearing, settlement, and payment infrastructure touchpoints.

AI tools are frequently asked to summarise what the guidance requires, how its definitions relate to other international standards, and whether it remains current — all questions that directly feed into firm-wide policy, due diligence documentation, and regulatory submissions.

The corporate use-cases built on top of these questions are substantial. A Corporate Banking Compliance team might use AI-generated regulatory summaries to populate a regulatory inventory, to brief a business line facing a supervisory question, to underpin a supplier or third-party cyber due-diligence assessment, or to validate that an existing internal control framework still maps correctly to operative international standards. If the AI answer underpinning any of these outputs is wrong — either about what a definition means or about whether the standard is still in force — every downstream work-product inherits that error.

The firm, not the individual employee, bears the consequences. Regulators examining a Corporate Banking firm's cyber resilience posture will assess whether the firm's Compliance function applied the correct and current version of applicable international standards. If internal policies, board-level attestations, or third-party oversight documentation rest on an AI-generated account of a rule that is either definitionally inaccurate or factually out of date, the firm faces regulatory scrutiny, potential enforcement, remediation costs, and reputational exposure — regardless of how the original error entered the document chain.

Aggregate impact

Both findings in this case study concern the same regulation — the CPMI-IOSCO 2016 Cyber Resilience Guidance — and the errors share a common shape: AI tools presented uncertain or outdated regulatory positions as settled fact. In the first finding, AI tools asserted definitional alignment between the 2016 guidance and a later FSB publication, when the authoritative source explicitly preserves uncertainty about that relationship. In the second, AI tools stated that the 2016 guidance remains the operative, unreplaced standard, when a consultative revision document had already been published for public comment.

In both cases the AI response was confident, well-structured, and unqualified — precisely the presentation most likely to be accepted without further verification by a busy Compliance function.

Both errors cluster on the same regulatory instrument and the same underlying failure pattern: AI tools do not reliably track either definitional nuance or recent regulatory developments, and they do not flag the limits of their own knowledge. The CPMI-IOSCO Cyber Resilience Guidance is not an obscure instrument — it is a foundational international standard that Corporate Banking Compliance functions are expected to apply. The fact that multiple AI tools produced similar incorrect responses on both questions means the risk is not idiosyncratic; it is systemic across the AI tools currently in common use.

The compounding effect for a Corporate Banking firm is significant. A Compliance team that asks AI tools to map the firm's cyber resilience framework to current international standards might, in a single workflow, receive an incorrect account of how the 2016 guidance's definitions relate to subsequent FSB terminology and an incorrect assurance that the 2016 guidance itself has not been updated. Both errors, undetected, flow into the same policy document, the same board paper, or the same regulatory response.

The cost of unwinding a compliance position built on compounded AI errors — in remediation time, legal review, re-filing, and regulatory credibility — is disproportionate to the cost of the verification step that would have caught them at source.

Findings

This case study contains two findings, each with its own full evidence card:

  1. Definitional consistency between the 2016 Cyber Guidance and the FSB Cyber Lexicon
  2. Currency of the CPMI-IOSCO 2016 Cyber Resilience Guidance

What your team should do

The default position for Compliance teams at Corporate Banking firms should be that AI tools are a research starting point, not a primary source, when the question concerns the currency, scope, or definitional content of an international regulatory standard. This applies with particular force to frameworks like the CPMI-IOSCO Cyber Resilience Guidance, where revisions may be in consultative stages that post-date an AI tool's training data, and where cross-standard definitional alignment is a matter of ongoing regulatory development rather than settled fact.

A Compliance function that treats an AI-generated regulatory summary as authoritative without independent verification is, in effect, delegating a professional judgement to a tool that cannot reliably distinguish what it knows from what it infers.

Practical firm-level safeguards should include a written AI-use policy that explicitly identifies international cyber resilience standards as a category requiring primary-source verification before any AI output is used in a firm work-product. Compliance teams should maintain audit trails showing that AI-generated regulatory content was checked against the current version of the relevant regulator's publication. Any AI output that influences a board paper, a regulatory submission, a policy framework, or a third-party due-diligence assessment should require sign-off from a qualified Compliance professional who has verified the underlying regulatory position directly.

Internal templates and document management practices should distinguish between "AI-drafted" and "AI-summarised" content, so that reviewers know which sections carry AI-generated claims requiring verification.

AI tools are genuinely useful in Compliance workflows for tasks that do not depend on the AI being correct about the regulatory position itself: drafting non-regulatory internal copy, generating first-draft questions for further research, structuring long documents the team will then verify, or producing summaries of text the team can cross-check line by line. The error pattern identified in this case study arises specifically when AI tools are asked to resolve regulatory questions that require current, authoritative knowledge — and the safeguard is not to avoid AI entirely, but to apply systematic verification at exactly those points in the workflow.

How RLB can help

RegLeg's published hallucination research gives Compliance teams at Corporate Banking firms a free, accessible reference point before relying on any AI answer in regulated areas. The research identifies, by regulation and by question type, where AI tools have demonstrably produced incorrect outputs — so that a Compliance professional can quickly check whether the AI answer they received on a given regulatory topic falls into a known failure category. For international cyber resilience standards, where the findings in this case study show consistent errors across multiple AI tools, that check takes minutes and can prevent errors from entering firm-wide documentation.

For firms that want a more structured assessment, RegLeg offers bespoke regulatory deep-dives that map which AI-supported workflows in a Corporate Banking Compliance function carry the highest hallucination exposure. These engagements look at the firm's actual workflow — the regulatory topics the team queries, the document types that AI output feeds into, and the downstream decisions those documents inform — and produce a prioritised view of where verification controls are most needed. The output is practical and team-specific, not generic.

RegLeg also offers confidential review of a firm's existing AI-use policy against its failure-mode catalogue, with prioritised recommendations for closing gaps. Compliance teams building or refreshing internal AI governance frameworks will find this particularly useful where the existing policy does not yet distinguish between regulatory-content queries (high hallucination risk, requiring verification) and lower-risk AI tasks. Alongside this, RegLeg produces training material and CPD-aligned content that Compliance teams can deploy internally — helping staff at all levels understand where AI tools are reliable aids and where professional verification is non-negotiable.
