Is the CPMI-IOSCO 2016 Cyber Resilience Guidance still the operative international standard, or has it been updated or put out for revision?
The model produced a definitive, unqualified assertion about the current regulatory status of a document whose status had changed after its training data was collected. The web-search step did not surface the May 2026 CPMI-IOSCO consultation, leaving the model to report a training-era understanding as if it were current fact. No hedge or currency caveat was offered. - Regulator portal (if any cited link is dud): https://www.bis.org
This finding directly implicates the web-search tool's failure to surface a publicly announced BIS press release from May 2026. The model's training-era prior — that the 2016 guidance is the operative standard — was not overridden by retrieval, suggesting either that the search query did not return the relevant press release or that the model did not weight recent retrieval results against a strong training prior. This is a measurable failure of the retrieval-augmentation loop on a query type (current regulatory status of a named document) that is both common and high-stakes in financial-services deployments.
Has the CPMI-IOSCO 2016 Cyber Resilience Guidance been revised or updated since its publication, and what is its current status as an international standard?
The model asserted the unchanged operative status of the 2016 guidance without qualification, despite having web-search tools available. The May 2026 CPMI-IOSCO consultation — a publicly announced BIS press release — was not surfaced or reflected in the response. The model's answer reprises its training-era understanding of the document's status as if it were a statement of current fact, with the phrase "as of the date of this response" adding an unwarranted precision to an outdated claim. - Regulator portal (if any cited link is dud): https://www.bis.org
Like the analogous Opus 4.7 finding, this result implicates the web-search integration's failure to surface recent regulatory announcements that would override a training-era prior. The phrase 'as of the date of this response' in the model's output is particularly significant: it signals that the model is attempting to hedge on currency but does so without actually checking — suggesting the hedging behaviour is a learned linguistic pattern rather than an operationally grounded check. A retrieval step that actively queries for amendment or consultation activity on named regulatory documents before answering status questions would address this gap directly.
When a compliance team at a corporate banking firm asks an AI assistant whether the CPMI-IOSCO 2016 Cyber Resilience Guidance is still the operative international standard, the AI responds with confidence that it has not been formally revised or superseded — an answer already contradicted by a CPMI-IOSCO consultative document published 22 days before the assessment date. If the team uses this response to frame a regulatory gap analysis, board risk report, or FMI due-diligence assessment, it is working from a baseline that the regulator has signalled is under revision, with no internal flag to indicate the error.
The direct exposure is regulatory: supervisors in CPMI-IOSCO member jurisdictions who are tracking the revision process will expect firms to demonstrate awareness of the evolving standard, and a compliance function that cannot show that awareness may face adverse findings or remediation requirements. Remediation costs include re-running the gap analysis against the consultative document, revising policy documents already approved at board level, and engaging counsel across jurisdictions to assess whether any supervisory submissions need to be corrected.
Each finding has a stable Citation ID (RLB-F-… for aggregated case-study findings, RLB-H-… for raw per-model hallucinations) — like a DOI, the ID always resolves to the canonical finding even if URLs change.
RegLeg Specialist Panel (2026). "Currency of the CPMI-IOSCO 2016 Cyber Resilience Guidance — Corporate Banking × Compliance — International / Multilateral." Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022. RegLegBrief AI Hallucination Research, published 2026-05-28. https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-iosco-cyber-resilience-fmi-2016/sectors/corporate_banking/compliance/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-022/
RegLeg Specialist Panel. (2026). Currency of the CPMI-IOSCO 2016 Cyber Resilience Guidance [Hallucination finding RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022]. RegLegBrief AI Hallucination Research. https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-iosco-cyber-resilience-fmi-2016/sectors/corporate_banking/compliance/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-022/
RegLeg Specialist Panel, Currency of the CPMI-IOSCO 2016 Cyber Resilience Guidance [RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022], RegLegBrief AI Hallucination Research (May 28, 2026), https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-iosco-cyber-resilience-fmi-2016/sectors/corporate_banking/compliance/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-022/.
@misc{reglegbrief_RLB_F_INT_BIS_CPMI_IOSCO_CYBER_RESILIENCE_FMI_2016_Q022,
author = {RegLeg Specialist Panel},
title = {Currency of the CPMI-IOSCO 2016 Cyber Resilience Guidance},
year = {2026},
publisher = {RegLegBrief AI Hallucination Research},
note = {Hallucination finding Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022},
url = {https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-iosco-cyber-resilience-fmi-2016/sectors/corporate_banking/compliance/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-022/}
}