This case study examines how AI tools respond to regulatory questions relevant to Technology & Data teams at Corporate Banking firms operating across international jurisdictions. The analysis covers the CPMI-IOSCO Guidance on Cyber Resilience for Financial Market Infrastructures (2016), a foundational international standard issued by the Bank for International Settlements and its Committee on Payments and Market Infrastructures. Across two aggregated questions drawn from that guidance, AI assistants produced materially incorrect answers — asserting explicit regulatory citations and detailed operational requirements that the source document does not contain.
Technology & Data teams that rely on these responses without independent verification risk building internal frameworks, supplier assessments, and regulatory mapping work on inaccurate foundations.
Technology & Data teams at Corporate Banking firms regularly interact with cyber resilience and operational standards when scoping infrastructure programmes, assessing third-party and cloud providers, updating internal security policies, or supporting the business in responding to regulatory enquiries. The CPMI-IOSCO Cyber Resilience Guidance is a reference point for firms whose corporate banking operations touch payment systems or financial market infrastructure — and it is frequently cited in internal policy frameworks, supplier due-diligence questionnaires, and regulatory mapping exercises for new products or platforms.
When a team member reaches for an AI tool to clarify what the 2016 guidance actually requires — whether it names specific external frameworks, or how granular its incident response expectations are — the assumption is that the AI's answer reflects the text. For these questions, that assumption is wrong.
The corporate use-cases that sit on top of these topics are consequential. A Technology & Data team drafting a cyber resilience policy for a new payments platform may use an AI-generated summary to establish the regulatory baseline. A supplier due-diligence team assessing a fintech partner against international standards may rely on an AI-produced list of frameworks the guidance "requires" alignment with. A product team preparing a regulatory mapping for a new corporate banking product may treat an AI's description of the guidance's incident response provisions as authoritative.
In each scenario, the AI's confident but inaccurate answer becomes embedded in internal work-products — policies, assessment templates, board reports — before any independent verification occurs.
If the AI's answer is wrong, the firm bears the cost. Regulators reviewing a firm's cyber resilience programme against CPMI-IOSCO standards will measure the firm's framework against the actual text — not the AI's characterisation of it. A policy built on overstated obligations may create gaps where the firm believes it is compliant but is not, or impose unnecessary burdens based on requirements the guidance never contained. Beyond direct regulatory exposure, there is operational risk: technology investment decisions, vendor assessments, and incident response procedures shaped by incorrect regulatory summaries can prove costly to unwind.
Neither the individual employee who used the AI tool nor the AI provider absorbs these consequences — the firm, its leadership, and its clients do.
Both findings in this case study reflect the same underlying pattern: AI tools convert structural similarity or reasonable inference into confident factual assertions about what a regulatory document explicitly says. In the first finding, the AI treats the architectural resemblance between the CPMI-IOSCO guidance categories and an external framework as evidence of a formal citation — and then names further frameworks as also acknowledged, none of which can be verified in the source.
In the second finding, the AI characterises a comparatively high-level document as providing "detailed expectations" with a specific operational checklist, when the source material indicates that granular operational detail was only addressed by a successor document published four years later. In both cases the errors are not subtle misreadings — they are confident overclaims about the document's content, scope, and explicit references.
The errors cluster entirely within a single regulation — the CPMI-IOSCO 2016 Cyber Resilience Guidance — and both concern foundational characteristics of the document itself: what it cites and how detailed it is. For a Technology & Data team, these are precisely the questions asked early in any engagement with the guidance, when a team is establishing what the regulatory baseline is before designing a programme against it. Errors at this scoping stage propagate forward into every work-product the team subsequently produces.
The systemic risk is compounded by the confidence with which AI tools deliver these answers. A response that expresses uncertainty invites verification; a response that names specific frameworks, uses phrases like "explicitly references," and provides a bulleted list of operational requirements does not. Technology & Data teams operating under time pressure — responding to a business line query, preparing a board paper, or completing a due-diligence template — are unlikely to independently verify answers that read as settled fact.
If the same AI-generated summary informs a cyber resilience policy, a supplier assessment framework, and a regulatory mapping document, the single original error is multiplied across the firm's regulatory infrastructure without any further failure being required: one unverified answer at the scoping stage is enough.
The default position for Technology & Data teams should be that AI tools are a starting point for regulatory research, not a primary source. This is especially important for questions about what a regulatory document explicitly cites, what standards it formally requires alignment with, and how detailed its operational expectations are — precisely the questions where the errors in this case study occur. An AI tool's confident, structured answer to these questions is not a substitute for reading the source document, and the confidence of the presentation is not a proxy for accuracy.
At the firm level, practical safeguards should be built into the workflow before AI output influences any regulatory work-product. A clear policy establishing that AI-generated summaries of regulatory standards must be verified against the primary source before use in internal frameworks, board papers, or supplier assessments reduces the risk of upstream errors cascading through multiple downstream documents. Where AI output has influenced a work-product — a cyber resilience policy, a due-diligence template, a regulatory mapping — that influence should be logged and the relevant passages flagged for independent sign-off by a qualified reviewer before the document enters firm-wide use.
"AI-drafted" and "AI-assisted" content should be distinguished in regulatory-facing material, and any AI-generated list of regulatory requirements or cited frameworks should be treated as a hypothesis to verify rather than a fact to rely on.
There are parts of the Technology & Data workflow where AI tools provide genuine value with lower risk. Drafting non-regulatory copy — internal communications, project documentation, training material narratives — is appropriate AI-assisted work. Summarising long documents the team will then read and verify is useful. Generating a first set of research questions to guide a regulatory review, or producing a structured outline of topics to investigate, is a legitimate use of AI capability.
The risk is concentrated at the point where AI output is treated as a settled answer to a regulatory question — and that risk is highest when the question concerns what a specific document says, requires, or formally references.
RegLeg's published hallucination research is available as a free reference check that Technology & Data teams can consult before relying on any AI-generated answer in these regulatory areas. The research covers the specific questions where AI tools are most likely to produce incorrect responses — including questions about what international standards explicitly cite, what operational detail they contain, and how they relate to successor documents. Teams can use this material as part of their standard verification step when AI output touches CPMI-IOSCO guidance, BIS publications, or related international cyber resilience frameworks.
For firms that want a more structured view of their exposure, RegLeg offers bespoke regulator deep-dives that map which AI-supported workflows in a Corporate Banking context carry the highest hallucination risk for the Technology & Data function. This work identifies the specific regulatory questions your team is most likely to ask AI tools, the areas where those tools are most prone to overclaiming, and the internal processes where an incorrect AI answer would cause the greatest harm. The output is a prioritised exposure map the team can use to focus verification effort where it matters most.
RegLeg also offers confidential review of a firm's existing AI-use policy against our failure-mode catalogue, with prioritised remediation guidance tailored to the Technology & Data function in a Corporate Banking environment. Where gaps are identified — for example, no verification requirement before AI output enters regulatory mapping work, or no distinction between AI-drafted and AI-assisted content — we can help the team design practical controls that fit the firm's existing governance structure.
Training material and CPD-aligned content are also available for Technology & Data teams that want to build internal capability in identifying and managing AI hallucination risk in regulatory workflows.