This case study examines how AI tools respond to regulatory questions relevant to Technology & Data teams at Investment Banking firms operating across international jurisdictions. The findings are drawn from testing against one regulation — the Guidance on Cyber Resilience for Financial Market Infrastructures issued jointly by CPMI and IOSCO in 2016 — a foundational international standard for operational resilience in financial market infrastructure.
Across two aggregated questions where AI tools produced incorrect or misleading answers, a consistent pattern emerged: AI assistants overstated the specificity, detail, and external references contained in the guidance, presenting confident but unverifiable claims as established fact. These errors are particularly consequential for Technology & Data functions, where the guidance informs cyber resilience programme design, vendor oversight, and regulatory mapping exercises that carry direct compliance and reputational risk for the firm.
Technology & Data teams at Investment Banking firms regularly encounter the CPMI-IOSCO Cyber Resilience Guidance when scoping or refreshing the firm's cyber resilience programme, mapping requirements for critical system recovery objectives, assessing third-party and vendor cyber posture, or responding to questions from business lines preparing for regulatory engagement. It is exactly the kind of authoritative international standard that a team member might query an AI tool about when drafting internal policy, building a regulatory mapping matrix for a new product or platform, preparing training material for technologists, or benchmarking the firm's existing controls against expected international norms.
The speed and apparent authority of AI-generated answers make them especially tempting as a shortcut in these workflows.
The corporate use-cases that sit on top of these topics are substantial. A Technology & Data team may use an AI-assisted regulatory summary to define the scope of a cyber resilience review, set recovery time objectives in system design documents, establish vendor contractual requirements, or inform board-level reporting on regulatory alignment. Where the guidance also shapes how the firm frames its capabilities to regulators or external auditors — for instance, asserting alignment with specific international frameworks — the accuracy of the underlying regulatory characterisation becomes a direct compliance matter.
If AI tools supply incorrect answers in any of these contexts, the firm — not the individual employee — absorbs the consequences. Cyber resilience and operational risk are areas of sustained supervisory focus for regulators in major international jurisdictions, and firms that build governance frameworks or client-facing representations on misconstrued guidance face potential regulatory action, remediation costs, and reputational harm. Where downstream work-products (system architecture decisions, vendor contracts, regulatory submissions) rest on flawed AI-sourced summaries, unwinding the error is expensive and time-consuming.
Both findings in this case study share a common failure shape: AI tools converted structural or thematic similarity into claimed explicit fact. In the first instance, the AI asserted that the 2016 CPMI-IOSCO guidance formally cited the NIST Cybersecurity Framework by name — a claim that cannot be verified from the source text, where the relationship is one of structural resemblance rather than explicit reference.
In the second, the AI characterised the 2016 guidance as providing detailed operational expectations for cyber incident response and recovery, when the later FSB document, published four years afterwards, exists precisely to supply that level of detail. Across both cases, AI tools produced confident, specific answers that overstated what the underlying guidance actually contains.
Both errors cluster entirely on a single regulation — the 2016 CPMI-IOSCO Cyber Resilience Guidance — and both relate to how the guidance positions itself relative to other frameworks and how much operational specificity it provides. This is a particularly important cluster for Technology & Data teams, since these are the questions most likely to arise when the team is trying to understand what the guidance actually requires in practice and how it connects to the broader regulatory and standards landscape.
An AI that fabricates framework citations or overclaims the depth of regulatory detail distorts both of these foundational questions simultaneously.
The systemic risk to the firm compounds quickly when multiple work-products share a common AI-sourced misunderstanding. If a Technology & Data team builds its vendor cyber resilience questionnaire, its internal policy framework, and its board reporting narrative all from the same AI-assisted regulatory summary, a single AI error propagates into all three outputs. Correcting it after the fact — particularly if any of those outputs have been relied upon in regulatory engagement — involves not just updating documentation but potentially revisiting representations already made to supervisors, auditors, or counterparties.
Two findings are documented in this case study, each with its own evidence card.
The default position for Technology & Data teams should be that AI tools are a starting point for orientation, not a primary source, when working with international cyber resilience standards and related regulatory guidance. This is especially true for questions about the intellectual provenance of a document (what frameworks it explicitly references), the scope of its requirements (how much operational detail it contains), and its relationship to later publications that may supersede or supplement it. These are precisely the kinds of structural and contextual questions where AI tools have demonstrated a tendency to over-assert and fabricate specificity.
Any AI-generated summary of regulatory requirements should be treated as a draft hypothesis to be verified against the source document — not as a settled account.
At the firm level, practical safeguards should include a regulatory-verification policy that names AI tools explicitly as unreliable sources for rule characterisation in these areas; an audit trail requirement for any AI output that influences a work-product intended for internal governance, regulatory engagement, or vendor management; and a clear sign-off process before AI-assisted content enters firm-wide use. Teams should also distinguish between "AI-drafted" and "AI-summarised" material in regulatory-facing documents — the former involves the AI generating language, the latter involves it compressing a document the team has independently read and verified. Both carry risk, but the second is materially lower.
AI tools remain genuinely useful in the Technology & Data workflow for tasks that do not require regulatory precision: drafting non-regulatory copy, generating first-draft questions for a deeper research exercise, structuring agendas or meeting notes, or producing a plain-English explanation of a long document that the team will independently verify. The discipline is to keep AI at arm's length from the layer of the workflow where the firm makes claims — to regulators, auditors, boards, or clients — about what the rules require.
RegLeg's published hallucination research is available as a free reference check for Technology & Data teams before they rely on an AI-generated answer in these regulatory areas. Where a team is working with the CPMI-IOSCO Cyber Resilience Guidance, related BIS publications, or FSB operational resilience standards, the research catalogue identifies the specific question types and topic areas where AI tools have consistently produced incorrect or misleading answers — giving teams a concrete, evidence-based basis for deciding when independent verification is essential rather than optional.
For firms that want a more tailored picture, RegLeg offers bespoke deep-dives mapping which AI-supported workflows in an Investment Banking Technology & Data function carry the highest hallucination exposure. This includes reviewing the firm's specific use of AI tools against the documented failure-mode catalogue for relevant international standards, identifying where existing processes may already be carrying AI-sourced errors forward, and producing a prioritised risk register for the team and its leadership. The output is practical and workflow-specific — not a generic framework review.
RegLeg also provides confidential review of existing AI-use policies against the firm's actual regulatory landscape, with prioritised remediation recommendations. For Technology & Data teams that need to build internal capability, we can provide training materials and CPD-aligned content that equips technologists and their regulatory counterparts to identify AI failure patterns, apply appropriate verification discipline, and maintain the audit trails that regulators and auditors increasingly expect to see. The goal is to help the team use AI tools confidently and safely — extending their capability without importing the risks.