How does the CPMI-IOSCO 2016 Cyber Guidance define 'cyber resilience', and how does this compare to the definition in the 2018 FSB Cyber Lexicon?
The model framed its comparison as if the two documents were designed to be read together, producing a nuanced and superficially reasonable alignment analysis. It did not flag that the FSB Lexicon postdates the 2016 guidance by two years and therefore could not have been an input to it. By treating the temporal gap as irrelevant, the model produced a comparison that implies a coordinated definitional relationship that may not exist. - Regulator portal (if any cited link is dud): https://www.bis.org
This finding points to a gap in how the model handles comparative questions spanning documents with a known temporal gap. The model's training data likely contains substantial commentary treating the 2016 guidance and 2018 FSB Cyber Lexicon as a coherent regulatory pair, which may have caused the model to elide the two-year gap. Post-training reward signals for regulatory comparison tasks should penalise responses that imply contemporaneous co-development between documents with materially different publication dates.
How does the CPMI-IOSCO 2016 Cyber Guidance define 'cyber resilience', and is that definition aligned with the 2018 FSB Cyber Lexicon?
The model not only compared the two definitions but asserted a specific causal relationship — that the FSB Lexicon explicitly drew on the CPMI-IOSCO definition — for which no basis was found. This converts a plausible inference (that a 2018 lexicon would be informed by a prominent 2016 document from the same regulatory community) into a stated fact. The model also presented the 2016 definition in confident detail without flagging that the Lexicon postdates it and the relationship between the two definitions remains unconfirmed. - Regulator portal (if any cited link is dud): https://www.bis.org
This finding reveals that the model not only collapsed a temporal gap but asserted a specific causal relationship (that the FSB Lexicon drew on the CPMI-IOSCO definition) for which no evidential basis was found. This is a more advanced failure than simple conflation: the model constructed a plausible-sounding provenance claim that goes beyond what the documents support. This class of error — inferred causation stated as documented fact — is particularly hazardous in legal and compliance contexts and is likely to evade generic hallucination red-teaming that focuses on factual accuracy rather than provenance accuracy.
When a Compliance team at a Statutory Boards & Agencies firm asks AI tools whether the CPMI-IOSCO 2016 Cyber Guidance's definition of 'cyber resilience' is consistent with the FSB Cyber Lexicon, the AI asserted the two are 'aligned and broadly consistent' — dropping the explicit qualification in the source that the FSB definitions 'may not match' how the 2016 guidance used those terms. If this response feeds into a regulatory gap analysis, a framework alignment report, or a cross-standard compliance mapping, the firm embeds a false premise about definitional equivalence that it has not actually verified.
For a Statutory Boards & Agencies firm supervised against international FMI standards, a compliance mapping that overstates definitional alignment between frameworks creates exposure if a regulator's examination reveals the firm's controls were designed on an unverified assumption.
Each finding has a stable Citation ID (RLB-F-… for aggregated case-study findings, RLB-H-… for raw per-model hallucinations) — like a DOI, the ID always resolves to the canonical finding even if URLs change.
RegLeg Specialist Panel (2026). "Overconfident alignment claim between the 2016 guidance and the 2018 FSB Cyber Lexicon — Statutory Boards Agencies × Compliance — International / Multilateral." Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q020. RegLegBrief AI Hallucination Research, published 2026-05-26. https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-iosco-cyber-resilience-fmi-2016/sectors/statutory_boards_agencies/compliance/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-020/
RegLeg Specialist Panel. (2026). Overconfident alignment claim between the 2016 guidance and the 2018 FSB Cyber Lexicon [Hallucination finding RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q020]. RegLegBrief AI Hallucination Research. https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-iosco-cyber-resilience-fmi-2016/sectors/statutory_boards_agencies/compliance/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-020/
RegLeg Specialist Panel, Overconfident alignment claim between the 2016 guidance and the 2018 FSB Cyber Lexicon [RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q020], RegLegBrief AI Hallucination Research (May 26, 2026), https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-iosco-cyber-resilience-fmi-2016/sectors/statutory_boards_agencies/compliance/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-020/.
@misc{reglegbrief_RLB_F_INT_BIS_CPMI_IOSCO_CYBER_RESILIENCE_FMI_2016_Q020,
author = {RegLeg Specialist Panel},
title = {Overconfident alignment claim between the 2016 guidance and the 2018 FSB Cyber Lexicon},
year = {2026},
publisher = {RegLegBrief AI Hallucination Research},
note = {Hallucination finding Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q020},
url = {https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-iosco-cyber-resilience-fmi-2016/sectors/statutory_boards_agencies/compliance/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-020/}
}