Statutory Boards Agencies × Technology Data — International / Multilateral · updated 2026-05-28 · methodology v2.1

AI Hallucinations Affecting Technology & Data Teams at Statutory Boards & Agencies in International Jurisdictions

This case study examines how AI tools respond to regulatory questions relevant to Technology & Data teams working within Statutory Boards & Agencies in international jurisdictions. Testing covered the CPMI-IOSCO 2016 Guidance on Cyber Resilience for Financial Market Infrastructures, a framework published by the Bank for International Settlements' Committee on Payments and Market Infrastructures that sets out baseline expectations for operational and cyber resilience across financial market infrastructures. Across the questions reviewed, AI tools produced at least one materially incorrect response — confidently asserting regulatory details that cannot be confirmed in the source text.

For Technology & Data functions that routinely consult AI tools to support cyber policy work, regulatory mapping, or governance documentation, these failures represent a live operational risk rather than a theoretical concern.

When this affects Statutory Boards Agencies × Technology Data — International / Multilateral

Technology & Data teams at Statutory Boards & Agencies encounter the CPMI-IOSCO 2016 Cyber Resilience Guidance in several ordinary workflow contexts. The most common include drafting or reviewing internal cyber resilience policies that must align with international standards, preparing regulatory mapping documents for new technology infrastructure or data-processing arrangements, conducting due diligence on third-party technology suppliers whose resilience posture is assessed against recognised frameworks, and responding to internal requests from Audit, Risk, or Compliance colleagues who need a clear picture of which external standards apply to the organisation's systems.

When teams use AI tools to accelerate these tasks — pulling together background context, confirming which frameworks a regulation references, or summarising how a guidance document relates to other industry standards — inaccuracies in the AI's response flow directly into those work-products.

The corporate use-cases sitting on top of this content are consequential. A regulatory mapping exercise that incorrectly records the frameworks formally cited in the CPMI-IOSCO guidance could produce a gap analysis that points teams toward unnecessary controls or, more dangerously, creates false confidence that existing controls satisfy requirements they do not address. Similarly, training materials for technical staff or briefing notes for board-level technology risk committees that repeat an AI's unverified assertion about the guidance's framework alignment carry that error into governance decisions.

The firm bears the cost of these errors in full. Statutory Boards & Agencies operating as financial market infrastructure or adjacent to it face supervisory scrutiny from the relevant domestic authority and, in cross-border arrangements, from multiple regulators simultaneously. A demonstrably flawed regulatory self-assessment — one that can be traced to unverified AI output — creates regulatory exposure that may result in mandatory remediation programmes, supervisory undertakings, or formal censure.

Beyond regulatory consequences, the operational risk of building technology resilience programmes on mischaracterised regulatory baselines is significant: remediation after a cyber incident will be judged against what the firm was actually required to do, not what it believed it was required to do.

Aggregate impact

The pattern seen across this finding is a characteristic one: AI tools convert structural or thematic similarity between documents into confident assertions of an explicit formal relationship. Where a regulator's guidance and an industry framework happen to share a similar organisational structure or category set, AI tools tend to conclude — and state with apparent authority — that one formally cites or endorses the other.

The AI does not flag this as uncertain or as its own inference; it presents the claim as established fact, often adding further detail (naming additional frameworks, describing how they were incorporated) that compounds the original error. This kind of confabulation is particularly difficult to catch because the AI's answer is directionally plausible: the structural similarity is real, even if the formal citation is not confirmed.

In this dataset, the errors cluster on the CPMI-IOSCO 2016 Cyber Resilience Guidance and its relationship to other well-known cybersecurity frameworks. This is a topic area where Technology & Data teams are especially likely to rely on AI tools, precisely because mapping between frameworks is a research-intensive task that AI appears well-suited to accelerate. The irony is that the task's apparent suitability for AI assistance makes the risk harder to perceive.

The systemic risk to the firm lies in how downstream work-products inherit the error. A single incorrect AI assertion about framework alignment — if accepted without verification — can cascade through a supplier assessment template, an internal audit questionnaire, a board risk report, and an external regulatory submission before anyone checks the source text. At that point the remediation cost is not just correcting one answer; it is revisiting every work-product that rested on that answer, with potential regulatory implications for each.

For Technology & Data teams operating under resource pressure, the temptation to treat an AI's confident, detailed response as sufficient is high — and the gap between that assumption and the actual regulatory text is exactly where the firm's exposure lives.

Findings

1 finding in this case study.

  1. NIST Cybersecurity Framework citation in CPMI-IOSCO Cyber Guidance

What your team should do

The default position for any Technology & Data team using AI tools on these regulatory topics should be that AI output is a research starting point, not a primary source. This is particularly important for questions about which external frameworks a regulation formally references, what conditions or obligations a specific rule imposes, and what a regulator has or has not said in a specific document. AI tools can produce detailed, authoritative-sounding answers on all of these questions while being materially wrong.

The source text — the regulation itself, downloaded directly from the regulator's published portal — must be the basis for any work-product that will be relied upon internally or submitted externally.

At the firm level, practical safeguards should include a clear policy that designates AI as an unreliable source for regulatory attribution questions in this area, and requires verification against primary sources before AI output influences a firm work-product. Audit trails matter: when AI output is used as a starting point for a regulatory mapping document, due-diligence report, or governance paper, that provenance should be recorded and the verification step documented. Any AI-drafted content that enters firm-wide use — policy templates, training materials, supplier questionnaires — should require a named sign-off from someone who has checked the underlying regulatory text.

Distinguishing "AI-drafted" from "AI-summarised" content in regulatory-facing material is a useful internal discipline, but neither label substitutes for verification.

AI tools remain genuinely useful in the Technology & Data workflow for tasks that do not depend on regulatory precision: drafting non-regulatory internal communications, generating first-draft interview questions or workshop agendas, summarising long documents that the team will then read and verify, and structuring the outline of a policy before subject-matter experts fill in the substantive content.

The risk is concentrated in the step where an AI answer about what a regulation says or requires is accepted without checking the source — and that step is common enough in busy Technology & Data teams that the policy guardrails are worth making explicit.

How RLB can help

RegLeg's published hallucination research is available as a free reference check that Technology & Data teams can consult before relying on any AI answer touching the regulatory areas covered here. The research documents, on a finding-by-finding basis, where AI tools have been shown to produce incorrect responses on specific regulatory questions — including the precise nature of the error and what the source text actually says.

For a team about to use AI to support work on cyber resilience frameworks, international standards alignment, or CPMI-IOSCO obligations, the published research provides an independent data point on whether that particular question is one where AI tools have a demonstrated track record of failure.

For firms that want a more structured assessment, RegLeg offers bespoke regulatory deep-dives mapped to the specific workflows a Statutory Boards & Agencies organisation runs through its Technology & Data function. These engagements identify which AI-supported processes in the firm carry the highest hallucination exposure — typically framework-mapping, regulatory attribution, and obligation-scoping tasks — and produce a prioritised view of where verification controls are most needed. This is not a theoretical exercise: it works from the firm's actual AI use patterns and the regulatory perimeter the Technology & Data team operates within.

RegLeg can also provide a confidential review of the firm's existing AI-use policy against its hallucination failure-mode catalogue, with prioritised remediation recommendations that reflect the specific regulatory areas most relevant to the Technology & Data function. For teams that want to build internal capability, RegLeg produces training material and CPD-aligned content that equips Technology & Data professionals to recognise AI hallucination patterns in regulatory contexts, apply appropriate verification disciplines, and document their approach in a way that satisfies internal governance and, where relevant, regulatory expectations.
