Statutory Boards Agencies × Technology Data — International / Multilateral · updated 2026-05-28 · methodology v2.1

NIST Cybersecurity Framework citation in CPMI-IOSCO Cyber Guidance

RLB Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008
What the RLB Specialist Panel found

1. NIST Cybersecurity Framework citation in CPMI-IOSCO Cyber Guidance

  • Question (paraphrased to protect IP): Does the CPMI-IOSCO 2016 Cyber Guidance formally cite or reference the NIST Cybersecurity Framework?
  • Source regulation: Guidance on Cyber Resilience for Financial Market Infrastructures (CPMI-IOSCO 2016) (Regulator portal: https://www.bis.org)
  • What AI assistants typically say: AI tools confidently assert that the CPMI-IOSCO 2016 Cyber Guidance explicitly references the NIST Cybersecurity Framework as one of several industry best-practice frameworks informing its development, and go on to name additional frameworks — including COBIT and ISO/IEC 27001 — as also acknowledged in the document.
  • What the regulator actually says: Whether the guidance formally cites the NIST Cybersecurity Framework has not been confirmed from the source text. The five guidance categories are structurally similar to the NIST CSF five functions but may be independently derived rather than explicitly referencing NIST.
  • Why the AI went wrong: AI tools appear to have treated the structural resemblance between the guidance's five categories and the NIST CSF's five functions as evidence of a formal citation, then stated that inference as confirmed fact. The addition of further named frameworks (COBIT, ISO/IEC 27001) extends the error by supplying supporting detail that is not drawn from the source document.
Impact for Technology & Data Teams in the Statutory Boards & Agencies Sector (International / Multilateral)

A Technology & Data team that accepts the AI's assertion at face value may record in its regulatory mapping documentation that the CPMI-IOSCO guidance formally aligns to the NIST CSF, COBIT, and ISO/IEC 27001 — and may then structure its cyber resilience programme, supplier due-diligence criteria, and internal audit frameworks around that characterisation. If the formal citation does not exist in the source document, the firm has built its compliance posture on a fabricated regulatory baseline.

In the event of a supervisory review or cyber incident, the regulator will assess the firm's controls against the guidance as written, not as the AI described it; a demonstrable gap between the two could result in mandatory remediation, supervisory undertakings, or formal findings against the firm's technology risk governance.

Cite this finding

Each finding has a stable Citation ID (RLB-F-… for aggregated case-study findings, RLB-H-… for raw per-model hallucinations) — like a DOI, the ID always resolves to the canonical finding even if URLs change.

RLB Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008
Plain text
RegLeg Specialist Panel (2026). "NIST Cybersecurity Framework citation in CPMI-IOSCO Cyber Guidance — Statutory Boards Agencies × Technology Data — International / Multilateral." Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008. RegLegBrief AI Hallucination Research, published 2026-05-28. https://reglegbrief.com/audiences/sectors/int/statutory_boards_agencies/technology_data/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-008/
APA 7th edition
RegLeg Specialist Panel. (2026). NIST Cybersecurity Framework citation in CPMI-IOSCO Cyber Guidance [Hallucination finding RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008]. RegLegBrief AI Hallucination Research. https://reglegbrief.com/audiences/sectors/int/statutory_boards_agencies/technology_data/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-008/
Bluebook / OSCOLA (US + UK legal)
RegLeg Specialist Panel, NIST Cybersecurity Framework citation in CPMI-IOSCO Cyber Guidance [RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008], RegLegBrief AI Hallucination Research (May 28, 2026), https://reglegbrief.com/audiences/sectors/int/statutory_boards_agencies/technology_data/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-008/.
BibTeX
@misc{reglegbrief_RLB_F_INT_BIS_CPMI_IOSCO_CYBER_RESILIENCE_FMI_2016_Q008,
  author    = {RegLeg Specialist Panel},
  title     = {NIST Cybersecurity Framework citation in CPMI-IOSCO Cyber Guidance},
  year      = {2026},
  publisher = {RegLegBrief AI Hallucination Research},
  note      = {Hallucination finding Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008},
  url       = {https://reglegbrief.com/audiences/sectors/int/statutory_boards_agencies/technology_data/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-008/}
}