Practitioners — Lawyers · updated 2026-05-29 · methodology v2.3

AI on Guidance on Cyber Resilience for Financial Market Infrastructures (CPMI-IOSCO 2016) for Lawyers in international jurisdictions

Executive Summary

The CPMI-IOSCO 2016 Guidance on Cyber Resilience for Financial Market Infrastructures is the foundational international standard against which systemically important FMIs — central counterparties, payment systems, central securities depositories — benchmark their cyber risk frameworks and regulatory obligations. Lawyers advising FMIs or their regulators frequently turn to AI tools to answer precise questions about this guidance: what it requires, how its definitions align with later standards, what other frameworks it cites, and whether it remains operative.

Across seven questions put to AI assistants covering these exact topics, every single response contained a hallucination — the AI produced confident, detailed answers that overstated what the guidance contains, misattributed quotations or framework citations, misstated the relationship between this document and later standards, or — critically — asserted that the guidance is still current when CPMI-IOSCO had in fact published a consultative revision document for public comment in May 2026.

The errors are not marginal: they concern the document's explicit textual content, its relationship to FSB and NIST standards, and its current regulatory status — precisely the questions a Lawyer must answer correctly before advising a client.

How AI gets this regulation wrong

The failures on this regulation fall into two patterns that recur across multiple questions. Most frequently, AI assistants answered with unwarranted confidence — asserting explicit citations, precise definitional alignments, or specific textual content that the guidance either does not contain or that cannot be confirmed from the source document. In two cases the error was about currency: AI tools stated that the 2016 guidance remains the operative and unrevised international standard, a claim contradicted by a CPMI-IOSCO consultative revision published in May 2026.

AI's Failure Mode   | Count | Affected findings
Exposed Fabrication | 5     | Finding #1 · Finding #2 · Finding #3 · Finding #4 · Finding #5
Outdated            | 2     | Finding #6 · Finding #7

What that means for your practice

Because all seven findings in this cell are unclassified for risk impact under our current scoring taxonomy, the table below focuses on the finding-level exposure rather than a risk-category breakdown. For Lawyers in international jurisdictions, the risks are concentrated in two areas: advice built on fabricated or overstated textual content (leading to opinions that misrepresent what the guidance actually requires), and advice that treats a document under active revision as settled law (creating immediate exposure as the consultative process concludes and supersession becomes imminent).

Risk Impact    | Count | Affected findings
(unclassified) | 7     | Finding #1 · Finding #2 · Finding #3 · Finding #4 · Finding #5 · Finding #6 · Finding #7

When this affects Lawyers

Lawyers in international jurisdictions encounter the CPMI-IOSCO Cyber Resilience Guidance most often when advising FMIs on regulatory compliance programs, reviewing governance frameworks ahead of supervisory assessments, or preparing clients for cross-border regulatory dialogue where this guidance functions as the common reference standard. Because the guidance operates at the international level — influencing domestic frameworks across multiple jurisdictions simultaneously — a Lawyer practising cross-border FMI work may cite it in formal opinions, engagement letters, transaction due diligence reports, or regulatory submissions where precision about its exact text, its relationships to other standards, and its current status matters.

The AI errors on this regulation are particularly dangerous for Lawyers because they concern the document's textual foundation rather than its application. When AI tools assert that the guidance explicitly cites the NIST Cybersecurity Framework, or that its definition of "cyber resilience" is aligned with and drew upon the FSB Cyber Lexicon, they are making claims that a Lawyer might reasonably repeat in a memo or opinion — claims that, if wrong, expose the Lawyer to professional criticism if a counterparty or regulator checks the source.

Similarly, when AI tools characterise a section of the guidance as providing "detailed expectations" for incident response and recovery, a Lawyer relying on that characterisation to advise a client on compliance sufficiency may misstate the guidance's actual level of prescription.

The currency error (Findings 6 and 7) carries a distinct and immediate risk. A Lawyer who is told by an AI tool that the 2016 guidance "has not been formally revised or superseded", and who advises an FMI client on that basis about whether its cyber resilience framework needs updating, will give advice that is factually wrong as of May 2026. With a consultative document now published for public comment, the revision timetable is live and material: clients need to be preparing for change, not told that the existing standard is stable.

The findings at a glance

The table below summarises all seven findings from AI testing of this regulation, covering the question topic, the type of error, and its relevance to Lawyers in international jurisdictions.

# | Finding title                                | Type          | Citation ID
1 | Fabricated NIST framework citation           | Hallucination | FINDING-UID:INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-008--sonnet-46-websearch
2 | Misattributed 'secure the periphery' phrase  | Hallucination | FINDING-UID:INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-014--opus-47-websearch
3 | Overstated incident response detail          | Hallucination | FINDING-UID:INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-019--sonnet-46-websearch
4 | Fabricated FSB Lexicon alignment             | Hallucination | FINDING-UID:INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-020--opus-47-websearch
5 | Invented FSB Lexicon derivation claim        | Hallucination | FINDING-UID:INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-020--sonnet-46-websearch
6 | Outdated: guidance stated unrevised          | Hallucination | FINDING-UID:INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-022--opus-47-websearch
7 | Outdated: revision missed by AI              | Hallucination | FINDING-UID:INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-022--sonnet-46-websearch

Aggregate impact

The seven findings on this regulation cluster around two structural vulnerabilities in how AI assistants handle international regulatory guidance. Five of the seven errors involve AI tools converting uncertainty into assertion — taking questions where the honest answer is "the document does not confirm this" and producing instead a confident, detailed answer that reads as authoritative. This is particularly pronounced on questions about cross-standard relationships: whether the guidance explicitly cites the NIST CSF, whether its definitions of key terms align with the later FSB Cyber Lexicon, whether it provides detailed operational expectations for incident response.

On each, the AI produced a well-formed answer that overstated what the document contains or what can be confirmed from it.

Two findings expose a different but equally serious vulnerability: AI tools whose training data predates May 2026 assert that the 2016 guidance "has not been formally revised or superseded" — a statement that was accurate until very recently but is now factually wrong. The CPMI-IOSCO consultative revision published in May 2026 places the guidance squarely under active revision, with public comment now open. AI tools with older training data have no way of knowing this, and both tools tested on this question gave the same incorrect answer with equal confidence.

For Lawyers in international jurisdictions, the aggregate picture is one of a regulation where AI assistance is unreliable across the entire range of questions a practitioner would typically ask: textual content, definitional relationships to other standards, cross-document attributions, and current regulatory status. The pattern is not concentrated in one topic area — it is broad and consistent, suggesting that AI tools are working from an incomplete or imprecisely recalled version of this document while presenting their responses as well-grounded in the source.

What your team should do

The default position for Lawyers in international jurisdictions should be to treat AI-generated responses about the CPMI-IOSCO 2016 Cyber Resilience Guidance as a starting point for research, not a reliable endpoint. The breadth of errors across this regulation — covering textual content, definitional relationships, cross-framework citations, and current status — means that AI output should not be quoted, paraphrased into opinions, or relied upon in regulatory submissions without independent verification against the published BIS source text. The guidance is publicly available on the BIS website, and given its importance as an international benchmark, direct source-checking is the professional standard.

On questions of cross-standard alignment — how the 2016 guidance relates to the FSB Cyber Lexicon, whether it explicitly references NIST or other frameworks, how its incident response requirements compare with later FSB operational guidance — AI tools consistently overclaim rather than acknowledge uncertainty. When preparing advice that depends on these relationships, Lawyers should obtain and read the relevant comparison documents directly rather than relying on AI characterisations of how the frameworks interrelate.

On the question of current status, AI tools should not be used to determine whether the guidance is under revision or has been superseded: this requires checking the BIS and IOSCO websites directly for press releases and new publications. As of May 2026, a consultative revision is open for public comment, and any legal advice touching on compliance obligations under this standard should flag that the document is under active revision with change imminent. AI tools tested on this question both failed to capture this development, confirming that currency checks must always go directly to the regulator's source.

How RLB Can Help

RegLeg's published Hallucination Research is available as a free pre-flight check for lawyers working across international regulatory portfolios. Before relying on AI-assisted output for regulatory interpretation, compliance advice, or transaction risk assessment, lawyers can consult the research to identify where AI tools have demonstrably misstated the rules (wrong thresholds, invented obligations, outdated text presented as current) and calibrate their review accordingly. The research covers specific regulations by jurisdiction and surfaces the precise questions where AI tools have failed, making it a practical reference rather than a general caution.

For firms where multiple lawyers are working the same regulatory portfolio, RegLeg offers bespoke deep-dives into individual regulations. These engagements go beyond the published findings to examine the full pattern of AI failure modes relevant to a particular instrument — the question types, the failure mechanisms, and the risk implications for legal advice, transaction structuring, or regulatory engagement. The output is designed to be shared across a practice group and used as a durable reference, reducing duplicated due-diligence effort and creating a consistent internal standard for AI-assisted regulatory work.

RegLeg also develops training and CPD-aligned content for legal teams. This material translates the failure-mode catalogue into practical guidance on the classes of error lawyers should watch for — confabulated cross-references, version confusion between superseded and current instruments, jurisdiction bleed between superficially similar regimes, and inference-driven elaboration that overstates what a regulation actually requires. Separately, RegLeg offers a confidential review of a firm's existing AI-use policy against the failure-mode catalogue, identifying gaps between the policy's assumptions and the documented evidence of how AI tools perform on regulatory questions in practice.