This is the consolidated view of findings.
When an Operations team asks AI tools whether the CPMI-IOSCO 2016 Cyber Resilience Guidance was developed in awareness of NIST CSF, AI assistants we tested answered affirmatively — stating the guidance was developed in awareness of NIST CSF alongside ISO/IEC 27000 and COBIT — when the actual regulatory source characterises the relationship as structurally similar but potentially independently derived. A compliance mapping exercise built on this answer may treat NIST CSF alignment as implicitly endorsed by the regulator, creating a gap that only surfaces during an examination.
For a Cybersecurity firm advising clients on regulatory alignment, delivering a mapping document that mischaracterises a framework cross-reference is a professional-liability risk, and correcting it once it has been shared or incorporated into policy requires a full sweep of downstream documents.
When an Operations team asks AI tools whether the 2016 guidance formally cites the NIST Cybersecurity Framework, AI assistants we tested answered 'Yes' and named additional frameworks — COBIT and ISO/IEC 27001 — as also explicitly acknowledged, when no verbatim NIST citation in the 2016 text can be confirmed. An Operations team that relies on this answer to close a compliance mapping gap is building on a fabricated foundation: if the explicit citation does not exist, any regulatory submission or client-facing deliverable that asserts it does is factually wrong.
The CPMI-IOSCO guidance is issued at the J1 (international) level, meaning this error is not jurisdiction-specific — it affects every client engagement or internal policy that references the 2016 guidance across any of the firm's markets.
When an Operations team asks AI tools whether the CPMI-IOSCO 2016 guidance provides detailed operational expectations for cyber incident response and recovery, AI assistants we tested answered 'Yes' and listed specific requirements — recovery time objectives, secondary-site requirements, communication protocols — characterising the 2016 document as prescriptive on this topic. The regulatory record indicates the FSB published 'Effective Practices for Cyber Incident Response and Recovery' in October 2020 specifically to provide the operational detail that goes beyond what the 2016 guidance specifies, implying the 2016 text is comparatively high-level in this area.
An Operations team that stops its research at the 2016 guidance, believing it to be sufficient, will miss a materially relevant document — and an incident response plan or client deliverable produced without reference to the FSB 2020 guidance may be inadequate by current regulatory standards.