AI Hallucination ResearchAudiencesSectorsInternational / MultilateralLaw FirmsLegalDetail › Finding
Law Firms × Legal — International / Multilateral · updated 2026-06-03
Share / Print Twitter LinkedIn Email

Finding#1 — Misattribution of CPMI cyber strategy phrase to wrong document

RLB Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q014
AI's failure:Exposed Fabrication Risk for Law Firms × Legal:Wrong deliverable
What the RLB Specialist Panel found
Question (paraphrased to protect IP)

Does the CPMI-IOSCO 2016 Cyber Guidance contain the phrase 'secure the periphery, protect the core', and if not, where does it originate?

RLB's analysis

The model correctly identified that the phrase does not appear in the 2016 guidance and correctly pointed toward the 2018 CPMI endpoint-security work — but it attributed the phrase to a 2018 strategy document rather than the 2018 speech from which it actually originates. The model appears to have conflated two distinct 2018 CPMI outputs that share thematic content, substituting the closer-in-kind strategy document for the correct speech source. - Regulator portal (if any cited link is dud): https://www.bis.org

AI Head's analysis — what weakness in the AI model caused this

This finding implicates the model's source-attribution logic at the intra-ecosystem level: when the correct source and the asserted source are thematically adjacent outputs from the same organisation in the same year, the model's retrieval or generation step does not reliably distinguish between them. For labs with RAG or web-search integrations, this suggests the citation grounding layer needs finer-grained document-level anchoring, not just organisation- or topic-level matching — two 2018 CPMI outputs on related subjects should not be interchangeable in a citation.

Impact for Legal Teams in Law Firms Sector in international jurisdictions working with the Guidance on Cyber Resilience for Financial Market Infrastructures

When a legal team at a law firm asks AI tools whether the phrase 'secure the periphery, protect the core' appears in the CPMI-IOSCO 2016 Cyber Resilience Guidance, the AI we tested attributed it to a different 2018 CPMI publication on wholesale payments fraud and endpoint security — a separate document with different scope and authorship. If this answer is taken at face value, the firm may draft legal advice, a client memo, or a regulatory mapping document that cites the wrong CPMI text as the source of a specific strategic principle.

For an FMI client relying on that advice to structure a regulatory submission or a board-level cyber governance paper, the downstream consequence is a document that will not survive scrutiny by a regulator familiar with the primary CPMI literature. The firm faces reputational exposure and the cost of revising and reissuing affected work product, with potential professional liability implications if the advice has already been acted upon.

References — raw findings (per AI model)
This finding also affects
Cite this finding

Each finding has a stable Citation ID (RLB-F-… for aggregated case-study findings, RLB-H-… for raw per-model hallucinations) — like a DOI, the ID always resolves to the canonical finding even if URLs change.

RLB Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q014
Plain text Download 
RegLeg Specialist Panel (2026). "Finding#1 — Misattribution of CPMI cyber strategy phrase to wrong document — Law Firms × Legal — International / Multilateral." Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q014. RegLegBrief AI Hallucination Research, published 2026-06-03. https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-iosco-cyber-resilience-fmi-2016/sectors/law_firms/legal/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-014/
APA 7th edition Download 
RegLeg Specialist Panel. (2026). Finding#1 — Misattribution of CPMI cyber strategy phrase to wrong document [Hallucination finding RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q014]. RegLegBrief AI Hallucination Research. https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-iosco-cyber-resilience-fmi-2016/sectors/law_firms/legal/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-014/
Bluebook / OSCOLA (US + UK legal) Download 
RegLeg Specialist Panel, Finding#1 — Misattribution of CPMI cyber strategy phrase to wrong document [RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q014], RegLegBrief AI Hallucination Research (June 03, 2026), https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-iosco-cyber-resilience-fmi-2016/sectors/law_firms/legal/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-014/.
BibTeX Download 
@misc{reglegbrief_RLB_F_INT_BIS_CPMI_IOSCO_CYBER_RESILIENCE_FMI_2016_Q014,
  author    = {RegLeg Specialist Panel},
  title     = {Finding#1 — Misattribution of CPMI cyber strategy phrase to wrong document},
  year      = {2026},
  publisher = {RegLegBrief AI Hallucination Research},
  note      = {Hallucination finding Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q014},
  url       = {https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-iosco-cyber-resilience-fmi-2016/sectors/law_firms/legal/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-014/}
}
← Back to case study summary Case study detail →
About Citation IDs →