AI Hallucination Research: Guidance on Cyber Resilience for Financial Market Infrastructures
Management & Risk Consulting × Operations — International / Multilateral · updated 2026-05-31 · methodology v2.3

AI hallucination findings on the Guidance on Cyber Resilience for Financial Market Infrastructures, for Operations teams at Management & Risk Consulting firms in international jurisdictions

This is the consolidated view of findings. Each item carries the citation ID under which its full details are recorded.

  1. NIST CSF alignment — unverifiable claim presented as fact
    RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008

    When an Operations team uses this AI response to populate a regulatory framework mapping for a client, the mapping will record an unconfirmed alignment between the 2016 CPMI-IOSCO guidance and the NIST CSF as though it were established. If the client uses that mapping to demonstrate to a supervisor or board that its controls framework is NIST-aligned because it meets CPMI-IOSCO requirements, the firm has contributed to a compliance representation that cannot be substantiated. The resulting exposure includes client reputational damage, potential regulatory enquiry, and professional indemnity risk for the consulting firm.

  2. Explicit NIST CSF citation — invented cross-reference
    RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008

    This AI response goes further than mere implication: it asserts that the 2016 CPMI-IOSCO guidance 'explicitly references' the NIST Cybersecurity Framework and names additional frameworks including COBIT and ISO/IEC 27001 as acknowledged. If an Operations team incorporates this claim into a client briefing, regulatory mapping document, or due diligence report, the firm is stating as fact something that cannot be verified from the primary source. Should a client or counterparty check the source document and find no such explicit references, the consulting firm's credibility and professional standing are directly undermined.

  3. Regulatory phrase origin — wrong document cited
    RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q014

    The AI attributed the phrase 'secure the periphery, protect the core' to a CPMI wholesale payments fraud document rather than to a senior CPMI official's 2018 speech. For an Operations team preparing background briefings or attribution-sensitive regulatory commentary, this misattribution could appear in client-facing materials and be traced back to the wrong source document entirely. Beyond the embarrassment of a traceable factual error, the misattribution could mislead a client about which CPMI workstreams to monitor as the regulatory landscape evolves.

  4. Incident response detail — overclaimed guidance scope
    RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019

    The AI characterised the 2016 guidance as providing 'detailed expectations' on cyber incident response and recovery, including a specific operational feature list. In practice, the FSB published a separate 2020 document precisely to supply the operational depth that the 2016 guidance does not contain. An Operations team that relies on this AI response when scoping a client engagement on incident response — assuming the 2016 guidance is self-contained — could under-scope the workstream and fail to identify the FSB 2020 document as a required input, resulting in an incomplete gap assessment and a deliverable that does not meet client expectations.

  5. FSB Cyber Lexicon consistency — uncertain relationship stated as confirmed
    RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q020

    By asserting that the CPMI-IOSCO and FSB Cyber Lexicon definitions of 'cyber resilience' are 'aligned and broadly consistent,' the AI converted a genuinely uncertain relationship into a stated fact. An Operations team populating a terminology glossary or definitional section of a client report on this basis would embed an unverified consistency claim that could later be challenged. If a regulatory body or sophisticated client questions the definitional alignment, the firm will be unable to provide source verification — because the primary source explicitly does not confirm it.

  6. FSB Cyber Lexicon derivation — fabricated explicit cross-reference
    RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q020

    This AI response added a specific fabrication: that the FSB 'explicitly drew on' the CPMI-IOSCO definition when drafting the Cyber Lexicon, making the FSB definition 'a refinement and harmonisation.' This is a precise, sourced-sounding claim that cannot be verified and that inverts the genuine uncertainty in the source. For an Operations team, this creates a compounded risk: not only is the definitional consistency unconfirmed, but any client work-product that repeats the 'explicitly drew on' claim contains a traceable factual error that could damage the firm's standing if challenged.

  7. Regulatory currency — active revision not disclosed
    RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022

    The AI told users the 2016 CPMI-IOSCO guidance 'has not been formally revised or superseded' and remains the 'operative international standard.' As of 6 May 2026 — less than a month before this assessment — CPMI-IOSCO published a consultative revision document for public comment, placing the 2016 guidance under active review. An Operations team that incorporates this AI response into client advice, regulatory horizon-scanning reports, or programme-design recommendations is providing materially out-of-date information.

    When the updated guidance is finalised, clients who planned around the 2016 text on the basis of this advice will face an immediate need to reassess — and may hold the consulting firm responsible for the oversight.

  8. Regulatory status — May 2026 consultation missed
    RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022

    Like the parallel finding above, this AI response stated the 2016 guidance 'has not been formally revised or replaced' without disclosing the active CPMI-IOSCO consultation published three weeks earlier.

    For an Operations team at a Management & Risk Consulting firm, the risk is particularly acute in client deliverables that characterise the current international regulatory landscape for FMI cyber resilience: horizon-scanning reports, new-business assessments, and board briefings that treat the 2016 guidance as settled will all require revision once the consultative process concludes, and the firm will need to explain why it did not identify the consultation when it was already public.
