Guidance on Cyber Resilience for Financial Market Infrastructures
Management & Risk Consulting × Operations — International / Multilateral · updated 2026-05-31 · methodology v2.3

AI on the Guidance on Cyber Resilience for Financial Market Infrastructures, for Operations teams at Management & Risk Consulting firms working across international jurisdictions

Executive Summary

For Operations teams at Management & Risk Consulting firms advising across international jurisdictions, the CPMI-IOSCO Guidance on Cyber Resilience for Financial Market Infrastructures (2016) is a foundational reference point: it sets out the principles and expectations that FMIs, including clearing houses, payment systems and central securities depositories, should meet on cyber governance, identification, protection, detection, and response and recovery. Across the eight findings recorded on this regulation (drawn from five distinct questions put to AI assistants), every AI response examined contained a hallucination.

The dominant failure pattern was confident misstatement: AI tools presented unverifiable cross-framework alignments as established fact, misattributed regulatory phrases to the wrong documents, overstated the operational detail the 2016 guidance provides, and, critically, presented the 2016 guidance as the settled and unrevised international standard without disclosing that, as of May 2026, CPMI-IOSCO has published a consultative document placing the guidance under active review. The 2016 text remains the operative guidance until a revision is finalised, but an open consultation is material to any advice a client will act on over the coming months. For an Operations function that relies on AI to brief client-facing teams, scope engagements, or map regulatory frameworks, this pattern of error carries direct commercial and reputational risk.

How AI gets this regulation wrong

The failures AI assistants produced on this regulation fall into two distinct patterns. The more pervasive involves AI presenting invented or unverifiable connections between the 2016 guidance and external frameworks — asserting explicit citations that do not exist, fabricating definitional alignments, and misattributing regulatory phrases to the wrong documents, all with apparent confidence. A smaller but operationally significant group of failures involved AI presenting the 2016 guidance as the current, unrevised international standard without acknowledging a CPMI-IOSCO consultative revision published in May 2026.

AI's failure mode | Count | Affected findings
Exposed fabrication | 6 | Finding #1 · Finding #2 · Finding #3 · Finding #4 · Finding #5 · Finding #6
Outdated | 2 | Finding #7 · Finding #8

What that means for your team

Every error identified in this cell (Management & Risk Consulting × Operations) carries the same operational consequence: a wrong deliverable, whether a briefing note, a regulatory mapping, a framework comparison, or a client-facing analysis that is factually incorrect. For an Operations function at a Management & Risk Consulting firm, delivering flawed regulatory intelligence is not an abstract risk; it undermines client trust, exposes the firm to professional liability, and may cause clients to make materially incorrect compliance decisions.

Risk impact | Count | Affected findings
Wrong deliverable | 8 | Finding #1 · Finding #2 · Finding #3 · Finding #4 · Finding #5 · Finding #6 · Finding #7 · Finding #8

When this affects your department

Operations teams at Management & Risk Consulting firms regularly encounter the CPMI-IOSCO Cyber Resilience Guidance when supporting clients that are financial market infrastructures — or clients that connect to, depend on, or provide services to FMIs. Typical touchpoints include scoping cyber resilience gap assessments, drafting regulatory mapping materials that align a client's existing controls framework against CPMI-IOSCO expectations, preparing briefing packs for new clients entering the FMI space, and responding to client questions about how international standards compare to domestic cyber requirements.

In each of these situations, the Operations function may turn to AI assistants to accelerate research, generate first-draft content, or verify their understanding of the regulation before circulating material internally or to clients.

The commercial stakes are significant. Consulting engagements built on inaccurate regulatory analysis expose the firm to professional indemnity claims if the client acts on flawed advice. Cross-framework mapping documents that incorrectly state the 2016 guidance explicitly references or is formally aligned with NIST CSF or the FSB Cyber Lexicon will mislead clients undertaking multi-framework compliance programmes — potentially causing them to over-count their coverage or to miss gaps that a correct mapping would have flagged.

Similarly, a briefing that presents the 2016 guidance as the settled, unrevised international standard — without noting the active CPMI-IOSCO consultation process underway since May 2026 — could lead a client to make resourcing or programme-design decisions that will need immediate revision once the updated guidance is finalised.

The professional and reputational exposure is compounded by the international scope of the work. Management & Risk Consulting firms advising FMIs or FMI participants across multiple jurisdictions are expected to track the regulatory landscape accurately. An error on a cross-cutting international standard issued jointly by CPMI and IOSCO (and published on the BIS website) is not easily explained away as a "local rule misread"; it reflects directly on the quality of the firm's regulatory intelligence capability.

The findings at a glance

The table below lists each of the eight findings identified on this regulation: the finding title, the AI failure type, and the citation ID of the question that produced it. Findings that share a citation ID arose from the same question.

# | Finding title | Type | Citation ID
1 | NIST CSF alignment — unverifiable claim presented as fact | Hallucination | RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008
2 | Explicit NIST CSF citation — invented cross-reference | Hallucination | RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008
3 | Regulatory phrase origin — wrong document cited | Hallucination | RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q014
4 | Incident response detail — overclaimed guidance scope | Hallucination | RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019
5 | FSB Cyber Lexicon consistency — uncertain relationship stated as confirmed | Hallucination | RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q020
6 | FSB Cyber Lexicon derivation — fabricated explicit cross-reference | Hallucination | RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q020
7 | Regulatory currency — active revision not disclosed | Hallucination | RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022
8 | Regulatory status — May 2026 consultation missed | Hallucination | RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022

Aggregate impact

The errors in this cell cluster around two specific analytical tasks that Operations teams at Management & Risk Consulting firms carry out most frequently: cross-framework mapping and regulatory currency checks. Six of the eight findings involve AI confidently asserting relationships between the 2016 CPMI-IOSCO guidance and other frameworks — NIST CSF, the FSB Cyber Lexicon, and a separate CPMI payments fraud publication — that either cannot be confirmed from the source text or are demonstrably incorrect. Two findings involve AI presenting the 2016 guidance as current and unrevised when it is under active consultative revision as of May 2026.

Both clusters are individually high-impact; combined, they mean an Operations team using AI to research this regulation could simultaneously produce a flawed framework map and an out-of-date status assessment.

The cross-framework misstatements follow a consistent pattern: AI assistants take structural similarities between the 2016 guidance's five categories and the five NIST CSF functions (Identify, Protect, Detect, Respond, Recover in CSF 1.1; CSF 2.0 added Govern as a sixth), a genuine observation, and convert that similarity into a claimed explicit citation or formal alignment. On the FSB Cyber Lexicon question, multiple AI tools went further, asserting not only that the 2016 guidance and the 2018 Lexicon are "broadly consistent" but that the FSB explicitly drew on the CPMI-IOSCO definition when drafting the Lexicon, a specific derivation claim that cannot be verified from either document and that the AI invented.

These are not minor nuance errors; they are the difference between "these documents share conceptual territory" and "these documents formally cross-reference each other," which matters greatly in a client regulatory mapping exercise.

For a consulting firm, the systemic risk is that multiple work-products produced in parallel — different client engagements, different practice areas — could all carry the same underlying errors if AI-generated research is not independently verified. The currency error on regulatory status (findings 7 and 8) is particularly acute: a firm that tells a client the 2016 guidance is the settled operative standard, while a consultative revision is already open for comment, will need to revise that advice within months — and the client will reasonably ask why the firm did not know.

What your team should do

The default position for an Operations team on this regulation is straightforward: do not rely on AI-generated output for cross-framework mapping claims or regulatory status assessments without independent verification against the primary source documents. The errors identified here are not edge cases — they affected every question tested, and several recur across multiple AI tools, indicating these are systematic failure modes rather than one-off mistakes.

Any analysis that attributes an explicit citation, formal alignment, or derivation relationship between the 2016 CPMI-IOSCO guidance and another framework must be checked against the actual text of that guidance before it is included in client work-product.

For regulatory currency checks — questions about whether a piece of international guidance is still operative, under revision, or superseded — AI assistants should be treated as a starting point only. The CPMI-IOSCO consultation published in May 2026 is a concrete example of a development that multiple AI tools missed entirely: the BIS press release is publicly accessible, but AI tools without current retrieval capability presented the 2016 guidance as unrevised with apparent confidence.

The Operations team's workflow for any engagement touching this regulation should include a direct check of the BIS website (https://www.bis.org) for current publications and press releases, particularly before finalising any document that characterises the regulatory landscape.

AI tools are useful on this regulation for lower-stakes tasks where accuracy can be verified quickly: summarising the general structure of the guidance's five categories, generating a first-draft outline of a gap assessment framework, or drafting client communication templates that will be reviewed before issue. The structural content of the guidance (what the five categories are, what an FMI is, the general thrust of the resilience expectations) has been stable since 2016 and is well represented in AI training data, although if the current consultation changes that structure, even these summaries will need to be re-checked and dated. The risk sits at the edges: inter-framework relationships, definitional precision, and current regulatory status. On those questions, independent verification is not optional.

How RLB Can Help

RegLeg's published Hallucination Research gives Operations teams at Management & Risk Consulting firms a practical pre-flight check before acting on AI-assisted regulatory analysis. Each research entry documents a confirmed failure mode against a specific regulation — the type, the mechanism, and the context in which it arose. Before an engagement team relies on AI output to support a client deliverable, operations staff can cross-reference the relevant regulation in RegLeg's catalogue to understand which questions the AI has demonstrably answered incorrectly and where its reasoning has drifted from the authoritative source.

Beyond the published research, RegLeg also conducts bespoke regulator deep-dives scoped to a firm's specific operational footprint. These engagements map AI-supported workflows, from regulatory horizon-scanning and compliance gap analysis to client briefing and risk reporting, against RegLeg's failure-mode catalogue, identifying which steps carry the highest hallucination exposure and where human review should be concentrated. The output is a ranked risk register the Operations function can use to set internal protocols and brief engagement leads before work begins.

For firms that already have an AI-use policy in place, RegLeg offers a confidential review against its full failure-mode catalogue, with prioritised remediation recommendations. We also provide training material and CPD-aligned content the Operations team can use internally — covering how AI assistants fail on regulatory questions, what the observable patterns look like, and how to build review habits that catch errors before they reach client outputs.