Does the CPMI-IOSCO 2016 Cyber Guidance contain the phrase 'secure the periphery, protect the core', and if not, where does it originate?
The model correctly identified that the phrase does not appear in the 2016 guidance and correctly pointed toward the 2018 CPMI endpoint-security work — but it attributed the phrase to a 2018 strategy document rather than the 2018 speech from which it actually originates. The model appears to have conflated two distinct 2018 CPMI outputs that share thematic content, substituting the closer-in-kind strategy document for the correct speech source. - Regulator portal (if any cited link is dud): https://www.bis.org
This finding implicates the model's source-attribution logic at the intra-ecosystem level: when the correct source and the asserted source are thematically adjacent outputs from the same organisation in the same year, the model's retrieval or generation step does not reliably distinguish between them. For labs with RAG or web-search integrations, this suggests the citation grounding layer needs finer-grained document-level anchoring, not just organisation- or topic-level matching — two 2018 CPMI outputs on related subjects should not be interchangeable in a citation.
A Compliance team using AI to trace the provenance of regulatory phrases for briefing notes, training materials, or right-of-reply submissions will obtain a confident but incorrect attribution. The AI attributed the phrase to a different 2018 CPMI publication on wholesale payments fraud and endpoint security, rather than the correct source, a 2018 BIS speech by Benoît Cœuré. If that misattribution appears in a client-facing or regulator-facing document, the firm's credibility on regulatory detail is at risk.
More practically, a training programme or internal briefing built around an incorrect source attribution will mislead staff about the guidance's scope and strategic intent, generating rework costs when the error is identified.
Each finding has a stable Citation ID (RLB-F-… for aggregated case-study findings, RLB-H-… for raw per-model hallucinations) — like a DOI, the ID always resolves to the canonical finding even if URLs change.
RegLeg Specialist Panel (2026). "Finding#2 — Phrase origin — wrong 2018 source document — Payment Institutions × Compliance — International / Multilateral." Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q014. RegLegBrief AI Hallucination Research, published 2026-06-04. https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-iosco-cyber-resilience-fmi-2016/sectors/payment_institutions/compliance/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-014/
RegLeg Specialist Panel. (2026). Finding#2 — Phrase origin — wrong 2018 source document [Hallucination finding RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q014]. RegLegBrief AI Hallucination Research. https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-iosco-cyber-resilience-fmi-2016/sectors/payment_institutions/compliance/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-014/
RegLeg Specialist Panel, Finding#2 — Phrase origin — wrong 2018 source document [RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q014], RegLegBrief AI Hallucination Research (June 04, 2026), https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-iosco-cyber-resilience-fmi-2016/sectors/payment_institutions/compliance/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-014/.
@misc{reglegbrief_RLB_F_INT_BIS_CPMI_IOSCO_CYBER_RESILIENCE_FMI_2016_Q014,
author = {RegLeg Specialist Panel},
title = {Finding#2 — Phrase origin — wrong 2018 source document},
year = {2026},
publisher = {RegLegBrief AI Hallucination Research},
note = {Hallucination finding Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q014},
url = {https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-iosco-cyber-resilience-fmi-2016/sectors/payment_institutions/compliance/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-014/}
}