How does the CPMI-IOSCO 2016 Cyber Guidance define 'cyber resilience', and how does this compare to the definition in the 2018 FSB Cyber Lexicon?
The model framed its comparison as if the two documents were designed to be read together, producing a nuanced and superficially reasonable alignment analysis. It did not flag that the FSB Lexicon postdates the 2016 guidance by two years and therefore could not have been an input to it. By treating the temporal gap as irrelevant, the model produced a comparison that implies a coordinated definitional relationship that may not exist. - Regulator portal (if any cited link is dud): https://www.bis.org
This finding points to a gap in how the model handles comparative questions spanning documents with a known temporal gap. The model's training data likely contains substantial commentary treating the 2016 guidance and 2018 FSB Cyber Lexicon as a coherent regulatory pair, which may have caused the model to elide the two-year gap. Post-training reward signals for regulatory comparison tasks should penalise responses that imply contemporaneous co-development between documents with materially different publication dates.
How does the CPMI-IOSCO 2016 Cyber Guidance define 'cyber resilience', and is that definition aligned with the 2018 FSB Cyber Lexicon?
The model not only compared the two definitions but asserted a specific causal relationship — that the FSB Lexicon explicitly drew on the CPMI-IOSCO definition — for which no basis was found. This converts a plausible inference (that a 2018 lexicon would be informed by a prominent 2016 document from the same regulatory community) into a stated fact. The model also presented the 2016 definition in confident detail without flagging that the Lexicon postdates it and the relationship between the two definitions remains unconfirmed. - Regulator portal (if any cited link is dud): https://www.bis.org
This finding reveals that the model not only collapsed a temporal gap but asserted a specific causal relationship (that the FSB Lexicon drew on the CPMI-IOSCO definition) for which no evidential basis was found. This is a more advanced failure than simple conflation: the model constructed a plausible-sounding provenance claim that goes beyond what the documents support. This class of error — inferred causation stated as documented fact — is particularly hazardous in legal and compliance contexts and is likely to evade generic hallucination red-teaming that focuses on factual accuracy rather than provenance accuracy.
A Compliance team that accepts AI's assertion that the 2016 Guidance and the FSB Cyber Lexicon definitions are broadly aligned may use that claim to justify not conducting a formal reconciliation between the two documents in a controls framework or gap analysis. In practice, the two documents were produced two years apart and whether their definitions were designed to correspond is uncertain.
If a regulator asks the firm to map its programme to both standards and the definitions diverge materially, the firm's inability to demonstrate that it conducted the reconciliation — relying instead on an unverified AI claim — represents a gap in its compliance process. The risk is especially acute for Payment Institutions firms seeking to demonstrate regulatory equivalence across multiple international frameworks.
Each finding has a stable Citation ID (RLB-F-… for aggregated case-study findings, RLB-H-… for raw per-model hallucinations) — like a DOI, the ID always resolves to the canonical finding even if URLs change.
RegLeg Specialist Panel (2026). "Finding#4 — FSB Cyber Lexicon alignment — uncertain presented as confirmed — Payment Institutions × Compliance — International / Multilateral." Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q020. RegLegBrief AI Hallucination Research, published 2026-06-04. https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-iosco-cyber-resilience-fmi-2016/sectors/payment_institutions/compliance/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-020/
RegLeg Specialist Panel. (2026). Finding#4 — FSB Cyber Lexicon alignment — uncertain presented as confirmed [Hallucination finding RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q020]. RegLegBrief AI Hallucination Research. https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-iosco-cyber-resilience-fmi-2016/sectors/payment_institutions/compliance/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-020/
RegLeg Specialist Panel, Finding#4 — FSB Cyber Lexicon alignment — uncertain presented as confirmed [RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q020], RegLegBrief AI Hallucination Research (June 04, 2026), https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-iosco-cyber-resilience-fmi-2016/sectors/payment_institutions/compliance/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-020/.
@misc{reglegbrief_RLB_F_INT_BIS_CPMI_IOSCO_CYBER_RESILIENCE_FMI_2016_Q020,
author = {RegLeg Specialist Panel},
title = {Finding#4 — FSB Cyber Lexicon alignment — uncertain presented as confirmed},
year = {2026},
publisher = {RegLegBrief AI Hallucination Research},
note = {Hallucination finding Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q020},
url = {https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-iosco-cyber-resilience-fmi-2016/sectors/payment_institutions/compliance/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-020/}
}