How does the CPMI-IOSCO 2016 Cyber Guidance define 'cyber resilience', and how does this compare to the definition in the 2018 FSB Cyber Lexicon?
The model framed its comparison as if the two documents were designed to be read together, producing a nuanced and superficially reasonable alignment analysis. It did not flag that the FSB Lexicon postdates the 2016 guidance by two years and therefore could not have been an input to it. By treating the temporal gap as irrelevant, the model produced a comparison that implies a coordinated definitional relationship that may not exist. - Regulator portal (if any cited link is dud): https://www.bis.org
This finding points to a gap in how the model handles comparative questions spanning documents with a known temporal gap. The model's training data likely contains substantial commentary treating the 2016 guidance and 2018 FSB Cyber Lexicon as a coherent regulatory pair, which may have caused the model to elide the two-year gap. Post-training reward signals for regulatory comparison tasks should penalise responses that imply contemporaneous co-development between documents with materially different publication dates.
How does the CPMI-IOSCO 2016 Cyber Guidance define 'cyber resilience', and is that definition aligned with the 2018 FSB Cyber Lexicon?
The model not only compared the two definitions but asserted a specific causal relationship — that the FSB Lexicon explicitly drew on the CPMI-IOSCO definition — for which no basis was found. This converts a plausible inference (that a 2018 lexicon would be informed by a prominent 2016 document from the same regulatory community) into a stated fact. The model also presented the 2016 definition in confident detail without flagging that the Lexicon postdates it and the relationship between the two definitions remains unconfirmed. - Regulator portal (if any cited link is dud): https://www.bis.org
This finding reveals that the model not only collapsed a temporal gap but asserted a specific causal relationship (that the FSB Lexicon drew on the CPMI-IOSCO definition) for which no evidential basis was found. This is a more advanced failure than simple conflation: the model constructed a plausible-sounding provenance claim that goes beyond what the documents support. This class of error — inferred causation stated as documented fact — is particularly hazardous in legal and compliance contexts and is likely to evade generic hallucination red-teaming that focuses on factual accuracy rather than provenance accuracy.
A Risk team using AI to build or review its cyber resilience policy framework may ask how the guidance's core definitions align with the FSB Cyber Lexicon, expecting the answer to settle whether the firm's terminology matches current international standards. When the AI asserts that the two documents are aligned and broadly consistent — without flagging that this alignment has not been formally confirmed — the team is likely to embed that assumption in its deliverable without further verification.
If a regulatory review or external audit later surfaces a definitional inconsistency, the firm faces remediation of policy documents and potentially an explanation to its supervisor of how an unverified alignment claim entered its compliance framework. The exposure is highest in jurisdictions where supervisors explicitly cross-reference both the CPMI-IOSCO guidance and the FSB Cyber Lexicon as parallel expectations.
Each finding has a stable Citation ID (RLB-F-… for aggregated case-study findings, RLB-H-… for raw per-model hallucinations) — like a DOI, the ID always resolves to the canonical finding even if URLs change.
RegLeg Specialist Panel (2026). "Finding#1 — Cyber resilience definition alignment with FSB Lexicon — Payment Institutions × Risk — International / Multilateral." Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q020. RegLegBrief AI Hallucination Research, published 2026-06-04. https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-iosco-cyber-resilience-fmi-2016/sectors/payment_institutions/risk/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-020/
RegLeg Specialist Panel. (2026). Finding#1 — Cyber resilience definition alignment with FSB Lexicon [Hallucination finding RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q020]. RegLegBrief AI Hallucination Research. https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-iosco-cyber-resilience-fmi-2016/sectors/payment_institutions/risk/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-020/
RegLeg Specialist Panel, Finding#1 — Cyber resilience definition alignment with FSB Lexicon [RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q020], RegLegBrief AI Hallucination Research (June 04, 2026), https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-iosco-cyber-resilience-fmi-2016/sectors/payment_institutions/risk/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-020/.
@misc{reglegbrief_RLB_F_INT_BIS_CPMI_IOSCO_CYBER_RESILIENCE_FMI_2016_Q020,
author = {RegLeg Specialist Panel},
title = {Finding#1 — Cyber resilience definition alignment with FSB Lexicon},
year = {2026},
publisher = {RegLegBrief AI Hallucination Research},
note = {Hallucination finding Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q020},
url = {https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-iosco-cyber-resilience-fmi-2016/sectors/payment_institutions/risk/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-020/}
}