This is the consolidated view of findings. Click the Citation IDs or 'see details →' on any item for the full details for each finding.
A Technology & Data team that asks AI tools whether the CPMI-IOSCO 2016 guidance aligns with the NIST Cybersecurity Framework may receive a confident answer asserting contemporaneous awareness of NIST — a claim that goes beyond what the source text supports. If that claim is embedded in a regulatory mapping document, a third-party risk policy, or a board risk paper, the firm faces the risk of a regulator or external auditor identifying the assertion as unsupported and questioning the rigour of the team's compliance analysis.
CPMI-level guidance is referenced by multiple national regulators, and a fabricated cross-reference claim in a submission or regulatory correspondence could invite formal scrutiny of the firm's compliance methodology.
A Technology & Data team scoping the firm's cyber incident response and recovery obligations against CPMI-IOSCO standards may ask AI tools whether the 2016 guidance provides detailed operational requirements or whether a later document is needed. AI tools tested on this question answered that the 2016 guidance itself provides detailed expectations — including specific recovery time objectives and secondary-site requirements — without acknowledging that the FSB's 2020 Effective Practices document is where that operational detail actually sits.
A gap analysis or remediation programme built on this AI answer will be scoped to the wrong document, potentially missing obligations that only appear in the 2020 FSB guidance, and producing a deliverable that mis-identifies where the firm stands against the correct standard. Rework costs and the risk of a delayed or deficient regulatory submission are the direct consequences.