Executive Summary
For Compliance teams at Statutory Boards & Agencies firms operating in international jurisdictions, the CPMI-IOSCO Guidance on Cyber Resilience for Financial Market Infrastructures (2016) is a foundational international standard that shapes how firms assess, document, and report their cyber resilience posture to regulators and counterparties. Across four test results, aggregated into the two findings reported here, AI assistants failed on every question tested against this regulation.
The failures split into two distinct patterns. In the first, AI tools invented confident but unsupported claims about how the 2016 guidance relates to later international definitions, then backtracked when challenged. In the second, AI tools presented the 2016 guidance as the current operative standard without disclosing that CPMI-IOSCO had published a consultative revision document in May 2026 placing the guidance under active review.
No finding in this cell represents a minor nuance; each involves a core compliance question — definitional alignment and currency of the standard — where an incorrect AI answer, if acted upon, would produce flawed work product or regulatory risk for the firm.
How AI gets this regulation wrong
AI assistants queried on this regulation made two kinds of errors: they stated invented claims as established fact and retracted them only under direct challenge, and they treated the 2016 guidance as currently operative without detecting that a public consultation on revised guidance had recently been announced. Both failure types are silent — the AI does not flag uncertainty unless pressed — which is precisely when Compliance teams are most at risk of carrying a wrong answer forward into deliverables.
| AI's Failure Mode | Count | Affected findings |
|---|---|---|
| Exposed Fabrication | 1 | Finding#1 |
| Outdated | 1 | Finding#2 |
What that means for your team
The risk exposures in this cell divide between producing a wrong deliverable — where flawed definitional analysis is embedded in policies, gap assessments, or regulatory submissions — and regulatory enforcement risk, where compliance programmes are calibrated to a standard that is no longer current. For a Statutory Boards & Agencies firm with direct obligations under international FMI standards, either category can translate into enforcement action, remediation costs, or reputational damage with the regulators whose assessments the guidance informs.
| Risk Impact | Count | Affected findings |
|---|---|---|
| Regulatory enforcement | 1 | Finding#2 |
| Wrong deliverable | 1 | Finding#1 |
When this affects your department
Compliance teams at Statutory Boards & Agencies firms in international jurisdictions routinely turn to the CPMI-IOSCO Cyber Resilience Guidance when drafting or updating internal cyber resilience policies, preparing regulatory submissions, or benchmarking the firm's controls against recognised international standards. The guidance is also a reference point when mapping obligations across overlapping frameworks — for example, assessing whether the firm's cyber resilience framework satisfies both the CPMI-IOSCO standard and national or regional requirements that expressly incorporate it.
In each of these workflows, teams may ask AI assistants to explain key definitions, compare the guidance to related frameworks, or confirm whether the document remains the operative standard.
If the AI's answer is wrong in any of these contexts, the consequences are material. An incorrect claim about how the 2016 guidance defines "cyber resilience" — or how that definition compares to the FSB Cyber Lexicon — can produce a flawed gap analysis, an inaccurate regulatory submission, or training materials that embed a false account of the firm's obligations. CPMI-IOSCO guidance is taken seriously by national regulators that supervise systemically important FMIs; a Compliance function that relies on a fabricated interpretation of it has less protection against adverse supervisory findings.
The currency risk is equally acute. A Compliance team that is unaware the 2016 guidance is under active revision may continue building programmes, investment cases, or external communications around a document that is about to change. Regulatory examiners expect Compliance functions to track the status of the standards they implement; discovering through an examination that the firm's cyber resilience framework was designed without awareness of a publicly announced consultation would itself be a supervisory concern, independent of whether the final revised guidance ultimately differs materially from the 2016 version.
The findings at a glance
The table below summarises each finding: the question asked, what AI assistants said, what the source material actually shows, and the failure type involved.
| # | Finding title | Type | Citation ID |
|---|---|---|---|
| 1 | Fabricated alignment between 2016 guidance and FSB Cyber Lexicon | Exposed Fabrication | RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q020 |
| 2 | Outdated status claim: 2016 guidance presented as unrevised | Outdated | RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022 |
Aggregate impact
The four test results cluster on two specific questions within the regulation: the relationship between the 2016 guidance's key definitions and those of the FSB Cyber Lexicon, and whether the 2016 guidance remains the operative international standard. These are not peripheral compliance questions; both sit at the heart of how a Compliance team uses this regulation in practice. The concentration of errors on exactly these questions suggests that AI assistants struggle with the guidance precisely where its status in a broader regulatory ecosystem is in play: inter-standard relationships and currency over time.
On the definitional findings, the AI tools did not hedge. They asserted that the two frameworks were "broadly consistent" or that the FSB Lexicon "explicitly drew on" the CPMI-IOSCO definition, converting genuine uncertainty into fabricated fact. The underlying source material preserves the uncertainty explicitly — the FSB definitions "may not match" how the 2016 guidance used those terms — but the AI dropped that qualifier entirely.
For a Compliance team, this matters most when the firm operates under national frameworks that cross-reference both the CPMI-IOSCO guidance and the FSB Cyber Lexicon: an assumption of alignment that is actually unverified can lead to gaps in the firm's definition mapping that only surface during an examination.
On the currency findings, both AI tools stated with confidence that the 2016 guidance had not been revised or superseded, when a CPMI-IOSCO consultative document on updated guidance had been published just weeks before the assessment. This is a structural limitation of AI tools whose training data does not capture very recent regulatory developments: they answer questions about the current status of a standard as if no developments have occurred since their knowledge was last updated.
For a Statutory Boards & Agencies firm, the systemic risk is that Compliance programmes, board-level reporting, and regulatory submissions may be designed around a standard that is about to change — with no AI-generated flag that a consultation process is actively under way.
What your team should do
The default position for Compliance teams using AI assistants on the CPMI-IOSCO Cyber Resilience Guidance should be: treat any AI-generated statement about the currency of this standard as requiring independent verification against the BIS website before it enters any deliverable. The consultative revision announced in May 2026 is precisely the kind of very recent regulatory development that AI tools with fixed training data cannot reliably detect. Before relying on AI output to confirm that the 2016 guidance is operative, check the CPMI publications page at bis.org directly.
This is a five-minute check that eliminates the most consequential risk in this cell.
For definitional questions — particularly any analysis of how the guidance's key terms compare to the FSB Cyber Lexicon or other post-2016 standards — treat AI responses as a starting point for desk research rather than a conclusion. The AI's tendency to assert consistency between frameworks without acknowledging that the FSB Lexicon postdates the 2016 guidance means it will routinely overstate certainty. When the firm's compliance mapping depends on definitional alignment between these two frameworks, that mapping should be grounded in a side-by-side reading of both source documents, not an AI summary.
AI assistants remain useful for Compliance work on this regulation in lower-stakes contexts: generating a first-draft outline of the guidance's five primary risk management categories (governance, identification, protection, detection, and response and recovery) and its three overarching components (testing, situational awareness, and learning and evolving), explaining the structure of the framework to business-line colleagues unfamiliar with international FMI standards, or flagging the broad topics a gap assessment should cover. Where AI is helpful here, it is acting as a scaffolding tool rather than an authoritative source.
The pattern of errors in this cell — confident assertions about inter-standard relationships and standard currency that unravel under challenge — confirms that any substantive compliance conclusion about this regulation must be traced back to primary sources.
How RLB Can Help
RegLeg's published Hallucination Research gives Compliance teams at Statutory Boards & Agencies firms a practical pre-flight check before placing weight on AI-assisted output for regulatory questions. Because the research is openly available, it can be incorporated into existing review workflows without additional licensing or procurement: teams can consult the relevant failure-mode findings at the point where AI tools are being used to interpret obligations, draft submissions, or assess enforcement exposure, and adjust their reliance accordingly.
Where published research is not granular enough for a specific operating context, RLB offers bespoke regulator deep-dives tailored to the Compliance function's actual workflow. These engagements map the AI-supported tasks that carry the highest hallucination exposure for a Statutory Board or Agency — typically areas such as multi-jurisdictional obligation mapping, condition-of-licence interpretation, and regulatory correspondence drafting — and produce a prioritised picture of where human verification effort should be concentrated.
RLB also conducts confidential reviews of a firm's existing AI-use policy against RegLeg's failure-mode catalogue, identifying gaps and producing a prioritised remediation roadmap that the Compliance team can action within its normal governance cycle.
To support capability building within the team, RLB develops training material and CPD-aligned content that Compliance staff can use internally. This content is designed to be delivered by the team's own leads rather than requiring ongoing external facilitation, and is calibrated to the regulatory environment and AI tools already in use at the firm. The aim is to leave the Compliance function better equipped to make its own informed judgements about AI reliability — not dependent on external sign-off each time a new workflow is introduced.