Practitioners — Public Auditors · published 2026-05-26 · methodology v2.1

Explicit NIST framework citation in the CPMI-IOSCO 2016 Cyber Guidance

RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008

What the RLB Specialist Panel found

1. Explicit NIST framework citation in the CPMI-IOSCO 2016 Cyber Guidance

  • Question (paraphrased to protect IP): Does the CPMI-IOSCO 2016 Cyber Guidance explicitly cite or formally align with the NIST Cybersecurity Framework?
  • Source regulation: Guidance on Cyber Resilience for Financial Market Infrastructures (CPMI-IOSCO 2016)
  • What AI assistants typically say: AI tools stated that the 2016 Cyber Guidance explicitly references the NIST Cybersecurity Framework as one of several industry best-practice frameworks that informed its development, listing NIST alongside ISF, COBIT, and ISO/IEC 27001 as acknowledged frameworks.
  • What the regulator actually says: Whether a verbatim NIST citation exists in the 2016 guidance is unconfirmed. The five guidance categories are structurally similar to the NIST CSF five functions but may be independently derived rather than expressly drawn from the NIST framework.
  • Why the AI went wrong: The AI inferred an explicit citation from the observable structural similarity between the guidance's five categories and the NIST CSF's five functions, then stated that inference as a confirmed fact. This is a straightforward case of the AI treating architectural resemblance as documentary evidence of formal citation.
  • Cited source(s): Regulator portal: https://www.bis.org

Impact for this audience

A Public Auditor who includes in an audit report or compliance gap analysis an assertion that the CPMI-IOSCO 2016 guidance explicitly cites the NIST Cybersecurity Framework is making a factual claim about the document's content that cannot be supported by the text. If a client or regulator challenges that assertion, the auditor has no source to produce. In an environment where audit opinions on cyber resilience controls increasingly reference international frameworks, a false citation claim — even if originating from an AI tool — reflects on the auditor's professional diligence and could be raised in any subsequent review of the engagement.

Cite this finding

Each finding has a stable Citation ID (RLB-F-… for aggregated case-study findings, RLB-H-… for raw per-model hallucinations) — like a DOI, the ID always resolves to the canonical finding even if URLs change.

Plain text
RegLeg Specialist Panel (2026). "Explicit NIST framework citation in the CPMI-IOSCO 2016 Cyber Guidance — Practitioners — Public Auditors." Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008. RegLegBrief AI Hallucination Research, published 2026-05-26. https://reglegbrief.com/audiences/practitioners/int/public-auditors/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-008/
APA 7th edition
RegLeg Specialist Panel. (2026). Explicit NIST framework citation in the CPMI-IOSCO 2016 Cyber Guidance [Hallucination finding RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008]. RegLegBrief AI Hallucination Research. https://reglegbrief.com/audiences/practitioners/int/public-auditors/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-008/
Bluebook / OSCOLA (US + UK legal)
RegLeg Specialist Panel, Explicit NIST framework citation in the CPMI-IOSCO 2016 Cyber Guidance [RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008], RegLegBrief AI Hallucination Research (May 26, 2026), https://reglegbrief.com/audiences/practitioners/int/public-auditors/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-008/.
BibTeX
@misc{reglegbrief_RLB_F_INT_BIS_CPMI_IOSCO_CYBER_RESILIENCE_FMI_2016_Q008,
  author    = {RegLeg Specialist Panel},
  title     = {Explicit NIST framework citation in the CPMI-IOSCO 2016 Cyber Guidance},
  year      = {2026},
  publisher = {RegLegBrief AI Hallucination Research},
  note      = {Hallucination finding Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008},
  url       = {https://reglegbrief.com/audiences/practitioners/int/public-auditors/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-008/}
}