Investment Banking × Governance & Company Secretarial — International / Multilateral · updated 2026-06-11 · methodology v2.3

AI Hallucination on CPMI-IOSCO Consultation on Updated Guidance and Public Disclosures to Implement Initial Margin Proposals for Governance & Company Secretarial teams at Investment Banking firms in international jurisdictions

Investment Banking Governance & Company Secretarial teams: documentation and reporting gaps possible from AI reading of CPMI-IOSCO Initial Margin Disclosure (2026 consult)

Governance and company secretarial teams at internationally active investment banks subject to the CPMI-IOSCO Initial Margin Disclosure Consultation are increasingly using AI to scope board-level briefings on CCP counterparty governance, draft policy updates on margin model oversight standards, generate audit committee papers on the May 2026 consultative document (d232), prepare board resolution language for adoption of revised CCP disclosure assessment frameworks, brief non-executive directors on the consultation's implications for the firm's CCP exposure profile, and produce the cross-jurisdictional governance mapping that records how the consultation's expected obligations translate across the firm's home and host regulator footprint.

The work product anchors the entity's documented governance position; once it enters the board pack and the minute, it is on the formal governance record.

Two frontier AI models tested by the RLB Specialist Panel on the consultation's text on CCP override framework disclosure produced a detailed three-part enumeration that the consultation does not contain, and converted a "should" expectation into a "must" mandatory requirement. The failure class is Source-Credit Fabrication: a structured enumeration of regulator-issued requirements that the regulator did not set, supported by a secondary commentary URL rather than the primary BIS d232 cover note. The structure of the closed list, more than the words, is what makes the misstatement survive a quick pre-circulation review.

For a Governance and Company Secretarial team, the operational consequence is that any board-level briefing on CCP counterparty governance, any policy update on margin model oversight standards, or any framework for assessing the adequacy of CCP disclosures that incorporates the AI output anchors the firm's governance position to a regulatory standard that was never set. Under CPMI-IOSCO's oversight framework and the jurisdiction-level prudential requirements that implement it, a regulator examining the firm's CCP counterparty risk governance could find that the firm's assessment criteria are unsupported by the actual regulatory text.

The enforcement and remediation exposure is difficult to contain once the fabricated standard is embedded in formal governance records: a corrected document is not enough; the entity needs a corrected governance record that explains why the original was incorrect.

The finding is from a Specialist Panel application-style question, framed the way a governance analyst or assistant company secretary would type it into an AI assistant when scoping the next board briefing on CCP counterparty governance, with the request scoped narrowly to the override framework disclosure area. The Panel bound the model output against the verbatim consultation text on the override framework, held as primary substrate. Citation: RLB-H-INT-BIS-CPMI-IOSCO-INITIAL-MARGIN-DISCLOSURE-CONSULT-2026-Q005-Sonnet46.

Executive Summary

When Governance & Company Secretarial teams at internationally active investment banks use AI tools to navigate the CPMI-IOSCO 2026 consultation on initial margin transparency, they encounter a specific and consequential failure pattern: AI assistants fabricate granular disclosure obligations that the consultation text does not contain. Across the question set tested against this regulation, AI tools got the substance wrong in ways that would not be self-evidently wrong to a reader unfamiliar with the verbatim consultation text: the invented content is plausible, structured, and delivered with apparent authority.

The failure we documented concerns the override framework disclosure obligations for CCPs, where AI assistants extrapolated a detailed three-part enumeration of public disclosure requirements from a single, generic regulatory obligation, producing output that reads like settled regulatory text but is not. For Governance & CoSec teams whose function touches margin governance, disclosure policy design, and internal board-facing MI, an error of this kind embeds a fabricated compliance standard into firm records before anyone thinks to check the source.

How AI gets this regulation wrong

The dominant failure mode we identified on this regulation is confident fabrication: AI tools generate specific, structured answers to questions about disclosure obligations, then, when pushed, acknowledge they were reconstructing plausible content rather than citing what the consultation actually says. The table below breaks down how that pattern manifests across the override framework disclosure question, where AI tools invented enumerated sub-obligations from a source that contains only a generic directive.

AI's Failure Mode | Count | Affected findings
Exposed Fabrication | 1 | Finding #1

What that means for your team

For Governance & CoSec teams at investment banks, the dominant risk from these failures sits in the regulatory enforcement category: policies, board papers, and disclosure frameworks built on fabricated regulatory text create compliance gaps that regulators, and internal audit, can readily expose. The table below maps how that exposure lands across the workflows most likely to carry an AI-generated error forward.

Risk Impact | Count | Affected findings
Regulatory enforcement | 1 | Finding #1

When this affects your department

The CPMI-IOSCO 2026 initial margin consultation lands squarely on the Governance & CoSec function in the context of CCP-facing governance obligations, specifically when teams are scoping changes to the firm's own internal governance frameworks for margin model oversight, preparing board or risk committee MI on CCP counterparty risk, or advising product teams on what CCPs will now be required to publicly disclose.

In internationally active investment banks, Governance & CoSec also frequently fields queries from Legal, Prime Brokerage, and Capital Markets desks about what the consultation will require CCPs to publish, because those disclosures feed directly into counterparty due-diligence packs and client-facing materials. AI tools get consulted because the consultation is lengthy, the override framework section is technical, and there is often pressure to turn a "what does this mean for us" briefing around quickly.

The risk of an AI-assisted error in this context is not theoretical. If a Governance & CoSec team uses an AI-generated summary of the CCP override disclosure obligations to anchor an internal governance briefing (for a risk committee pack, a board paper on CCP counterparty risk, or a policy update on model override standards), the fabricated enumeration gets embedded into firm records.

Once a board paper cites a three-part disclosure test that does not exist in the consultation text, the firm has committed to a compliance framing that may not survive a regulatory review or a regulator's questions about how the firm assessed CCP transparency obligations. The remediation cost of retracting and correcting board-level records after the fact is significant, and the reputational exposure with the relevant prudential regulator is real.

The CCP override framework question also arises in a supplier due-diligence and counterparty-monitoring context: teams assessing whether a CCP's public disclosures are adequate against the consultation's requirements need to know what the consultation actually requires. An AI tool that invents a detailed enumeration creates a false benchmark: the firm's assessment of CCP disclosure adequacy looks rigorous but is measuring against a standard the regulator never set. That gap is exactly the kind of thing that surfaces in a thematic review or an enforcement action where the regulator asks the firm to demonstrate how it assessed CCP governance standards.

The findings at a glance

The table below summarises the finding documented on this regulation for the Governance & Company Secretarial function at investment banks, including the question area, the nature of the AI failure, and the risk category it maps to.

# | Finding title | Type | Citation ID
1 | CCP override framework public disclosure obligations | Hallucination | RLB-F-INT-BIS-CPMI-IOSCO-INITIAL-MARGIN-DISCLOSURE-CONSULT-2026-Q005

Aggregate impact

The failure documented on this regulation follows a pattern that is particularly dangerous for governance functions: AI tools generate enumerated, structured output from vague source material. The CPMI-IOSCO consultation uses high-level language about CCP override framework disclosures ("CCPs should publicly disclose relevant information on their override framework") that is generic by design, because the consultation is seeking feedback on what that disclosure should include. An AI tool receives that question, recognises the topic, and fills the gap with a plausible-sounding enumeration (circumstances warranting overrides, authorised decision-makers, permissible adjustment types) drawn from adjacent regulatory discourse rather than the consultation text itself.

The result looks like settled regulatory guidance when it is not.

For Governance & CoSec teams, this failure clusters precisely where the consultation is most unsettled (the override framework transparency obligations), which is also where the function is most likely to be asked for a quick briefing. The consultation is a live document inviting comment, not a finalised rule, and the AI's tendency to extrapolate finalised-rule-like specifics from consultation-stage language means the firm risks building governance positions around a version of the regulation that does not exist and may never exist in that form.

The systemic risk to the firm is one of layered propagation: an AI-generated briefing note becomes a risk committee paper which becomes a board approval which becomes a supplier due-diligence standard which becomes a regulatory submission. At each stage the fabricated enumeration looks more authoritative, because it has been reviewed by senior people who assumed it was verified, and becomes harder to retract.

For internationally active banks subject to multiple prudential supervisors, the exposure compounds: a fabricated three-part disclosure standard embedded in a CCP counterparty-assessment framework may be cited in regulatory returns or supervisory submissions across jurisdictions, each of which creates a separate enforcement risk.

What your team should do

The default position for Governance & CoSec teams using AI on this consultation should be: treat any AI-generated enumeration of disclosure sub-obligations as unverified until checked against the source text. The consultation is publicly available on the BIS website, and the override framework section is short. Any briefing that attributes a specific numbered list of disclosure requirements to the consultation should require the author to paste the verbatim paragraph alongside the list before it travels beyond the drafting stage.

This is not an onerous ask (it is the equivalent of a citation check), but it needs to be made explicit as a workflow requirement rather than assumed.

For work-products that will reach board or risk committee level, or that will anchor a CCP counterparty-assessment framework, the verification step should happen before the draft is circulated, not after. AI tools are genuinely useful for orienting a team to the consultation's structure, identifying which sections are most relevant to the firm's CCP relationships, and drafting questions for a regulatory consultation response. They are not reliable for attributing specific enumerated obligations to consultation text that does not contain them.

The distinction to draw for junior team members is between "what does this consultation cover" (AI is useful) and "what exactly does this consultation require" (verify independently).

Where AI tools are safe on this regulation: summarising the broad thematic structure of the consultation (margin model transparency, public disclosure of assumptions, stress-testing disclosures) for orientation purposes; identifying analogous frameworks from prior CPMI-IOSCO guidance for comparative context; drafting a stakeholder communication that accurately conveys the consultation is ongoing and final requirements are not yet settled. The fabrication risk is highest when a question asks AI to specify what a CCP must disclose, because that is precisely where the consultation is silent on specifics and the AI fills the gap with invented detail.

How RLB Can Help

RegLeg's published Hallucination Research gives Governance & Company Secretarial teams a structured pre-flight check before relying on AI tools for regulatory questions. Before an AI-assisted board pack, disclosure review, or statutory filing is finalised, the research identifies precisely which areas of the regulatory text (filing deadlines, directorship thresholds, consent and notification triggers) have historically generated confident but incorrect AI output. That forewarning lets the team apply targeted human scrutiny rather than blanket scepticism, making AI assistance genuinely efficient without importing undetected compliance risk into governance workflows.

Beyond the published research, RegLeg works with Investment Banking firms on bespoke regulator deep-dives that map AI-supported workflows within the Governance & Company Secretarial function to their actual hallucination exposure. Activities such as drafting board resolutions, tracking regulatory change for director briefings, or coordinating cross-border subsidiary compliance carry different risk profiles, and the deep-dive surfaces which ones warrant additional controls or independent verification steps.

RegLeg also conducts a confidential review of the firm's existing AI-use policy against the RegLeg failure-mode catalogue, delivering a prioritised remediation plan that distinguishes low-risk efficiency gains from higher-risk applications where AI output should be treated as a first draft only.

For teams that want to build durable in-house capability, RegLeg develops training material and CPD-aligned content tailored to the Governance & Company Secretarial context. This covers how to interpret AI-generated regulatory summaries critically, how to structure escalation where AI confidence is high but human verification is essential, and how to document AI-assisted decision-making in a manner consistent with good governance standards. The material can be delivered as standalone workshops or integrated into the firm's existing compliance training calendar.

Every finding on this page compares an AI subject's account of the rule against the regulator's verbatim text from the regulator's own portal. Both are linked. Each delta, its root causes, and impact analysis are documented and published with immutable Citation IDs.