Statutory Boards Agencies × Compliance — International / Multilateral · published 2026-05-26 · methodology v2.1

AI Hallucinations Affecting Compliance at Statutory Boards & Agencies Firms in International Jurisdictions

Findings — impact summary

This is the consolidated view of findings.

  1. Finding 1. Misattributed source for a CPMI strategic phrase (RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q014)

    A Compliance team at a Statutory Boards and Agencies firm that asks AI tools to trace the origin of CPMI strategic language — for example, when drafting a board paper on cyber resilience strategy or preparing a response to a regulatory enquiry — risks citing the wrong source document. If the firm characterises a phrase as originating in a specific CPMI endpoint security publication when it actually appeared in a senior official's speech, a regulator reviewing that characterisation may identify the error as evidence of inadequate due diligence. Correcting the record after submission carries both direct administrative cost and reputational exposure in an ongoing supervisory relationship.

  2. Finding 2. Overconfident alignment claim between the 2016 guidance and the 2018 FSB Cyber Lexicon (RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q020)

    A Compliance function that uses AI tools to compare the 2016 CPMI-IOSCO guidance with the 2018 FSB Cyber Lexicon — for example, to map the firm's definitional framework or to assess whether internal policy language aligns with both standards — may unknowingly adopt a false equivalence between the two. The 2018 Lexicon's definitions postdate the 2016 guidance and may not correspond; AI tools that assert confident alignment effectively suppress this documented uncertainty. A regulatory mapping exercise built on this incorrect alignment could result in a gap analysis that fails to surface a real definitional divergence, exposing the firm to a finding of non-compliance if the regulator applies the Lexicon's definitions to assess the firm's framework.

  3. Finding 3. False assertion that the 2016 guidance remains the operative standard (RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022)

    Multiple AI tools are unaware that CPMI-IOSCO published a consultative document on updated cyber resilience guidance in May 2026, and will tell Compliance teams that the 2016 guidance remains the operative standard. A firm that relies on this answer when drafting a cyber resilience framework, assessing regulatory obligations for a new product, or responding to a supervisory enquiry about its international standard alignment will be working from a materially incorrect premise. If the updated guidance introduces substantive changes — as consultation processes typically anticipate — any internal framework or regulatory submission built on the assumption that the 2016 text is current could require significant remediation at short notice, at material cost to the Compliance function and the firm.
