--- type: "PublicBriefing" title: "Hallucination in Regulatory AI: CPMI-IOSCO Cyber Resilience Guidance (2016), Findings for AI Labs" slug: "cpmi-iosco-cyber-resilience-fmi-2016-ai-labs" regulation_slug: "CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016" body_id: "BIS-CPMI-INT-001" jurisdiction_code: "INT" j_level: "J1" regulator_short_code: "BIS-CPMI" methodology_version: "v2.3" news_featured_at: "2026-06-12T20:00:11.978724+00:00" published_at: "2026-06-07T08:35:22.741211+00:00" generated_at: "2026-06-11T01:49:48.816221+00:00" license: "CC-BY-4.0" resource: "https://reglegbrief.com/briefings/cpmi-iosco-cyber-resilience-fmi-2016-ai-labs/" timestamp: "2026-06-16T00:00:00+00:00" --- # Hallucination in Regulatory AI: CPMI-IOSCO Cyber Resilience Guidance (2016), Findings for AI Labs - **Regulation.** [`CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016`](/okf/regulations/CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016.md) — Guidance on Cyber Resilience for Financial Market Infrastructures - **Regulator.** [`BIS-CPMI-INT-001`](/okf/bodies/BIS-CPMI-INT-001.md) ## News lead Two frontier AI models running with web search enabled, both tested by the RLB Specialist Panel, produced confidently wrong reconstructions of the CPMI-IOSCO Guidance on Cyber Resilience for Financial Market Infrastructures (June 2016), the global standard for cyber resilience at systemically important payment systems, central counterparties, and securities settlement infrastructures. The RegLeg Brief Specialist Panel tested the models on the guidance's content, its relationship to post-2016 standards (FSB Cyber Lexicon 2018, FSB Effective Practices 2020), and its current operative status, and documents findings in which the models fabricated an explicit citation to the NIST Cybersecurity Framework, imported 2020-era operational detail into the 2016 text, and asserted the document remained the unchanged operative standard when it had moved into active revision in May 2026. Claude Opus 4.7, asked whether the 2016 guidance explicitly cites the NIST Cybersecurity Framework, wrote that the document "acknowledges and considers prevailing industry frameworks, including the NIST CSF, ISO/IEC 27001/27002, COBIT, and the ISF Standard of Good Practice." No verbatim NIST CSF citation appears in the 2016 guidance. The guidance's five categories (Governance, Identification, Protection, Detection, Response and Recovery) are structurally similar to the NIST CSF's five functions, but architectural resemblance is not the same as an explicit textual reference, and the model converted the resemblance into a confident affirmative citation claim. Claude Sonnet 4.6, asked whether the 2016 guidance itself specifies detailed operational practices for cyber incident response, wrote that it "dedicates specific sections to cyber incident response and recovery" and described detailed expectations including secondary-site use, recovery and resumption planning, and incident communication protocols. The operational specificity the model described is characteristic of the FSB's Effective Practices for Cyber Incident Response and Recovery, published in October 2020, four years after the guidance. Both models, asked separately about the document's current status, asserted the 2016 guidance remained the operative international standard, despite CPMI-IOSCO having published a consultative revision in May 2026. An FMI cyber-resilience officer, supervisor, or compliance lead relying on either output would draft policy frameworks, supervisory submissions, or board disclosures that misrepresent what the 2016 guidance actually contains and overstate its current standing. That is the failure mode these findings document. ## Briefing # Frontier AI models compounded post-2016 ecosystem into a fixed cyber-resilience anchor, regulatory-research panel finds ## *Two frontier AI models with web search enabled, fabricated an explicit NIST CSF citation in the CPMI-IOSCO 2016 cyber resilience guidance, imported 2020-era FSB operational detail into the 2016 text, and asserted the guidance remained the unchanged operative standard despite a May 2026 CPMI-IOSCO consultative revision. The RegLeg Brief Specialist Panel calls the class "Temporal Compounding Drift" and says it points to a calibration problem in how models blend a fixed anchor document with the later regulatory ecosystem that grew around it.* **SINGAPORE, June 12, 2026.** Two frontier artificial-intelligence models generated structurally confident but textually wrong reconstructions of the CPMI-IOSCO Guidance on Cyber Resilience for Financial Market Infrastructures (June 2016), the global standard for cyber resilience at systemically important payment systems, central counterparties (CCPs), and securities settlement systems, according to a white paper released today by RegLeg Brief, a regulatory-research outfit operated by Singapore-incorporated Verdus Technologies Pte. Ltd. The findings, published with immutable RLB Citation IDs including `RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008-Opus47`, `RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019-Sonnet46`, and `RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022-Opus47`, concern the substantive content of the 2016 guidance, its relationship to post-2016 publications by the Financial Stability Board (FSB) and CPMI, and its current operative status as an international standard. Both Anthropic's Claude Opus 4.7 and Claude Sonnet 4.6 were tested with web search active, mirroring the configuration in which compliance, legal, and technology risk staff at FMIs and their supervisors actually use the models. ## The Verbatim Rule: What the 2016 Guidance Actually Contains, and What Has Happened Since The CPMI-IOSCO Guidance on Cyber Resilience for FMIs is organised around five categories (Governance, Identification, Protection, Detection, Response and Recovery) and was published in June 2016. The guidance does not contain a verbatim citation to the NIST Cybersecurity Framework. Its five categories bear architectural similarity to the NIST CSF's five functions, but the regulator's text does not attribute its structure to NIST or list NIST as an explicit reference framework. A separate set of operational practices for cyber incident response, including detailed expectations on secondary-site use, recovery time objectives, and incident-communication protocols, sits in the FSB's *Effective Practices for Cyber Incident Response and Recovery*, published in October 2020. That publication postdates the 2016 guidance by four years and addresses the Response-and-Recovery phase at a level of operational specificity the 2016 text does not match. The FSB *Cyber Lexicon*, which standardised cyber terminology for the FSB-CPMI-IOSCO regulatory community, was published in November 2018, two years after the 2016 guidance. Whether its standardised definitions correspond to how the 2016 text used the same terms, and whether the Lexicon drew on the CPMI-IOSCO definition of cyber resilience, are factual questions that require evidence from the Lexicon's own published derivation record. The phrase "secure the periphery, protect the core," sometimes attributed to CPMI cyber-strategy materials, originates in a 2018 speech by then-ECB board member Benoit Coeure on "cryptos, cyber and CCPs." It is not language from the 2016 guidance. In May 2026, CPMI-IOSCO published a consultative document on updated guidance, putting the 2016 text into active revision. ## Claude Opus 4.7: Fabricated an Explicit NIST CSF Citation Where None Exists Asked whether the 2016 guidance explicitly cites or acknowledges the NIST Cybersecurity Framework, Claude Opus 4.7 (with web search on) wrote, verbatim: > "it acknowledges and considers prevailing industry frameworks, including the NIST CSF, ISO/IEC 27001/27002, COBIT, and the ISF Standard of Good Practice, as part of its development and as references FMIs may use" **The structural error.** No verbatim NIST CSF citation, and no list of ISO/IEC 27001, COBIT, or ISF as named references, was confirmed in the 2016 guidance. The five-category architecture of the guidance is structurally parallel to NIST CSF's five functions, and that parallel is real, but parallel architecture is not an explicit textual reference. The model converted the architectural resemblance into a confident affirmative citation claim and named four specific industry frameworks the document does not name. An FMI cyber-resilience officer drafting a board paper or a supervisor-facing self-assessment against this output would: - Cite the 2016 guidance as anchoring its framework choice in NIST CSF, ISO/IEC 27001, COBIT, and ISF, when the document does not record those acknowledgments. - Build a cross-walk between the CPMI-IOSCO categories and the named external frameworks under the assumption the regulator endorsed it, when the cross-walk is the FMI's own derivation. - Mischaracterise the genealogy of the guidance in supervisory engagement, exposing the FMI to a documentation-integrity finding in any review where the regulator checks the source. **Why it failed.** The Specialist Panel writes that the output "infers explicit textual citation from architectural similarity, a common reasoning shortcut in cyber-resilience commentary that does not survive contact with the actual document. The named external frameworks are the obvious candidates a model would surface from training-era cyber-resilience literature, and the model surfaced them without grounding the claim in the 2016 text." The failure mode is classified as `inference_drift` against substrate document `p_01_GUIDELINE_d146___whether_NIST_CSF_is_formally_cite_d146.htm`. ## Claude Sonnet 4.6: Imported 2020-Era FSB Operational Detail Into the 2016 Text, Then Asserted an Outdated Operative Status Asked whether the 2016 guidance itself specifies detailed operational practices for cyber incident response and recovery, Claude Sonnet 4.6 (with web search on) wrote: > "Yes. The CPMI-IOSCO 2016 Cyber Guidance dedicates specific sections to cyber incident response and recovery... It describes detailed expectations for FMIs including: having a cyber incident response plan... use of a secondary site, recovery and resumption planning, communication protocols during incidents." **The structural error.** The operational specificity the model described, including secondary-site use, recovery and resumption planning, and incident-communication protocols, is characteristic of the FSB's *Effective Practices for Cyber Incident Response and Recovery* (October 2020), not the 2016 guidance. The 2016 text addresses Response and Recovery at a higher level of abstraction. The model collapsed a four-year gap in the regulatory timeline, populating what it believed the 2016 document contained from its knowledge of the later FSB publication, and presented the composite as if it were a description of the 2016 text. On a separate question about the current status of the guidance, Sonnet 4.6 wrote: > "As of the date of this response, the June 2016 CPMI-IOSCO Cyber Guidance remains the operative primary international standard for FMI cyber resilience, it has not been formally revised or replaced." **The status inversion.** In May 2026, CPMI-IOSCO published a consultative document on updated guidance, a publicly announced BIS press release. The 2016 guidance is under active revision as of that date. The model's phrase "as of the date of this response" added an unwarranted currency to an outdated assertion, with no hedge or caveat reflecting that web search had not surfaced the consultation. Claude Opus 4.7, on the same question, produced the same status assertion without qualification. A compliance lead at an FMI relying on the operational-detail output would draft an incident-response framework assuming the 2016 guidance prescribes the level of operational specificity the model described, when the binding operational detail sits in a separate 2020 FSB document. A board secretary or supervisor relying on the status output would draft disclosures or supervisory submissions treating the 2016 guidance as the stable, unchanged standard, missing the active May 2026 consultation entirely. The failure modes are classified as `misattributed` (Q019, against substrate document `p_10_REGULATION_FSB_Effective_Practices__2020____R_R_pra_eng.html`) and `outdated` (Q022, against substrate document `p_19_GUIDELINE_d232__May_2026____2016_guidance_describe_TRM-Guidelines-18-January-2021.pdf`). ## The Pattern: **Temporal Compounding Drift** The cyber-resilience findings sit inside a failure class the RegLeg Brief Specialist Panel labels **Temporal Compounding Drift**: frontier models blending a fixed regulatory anchor document with the later ecosystem of standards, lexicons, and supervisory publications that grew around it, then presenting the composite as if it described the anchor text alone. Across the findings, the drift takes three shapes: - **Architectural-to-textual citation drift** (Opus 4.7 on NIST CSF): a real structural resemblance between the 2016 guidance and an external framework is converted into an explicit citation claim the document does not contain. - **Forward-attribution drift** (Sonnet 4.6 on incident-response operational detail): operational specificity that sits in a later FSB publication (2020) is described as if it were content of the 2016 guidance, collapsing the four-year gap in the regulatory timeline. - **Operative-status currency drift** (both models, on revision status): the document's training-era status as the operative international standard is reported as current fact, missing a May 2026 consultative revision that web search did not surface. The common substrate is a model prior that a well-known anchor document and its post-publication ecosystem can be treated as a single, contemporaneous body of knowledge. The 2016 anchor and the 2018, 2020, and 2026 developments collapse into one undifferentiated picture. ## Why the Failure Is Invisible at Runtime All findings shared the same surface characteristics: confident, structurally coherent answers, internally consistent regulatory logic, no hedging or temporal caveats. The failure is not recoverable by the user in real time because the answers look like the kind of synthesis a regulatory-research professional would produce. The later documents the models drew on (FSB Cyber Lexicon, FSB Effective Practices, the Coeure speech) are real, and the alignment between them and the 2016 guidance is broadly genuine. The error is in the temporal and attributional logic, not in invented content, and that error is harder to spot than a fabricated source. The population most exposed includes FMI cyber-resilience officers and CISOs drafting board papers on cyber-resilience framework choices, compliance and legal counsel responding to supervisor enquiries about the operative standard, technology-risk teams mapping the 2016 guidance against internal control frameworks, and supervisors at central banks and securities regulators preparing assessment templates. All of these workflows route through AI-assisted research, particularly where the question concerns currency and cross-reference. ## What AI Labs Can Do: Suggested Probes (Open-Access) The RegLeg Brief Specialist Panel documents a series of red-team probe designs that any AI lab or alignment team can run against their own models with no commercial engagement required: 1. **Architectural-similarity-to-citation probes.** For each regulatory document whose architecture resembles a named industry framework (CPMI-IOSCO Cyber Resilience vs NIST CSF; ISO 27001 vs internal controls frameworks; COSO ERM vs governance codes), test whether the model asserts an explicit textual citation when the resemblance is only structural. Penalise affirmative citation claims that cannot be grounded in the regulator's verbatim text. 2. **Forward-attribution probes on anchor-plus-ecosystem document sets.** Pick a fixed anchor document (CPMI-IOSCO 2016) and the later ecosystem around it (FSB Lexicon 2018, FSB Effective Practices 2020). Ask the model what the anchor document says on a topic the later publications address in more detail. Test whether the model preserves the anchor's level of abstraction or imports the later document's specificity. 3. **Operative-status currency probes against recent regulatory consultations.** For every regulator portfolio in the eval suite (BIS, IOSCO, FSB, national prudential and conduct regulators), maintain a rolling list of consultations and amendments issued in the previous six months. Probe the model on the current status of each affected document and test whether web search reliably surfaces the post-training-cutoff development. 4. **Temporal-gap-flag probes.** Where a document of year X is compared to or aligned with a document of year Y, test whether the model explicitly flags the temporal gap before asserting alignment. Reward outputs that say "Document A, published in 2016, could not have incorporated Document B, published in 2018." Penalise outputs that present the alignment as contemporaneous. 5. **Speech-to-document attribution probes.** For phrases that originated in regulator speeches rather than regulatory texts (the "secure the periphery, protect the core" formulation; Coeure 2018), test whether the model correctly attributes the source. Where it conflates adjacent speeches on overlapping topics, that diagnoses a generation-path selection problem rather than a retrieval gap. ## Open-Access Risk Mitigation: A Public Good for AI Labs, Regulators, and the Compliance Community RegLeg Brief operates as a completely ungated, open-access public resource. The white papers, per-finding cards, regulator verbatim excerpts, RLB Citation IDs, methodology notes and supporting data logs are all published without paywalls, registration walls, or data-licensing fees. By documenting original regulatory research without financial or distribution barriers, the platform ensures that: - **AI engineering and alignment teams** can immediately ingest the verbatim model outputs and matched regulator-text excerpts to identify, reproduce, and address the structural failure modes the Specialist Panel documents. - **Regulatory agencies and supervisors** can use the standardised RLB Citation IDs to benchmark AI-driven compliance risks surfacing in their own jurisdictions, with full traceability back to the original model output and the regulator's primary source. - **The global compliance, treasury, and legal community** can freely adapt the Specialist Panel's screening methodologies to safeguard internal data pipelines and AI-assisted regulatory workflows. Because RegLeg Brief conducts its own original research and adversarial analysis against frontier AI models, the detail in each published finding is precise enough to enable AI labs to take targeted hallucination-mitigation measures. Directions an AI lab might consider, drawing on the published findings, include: - **Targeted correction pairs**: regulator primary text matched to the wrong-but-plausible reconstructions documented in each finding, suitable for direct ingestion into a training-data pipeline. - **Quarterly embedded eval cycles**: continuous evaluation against a defined regulator portfolio, with regression monitoring on previously documented failure modes. - **Pre-release evaluation cycles**: sandboxed probes against catalogued failure shapes for capability releases touching the relevant regulatory domain, before the release reaches customers. - **Post-release model enhancements**: regulator-specific failure-surface monitoring as new regulatory domains enter a model's live deployment footprint. AI labs and model developers named in any published finding have an unconditional [right of reply](https://reglegbrief.com/right-of-reply/); the Specialist Panel will publish any factual correction or contextual response alongside the original finding, with no editorial gatekeeping. Researchers, regulators, and compliance teams with questions on methodology or specific findings can reach the Specialist Panel via the same channel. --- ## Right of Reply These findings and associated work have been put up in public with a view of the greater good for the development of a safer AI ecosystem. Any party reading this or any finding on reglegbrief.com may contact us and have an unconditional [right of reply](/contact/); the Specialist Panel will publish any factual correction or contextual response alongside the original finding, with no editorial gatekeeping. Researchers, regulators, and compliance teams with questions on methodology or specific findings can reach the Specialist Panel via the same channel. ## Source & Methodology Standards RegLeg Brief is operated by Verdus Technologies Pte. Ltd. (UEN 201616982R), incorporated in Singapore. The RLB Specialist Panel, with an aggregate of over 60 years of public-policy and industry experience, documents only confirmed hallucination findings, under a methodology that requires a verbatim regulator excerpt for every documented claim. All findings, citation IDs, model outputs, regulator excerpts, and methodology notes are open-access. --- **Primary source verified:** CPMI-IOSCO Guidance on Cyber Resilience for Financial Market Infrastructures (June 2016) · Substrate documents: `p_01_GUIDELINE_d146___whether_NIST_CSF_is_formally_cite_d146.htm`, `p_09_OTHER_FSB_Cyber_Lexicon__2018____anachronistic_IOSCONEWS433.pdf`, `p_10_REGULATION_FSB_Effective_Practices__2020____R_R_pra_eng.html`, `p_12_GUIDELINE_sp190510_r181115a____secure_the_peripher_index.en.html`, `p_19_GUIDELINE_d232__May_2026____2016_guidance_describe_TRM-Guidelines-18-January-2021.pdf` · CPMI portal: bis.org/cpmi **Citation IDs referenced:** - `RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008-Opus47` - `RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008-Sonnet46` - `RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q014-Opus47` - `RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q014-Sonnet46` - `RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019-Sonnet46` - `RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q020-Opus47` - `RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q020-Sonnet46` - `RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022-Opus47` - `RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022-Sonnet46` ## Related concepts - Whitepaper: [cpmi-iosco-cyber-resilience-fmi-2016-ai-labs](/okf/whitepapers/cpmi-iosco-cyber-resilience-fmi-2016-ai-labs.md) - Regulation: [CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016](/okf/regulations/CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016.md) - Methodology: [v2.3](/okf/methodology.md)