Practitioners — Public Auditors · Last updated 11 Jun 2026 · methodology v2.3 · Hallucination Register

AI Hallucination on Guidance on Cyber Resilience for Financial Market Infrastructures for Public Auditors in international jurisdictions

Public auditors testing FMI cyber-resilience controls, and audit clients exposed to the CPMI-IOSCO 2016 Cyber Guidance, increasingly use AI in four recurring tasks: drafting testing programmes for FMI cyber controls, populating the regulatory-criteria section of audit working papers, preparing management-letter findings that cite CPMI-IOSCO 2016 expectations, and generating cyber-control walkthroughs against the 2016 guidance categories.

That workflow places the regulator-issued text of the 2016 guidance, its 2018-2020 derivative standards, and its current operative status at the centre of every AI-generated deliverable for public auditors.

Two frontier AI models tested by the RegLeg Brief Specialist Panel produced confident, citable reconstructions of the CPMI-IOSCO 2016 Cyber Guidance (June 2016) that the regulator-issued primary text directly contradicts across nine findings spanning four failure classes: Source-Credit Fabrication (an asserted NIST Cybersecurity Framework citation that the 2016 guidance does not contain), Misattribution (the slogan 'secure the periphery, protect the core' located inside CPMI-IOSCO 2016 guidance or its 2018 wholesale-payments paper rather than the actual 2018 speech source), Anachronistic Cross-Reference (the 2016 guidance asserted as definitionally aligned with the November 2018 FSB Cyber Lexicon and the October 2020 FSB Effective Practices that postdate it), and Outdated Standing Claim (the 2016 guidance presented as the unchanged operative standard when CPMI-IOSCO has issued a May 2026 consultative document under active revision).

Questions are prepared by the RLB Specialist Panel from real AI usage in the workflows public auditors apply AI to. The Panel binds each AI finding to verbatim regulator-issued source text, held as the primary substrate.

For public auditors testing FMI cyber controls, the failure pattern is operationally consequential. A regulatory-criteria section that records an asserted NIST CSF citation in the 2016 guidance documents the audit's reference framework on a wrong reading of the source. A testing programme that records the 2016 guidance as containing operational depth for forensic analysis or a cyber-attack database points the auditor at a specification level the 2016 text does not contain. A management-letter finding that records the 2016 guidance as the unchanged operative standard misstates the regulatory horizon at the reporting date.

The audit's nine findings are documented with immutable RLB Citation IDs. Representative entries include RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008-Opus47, RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008-Sonnet46, RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q014-Opus47, RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q014-Sonnet46, RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019-Sonnet46, RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q020-Opus47, RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q020-Sonnet46, RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022-Opus47, and RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022-Sonnet46. The full audit is documented at the CPMI-IOSCO 2016 Cyber Resilience Guidance hub on RegLegBrief.com.

This is the consolidated view of findings; each Citation ID resolves to the full details for that finding.

  1. NIST Cybersecurity Framework cross-reference asserted without verification
    RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008-Opus47

    For public auditors testing management's cited cyber framework foundation, an asserted NIST CSF alignment of the 2016 guidance lands inside the audit-evidence package as a programme-foundation reference. The 2016 guidance does not contain the citation. Audit work programmes built on the asserted alignment will under-test the management assertion and create an audit-report exposure if the cited framework anchor is later challenged on review.

  2. NIST Cybersecurity Framework citation asserted as explicit
    RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008-Sonnet46

    For public auditors testing management's cited cyber framework foundation, an asserted NIST CSF alignment of the 2016 guidance lands inside the audit-evidence package as a programme-foundation reference. The 2016 guidance does not contain the citation. Audit work programmes built on the asserted alignment will under-test the management assertion and create an audit-report exposure if the cited framework anchor is later challenged on review.

  3. 'Secure the periphery, protect the core' misattributed to 2018 wholesale-payments work
    RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q014-Opus47

    For public auditors examining cyber-strategy narrative in management commentary, attributing 'secure the periphery, protect the core' to the 2016 guidance or the 2018 fraud paper introduces a source-attribution error into the audit-evidence package. The phrase is from a 2018 speech, not a standards document. Audit testing that uses the wrong attribution to validate management commentary leaves an open audit-report finding waiting to be raised.

  4. 'Secure the periphery, protect the core' misattributed to May 2019 BIS-CPMI speech
    RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q014-Sonnet46

    For public auditors examining cyber-strategy narrative in management commentary, attributing 'secure the periphery, protect the core' to the 2016 guidance or the 2018 fraud paper introduces a source-attribution error into the audit-evidence package. The phrase is from a 2018 speech, not a standards document. Audit testing that uses the wrong attribution to validate management commentary leaves an open audit-report finding waiting to be raised.

  5. Operational depth of incident response and recovery overstated against FSB 2020 work
    RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019-Sonnet46

    For public auditors testing the depth of incident response and recovery controls against the cited regulator framework, treating the 2016 guidance as the source of forensic-analysis-database depth misreads the standard's level of operational specification. The granular content is in FSB 2020 'Effective Practices'. Audit testing that anchors on the wrong source under-tests the gap to FSB 2020 and exposes the audit team if the gap is surfaced on review.

  6. Cyber resilience definition asserted consistent with later FSB Cyber Lexicon
    RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q020-Opus47

    For public auditors checking definitions used in cyber policy and KRI work, an asserted consistency between the 2016 guidance and the November 2018 FSB Cyber Lexicon collapses a two-year gap in regulator vocabulary into a single asserted alignment. Audit testing that uses the asserted alignment as evidence of definitional grounding leaves the audit team exposed if the source documents are produced for inspection.

  7. FSB Cyber Lexicon derivation claim added beyond the source text
    RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q020-Sonnet46

    For public auditors checking definitions used in cyber policy and KRI work, an asserted consistency between the 2016 guidance and the November 2018 FSB Cyber Lexicon collapses a two-year gap in regulator vocabulary into a single asserted alignment. Audit testing that uses the asserted alignment as evidence of definitional grounding leaves the audit team exposed if the source documents are produced for inspection.

  8. 2016 guidance presented as unrevised in 2026, missing the May 2026 consultation
    RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022-Opus47

    For public auditors reporting on cyber programme alignment as at the audit period, missing the May 2026 CPMI-IOSCO consultative document creates a subsequent-event gap in the audit-report communication. A statement that the 2016 guidance is the standing operative standard, without flagging the open consultation, exposes the audit team if the consultation is surfaced by another party during the audit-report review.

  9. 2016 guidance presented as ongoing monitoring only, missing the May 2026 consultative document
    RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022-Sonnet46

    For public auditors reporting on cyber programme alignment as at the audit period, missing the May 2026 CPMI-IOSCO consultative document creates a subsequent-event gap in the audit-report communication. A statement that the 2016 guidance is the standing operative standard, without flagging the open consultation, exposes the audit team if the consultation is surfaced by another party during the audit-report review.


Every finding on this page compares an AI subject's account of the rule against the regulator's verbatim text from the regulator's own portal. Both are linked. Each delta, its root causes, and impact analysis are documented and published with immutable Citation IDs.