Practitioners — Public Auditors · Last updated 26 May 2026 · methodology v2.1 · Hallucination Register

Explicit NIST framework citation in the CPMI-IOSCO 2016 Cyber Guidance

RLB Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008

AI's failure:Inference Drift Risk for Public Auditors:Wrong deliverable on cybersecurity framework alignment

What the RLB Specialist Panel found

1. Explicit NIST framework citation in the CPMI-IOSCO 2016 Cyber Guidance

Question (paraphrased to protect IP): Does the CPMI-IOSCO 2016 Cyber Guidance explicitly cite or formally align with the NIST Cybersecurity Framework?
Source regulation: Guidance on Cyber Resilience for Financial Market Infrastructures (CPMI-IOSCO 2016)
What AI assistants typically say: AI tools stated that the 2016 Cyber Guidance explicitly references the NIST Cybersecurity Framework as one of several industry best-practice frameworks that informed its development, listing NIST alongside ISF, COBIT, and ISO/IEC 27001 as acknowledged frameworks.
What the regulator actually says: Whether a verbatim NIST citation exists in the 2016 guidance is unconfirmed. The five guidance categories are structurally similar to the NIST CSF five functions but may be independently derived rather than expressly drawn from the NIST framework.
Why the AI went wrong: The AI inferred an explicit citation from the observable structural similarity between the guidance's five categories and the NIST CSF's five functions, then stated that inference as a confirmed fact. This is a straightforward case of the AI treating architectural resemblance as documentary evidence of formal citation.
Cited source(s): Regulator portal: https://www.bis.org

Impact for Public Auditors in international jurisdictions advising on the Guidance on Cyber Resilience for Financial Market Infrastructures (CPMI-IOSCO 2016)

For public auditors testing management's cited cyber framework foundation, an asserted NIST CSF alignment of the 2016 guidance lands inside the audit-evidence package as a programme-foundation reference. The 2016 guidance does not contain the citation. Audit work programmes built on the asserted alignment will under-test the management assertion and create an audit-report exposure if the cited framework anchor is later challenged on review.

References — raw findings (per AI model)

RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008-Opus47 Claude Opus 4.7 (web search on)
RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008-Sonnet46 Claude Sonnet 4.6 (web search on)

This finding also affects

Next finding → Depth of incident response and recovery detail in the 2016 Cyber Guidance

Cite this finding

Each finding has a stable Citation ID (RLB-F-… for aggregated case-study findings, RLB-H-… for raw per-model hallucinations) — like a DOI, the ID always resolves to the canonical finding even if URLs change.

RLB Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008

Plain text Download

RegLeg Specialist Panel (2026). "Explicit NIST framework citation in the CPMI-IOSCO 2016 Cyber Guidance — Practitioners — Public Auditors." Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008. RegLegBrief AI Hallucination Research, published 2026-05-26. https://reglegbrief.com/regulators/j1/INT/BIS-CPMI/CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016/practitioners/public-auditors/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-008/

APA 7th edition Download

RegLeg Specialist Panel. (2026). Explicit NIST framework citation in the CPMI-IOSCO 2016 Cyber Guidance [Hallucination finding RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008]. RegLegBrief AI Hallucination Research. https://reglegbrief.com/regulators/j1/INT/BIS-CPMI/CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016/practitioners/public-auditors/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-008/

Bluebook / OSCOLA (US + UK legal) Download

RegLeg Specialist Panel, Explicit NIST framework citation in the CPMI-IOSCO 2016 Cyber Guidance [RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008], RegLegBrief AI Hallucination Research (May 26, 2026), https://reglegbrief.com/regulators/j1/INT/BIS-CPMI/CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016/practitioners/public-auditors/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-008/.

BibTeX Download

@misc{reglegbrief_RLB_F_INT_BIS_CPMI_IOSCO_CYBER_RESILIENCE_FMI_2016_Q008,
  author    = {RegLeg Specialist Panel},
  title     = {Explicit NIST framework citation in the CPMI-IOSCO 2016 Cyber Guidance},
  year      = {2026},
  publisher = {RegLegBrief AI Hallucination Research},
  note      = {Hallucination finding Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008},
  url       = {https://reglegbrief.com/regulators/j1/INT/BIS-CPMI/CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016/practitioners/public-auditors/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-008/}
}

← Back to case study summary Case study detail →

About Citation IDs →

Every finding on this page compares an AI subject's account of the rule against the regulator's verbatim text from the regulator's own portal. Both are linked. Each delta, its root causes, and impact analysis are documented and published with immutable Citation IDs.