AI Hallucination ResearchFindings by audienceSectorsInternational / MultilateralPayment InstitutionsTechnology DataDetail › Finding
Payment Institutions × Technology Data — International / Multilateral · Last updated 28 May 2026 · methodology v2.1 · Hallucination Register
Share / Print X LinkedIn Email

NIST Cybersecurity Framework citation in the 2016 CPMI-IOSCO guidance

RLB Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008
AI's failure:Inference Drift Risk for Payment Institutions × Technology Data:Wrong deliverable on cybersecurity framework alignment
What the RLB Specialist Panel found

1. NIST Cybersecurity Framework citation in the 2016 CPMI-IOSCO guidance

  • Question (paraphrased to protect IP): Does the CPMI-IOSCO 2016 Cyber Guidance formally cite or reference the NIST Cybersecurity Framework?
  • Source regulation: Guidance on Cyber Resilience for Financial Market Infrastructures (CPMI-IOSCO 2016) (Regulator portal: https://www.bis.org)
  • What AI assistants typically say: AI assistants confidently state that the 2016 Cyber Guidance explicitly references the NIST Cybersecurity Framework as one of several industry best-practice frameworks informing its development, often adding that the document also acknowledges COBIT and ISO/IEC 27001 alongside the NIST CSF.
  • What the regulator actually says: Whether the 2016 guidance contains a verbatim NIST citation has not been confirmed from the source text. The guidance's five categories are structurally similar to the NIST CSF's five functions but may be independently derived rather than explicitly attributed.
  • Why the AI went wrong: AI tools translated an observable structural resemblance between the two frameworks into a claimed explicit citation. The similarity in organisation is real; the assertion of a formal reference is not supported by the document text.
  • Cited source(s):
Impact for Technology & Data Teams in Payment Institutions Sector in international jurisdictions working with the Guidance on Cyber Resilience for Financial Market Infrastructures (CPMI-IOSCO 2016)

For Technology & Data teams at Payment Institutions, an asserted NIST CSF alignment of the 2016 guidance lands inside the programme-foundation evidence package as a regulator-grounded reference. The 2016 guidance does not contain the citation the model asserts. A deliverable that records the asserted alignment as the framework anchor for cyber controls or compliance attestation misstates the regulatory foundation of the programme and creates programme architecture deliverable exposure on subsequent supervisory or internal review.

References — raw findings (per AI model)
This finding also affects
Next finding → Origin of the phrase 'secure the periphery, protect the core'
Cite this finding

Each finding has a stable Citation ID (RLB-F-… for aggregated case-study findings, RLB-H-… for raw per-model hallucinations) — like a DOI, the ID always resolves to the canonical finding even if URLs change.

RLB Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008
Plain text Download 
RegLeg Specialist Panel (2026). "NIST Cybersecurity Framework citation in the 2016 CPMI-IOSCO guidance — Payment Institutions × Technology Data — International / Multilateral." Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008. RegLegBrief AI Hallucination Research, published 2026-05-28. https://reglegbrief.com/regulators/j1/INT/BIS-CPMI/CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016/sectors/payment_institutions/technology_data/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-008/
APA 7th edition Download 
RegLeg Specialist Panel. (2026). NIST Cybersecurity Framework citation in the 2016 CPMI-IOSCO guidance [Hallucination finding RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008]. RegLegBrief AI Hallucination Research. https://reglegbrief.com/regulators/j1/INT/BIS-CPMI/CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016/sectors/payment_institutions/technology_data/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-008/
Bluebook / OSCOLA (US + UK legal) Download 
RegLeg Specialist Panel, NIST Cybersecurity Framework citation in the 2016 CPMI-IOSCO guidance [RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008], RegLegBrief AI Hallucination Research (May 28, 2026), https://reglegbrief.com/regulators/j1/INT/BIS-CPMI/CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016/sectors/payment_institutions/technology_data/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-008/.
BibTeX Download 
@misc{reglegbrief_RLB_F_INT_BIS_CPMI_IOSCO_CYBER_RESILIENCE_FMI_2016_Q008,
  author    = {RegLeg Specialist Panel},
  title     = {NIST Cybersecurity Framework citation in the 2016 CPMI-IOSCO guidance},
  year      = {2026},
  publisher = {RegLegBrief AI Hallucination Research},
  note      = {Hallucination finding Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008},
  url       = {https://reglegbrief.com/regulators/j1/INT/BIS-CPMI/CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016/sectors/payment_institutions/technology_data/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-008/}
}
← Back to case study summary Case study detail →
About Citation IDs →

Every finding on this page compares an AI subject's account of the rule against the regulator's verbatim text from the regulator's own portal. Both are linked. Each delta, its root causes, and impact analysis are documented and published with immutable Citation IDs.