9 finding cards across 2 AI Models, covering 9 Response Hallucinations + 19 Citation Hallucinations (28 hallucination failures total).
Each card pairs the AI's answer against the authenticated regulator-text excerpt that contradicts it, and flags every AI-cited source as Fabricated / Pretextual / Contradictory.
Model: Claude Opus 4.7 (web search on) · published 2026-05-30 · Inference Drift
Does the CPMI-IOSCO 2016 Cyber Guidance explicitly reference or align with the NIST Cybersecurity Framework?
Claude Opus 4.7 (web search on) answered
The 2016 Guidance is principles-based and does not explicitly adopt or normatively cross-reference the NIST Cybersecurity Framework in its text, although it was developed in awareness of NIST CSF, ISO/IEC 27000 series, COBIT and similar bodies of practice.
Regulator text says
Unknown — searches did not confirm a verbatim NIST citation in the 2016 Cyber Resilience Guidance. The five guidance categories are structurally similar to the NIST CSF five functions but may be independently derived.
Verbatim source
p_01_GUIDELINE_d146___whether_NIST_CSF_is_formally_cite_d146.htm — d146 — whether NIST CSF is formally cited
Does the CPMI-IOSCO 2016 Cyber Guidance use the phrase 'secure the periphery, protect the core', and if not, where does the phrase originate?
Claude Opus 4.7 (web search on) answered
The exact slogan 'secure the periphery, protect the core' is associated with later CPMI work on reducing the risk of wholesale payments fraud relating to endpoint security (notably the CPMI's 2018 'Reducing the risk of wholesale payments fraud related to endpoint security' strategy)
Regulator text says
The phrase 'secure the periphery and protect the core' is from Cœuré's 2018 speech (BIS review r181115a) on 'cryptos, cyber and CCPs'. It describes the CPMI's strategic approach but does not appear in the 2016 Cyber Resilience Guidance.
Verbatim source
p_12_GUIDELINE_sp190510_r181115a____secure_the_peripher_index.en.html — sp190510/r181115a — 'secure the periphery, protect the core' attributed to d146
How does the CPMI-IOSCO 2016 Cyber Guidance define 'cyber resilience', and is that definition consistent with the FSB Cyber Lexicon published in November 2018?
Claude Opus 4.7 (web search on) answered
So the two are aligned and broadly consistent, but the FSB Lexicon version is slightly broader (mission-continuity framing, organisation-agnostic) than the FMI-specific 2016 formulation.
Regulator text says
The FSB Cyber Lexicon was published November 2018 — two years after the 2016 Cyber Resilience Guidance. Its standardised definitions postdate the 2016 guidance and may not match how the 2016 guidance used those terms in 2016.
Is the CPMI-IOSCO 2016 Cyber Resilience Guidance still the operative international standard for FMI cyber resilience, or has it been updated or revised?
Claude Opus 4.7 (web search on) answered
the 2016 CPMI-IOSCO Cyber Resilience Guidance remains the operative international standard for FMI cyber resilience. It has not been formally revised or superseded... As of my knowledge cutoff (Jan 2026), no successor revision has been issued.
Regulator text says
BIS press release of 6 May 2026: CPMI-IOSCO published a consultative document for public comment on updated guidance. The 2016 guidance is under active revision as of May 2026.
Verbatim source
p_19_GUIDELINE_d232__May_2026____2016_guidance_describe_TRM-Guidelines-18-January-2021.pdf — d232 (May 2026) — 2016 guidance described as current when under active revision
Does the CPMI-IOSCO 2016 Cyber Guidance formally cite or reference the NIST Cybersecurity Framework?
Claude Sonnet 4.6 (web search on) answered
Yes. The CPMI-IOSCO 2016 Cyber Guidance explicitly references and takes into consideration the NIST Cybersecurity Framework as one of several industry best-practice frameworks informing its development. Other frameworks acknowledged include the ISF Standard of Good Practice, COBIT, and ISO/IEC 27001.
Regulator text says
Unknown — searches did not confirm a verbatim NIST citation in d146. The five guidance categories are structurally similar to the NIST CSF five functions but may be independently derived.
Verbatim source
p_01_GUIDELINE_d146___whether_NIST_CSF_is_formally_cite_d146.htm — d146 — whether NIST CSF is formally cited
Does the 2016 CPMI-IOSCO Cyber Resilience Guidance use the phrase 'secure the periphery, protect the core,' and if not, what is the actual source of that characterisation?
Claude Sonnet 4.6 (web search on) answered
It is language used in a May 2019 BIS/CPMI speech titled 'Cyber resilience as a global public good,' where it describes CPMI's overarching strategy: 'secure the periphery' (endpoints and networks of institutions connecting to FMIs) and 'protect the core'
Regulator text says
The phrase 'secure the periphery and protect the core' is from Cœuré's 2018 speech (BIS review r181115a) on 'cryptos, cyber and CCPs'. It describes the CPMI's strategic approach but does not appear in [d146].
Verbatim source
p_12_GUIDELINE_sp190510_r181115a____secure_the_peripher_index.en.html — sp190510/r181115a — 'secure the periphery, protect the core' attributed to d146
What level of operational detail does the 2016 CPMI-IOSCO Cyber Resilience Guidance provide for incident response and recovery, and how does that compare to subsequent international publications on the same topic?
Claude Sonnet 4.6 (web search on) answered
Yes, the 2016 guidance does describe specific practices for the response and recovery phases... preparing communication and notification plans...conducting forensic analysis to understand the anatomy of a breach; maintaining a database recording cyber attacks
Regulator text says
FSB published 'Effective Practices for Cyber Incident Response and Recovery' in October 2020 — four years after d146. This contains operational detail for the Response and Recovery phase that goes beyond d146.
How does the 2016 CPMI-IOSCO Cyber Resilience Guidance define 'cyber resilience,' and is that definition consistent with the FSB Cyber Lexicon definition published two years later in 2018?
Claude Sonnet 4.6 (web search on) answered
The two definitions are substantively consistent, with the FSB Lexicon adding language around 'adapting to changes in the environment' that slightly broadens the scope. The FSB explicitly drew on the CPMI-IOSCO guidance as a source when developing its Lexicon terminology.
Regulator text says
The FSB Cyber Lexicon was published November 2018 — two years after d146. Its standardised definitions (e.g., of 'cyber resilience', 'cyber incident', 'critical functions') postdate d146 and may not match d146's definitions exactly.
Is the 2016 CPMI-IOSCO Cyber Resilience Guidance still the operative international standard for FMI cyber resilience, or has CPMI-IOSCO commenced a formal revision process?
Claude Sonnet 4.6 (web search on) answered
No formal revision or replacement of d146/FR07/2016 has been published by CPMI-IOSCO... A second Level 3 monitoring report (d228) has been referenced, suggesting ongoing monitoring rather than a revision cycle.
Regulator text says
BIS press release of 6 May 2026: CPMI-IOSCO published a consultative document (the May 2026 CPMI-IOSCO consultative document) for public comment on updated guidance. The 2016 guidance is under active revision as of May 2026.
Verbatim source
p_19_GUIDELINE_d232__May_2026____2016_guidance_describe_TRM-Guidelines-18-January-2021.pdf — d232 (May 2026) — 2016 guidance described as current when under active revision
The CPMI-IOSCO 2016 Cyber Guidance publication page states it 'is intended to be supplemental to the Principles on Financial Market Infrastructures (PFMI), primarily in the context of governance (Principle 2), the framework for the comprehensive management of risks (Principle 3), settlement finality (Principle 8), operational risk (Principle 17) and FMI links (Principle 20).'
The IOSCO Board published its Final Report on Cyber Security in Securities Markets in April 2016, two months before the joint CPMI-IOSCO guidance for FMIs specifically (June 2016); both are 2016 IOSCO-linked international standards addressing cyber resilience in financial markets. The IOSCO report addresses securities markets broadly while the CPMI-IOSCO guidance addresses FMIs specifically. Relationship inferred from concurrent publication and topic alignment; the IOSCO Final Report PDF returned HTTP 403 on direct fetch so explicit cross-reference text could not be verified.
Bank of Canada risk management standards page states the October 2021 Expectations document 'provides additional clarity on how to implement the CPMI-IOSCO Cyber Guidance within the Canadian context.'
The ECB December 2018 press release states: 'The cyber resilience oversight expectations are based on the global guidance on cyber resilience for financial market infrastructures. This guidance was published by the Committee on Payments and Market Infrastructures and the Board of the International Organisation of Securities Commissions (CPMI-IOSCO) in June 2016.'
The RBA 2021 Payments System Board Annual Report Box B states: 'In the same year [2016], CPMI and IOSCO issued guidance to the PFMI for FMIs to increase their cyber resilience. This guidance was adopted by the Reserve Bank, and all Australian-licensed FMIs have since been assessed against it.'
The MAS 'Supervision of Financial Market Infrastructures in Singapore' monograph (2020) and search-derived metadata from the MAS website describe the CPMI-IOSCO Guidance on Cyber Resilience for Financial Market Infrastructures as an applicable requirement for FMI supervision in Singapore; the January 2021 MAS Technology Risk Management Guidelines adapted the CPMI-IOSCO cyber guidance for the Singapore context. Direct MAS website fetch returned a service unavailability error.
Every finding on this page compares an AI subject's account of the rule
against the regulator's verbatim text from the regulator's own portal.
Both are linked. Each delta, its root causes, and impact analysis are
documented and published with immutable Citation IDs.