Technology and Data teams at cybersecurity firms supporting FMI architecture reviews and cyber-tooling baselines are increasingly relying on AI to design architecture review documents, generate cyber-control-mapping artefacts, prepare configuration baselines, and draft architecture review papers against the CPMI-IOSCO 2016 framework. In practice, AI is used to design FMI cyber-resilience architecture review documents, generate cyber-control-mapping artefacts against the CPMI-IOSCO 2016 categories, prepare cyber-tooling configuration baselines citing the 2016 expectations, and draft cyber-architecture review papers for FMI client engagements.
That workflow places the regulator-issued text of the 2016 guidance, its 2018-2020 derivative standards, and its current operative status at the centre of every AI-generated deliverable for cybersecurity technology and data teams.
Two frontier AI models tested by the RegLeg Brief Specialist Panel produced confident, citable reconstructions of the CPMI-IOSCO 2016 Cyber Guidance (June 2016) that the regulator-issued primary text directly contradicts across nine findings spanning four failure classes: Source-Credit Fabrication (an asserted NIST Cybersecurity Framework citation that the 2016 guidance does not contain), Misattribution (the slogan 'secure the periphery, protect the core' located inside CPMI-IOSCO 2016 guidance or its 2018 wholesale-payments paper rather than the actual 2018 speech source), Anachronistic Cross-Reference (the 2016 guidance asserted as definitionally aligned with the November 2018 FSB Cyber Lexicon and the October 2020 FSB Effective Practices that postdate it), and Outdated Standing Claim (the 2016 guidance presented as the unchanged operative standard when CPMI-IOSCO has issued a May 2026 consultative document under active revision).
Questions are prepared by the RLB Specialist Panel based on real practical AI usage in the workflows cybersecurity technology and data teams use AI for. The Panel binds each AI finding to verbatim regulator-issued source text held as primary substrate.
For cybersecurity-firm technology and data teams, the failure pattern is operationally consequential. An architecture review document that records the 2016 guidance as containing an explicit NIST CSF citation documents the engagement's reference framework on a wrong reading of the source. A cyber-control-mapping artefact that records the 2016 guidance as containing forensic-analysis-database operational depth points the client at a specification level the 2016 text does not contain.
The audit's nine findings are documented with immutable RLB Citation IDs. Representative entries include RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008-Opus47, RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008-Sonnet46, RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q014-Opus47, RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q014-Sonnet46, RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019-Sonnet46, RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q020-Opus47, RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q020-Sonnet46, RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022-Opus47, and RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022-Sonnet46. The full audit is documented at the CPMI-IOSCO 2016 Cyber Resilience Guidance hub on RegLegBrief.com.
This is the consolidated view of findings. Click the Citation IDs or 'see details →' on any item for the full details for each finding.
For Technology & Data teams at Cybersecurity firms, an asserted NIST CSF alignment of the 2016 guidance lands inside the programme-foundation evidence package as a regulator-grounded reference. The 2016 guidance does not contain the citation the model asserts. A deliverable that records the asserted alignment as the framework anchor for cyber controls or compliance attestation misstates the regulatory foundation of the programme and creates product reference exposure on subsequent supervisory or internal review.
For Technology & Data teams at Cybersecurity firms, an asserted NIST CSF alignment of the 2016 guidance lands inside the programme-foundation evidence package as a regulator-grounded reference. The 2016 guidance does not contain the citation the model asserts. A deliverable that records the asserted alignment as the framework anchor for cyber controls or compliance attestation misstates the regulatory foundation of the programme and creates product reference exposure on subsequent supervisory or internal review.
For Technology & Data teams at Cybersecurity firms, attributing 'secure the periphery, protect the core' to the 2016 guidance or to a 2018 fraud paper places a regulator strategic frame inside the deliverable with the wrong source attribution. The phrase is from a 2018 speech, not a guidance document. A control narrative, board paper, or training pack that rests on the wrong attribution carries direct review exposure as soon as the citation is tested.
For Technology & Data teams at Cybersecurity firms, attributing 'secure the periphery, protect the core' to the 2016 guidance or to a 2018 fraud paper places a regulator strategic frame inside the deliverable with the wrong source attribution. The phrase is from a 2018 speech, not a guidance document. A control narrative, board paper, or training pack that rests on the wrong attribution carries direct review exposure as soon as the citation is tested.
For Technology & Data teams at Cybersecurity firms, characterising the 2016 guidance as carrying forensic-analysis-database depth on incident response misreads the standard's level of operational specification and points the deliverable at the wrong source for operational depth. The granular content is in FSB 2020 'Effective Practices'. A programme design or attestation that anchors on the 2016 guidance for that level of detail understates the FSB 2020 gap supervisors will expect to see addressed.
For Technology & Data teams at Cybersecurity firms, an asserted consistency between the 2016 guidance and the November 2018 FSB Cyber Lexicon collapses a two-year vocabulary gap into a single asserted alignment. A definitional reference in policy, KRI documentation, or control library tagging that uses the asserted alignment as evidence of vocabulary grounding imports terminology that may not match the 2016 source, and exposes the team on a definition-by-definition test against either document.
For Technology & Data teams at Cybersecurity firms, an asserted consistency between the 2016 guidance and the November 2018 FSB Cyber Lexicon collapses a two-year vocabulary gap into a single asserted alignment. A definitional reference in policy, KRI documentation, or control library tagging that uses the asserted alignment as evidence of vocabulary grounding imports terminology that may not match the 2016 source, and exposes the team on a definition-by-definition test against either document.
For Technology & Data teams at Cybersecurity firms, missing the May 2026 CPMI-IOSCO consultative document removes an open consultation from the regulatory horizon and misstates the operative status of the standard. A deliverable that records the 2016 guidance as standing without active revision will read as accurate until the consultation is surfaced by a supervisor or internal challenger, and the team is then explaining a missed regulator development that was public from May 2026 onward.
For Technology & Data teams at Cybersecurity firms, missing the May 2026 CPMI-IOSCO consultative document removes an open consultation from the regulatory horizon and misstates the operative status of the standard. A deliverable that records the 2016 guidance as standing without active revision will read as accurate until the consultation is surfaced by a supervisor or internal challenger, and the team is then explaining a missed regulator development that was public from May 2026 onward.
Every finding on this page compares an AI subject's account of the rule against the regulator's verbatim text from the regulator's own portal. Both are linked. Each delta, its root causes, and impact analysis are documented and published with immutable Citation IDs.