AI Risk Meets Cyber Governance: NIST’s Draft Cyber AI Profile
On December 16, 2025, the National Institute of Standards and Technology (NIST), a non-regulatory federal agency within the U.S. Department of Commerce, released a preliminary draft of its forthcoming Cyber AI Profile. The profile uses NIST’s Cybersecurity Framework 2.0 (CSF) as the foundation for two complementary goals: securing AI systems themselves, and using AI to strengthen an organization’s cybersecurity program.
Although the Cyber AI Profile is voluntary for most organizations, those that align their risk management practices with NIST resources such as this one are often viewed by customers, investors, and regulators as more secure, resilient, and responsible.
Key Focus Areas of the Cyber AI Profile
The Cyber AI Profile identifies three overarching themes related to organizational AI governance:
- Securing AI System Components (“Secure”): Organizations are encouraged to enhance their existing risk management strategies to address the new challenges posed by AI system integration, including AI supply chains and infrastructure dependencies.
- Conducting AI-Enabled Cyber Defense (“Defend”): Companies should use AI to strengthen their cybersecurity defenses. This includes processing a larger volume of threat intelligence, using agentic AI to automate and coordinate incident response, and improving the efficiency of IT operations.
- Thwarting AI-Enabled Cyber Attacks (“Thwart”): Organizations should prepare for the sophisticated threats posed by adversarial use of AI. This includes addressing risks such as deepfake attacks, generative AI-enabled fraud, and vulnerability exploitation driven by autonomous agents.
Implementation Recommendations
Rather than delineating specific requirements, the Cyber AI Profile offers recommended considerations for embedding AI governance within the CSF. Each AI focus area is mapped onto the six core functions of the CSF: Govern, Identify, Protect, Detect, Respond, and Recover. For instance, under the Govern function, the profile advises prioritizing “Secure” AI by ensuring relevant teams understand the business outcomes reliant on AI and can effectively assess AI decisions and respond to errors.
Regulatory Context
The Cyber AI Profile is part of a broader trend merging AI governance with cybersecurity risk governance. Both federal and state regulators have acknowledged this correlation.
For instance, the New York State Department of Financial Services (NYDFS) has highlighted the interconnected nature of cybersecurity and AI, advising covered entities under its Part 500 regulations to incorporate AI-related risks into their frameworks. This guidance also underscores the need for robust cybersecurity assessments that account for AI-related risks.
Public companies regulated by the U.S. Securities and Exchange Commission (SEC) may find the Cyber AI Profile particularly beneficial. Even as the SEC has proposed more prescriptive AI disclosure frameworks, the Cyber AI Profile offers a useful tool for contextualizing AI-related risks within broader cybersecurity governance.
Next Steps
The comment period for the draft Cyber AI Profile is open until January 30, 2026. The draft is anticipated to evolve following feedback from industry stakeholders. Organizations are encouraged to monitor NIST’s progress toward final publication.
In the interim, businesses aiming to synchronize their cybersecurity and AI risk management should consider using the Cyber AI Profile to evaluate and refine existing programs. Those familiar with the CSF Profiles might begin integrating elements of the Cyber AI Profile into their cybersecurity assessments, while others can use it as a guide for prioritizing AI-related risks and informing resource allocation decisions.