New Guidance from NIST on AI in Cybersecurity
The draft Cybersecurity Framework Profile for Artificial Intelligence (Cyber AI Profile), published by the National Institute of Standards and Technology (NIST) in December 2025, serves as a pivotal resource for organizations looking to harness artificial intelligence (AI) effectively while managing related cybersecurity risks.
Purpose and Background
As AI technology advances, it presents both significant opportunities and new challenges for cybersecurity. The Cyber AI Profile aims to help organizations secure components of AI systems—such as models, agents, algorithms, and data—and improve their cybersecurity defenses. It also prepares organizations for an evolving threat landscape driven by adversarial uses of AI.
This profile is developed in collaboration with the Applied Cybersecurity Division of the Information Technology Laboratory, the National Cybersecurity Center of Excellence (NCCoE), and the MITRE Corporation. Public feedback is sought until January 2026 to refine its content and structure.
Integration with NIST Cybersecurity Framework 2.0
The Cyber AI Profile complements existing frameworks, particularly the NIST Cybersecurity Framework 2.0, by focusing on unique risks and opportunities related to AI.
Focus Areas of the Cyber AI Profile
The Cyber AI Profile is organized around three primary focus areas:
- Securing AI System Components (Secure): Addresses cybersecurity challenges related to integrating AI into organizational ecosystems, securing models, data, algorithms, and supply chains.
- Conducting AI-Enabled Cyber Defense (Defend): Identifies opportunities to leverage AI for enhancing cybersecurity processes, including threat detection, automated response, and risk management.
- Thwarting AI-Enabled Cyber Attacks (Thwart): Focuses on resilience against new threat vectors introduced by AI, such as AI-driven phishing and malware.
These focus areas integrate with the broader principles of the NIST CSF 2.0: Govern, Identify, Protect, Detect, Respond, and Recover.
Implementation Considerations
Organizations can tailor their implementation of the Cyber AI Profile based on risk tolerance, operational needs, and maturity. Each subcategory provides:
- General AI-related considerations for achieving outcomes.
- Focus area-specific priorities and considerations.
- Sample opportunities for leveraging AI, particularly in the defend focus area.
- Example informative references, including laws and research publications.
Public Feedback and Next Steps
NIST is actively seeking public comments on the draft, inviting input on document structure, focus area descriptions, and glossary terms. Comments can be submitted via email to cyberaiprofile@nist.gov by January 30, 2026. NIST also plans a workshop to discuss the guidance.
Conclusion
The Cyber AI Profile marks a significant advancement toward a unified, risk-based approach to managing the cybersecurity implications of AI. By incorporating AI-specific considerations with the established NIST CSF 2.0, it serves as a practical resource for organizations aiming to secure their AI systems and enhance their defenses against AI-enabled threats.
