NIST Releases Draft Framework for AI Cybersecurity, Solicits Public Comment
The National Institute of Standards and Technology (NIST) has recently announced the release of draft guidelines aimed at applying its Cybersecurity Framework to organizations that are adopting artificial intelligence (AI). These guidelines, known as the Cyber AI Profile, are open for public comment until midnight on January 30, 2026.
Significance of the Cyber AI Profile
While the Cyber AI Profile is nonbinding, its importance lies in providing organizations with a structured approach to manage cybersecurity risks associated with AI systems. This document represents NIST’s first comprehensive effort to incorporate AI-specific risks and opportunities into the longstanding NIST Cybersecurity Framework 2.0 (CSF), which is widely utilized for managing cybersecurity risks.
Organizations involved in the development, deployment, procurement, or use of AI systems should consider the Cyber AI Profile as a preliminary indicator of how regulators, auditors, plaintiffs, and other stakeholders may assess reasonable cybersecurity and governance practices concerning AI-enabled systems.
Key Areas of Focus
The Cyber AI Profile addresses three crucial areas where the intersection of AI and cybersecurity presents notable challenges and opportunities:
- Securing AI System Components: This section emphasizes identifying cybersecurity challenges when integrating AI into organizational ecosystems and infrastructure.
- Conducting AI-Enabled Cyber Defense: This area focuses on identifying opportunities to leverage AI for enhancing cybersecurity processes and activities.
- Thwarting AI-Enabled Cyber Attacks: This segment is dedicated to building resilience against new AI-enabled threat vectors.
Key Takeaways
- This is an Initial Preliminary Draft of the Cyber AI Profile. It is designed to reflect current thinking on AI governance, and feedback will inform future iterations.
- The Cyber AI Profile does not replace existing cybersecurity or AI governance frameworks; rather, it adds AI-specific priorities and considerations to the CSF 2.0.
- This profile has the potential to become a de facto benchmark for regulators and agencies assessing cybersecurity diligence involving AI.
Overview of the Cyber AI Profile
The Cyber AI Profile is a NIST Cybersecurity Framework Community Profile that helps organizations prioritize cybersecurity outcomes in the context of AI systems. Notably, NIST intentionally avoids a narrow definition of “AI,” using the term “AI systems” to encompass all systems utilizing AI capabilities, whether they are standalone or integrated into other applications, infrastructure, and organizations.
In essence, the Cyber AI Profile:
- Uses the CSF 2.0 Functions (Govern, Identify, Protect, Detect, Respond, Recover), Categories, and Subcategories to group similar cybersecurity measures.
- Incorporates AI-specific considerations and proposed priorities for each Subcategory, such as the necessity of conducting AI audits to address needs like explainability.
- Recognizes that organizations may be at various stages of AI adoption, ranging from limited machine learning tools to fully agentic or generative AI deployments.
Applications and Related Initiatives
The Cyber AI Profile targets a wide array of organizations, including those developing or utilizing AI technologies, whether as standalone systems or as AI-enabled capabilities integrated into other systems. It also serves organizations interested in understanding and leveraging the cybersecurity benefits that AI can offer, or in better defending against AI-enabled cyber attacks.
To complement the Cyber AI Profile, NIST is developing a series of Control Overlays for Securing AI Systems (COSAiS) based on the NIST Special Publication (SP) 800-53 controls. This initiative will enable organizations to customize their baseline security measures to fit their specific contexts and needs.
Additionally, NIST has initiated a Request for Information concerning how to measure and improve the secure development and deployment of agentic AI systems, paving the way for more detailed guidance in the future.
Conclusion
The release of NIST’s Cyber AI Profile sends a clear message: AI is now a critical aspect of cybersecurity governance. Organizations that delay adapting their programs until formal regulations emerge may find themselves lagging behind evolving expectations.
As developments regarding the Cyber AI Profile and NIST’s COSAiS continue to unfold, stakeholders are encouraged to remain informed about how these frameworks might impact their AI deployments, cybersecurity posture, regulatory exposure, or contractual obligations.