The new Cybersecurity Framework Profile for Artificial Intelligence, published Tuesday, is designed to help organizations map AI-specific security considerations onto the CSF, one of the most commonly used cybersecurity blueprints across government and industry.
The new Cybersecurity Framework Profile for Artificial Intelligence, published Tuesday, is designed to help organizations map AI-specific security considerations onto the CSF, one of the most commonly used cybersecurity blueprints across government and industry. The profile outlines how organizations can both protect AI systems and use AI to strengthen cyber defenses, while also guarding against AI-enabled attacks.
NIST groups its guidance into three core categories: “secure,” “defend,” and “thwart.” These reflect the different ways AI is entering enterprise environments—from internally deployed models, to AI-powered security tools, to threats posed by adversaries leveraging AI.
“AI is entering organizations’ awareness in different ways,” said Barbara Cuthill, one of the profile’s authors. “But ultimately every organization will have to deal with all three.”
The document provides AI-specific guidance for every component of the Cybersecurity Framework, spanning areas such as intrusion detection, vulnerability management, supply chain security, and incident response. Rather than replacing existing controls, the profile shows how AI considerations should be layered onto established cybersecurity practices.
In announcing the release, NIST said the profile is intended to help organizations “understand, examine and address the cybersecurity concerns related to AI and thoughtfully integrate AI into their cybersecurity strategies.”
The draft was developed with extensive input from industry, academia, and government. More than 6,500 contributors submitted ideas on how AI risks and use cases should align with the CSF. NIST is now soliciting public comments through January 30 and plans to host a virtual workshop on January 14 to gather additional feedback.
The AI-focused CSF profile is the latest addition to NIST’s growing body of AI governance and security guidance. In recent years, the agency has released an AI Risk Management Framework (2023), a generative AI profile for that framework (2024), and a separate publication in August aimed at securing AI systems using NIST’s existing security controls catalog.
Together, these efforts reflect NIST’s expanding role at the center of U.S. AI governance—an assignment reinforced across multiple administrations. Former President Joe Biden directed the agency to develop standards for AI security testing and synthetic content, while President Donald Trump has rolled back some directives and issued new ones, including instructing NIST to help federal agencies evaluate their AI models.
For organizations already aligned with the Cybersecurity Framework, the new AI profile offers a practical bridge between traditional cyber risk management and the rapidly evolving realities of AI deployment—without requiring a wholesale rethink of existing security programs.
Sara Montes de Oca is the Editor in Chief of TechEchelon. Previously a correspondent and producer in Washington, D.C., covering business, finance, and politics.
More from Sara →CISA has confirmed active exploitation of CVE-2026-20253, a critical Splunk Enterprise flaw that allows unauthenticated remote attackers to manipulate files, and ordered federal civilian agencies to patch by Sunday under Binding Operational Directive 26-04.
Market intelligence platform Klue has confirmed attackers stole OAuth tokens connected to customer Salesforce environments on June 12, as the newly emerged Icarus extortion group publicly claims responsibility and the list of affected organizations continues to grow.
Human Rights Watch obtained Bulgarian export licensing records showing surveillance firm Circles sold phone-interception and geolocation tools to ten governments — including the UAE, Bahrain, and Azerbaijan — between 2018 and 2023, raising fresh questions about the EU's export control enforcement.
Written for readers who already know the basics — markets, AI, and the policy decisions that shape both.