NIST releases preliminary draft of Cyber AI Profile
The National Institute of Standards and Technology (NIST) has taken a significant step in addressing the evolving cybersecurity challenges posed by artificial intelligence (AI). On December 16, 2025, NIST released its preliminary draft of the Cyber AI Profile (NIST IR 8596, Cybersecurity Framework Profile for Artificial Intelligence). This framework aims to guide organizations in managing AI-related risks while aligning with NIST’s updated Cybersecurity Framework (CSF) 2.0.
With AI now deeply integrated into business operations, products, and workflows, organizations face new risks as both attackers and defenders increasingly employ AI. While adversaries use AI to scale phishing campaigns and create deepfakes, defenders rely on it for threat detection and response. Given these challenges, NIST developed the Cyber AI Profile to help businesses adopt a structured approach to securing AI systems, leveraging AI for cybersecurity, and preparing for AI-enabled threats.
Balancing risk management with AI opportunities
The draft Cyber AI Profile builds upon two foundational NIST frameworks – CSF 2.0 and the AI Risk Management Framework (AI RMF) – to address AI-specific security risks. By applying CSF 2.0 to AI considerations, the Cyber AI Profile provides organizations with a common language and practical guidance to enhance their cybersecurity defenses. It focuses on integrating AI-related risks into existing security programs without defining "AI" itself, allowing flexibility as the field continues to evolve.
The framework centers on three practical "focus areas" for organizations:
- Securing AI System Components (Secure): Addressing the cybersecurity challenges of integrating AI into systems and infrastructure.
- Conducting AI-Enabled Cyber Defense (Defend): Leveraging AI for improved cybersecurity while maintaining human oversight and compliance.
- Thwarting AI-Enabled Cyber Attacks (Thwart): Enhancing resilience against cyber threats that exploit AI.
The draft provides detailed tables aligned with the six CSF "functions" – Govern, Identify, Protect, Detect, Respond, and Recover. These tables outline AI-specific considerations for each focus area and assign priority levels to guide planning. Additionally, it offers examples of how AI can help achieve cybersecurity objectives and references existing resources where traditional practices remain effective.
Addressing AI-specific challenges
The Cyber AI Profile outlines several unique considerations for managing AI risks. For instance, NIST emphasizes the importance of maintaining accurate inventories of AI models, data flows, and permissions to support effective monitoring and anomaly detection. Organizations are also encouraged to verify the provenance and integrity of training and input data as rigorously as they would for software or hardware.
Supply chain risk management must extend to AI-specific components, including models, datasets, and associated terms in contracts. NIST also highlights the need for human accountability, recommending that organizations assign clear ownership for AI system actions and ensure human oversight in AI-assisted decision-making processes.
Notably, the framework acknowledges the dynamic nature of AI threats, which can increase the speed and scale of cyberattacks. To stay ahead, organizations are advised to standardize AI risk assessments and conduct more frequent policy reviews. NIST also recommends measures such as AI-assisted penetration testing and red teaming to address AI-enabled vulnerabilities.
Industry collaboration and next steps
NIST is inviting public feedback on the preliminary draft through a 45-day comment period ending on January 30, 2026. This input will inform revisions before the release of the initial public draft. In parallel, NIST is developing SP 800-53 "Control Overlays for Securing AI Systems" (COSAiS) to complement the outcome-oriented guidance of the Cyber AI Profile with implementation-level recommendations.
The draft emphasizes the need for clear leadership accountability, cross-functional collaboration, and ongoing training for staff on AI capabilities and threats. Organizations are encouraged to act proactively, performing gap assessments and updating their risk management strategies to align with the guidance.
The Cyber AI Profile represents NIST’s broader effort to help businesses adapt to the realities of AI while reinforcing the effectiveness of existing cybersecurity practices. By addressing the unique challenges posed by AI, the framework aims to ensure that organizations can confidently navigate the rapidly evolving threat landscape.