NIST Releases Cybersecurity Framework AI Profile to Guide Secure AI Adoption

What happened

The National Institute of Standards and Technology (NIST) published a draft of its Cybersecurity Framework Profile for Artificial Intelligence, a new companion to the long‑used NIST Cybersecurity Framework (CSF). The profile maps AI‑specific cybersecurity considerations to the CSF, helping organizations address risks associated with securing AI systems, using AI defensively, and countering AI‑powered attacks. The draft is open for public comment through January 30, 2026, with a virtual workshop planned for January 14. 

Who is affected

This guidance targets security leaders, risk managers, and technology teams across sectors that are deploying or planning to deploy AI technologies. Because the CSF is widely adopted by enterprises, government agencies, and critical infrastructure operators globally, the new AI profile will influence a broad range of organizations. 

Why CISOs should care

AI systems introduce novel risk vectors, from model vulnerabilities to malicious use of generative tools, that traditional cybersecurity frameworks don’t fully address. By incorporating AI‑specific guidance into the familiar CSF structure, the profile offers CISOs a practical way to align AI risks with existing risk management processes rather than reinventing their security programs from scratch. Early engagement with the draft can also help security leaders shape evolving expectations before the guidance is finalized. 

3 practical actions

  1. Review and comment on the draft: Encourage your security and risk teams to assess the published draft and submit feedback before the Jan. 30 deadline to help shape industry‑wide best practices.
  2. Inventory AI assets: Map current and planned AI systems to your CSF‑aligned risk profiles to identify gaps in governance, protection, detection, and response relative to the new AI considerations.
  3. Update risk and control frameworks: Use the AI profile to refine threat models and control sets, ensuring your cybersecurity program explicitly accounts for AI‑related threats and defensive opportunities.