Skip to Content

Live Panel: Navigating AI Compliance in 2026-Which Framework is Right for Your Organization? Register

Dark teal and black gradient

Blog

AI Meets NIST CSF 2.0: A Glimpse into the Upcoming Cyber AI Profile 

In early 2026, the National Institute of Standards and Technology (NIST)’s National Cybersecurity Center of Excellence (NCCoE) announced a new Cyber Artificial Intelligence (AI) Profile to address the growing risks that accompany the increasing proliferation of Artificial Intelligence technologies. The highly anticipated launch is being closely watched by cybersecurity and technology experts across the country, as adoption and development of AI outpaces the development of corresponding compliance frameworks. 

The upcoming Cyber AI Profile builds on the NIST Cybersecurity Framework (CSF) 2.0 by focusing on securing AI technologies across the organization, identifying opportunities for AI-driven defense, and building resiliency against AI-enabled threats. By providing guidance on these areas of concern in existing cybersecurity programs, it brings clarity and consistency. AI risk embedded in enterprise environments requires new strategies to address these evolving challenges. Traditional security approaches are not sufficient and require specialized guidance.  

Why the NIST Cyber AI Profile is Needed Now 

The integration of AI technologies in enterprise environments through stand-alone systems or AI-enabled tools has introduced new operational benefits and security challenges. Organizations need clearer strategies to address real-world threats. Adoption and use of AI in operations varies across organizations, but AI-enabled threats are increasing in speed, scale, and sophistication. The following examples highlight how AI is reshaping enterprise risk and the threat landscape: 

  • 53% of executives ranked AI-enabled cyber threats as a top three organizational risk 
  • 60% of organizations have likely experienced an AI-powered cyber attack in the last year 
  • 63% of businesses have either fully operationalized or implemented AI within parts of their business 
  • 88% of organizations plan to implement AI-enabled defenses 

Source: Gallagher Attitudes to AI Adoption and Risk Survey, BCG Cyber x AI Report 2025 (n=500) 

Recap: What is the NIST Profile? Recap 

The NIST Cybersecurity Framework, originally released in 2014 and updated to version 2.0 in 2024, establishes a baseline for cybersecurity for organizations. Over the years, several profiles have been developed using NIST CSF and associatedwith different technologies, industries, and threats. The upcoming Cyber AI Profile incorporates both the NIST CSF 2.0 and the NIST AI Risk Management Framework (AI RMF). Introduced in 2023, the AI RMF is a voluntary framework designed to help organizations design, develop, evaluate, and verify AI systems. Through the lens of AI and cybersecurity, the Cyber AI Profile aligns industry standards and best practices into a single, comprehensive framework.  

Starting with an initial concept paper in February 2025, NIST held public workshops and working sessions through September, reaching the preliminary draft stage in December 2025. An initial Public Draft is expected in Summer 2026.Meanwhile, NIST is running 2026 Virtual Working Sessions in April and May to refine technical content and improve usability for AI practitioners. 

Cyber AI Profile Explained 

The Profile is intended for organizations that use any AI-enabled systems, whether stand-alone AI systems (e.g., LLMs, generative AI, agentic systems) or applications, infrastructure, or processes that incorporate AI capabilities (e.g., predictive analytics, AI-enhanced security tools). Using three focus areas, the profile intends to secure AI systems, leverage AI defenses, and thwart AI-enabled attacks.  

The profile builds on the foundation of NIST CSF 2.0 which is organized into functions, categories, and subcategories. For each subcategory, the Cyber AI Profile adds AI-specific considerations and recommended priorities, providing organizations with practical guidance for integrating AI into their cybersecurity programs. Example considerations for subcategories include asset management, risk assessment, and continuous monitoring.  

Secure 

The Secure focus of the Cyber AI Profile can help organizations accommodate the unique cybersecurity challenges created when adopting AI technology. Organizations may need to adapt their cybersecurity program to manage and integrate a spectrum of AI systems in an organization’s ecosystem or infrastructure. The scope is not limited to the AI systems themselves, but also their supply chains, data, and machine learning infrastructure and other data or systems the AI may rely on.  
 
Key AI use cases described in the NIST preliminary draft include1: 

  • Restaurants to forecast demand and take/make orders 
  • Insurance companies to determine risk and premiums 
  • Power grids to balance loads 
  • Companies and individuals to filter, prioritize, summarize, generate, and proofread emails, reports, and other documents 
  • Customer service organizations to perform initial interactions with customers 

Defend 

Defend acknowledges the unique advantages and opportunities provided by AI for improving defensive capabilities. It focuses on identifying these opportunities while simultaneously understanding the challenges of adopting AI in cybersecurity processes. By securing AI systems and layering AI-driven defenses, organizations are better able to find and react to threats. This approach supports teams by handling everything from sifting through alerts and filtering noise to identifyingserious threats and providing incident recommendations. Meanwhile, other emerging approaches experiment with AI agents coordinating both attack identification and defensive actions.  

 
Opportunities for AI-enabled defensive capabilities in the NIST preliminary draft include1: 

  • Streamlining Governance: Aligning AI to organizational policies and supporting policy enforcement, information sharing, and communication to reduce administrative overhead. 
  • Proactive Threat Management: Using AI agents to coordinate defense before attacks occur and forecasting end-of-life (EOL) risks as well as asset maintenance. 
  • Advanced Detection: Analyzing anomalies, user behavior and malicious activity while reducing noise and false positives. 
  • Automated Response: Supporting teams through adversarial training, automated incident response, and drafting reports. 

Thwart 

Thwart recognizes the role AI plays in helping threat actors be faster, more efficient, and more sophisticated in their attacks. It offers security programs the insight to ensure resilience is embedded by design. With increasing reports of AI-enabled attacks, Thwart focuses on how these newly enhanced adversary capabilities affect the cybersecurity landscape. The impact spans the entire life cycle, from discovering exploitable vulnerabilities in the environment to accelerating the path from initialfoothold to data exfiltration. Phishing is also undergoing disruptive changes as the effort required decreases and the content complexity increases with hyper-realistic images, links, websites, and narratives. The barrier to entry has lowered as low-skilled actors now wield increasingly advanced capabilities. 

Challenges posed by AI-enabled capabilities described in the NIST preliminary draft include1: 

  • Speed and scale with which the attacks occur, making countermeasures harder to implement within typical timelines 
  • Ease with which adversaries could deploy AI-enabled attacks 
  • Dynamic and optimized nature of AI 

Figure 1. Source: NIST1 
 
As AI continues to lower the barrier to entry for threat actors, adopting the Cyber AI Profile will be critical for organizations to stay ahead of the curve. 

How Tevora Can Help 

As you transition your organization to use AI-enabled tools and processes, Tevora can act as a strategic partner to streamline your AI Security Program. With a tailored approach to the needs of your business and industry-specific requirements, we can help your organization: 

  • Seize AI-related opportunities to streamline operations and reduce human error 
  • Address high-risk vulnerabilities and ensure safe AI practices going forward 
  • Assess your organization’s use of AI tools and identify new threats opened by AI 
  • Evaluate gaps in compliance using the most recent AI-related compliance frameworks such as ISO 42001, NIST AI Framework, or the EU AI Act 

References: 

1 Megas K, Cuthill B, Snyder JN, Patrick B, Khemani I, Dotter M, Garris M, Zarei M, Schiro N (2025) Cybersecurity AI  

2 Profile: NIST Community Profile. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Internal  

3 Report (IR) NIST IR 8596 iprd. https://doi.org/10.6028/NIST.8596.iprd