By ByteBot
NIST released a preliminary draft of the Cybersecurity Framework Profile for Artificial Intelligence on December 16, 2025—the first official guidance mapping its widely-adopted CSF 2.0 to AI system security. This isn’t bureaucratic paperwork. It’s structured defense against real attacks already hitting production AI systems, developed with input from 6,500+ security professionals over the past year.
The draft tackles a problem 81% of organizations admit to: knowingly shipping vulnerable code. AI amplifies that risk. Data poisoning, adversarial attacks, and model extraction aren’t theoretical—they’re active threats targeting the AI systems developers are building right now.
Three Focus Areas: Secure, Defend, Thwart
The Cyber AI Profile organizes guidance around three overlapping security objectives:
Securing AI Systems addresses threats to models, training data, and inference pipelines. Attackers tamper with training datasets to corrupt outputs—a technique called data poisoning that now extends across the entire LLM lifecycle, from pre-training to RAG pipelines to agent tooling. Model extraction attacks replicate proprietary models by observing their outputs, threatening both intellectual property and creating malicious copies.
AI-Enabled Cyber Defense flips the script: using AI to enhance security capabilities through automated threat detection and continuous monitoring. The catch? New dependencies. Organizations adopting AI for defense need to understand the accuracy limitations and false positive risks that come with those capabilities.
Thwarting AI-Enabled Attacks recognizes that adversaries are already weaponizing AI for phishing campaigns, automated vulnerability exploitation, and supply chain attacks through poisoned dependencies. Defense requires zero-trust policies for AI agent access and regular adversarial testing—not just at deployment, but throughout the AI lifecycle.
Real Threats Require Different Defenses
Machine learning security isn’t just traditional cybersecurity with a new coat of paint. The threat landscape diverges sharply: data-centric attacks like poisoning and biased labeling compromise what models learn, while code-centric attacks exploit third-party ML dependencies and model serving infrastructure.
Consider adversarial attacks: carefully crafted inputs that fool AI models into incorrect decisions while appearing normal to humans. These can misclassify sensitive data, manipulate recommendation engines, or bypass fraud detection systems entirely. Traditional security controls don’t catch them because the attacks operate at the model logic level, not the network or application layer.
CISA, the NSA, and FBI released joint guidance in May 2025 addressing these gaps with 10 best practices: dataset provenance tracking, quantum-resistant digital signatures for authenticating training data, Zero Trust architecture for data processing, and differential privacy to prevent extraction of training data through model queries. The NIST Cyber AI Profile now provides the framework structure to implement those controls systematically.
Integration Reduces Friction
The profile maps AI security to CSF 2.0’s six Functions—Govern, Identify, Protect, Detect, Respond, Recover—using the same Categories and Subcategories structure organizations already know. Developers familiar with CSF 2.0 can apply existing cybersecurity knowledge to AI systems without learning an entirely new framework.
It also connects to NIST’s AI Risk Management Framework, which evolved in 2025 to address generative AI, supply chain vulnerabilities, and new attack models. The alignment simplifies cross-framework compliance and gives developers a common language to discuss AI security with stakeholders beyond engineering teams.
Public Comment Through January 30
NIST is accepting public comments on the preliminary draft until January 30, 2026, via cyberaiprofile@nist.gov. A virtual workshop scheduled for January 14 will discuss the framework before final publication expected in the first half of 2026.
The timeline matters. As AI adoption accelerates—65% of developers now use AI coding tools weekly—organizations face mounting pressure to implement AI systems securely. The Cyber AI Profile provides actionable structure for security by design, not security as an afterthought when vulnerabilities surface in production.
Why Developers Should Care
Compliance requirements will follow NIST guidance. Organizations building AI systems will expect implementations that map to this framework. Beyond compliance, the profile offers practical controls that protect against attacks happening now: tamper-evident storage with immutable records, adversarial testing protocols, dataset provenance checks.
Seventy-four percent of cybersecurity professionals report AI-powered threats as a major challenge for their organizations. The gap between AI innovation and AI security continues widening. This framework addresses that gap with concrete, implementable guidance developed by practitioners facing these threats daily.
The broader context reinforces urgency: BlackRock forecasts $5-8 trillion in AI-related capital expenditure through 2030. That investment flows into systems that become targets the moment they reach production. The NIST Cyber AI Profile isn’t red tape—it’s structured defense against adversaries already exploiting the AI systems developers are shipping today.
