Artificial intelligence is increasingly embedded in enterprise environments, creating new cybersecurity risks alongside operational benefits. To address this shift, the National Institute of Standards and Technology (NIST) has released a preliminary draft of guidance called the Cyber AI Profile, aimed at helping organizations align their cybersecurity strategies with AI adoption.
These draft NIST guidelines are presented in a new document known as the Cybersecurity Framework Profile for Artificial Intelligence (NISTIR 8596), commonly referred to as the Cyber AI Profile. The publication is intended to help organizations apply the NIST Cybersecurity Framework, specifically CSF 2.0, to the secure and responsible use of AI technologies. The goal is to accelerate AI adoption while mitigating the cybersecurity risks that accompany AI’s rapid advancement.
Why Do We Need AI Cybersecurity Guidelines?
According to NIST, AI affects cybersecurity in multiple ways. Organizations must secure AI systems themselves, consider how AI can strengthen cyber defense operations, and prepare for a growing class of AI-enabled cyberattacks. The Cyber AI Profile reflects this reality by organizing its guidance around three overlapping focus areas: securing AI systems, conducting AI-enabled cyber defense, and thwarting AI-enabled cyberattacks.
Barbara Cuthill, one of the authors of the profile, stresses that organizations cannot afford to treat AI as a distant concern. “Regardless of where organizations are on their AI journey, they need cybersecurity strategies that acknowledge the realities of AI’s advancement,” she said.
Inside the Cyber AI Profile and Its Three Focus Areas
The Cyber AI Profile is the result of a year-long collaborative effort involving NIST cybersecurity and AI specialists, supported by extensive public engagement. Over the course of the project, more than 6,500 individuals joined a community of interest to provide input. NIST released an initial concept paper in February 2025, followed by a workshop in April 2025 and a series of community meetings during the summer. This process led to the release of the preliminary draft, which is now open for a 45-day public comment period.
Each of the three focus areas addressed in the Cyber AI Profile serves a distinct role. Securing AI systems involves identifying cybersecurity challenges that emerge when AI is integrated into organizational infrastructure and ecosystems. Conducting AI-enabled cyber defense examines how AI can be used to strengthen cybersecurity operations while recognizing the risks associated with deploying AI in defensive roles. Thwarting AI-enabled cyberattacks focuses on building resilience against threats that use AI to increase their scale, speed, or effectiveness.
“The three focus areas reflect the fact that AI is entering organizations’ awareness in different ways,” Cuthill said. “But ultimately every organization will have to deal with all three.”
Applying CSF 2.0 and the NIST Cybersecurity Framework to AI
Through the lens of the NIST Cybersecurity Framework, the Cyber AI Profile helps organizations clarify their cybersecurity objectives related to AI and CSF 2.0. It offers structured insights to help organizations understand, evaluate, and address AI-related cybersecurity concerns while integrating AI into existing cybersecurity programs in a deliberate way.
NIST refers to the Cyber AI Profile as a “community profile,” meaning it applies to CSF 2.0 to shared goals across multiple sectors. The Cyber AI Profile joins similar community profiles developed for manufacturing, financial services, telecommunications, and other industries.
The preliminary draft is intended to gather public feedback before NIST releases an initial public draft in 2026. That version is expected to refine the guidance further and include expanded mappings to additional NIST resources. When finalized, the profile will help organizations incorporate AI into cybersecurity planning by identifying priority actions.
Cuthill said the authors hope the Cyber AI Profile will continue to evolve as a practical resource. “The Cyber AI Profile is all about enabling organizations to gain confidence in their AI journey,” she said. “We hope it will help them feel equipped to have conversations about how their cybersecurity environment will change with AI and to augment what they are already doing with their cybersecurity programs.”
