Logo
FrontierNews.ai

NIST's New AI Security Framework Is Coming This Summer. Here's What It Means for Your Organization

The National Institute of Standards and Technology (NIST) is launching a comprehensive Cyber AI Profile this summer to help organizations navigate the dual challenge of securing artificial intelligence systems while using AI to defend against increasingly sophisticated attacks. The new framework builds on NIST's Cybersecurity Framework 2.0 and addresses a growing gap between the rapid adoption of AI technologies and the lack of clear security guidance.

Why Is a New AI Security Framework Needed Right Now?

Organizations are adopting AI at breakneck speed, but the threat landscape is moving even faster. According to recent data, 63% of businesses have either fully operationalized or implemented AI within parts of their business, while 88% of organizations plan to implement AI-enabled defenses. Yet the risks are mounting: 53% of executives now rank AI-enabled cyber threats as a top three organizational risk, and 60% of organizations have likely experienced an AI-powered cyber attack in the last year.

The problem is that traditional security approaches are no longer sufficient. AI-enabled adversaries increased operations by 89% year-over-year, with the average time for attackers to break out into a network falling to just 29 minutes in 2025, according to CrowdStrike's 2026 Global Threat Report. In some cases, attackers achieved a complete network intrusion in just 27 seconds. This speed makes it nearly impossible for human-led security teams to respond using conventional methods.

What Does the NIST Cyber AI Profile Actually Cover?

The Cyber AI Profile is designed for any organization using AI-enabled systems, whether standalone systems like large language models (LLMs) and generative AI tools, or applications and infrastructure that incorporate AI capabilities such as predictive analytics or AI-enhanced security tools. The framework organizes guidance around three core focus areas:

  • Secure: Help organizations manage the unique cybersecurity challenges created when adopting AI technology, including securing AI systems themselves, their supply chains, data, machine learning infrastructure, and other systems the AI may rely on.
  • Defend: Identify opportunities to use AI for improving defensive capabilities, from sifting through security alerts and filtering noise to identifying serious threats and providing incident recommendations.
  • Thwart: Ensure resilience against AI-enabled attacks by understanding how threat actors are using AI to move faster, exploit vulnerabilities more efficiently, and craft hyper-realistic phishing campaigns.

For each subcategory within the framework, the Cyber AI Profile adds AI-specific considerations and recommended priorities, providing practical guidance for integrating AI into existing cybersecurity programs.

How Can Organizations Prepare for AI-Driven Threats?

The framework acknowledges that AI is reshaping how both attackers and defenders operate. Cybercriminals are exploiting generative AI tools like ChatGPT to craft large-scale, intricate, and personalized email attacks, while malicious AI variants such as FraudGPT and weaponized AI chatbots are reshaping cybercrime tactics. Meanwhile, AI-powered deepfakes and synthetic media are making it easier for attackers to impersonate executives and organizations at scale.

Organizations can take several concrete steps to strengthen their AI security posture:

  • Assess Your AI Footprint: Inventory all AI systems in your organization, including standalone systems and applications that incorporate AI capabilities, along with their supply chains and data dependencies.
  • Implement AI-Driven Detection: Deploy AI and machine learning-driven tools that detect threats based on behavior rather than signatures, analyze vast datasets to identify attack patterns, and automate routine threat triage tasks.
  • Prepare for Social Engineering at Scale: Train staff to recognize AI-generated phishing emails, voice phishing (vishing) attempts that impersonate executives, and synthetic media designed to manipulate or deceive.
  • Leverage AI for Proactive Defense: Use AI agents to coordinate defense before attacks occur, forecast end-of-life risks for assets, and automate incident response workflows.

What Opportunities Does AI Offer for Cybersecurity?

The Cyber AI Profile recognizes that AI is not just a threat; it is also a powerful defensive tool. Organizations that adopt AI-driven security strategies can streamline governance by aligning AI to organizational policies and supporting policy enforcement, reduce false positives through advanced anomaly detection, and accelerate incident response through automated workflows. AI can also help organizations identify and prioritize vulnerabilities before attackers discover them, turning historical and real-time global attack data into actionable threat intelligence.

The framework includes real-world use cases that illustrate how AI is already being deployed across industries: restaurants using AI to forecast demand, insurance companies determining risk and premiums, power grids balancing loads, and organizations using AI to filter, prioritize, and generate emails and reports.

When Will Organizations Be Able to Use the Framework?

NIST began developing the Cyber AI Profile with an initial concept paper in February 2025, held public workshops and working sessions through September, and reached the preliminary draft stage in December 2025. An initial public draft is expected in summer 2026, with virtual working sessions scheduled for April and May 2026 to refine technical content and improve usability for AI practitioners.

The framework builds on the foundation of NIST CSF 2.0, which was updated in 2024, and incorporates the NIST AI Risk Management Framework (AI RMF), a voluntary framework introduced in 2023 to help organizations design, develop, evaluate, and verify AI systems. By aligning industry standards and best practices into a single comprehensive framework, the Cyber AI Profile aims to bring clarity and consistency to an increasingly complex landscape.

As AI continues to lower the barrier to entry for threat actors, adopting the Cyber AI Profile will be critical for organizations to stay ahead of the curve and ensure that their AI investments strengthen rather than undermine their security posture.