CISO, Enterprise Architect, Compliance Officer
Industry relevance: Financial Services, Healthcare, Government, Energy
DECEMBER 16, 2025
NIST's Cybersecurity Framework now has an AI extension — AI systems are formally in scope for cybersecurity controls, not outside them.
NIST NCCoE published the preliminary draft of NIST IR 8596, Cybersecurity Framework Profile for Artificial Intelligence (Cyber AI Profile), in December 2025. The profile extends the NIST Cybersecurity Framework to AI systems across three focus areas: securing AI system components, conducting AI-enabled cyber defense, and governing AI across the enterprise. Public comment closed January 30, 2026.
GOVERNANCE IMPLICATION
The NIST Cybersecurity Framework Profile for Artificial Intelligence establishes that AI systems are within the CSF scope — not a separate domain governed by different frameworks. For regulated organizations that use the NIST CSF as their compliance baseline, the Cyber AI Profile creates an expectation that AI deployments are assessed against the same Identify, Protect, Detect, Respond, and Recover functions as any other technology system. Organizations that have treated AI governance as separate from their CSF program now have a documented gap between what NIST expects and what their program covers.
SCENARIO
A regional bank uses the NIST Cybersecurity Framework as its primary compliance baseline submitted to OCC examiners each cycle. In December 2025, NIST publishes the preliminary Cyber AI Profile extending CSF to AI systems. By the time the bank's next examination arrives in Q3 2026, the examiner references the profile and asks which CSF functions have been applied to the bank's Copilot and agent deployments. The bank's CSF program has no AI-specific controls mapped to any CSF function.
THE GOVERNANCE QUESTION
The NIST Cyber AI Profile establishes that AI systems require cybersecurity controls as first-class requirements — not add-ons addressed after deployment. If your organization uses the NIST Cybersecurity Framework as a compliance or audit baseline, the Cyber AI Profile creates the expectation that your AI deployment inherits that framework. Has your security team assessed which CSF controls apply to your agent deployments, or is AI still being treated as outside the framework boundary?
CONTROL GAP
Most NIST CSF implementations were built before AI agents existed as an enterprise risk category. The Cyber AI Profile creates a mapping expectation that existing CSF programs have not fulfilled — AI is not in the asset inventory, not in the risk register, and not in the incident response playbook.
REGULATORY RELEVANCE
NIST AI RMF, FFIEC, OCC, FINRA, SEC Cyber
PRIMARY SOURCE
NIST releases preliminary draft of Cyber AI Profile
NIST NCCoE
MAY 19, 2026
Compliance
On May 19, 2026, the European Commission published draft guidelines on classifying high-risk AI systems under Article 6 of the EU AI Act and opened a stakeholder consultation running until June 23, 2026 (European Commission, Shaping Europe's Digital Future, May 19, 2026). Issued under Article 6(5), the three-part guidance covers general classification principles, the Annex I product-safety route, and the Annex III use-case route across eight domains including biometrics, employment, and essential services. The draft addresses anti-circumvention for modular and agentic systems and clarifies that human oversight under Article 14 does not by itself remove a system from the high-risk category.
MAY 8, 2026
Compliance
NIST published the final SP 800-70 Revision 5 on May 8, 2026 via CSRC, updating the National Checklist Program for IT Products. Revision 5 introduces expanded coverage for cloud platforms, IoT, and AI systems; enhanced mapping to NIST CSF 2.0 outcomes and SP 800-53 controls; explicit support for automated checklist formats; and detailed guidance for tailoring checklists to stand-alone, enterprise, and legacy environments. The document is intended for both checklist users and developers who participate in the National Checklist Program.
MAY 7, 2026
Compliance
On May 7, 2026, EU legislators reached political agreement on the Digital Omnibus revisions to the EU AI Act. The agreement introduces a 16-month postponement for most high-risk Annex III AI systems, covering employment screening, credit decisions, biometric identification, education, and law enforcement applications, moving the effective deadline to approximately December 2027. Product-embedded high-risk AI systems receive a 12-month postponement to approximately August 2027. Transparency obligations for AI-generated content shift to December 2026 (a three-month delay only). The agreement remains subject to formal adoption by the European Parliament and Council. Source: European Commission, digital-strategy.ec.europa.eu, updated May 2026.