Audience: CISO, Enterprise Architect, Compliance Officer
Industry relevance: Financial Services, Healthcare, Government, Energy
DECEMBER 16, 2025
NIST's Cybersecurity Framework now has an AI extension — AI systems are formally in scope for cybersecurity controls, not outside them.
NIST NCCoE published the preliminary draft of NIST IR 8596, Cybersecurity Framework Profile for Artificial Intelligence (Cyber AI Profile), in December 2025. The profile extends the NIST Cybersecurity Framework to AI systems across three focus areas: securing AI system components, conducting AI-enabled cyber defense, and governing AI across the enterprise. Public comment closed January 30, 2026.
GOVERNANCE IMPLICATION
The NIST Cybersecurity Framework Profile for Artificial Intelligence establishes that AI systems are within the CSF scope — not a separate domain governed by different frameworks. For regulated organizations that use the NIST CSF as their compliance baseline, the Cyber AI Profile creates an expectation that AI deployments are assessed against the same Identify, Protect, Detect, Respond, and Recover functions as any other technology system. Organizations that have treated AI governance as separate from their CSF program now have a documented gap between what NIST expects and what their program covers.
SCENARIO
A regional bank uses the NIST Cybersecurity Framework as its primary compliance baseline submitted to OCC examiners each cycle. In December 2025, NIST publishes the preliminary Cyber AI Profile extending CSF to AI systems. By the time the bank's next examination arrives in Q3 2026, the examiner references the profile and asks which CSF functions have been applied to the bank's Copilot and agent deployments. The bank's CSF program has no AI-specific controls mapped to any CSF function.
THE GOVERNANCE QUESTION
The NIST Cyber AI Profile establishes that AI systems require cybersecurity controls as first-class requirements — not add-ons addressed after deployment. If your organization uses the NIST Cybersecurity Framework as a compliance or audit baseline, the Cyber AI Profile creates the expectation that your AI deployment inherits that framework. Has your security team assessed which CSF controls apply to your agent deployments, or is AI still being treated as outside the framework boundary?
CONTROL GAP
Most NIST CSF implementations were built before AI agents existed as an enterprise risk category. The Cyber AI Profile creates a mapping expectation that existing CSF programs have not fulfilled — AI is not in the asset inventory, not in the risk register, and not in the incident response playbook.
REGULATORY RELEVANCE
NIST AI RMF
FFIEC
OCC
FINRA
SEC Cyber
PRIMARY SOURCE
NIST releases preliminary draft of Cyber AI Profile
NIST NCCoE
MAY 8, 2026
Compliance
NIST published the final SP 800-70 Revision 5 on May 8, 2026 via CSRC, updating the National Checklist Program for IT Products. Revision 5 introduces expanded coverage for cloud platforms, IoT, and AI systems; enhanced mapping to NIST CSF 2.0 outcomes and SP 800-53 controls; explicit support for automated checklist formats; and detailed guidance for tailoring checklists to stand-alone, enterprise, and legacy environments. The document is intended for both checklist users and developers who participate in the National Checklist Program.
MAY 4, 2026
Compliance
NIST published SP 800-234 final on May 4, 2026 via CSRC, introducing a High-Performance Computing security overlay built on the NIST SP 800-53B moderate baseline. The document tailors 60 SP 800-53 security controls with supplemental HPC guidance. The publication explicitly identifies HPC as infrastructure for large-scale simulations, big data analysis, and the training of AI and machine learning models. The audience includes IT security managers, compliance officers, HPC system administrators, and agency program managers responsible for securing HPC environments.
APRIL 14, 2026
Compliance
Microsoft's April 14, 2026 Patch Tuesday addressed CVE-2026-32201, an improper input validation vulnerability in Microsoft SharePoint Server that allows an unauthenticated network attacker to perform spoofing and gain read and write access to sensitive information. The vulnerability is under active exploitation in the wild. CISA added it to the Known Exploited Vulnerabilities catalog on April 14 with a mandatory remediation deadline of April 28, 2026 for Federal Civilian Executive Branch agencies. The same Patch Tuesday release also addressed CVE-2026-33825, a Microsoft Defender elevation of privilege vulnerability rated CVSS 7.8 that was publicly disclosed before the patch shipped.