A first look at NIST’s new cyber AI framework

1/26/26

By: Jacob Berlinger and Jason Weiss

The National Institute of Standards and Technology (NIST) recently released its initial preliminary draft of NIST IR 8596, also known as the Cybersecurity Framework Profile for Artificial Intelligence. This new cybersecurity framework signals a meaningful shift in how organizations should think about cybersecurity risk in the age of AI. Rather than treating AI as a purely operational tool, the draft frames AI systems as a distinct and evolving cyber risk category requiring tailored governance. The draft remains open for public comment through January 30, 2026.

Built on NIST Cybersecurity Framework (CSF) 2.0, the Cyber AI Profile does not replace existing cybersecurity standards. Instead, it extends them by “mapping” AI-specific risks and controls to familiar CSF functions, categories, and outcomes. The goal is to help organizations integrate AI into their cybersecurity risk management programs without reinventing their entire control frameworks.

NIST IR 8596 highlights three core focus areas:

  1. Securing AI System Components (Secure): Focuses on identifying cybersecurity challenges when integrating AI into organizational ecosystems and infrastructure.
  2. Conducting AI-Enabled Cyber Defense (Defend): Focuses on identifying opportunities to use AI to enhance cybersecurity processes and activities, and understanding challenges when leveraging AI to support defensive operations.
  3. Thwarting AI-Enabled Cyber Attacks (Thwart): Focuses on building resilience to protect against new AI-enabled threat vectors.

Why This Matters to Legal and Compliance Teams

For legal and compliance teams, this new Cyber AI Profile is particularly relevant as an emerging benchmark for reasonable AI-based security practices. While voluntary, it is likely to influence regulatory expectations, contractual standards, vendor risk assessments, and incident response evaluations, especially where AI systems process sensitive or regulated data.

As can be seen here, AI-based cyber-attacks are emerging quickly and could now expand the enterprise risk your organization faces. In 2025, according to DeepStrike, the number of AI-enabled cyber-attacks rose 47% globally. Microsoft’s Cyber Signals 2025 recorded a 46% rise in AI-generated phishing content, while SlashNext observed a 25% increase in phishing messages that bypass traditional filters.

Legal counsel and compliance officers should view the Cyber AI Profile not merely as technical guidance, but as emerging risk management practices that will increasingly shape expectations around:

  • Reasonable cybersecurity practices for organizations using or providing AI systems.
  • Zero Trust, which must extend to AI systems if organizations expect to maintain control in AI-enabled environments.
  • Regulatory and contractual benchmarking, especially in sectors where AI adoption is accelerating.
  • Enterprise risk assessments that must now consider AI-specific vector exposures.
  • Vendor risk and procurement governance, given how third-party AI services can introduce systemic risks.
  • Supply Chain Transparency, expanding to include models and data, not just software.

The Cyber AI Profile appears to signal where industry best practices are headed — and where regulators may look for consensus standards in the near term. AI adoption is no longer just a strategic advantage — it’s a cybersecurity risk that demands structured, risk-managed integration.

For guidance on how your organization can implement AI, reach out to the attorneys at Freeman Mathis & Gary, who can help navigate innovation, risk and regulatory compliance. Contact Jacob Berlinger, Jason G. Weiss or your local FMG attorney.

Information conveyed herein should not be construed as legal advice or represent any specific or binding policy or procedure of any organization. Information provided is for educational purposes only. These materials are written in a general format and not intended to be advice applicable to any specific circumstance. Legal opinions may vary when based on subtle factual distinctions. All rights reserved. No part of this presentation may be reproduced, published or posted without the written permission of Freeman Mathis & Gary, LLP.