NIST tees up AI security guidance
- NIST is turning its core security playbooks into AI-specific guidance, using CSF 2.0 and SP 800-53 overlays to show teams how to secure AI systems.
- The concrete work is already public: NIST's Cyber AI Profile draft and its COSAiS project for "using and fine-tuning predictive AI" map familiar controls into AI settings.
- That matters because AI is moving from policy talk to operational risk, as NCSC issued a 10-question checklist and Microsoft said MDASH found 16 Windows flaws.
AI security has a weird problem. Everybody agrees it matters, but most security teams still run on checklists and controls built for ordinary software, not models, agents, and fine-tuning pipelines. NIST is trying to close that gap now. The move is not to invent an entirely new universe of AI rules, but to translate the security language enterprises already use into AI-specific guidance they can actually implement.

### What is NIST actually building?

Two pieces matter here. One is the Cyber AI Profile, a draft profile that plugs AI systems into NIST's Cybersecurity Framework 2.0. The other is COSAiS, short for Control Overlays for Securing AI Systems, which adapts SP 800-53 controls for AI deployments. In plain English, NIST is asking: if you already know how to audit identity, logging, change control, supply chain risk, and incident response, what do those same ideas look like when the system includes a model? (csrc.nist.gov)

### Why use old security frameworks at all?

Because enterprises already run on them. CSF 2.0 is the broad risk-management map. SP 800-53 is the deeper control catalog agencies and contractors use to prove they did the basics. NIST's bet is that AI security adoption will move faster if defenders do not have to learn a brand-new grammar first. They can start from controls they already recognize, then add AI-specific interpretations where the technology changes the threat model. (csrc.nist.gov)

### What makes AI the hard version?

AI systems break the neat boundary around "the application." The risk is not just buggy code. It is training data, model weights, prompts, retrieval layers, fine-tuning, external tools, and drift after deployment. A normal access-control question becomes: who can alter the model, the context window, the grounding data, or the agent's permissions? A normal logging question becomes: can you reconstruct why the model produced a dangerous action? That is why a control overlay helps: it forces familiar controls onto unfamiliar surfaces. (nist.gov)

### How far along is this?

Far enough that the work is public, but not finished. NIST posted a preliminary draft of the Cyber AI Profile in early 2026 and updated the COSAiS project with an annotated outline for discussion in January. The stated focus in the overlay draft is "using and fine-tuning predictive AI," which tells you NIST is aiming first at practical enterprise deployments, not just frontier-model theory. (csrc.nist.gov)

### Why does this land now?

Because the surrounding ecosystem is getting more concrete fast. The UK's NCSC just published a 10-question checklist for teams using AI models to find vulnerabilities. The questions are operational, not philosophical: can you manage the volume of bugs AI may uncover, are you leaking sensitive information into the tooling, and have you sandboxed the system tightly enough? That is basically the same shift NIST is making: from "AI is risky" to "here is what your security team should check on Monday morning." (ncsc.gov.uk)

### And what about Microsoft's MDASH?

That is the proof point for why this cannot stay abstract. Microsoft said on May 12 that its new multi-model agentic security system helped researchers find 16 previously unknown Windows vulnerabilities, including four critical remote-code-execution flaws in networking and authentication components. Great for defenders, but it also means AI can increase the speed and scale of vulnerability discovery, which puts more pressure on triage, patching, and containment processes. (microsoft.com)

### So what changes for security teams?

Mostly, the center of gravity shifts from AI ethics decks to control evidence. Teams will need to show who can touch models, what data was used, how changes are approved, what gets logged, and how incidents are contained when the "software" is partly probabilistic. NIST is trying to make that auditable with tools organizations already understand.
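To make the "control evidence" idea concrete, here is an added example of what an overlay-style check can look like in code. It is not NIST's code and not the COSAiS mapping: the inventory schema, the choice of which SP 800-53 family (AC, CM, SR, AU, IR) each AI-specific question is filed under, the list of log fields needed to reconstruct an action, and the sample records are all assumptions made for this illustration. What it shows is the shift the article describes: the same questions an auditor already asks (who can change it, was the change approved, where did the inputs come from, can you reconstruct what happened, is there a playbook) applied to model weights, grounding data, agent tool permissions and inference logs.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Log fields assumed necessary to reconstruct why a model produced a given
# action. This list is this example's assumption, not a NIST requirement.
RECONSTRUCTION_FIELDS: Set[str] = {
    "model_hash", "system_prompt_hash", "user_input",
    "retrieved_doc_ids", "tool_calls", "output",
}

# Tool permissions treated as high impact for an agent (constructed list).
HIGH_IMPACT_PERMS: Set[str] = {"write", "delete", "execute", "admin"}


@dataclass
class AISystemRecord:
    """One entry in an AI system inventory (schema invented for this example)."""
    name: str
    model_weights_sha256: Optional[str]      # pinned digest of deployed weights
    weights_approved_by: Set[str]            # identities allowed to change weights
    grounding_data_writers: Set[str]         # identities allowed to change the RAG corpus
    fine_tune_data_manifest: Optional[str]   # provenance manifest for fine-tuning data
    change_approval_ticket: Optional[str]    # approval record for the last deployment
    agent_tools: Dict[str, Set[str]]         # tool name -> permissions granted to the agent
    logged_fields: Set[str]                  # fields captured per inference / action
    incident_playbook: Optional[str]         # containment procedure for model misbehaviour


@dataclass
class Finding:
    control_family: str   # SP 800-53 family abbreviation; the mapping used here is assumed
    check: str
    detail: str


def check_record(rec: AISystemRecord) -> List[Finding]:
    """Apply overlay-style questions to one inventory record and return the gaps."""
    findings: List[Finding] = []

    # AC: who can alter the model, the grounding data, or the agent's permissions?
    if not rec.weights_approved_by:
        findings.append(Finding("AC", "weights-change-authorization",
                                "no identities recorded as authorized to change model weights"))
    if not rec.grounding_data_writers:
        findings.append(Finding("AC", "grounding-data-authorization",
                                "no identities recorded as authorized to change grounding data"))
    for tool, perms in sorted(rec.agent_tools.items()):
        risky = perms & HIGH_IMPACT_PERMS
        if risky:
            findings.append(Finding("AC", "agent-tool-least-privilege",
                                    f"tool {tool!r} grants high-impact permissions {sorted(risky)}"))

    # CM: is the deployed model pinned, and was the last change approved?
    if rec.model_weights_sha256 is None:
        findings.append(Finding("CM", "weights-pinned", "deployed model weights have no recorded digest"))
    if rec.change_approval_ticket is None:
        findings.append(Finding("CM", "change-approval", "last deployment has no approval record"))

    # SR: where did the fine-tuning data come from?
    if rec.fine_tune_data_manifest is None:
        findings.append(Finding("SR", "training-data-provenance", "no provenance manifest for fine-tuning data"))

    # AU: can you reconstruct why the model produced an action?
    missing = RECONSTRUCTION_FIELDS - rec.logged_fields
    if missing:
        findings.append(Finding("AU", "action-reconstruction",
                                f"inference log lacks fields needed to reconstruct an action: {sorted(missing)}"))

    # IR: is there a containment procedure when the model misbehaves?
    if rec.incident_playbook is None:
        findings.append(Finding("IR", "containment-playbook", "no incident playbook for model misbehaviour"))

    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per control family, the shape an auditor would ask for."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.control_family] = counts.get(f.control_family, 0) + 1
    return counts


# Constructed sample records; neither describes a real system.
WELL_GOVERNED = AISystemRecord(
    name="support-assistant",
    model_weights_sha256="0" * 64,  # placeholder digest, not a real hash
    weights_approved_by={"ml-release-team"},
    grounding_data_writers={"kb-editors"},
    fine_tune_data_manifest="manifests/support-ft-2026-01.json",
    change_approval_ticket="CHG-0001",
    agent_tools={"ticket_lookup": {"read"}},
    logged_fields=RECONSTRUCTION_FIELDS | {"timestamp"},
    incident_playbook="playbooks/ai-misbehaviour.md",
)
WEAKLY_GOVERNED = AISystemRecord(
    name="ops-agent",
    model_weights_sha256=None,
    weights_approved_by=set(),
    grounding_data_writers=set(),
    fine_tune_data_manifest=None,
    change_approval_ticket=None,
    agent_tools={"shell": {"read", "execute"}, "filestore": {"read", "write", "delete"}},
    logged_fields={"timestamp", "user_input", "output"},
    incident_playbook=None,
)

if __name__ == "__main__":
    for rec in (WELL_GOVERNED, WEAKLY_GOVERNED):
        findings = check_record(rec)
        print(rec.name, summarize(findings))
        for f in findings:
            print(f"  [{f.control_family}] {f.check}: {f.detail}")
```

Run as a script, the well-governed record produces no findings and the weakly governed one produces nine, grouped by family. The point of the per-family summary is that it is the report a security team already knows how to read: nothing in it is about model ethics, all of it is evidence of who can touch what, whether changes were approved, and whether an action can be reconstructed after the fact.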
### Bottom line?

NIST is not writing a sci-fi constitution for AI. It is doing something more useful: turning mainstream cybersecurity controls into a practical security baseline for AI systems before enterprises get buried by model-specific risk. (csrc.nist.gov)