Why the NIST Cyber AI Profile will not save your business
NIST's draft AI cybersecurity framework is thoughtful, slow, and aimed at a level of AI maturity most businesses do not have. The work you need to do is more boring than that.
NIST published a draft of its Cybersecurity Framework Profile for Artificial Intelligence (NISTIR 8596) at the end of 2025, and the 45-day comment window closed on January 30, 2026. The profile's headline framing (securing AI systems, using AI for cyber defense, and thwarting AI-enabled attacks) is exactly the framing you would expect from a thoughtful standards body. The problem is that almost none of it matches the operational reality I see when I sit down with a midsize business and ask what AI is actually running in their environment.
The Cyber AI Profile assumes a maturity baseline most companies do not have. It assumes you can inventory the AI systems integrated into your stack, identify the data they consume, classify the decisions they make, and reason about the threat model of each. In practice, most companies I talk to are still discovering that marketing has been pasting customer lists into ChatGPT, that sales is using a third-party email assistant nobody approved, that customer support has stood up a chatbot on a vendor platform whose model card nobody has read, and that a product team is fine-tuning something against production data without a documented retention policy. The profile is written for the world after that inventory exists. Most companies are in the world before.
The other gap is timeline. The current draft will go through revisions; an initial public draft is expected sometime in 2026, and the final guidance probably arrives in late 2026 at the earliest. Meanwhile, the AI attack surface is moving in months. Phishing payloads generated by frontier models, prompt-injection attacks against retrieval-augmented systems, model-supply-chain compromises, and credential theft routed through agentic browsers are already in active use against real targets. By the time NIST finalizes the framework, the threat catalog will have rotated at least once. That does not mean the profile is wasted work. It means the profile is a reference architecture, not a runbook.
The right reading is that the operational work you need to do this quarter is not waiting on NIST. It is asset management applied to AI. Build a list of every AI tool, model API, embedded assistant, and agent framework in use across the company, including the ones that arrived through SaaS vendors you already had. Label each one with three pieces of information: what data it touches, what decisions it influences or makes, and what contractual posture the vendor has taken on model training, retention, and incident notification. That single document does more for your real risk posture than any framework deliverable, and it is the prerequisite to using a framework when one finally arrives.
A second piece of practical work is updating two contract templates: your vendor security addendum and your acceptable use policy for employees. Vendor agreements signed two years ago almost never address whether the vendor processes your data through third-party models, whether your inputs are used to train shared models, and what notification obligations exist when a model the vendor relies on suffers a breach. Employee policies almost never tell people which AI tools are approved, which are not, and what data may or may not be put into tools in either category. These two documents are not exciting, but they are where most AI security incidents either get prevented or get amplified.
The third piece is incident response. Existing playbooks do not contain scenarios for accidental disclosure of sensitive data to a chatbot, for a vendor’s model being compromised, or for an agentic workflow taking unintended action against a connected system. Adding those scenarios is a one-afternoon exercise that gives the team something to do other than improvise during the actual incident.
The Cyber AI Profile will eventually be useful. It will be a defensible reference when a regulator asks what framework you mapped your controls to, and it will give security teams a shared vocabulary for AI-specific threats. None of that helps until the underlying inventory, contracts, and incident response work has been done. The companies that get into trouble in this cycle will not be the ones that ignored NIST. They will be the ones that waited for NIST while their AI footprint quietly grew underneath them.