Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

While inherently critical to today’s businesses that run on data, implementing and enforcing data security and privacy has never been straightforward. Between collecting different types of sensitive data and deploying unique architectures, organizations cannot adopt a one-size-fits-all solution, meaning that every security architecture is unique.

AI agents are likely already running inside your infrastructure. They triage alerts, remediate incidents, provision resources, and make decisions without waiting for a human to approve each step. For teams aligned to NIST’s Cybersecurity Framework (CSF) 2.0, this creates a problem: the framework assumes human actors, human-speed decisions, and human-readable audit trails. Autonomous systems break all three assumptions. The good news is that CSF 2.0 was designed to be adapted.

NIST CSF 2.0 expands the Cybersecurity Framework into a broader, risk-based model centered on governance, making leadership accountable for cybersecurity as an enterprise risk. It introduces a sixth core function, enhances supply chain and privacy integration, and improves usability for organizations of all sizes. Profiles, tiers, and new implementation resources help align security efforts with business objectives and evolving threat landscapes.

For many engineering and security teams, NIST SP 800-218 (Secure Software Development Framework, or SSDF) compliance feels like a hurdle that is too difficult to overcome. To meet these and other emerging regulations and be effective in today’s DevSecOps environment, organizations are moving toward codifying these standards into machine-readable rules, also known as Policy as Code (PaC).

NIST Special Publication 800-171 defines a precise set of security requirements for organizations that handle Controlled Unclassified Information (CUI) outside of federal systems. For defense contractors, subcontractors, and their engineering teams, these controls are non-negotiable with the advent of the Cybersecurity Maturity Model Certification (CMMC) program, which dictates how CUI must be accessed, logged, transmitted, and protected across every system in scope. That scope is shifting.

The NIST AI Risk Management Framework is a guide that helps organizations spot and reduce risks in AI systems. This framework was released in January 2023 by the U.S. National Institute of Standards and Technology. The framework is built around four key steps, namely: Govern, Map, Measure, and Manage, and is meant to help teams responsibly use AI. It doesn’t matter which industry you work in or which AI you use; this framework works everywhere.

Matthew Smith is a vCISO and management consultant specializing in cybersecurity risk management and AI. Over the last 15 years, he has authored standards, guidance and best practices with ISO, NIST, and other governing bodies. Smith strives to create actionable resources for organizations seeking to minimize technological risk and increase value to customers.

AI is now widely used across security, automation, and digital infrastructure. With that shift, risk is no longer limited to technical failures – it also includes trust, data misuse, and system authenticity. This article explains what the NIST AI Risk Management Framework is, how AI risk affects security, the key risk categories, and how cybersecurity infrastructure supports trustworthy AI systems.