Tech group seeks additional context addressing AI risks in CSF 2.0 draft profile connecting frameworks

The Information Technology Industry Council is encouraging the National Institute of Standards and Technology to provide more guidance on risk management and agentic artificial intelligence, in comments on a preliminary draft profile of the NIST cybersecurity framework focused on AI.

ITI says the “the Profile could be strengthened by addressing cybersecurity risk management considerations for AI systems used to monitor and control critical infrastructure, including resilience, fail-safe behavior, and governance for AI-supported operational decision-making.” The draft profile was published on Dec. 17 and followed by a Jan. 14 workshop to get more stakeholder feedback.

“We recognize that the Center for AI Standards and Innovation (CAISI) has an open proceeding on agentic AI security, but we also suggest that NIST articulate that AI agents are becoming a more common characteristic of AI deployment,” ITI writes in Jan. 30 comments to NIST. The comment period for the profile closed on Jan. 30.

ITI writes, “This should include agent-specific considerations such as delegation tracking and auditability, behavioral monitoring of agent activity (including velocity/anomaly detection), and protecting sensitive data exchanged through agent workflows (e.g., tokenization).”

The preliminary draft profile contains questions for stakeholders on the document structure and topics, the focus area descriptions and the profile content.

ITI explains how its members have called the Cyber AI profile “valuable as a conceptual bridge between traditional cybersecurity practices and the unique characteristics of AI systems.” But the trade association says, “At the same time, companies have highlighted that there are practical challenges that organizations might face in operationalizing multiple overlapping frameworks simultaneously.”

“As such, we believe the Profile would benefit from including implementation guidance that demonstrates how organizations can establish unified governance structures that satisfy multiple framework controls and requirements,” ITI says.

Providing a “clearer differentiation between developers and deployers in the context of this Framework could be helpful,” ITI argues, explaining how “Certain controls and practices are more naturally the responsibility of developers, while others fall to deployers.”

One of NIST’s questions asks stakeholders to weigh in on how they expect the profile to their future practices and processes.

ITI responds, “We anticipate that the Cyber AI Profile will function as a practical reference for embedding AI-specific cybersecurity considerations into existing enterprise risk management and security programs, enabling organizations to:”

Integrate AI-related risks into established cybersecurity governance and oversight frameworks.
Define clear roles and responsibilities across security, engineering, risk, and compliance teams involved in AI systems.
Promote greater consistency in the cybersecurity assessment, deployment, monitoring, and maintenance of AI systems.

ITI adds, “We also expect the Cyber AI Profile to shape how organizations approach internal discussions, particularly with senior leadership and boards, by offering a common language for addressing AI-related cyber risks within a familiar cybersecurity framework, rather than treating them as a separate or entirely new domain.”

The profile is broken down into three focus areas: Secure, Defend and Thwart.

ITI says, “While the Focus Areas generally reflect characteristics of common AI usage, we believe the Secure Focus Area could be strengthened by explicitly addressing AI inference workloads in production both at scale (e.g. multi-tenant inference services and accelerator infrastructure) and in edge deployments.”

In addition, ITI says the “Secure Focus Area would better reflect real-world AI deployment by explicitly including orchestration and control-plane components (e.g., RAG pipelines, policy/guardrail enforcement, routing/fallback logic, agent controllers, and memory stores) as first-class AI system dependencies. Including these would contribute to more robust dependency mapping and more complete system inventories.”

The trade association also notes that the current Focus Area descriptions do not address the “multi-model, multi-agent reality of AI deployment.”

It says, “Many organizations operate multiple AI systems across business and security workflows (vendor-managed models, internal models, and embedded/edge inference), making manual validation a significant challenge, if not impossible. NIST should explicitly recognize that there will be an emerging need for continuous, cross-system assurance, and that AI can play a role in this.”

On making connections to other publications and standards, ITI suggests looking at NIST’s generative AI profile of the NIST AI risk management framework and to “more explicitly consider” how the NIST Secure Software Development Framework and its generative AI-focused profile can be incorporated into the Cyber AI profile.

“There are many NIST resources available, and one of the challenges member companies face is figuring out how all of them link together, which can, at times, make it difficult to operationalize them,” ITI says.

For informative references, ITI suggests looking to standards from the European Telecommunications Standards Institute and the International Organization for Standardization.

ITI also points to the United Kingdom’s AI Cyber Security Code of Practice, the OWASP Top 10 for Agentic Applications and the Cyber Risk Institute’s Cyber Profile.

The filing contains more specific feedback in a chart broken down by the CSF subcategories identified in the draft profile. -- Sara Friedman ([email protected])