QUESTK2 logo
    Back to Issue 5
    The Governance Room Issue 5

    NIST’s Cyber AI Profile Draft: How CSF 2.0 Is Being Extended to AI Cybersecurity

    February 11, 2026
    NIST’s Cyber AI Profile Draft: How CSF 2.0 Is Being Extended to AI Cybersecurity
    [ AI GRC, Data, Privacy & Policy ]

    NIST just tried to solve a problem every enterprise AI program keeps tripping over: how to talk about AI cybersecurity in the same control language as everything else. The draft Cyber AI Profile overlays “Secure, Defend, Thwart” onto CSF 2.0 outcomes, which sounds simple until you see what it forces you to inventory, log, and govern.

    If your org is doing AI without turning it into a parallel security universe, this is the blueprint NIST is testing.

    [ From the Issue ]

    The Enterprise AI Brief | Issue 5

    View all articles in this issue
    [ Keep Reading ]

    More from The Governance Room

    Issue 7

    NIST Launches Initiative to Define Identity and Security Standards for AI Agents

    AI agents are already operating inside enterprise systems, calling APIs, accessing internal data, and executing actions across multiple services autonomously. That creates an unsolved governance problem: how do you authenticate an agent, scope its permissions, and audit what it did? In February 2026, NIST launched an initiative to establish identity, security, and interoperability standards for autonomous agents. The work is early-stage, but agent identity, authorization, and traceability are emerging as targets for standardization. For enterprises deploying agents ahead of those standards, the governance gap is theirs to close.

    Read article
    Issue 6

    The Evidence Problem: State AI Laws Are Asking for Documents Most Enterprises Don’t Have

    State AI laws are turning governance into operational work with deadlines, documentation requirements, and user rights obligations. Colorado, Connecticut (pending), and Maryland define the pattern: classify high-risk AI, assign obligations to developers and deployers, and require evidence that those obligations were met. California layers in ADMT assessments and a frontier-model transparency regime. For AI systems touching hiring, lending, housing, healthcare, or education, the governing question is no longer whether frameworks exist. It is whether the documentation, monitoring, and rights infrastructure are already in place.

    Read article
    Issue 4

    The AI You Didn’t Approve Is Already Inside

    Ask a compliance team how AI is used across their organization. Then check the network logs. The gap between those two answers is where regulatory risk now lives, and EU AI Act enforcement is about to make that gap harder to explain away.

    Read article

    Have a Project in Mind?

    Talk to our team about how we can put these ideas to work in your organization.

    Contact Us