NIST's Cyber AI Profile aims to help agencies and organisations defend against AI-enabled attacks and secure AI systems, complementing the AI Risk Management Framework (AI RMF) and the Generative AI Profile. Useful for audit mappings and security controls.
Why this matters
The Cyber AI Profile extends the AI RMF with security-specific guidance for threat modelling, adversarial testing, and supply-chain assurance. It helps deployers align AI security with broader cybersecurity frameworks.
Impact on obligations
Provider
Document threat models, adversarial testing, and supply-chain attestations for AI components.
Deployer
Integrate Cyber AI Profile controls into security audits and vulnerability management programmes.
What to evidence
- Threat models
- Adversarial testing logs
- Supply-chain attestations
- Vulnerability disclosures
Key artefacts explained:
- DSSE: Dead Simple Signing Envelope — portable signature format that binds a payload to its payload type
- STH: Signed Tree Head — tamper-evident checkpoint in a transparency log
- TSA: Time-Stamp Authority — independent timestamp receipt
- WORM: Write Once Read Many — immutable storage for audit trails
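As an added illustration of the DSSE artefact listed above (example code written for this page, not from NIST or the DSSE project): the part of DSSE that matters for audit evidence is the Pre-Authentication Encoding (PAE), which binds the payload type into the signed message so a signature over one kind of attestation cannot be replayed over another. The envelope layout and PAE follow the public DSSE v1 specification; the signing primitive is an assumption for offline use, an HMAC-SHA256 stand-in where a real deployment would use a public-key signature, and the key id, key and sample attestation are constructed for the example.

```python
import base64
import hashlib
import hmac
import json


def pae(payload_type: str, payload: bytes) -> bytes:
    """Pre-Authentication Encoding from the DSSE v1 spec:
    "DSSEv1" SP LEN(type) SP type SP LEN(payload) SP payload.
    Lengths are decimal byte counts, so type and payload cannot blur together."""
    t = payload_type.encode("utf-8")
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)


def sign_envelope(payload_type: str, payload: bytes, key: bytes, keyid: str) -> dict:
    """Build a DSSE envelope. The signature covers PAE(type, payload), never the
    raw payload. Assumption: HMAC-SHA256 stands in for an asymmetric signature."""
    sig = hmac.new(key, pae(payload_type, payload), hashlib.sha256).digest()
    return {
        "payloadType": payload_type,
        "payload": base64.b64encode(payload).decode("ascii"),
        "signatures": [
            {"keyid": keyid, "sig": base64.b64encode(sig).decode("ascii")}
        ],
    }


def verify_envelope(envelope: dict, trusted_keys: dict) -> list:
    """Return the key ids whose signature verifies over PAE(type, payload).
    Signatures from unknown key ids are ignored, and a changed payloadType
    invalidates the signature even if the payload bytes are untouched."""
    payload = base64.b64decode(envelope["payload"])
    message = pae(envelope["payloadType"], payload)
    accepted = []
    for entry in envelope.get("signatures", []):
        key = trusted_keys.get(entry.get("keyid"))
        if key is None:
            continue
        expected = hmac.new(key, message, hashlib.sha256).digest()
        if hmac.compare_digest(expected, base64.b64decode(entry["sig"])):
            accepted.append(entry["keyid"])
    return accepted


# Constructed sample: a minimal adversarial-testing attestation for an AI component.
SAMPLE_KEY = b"constructed-example-key-not-for-real-use"
SAMPLE_KEYID = "example-key-1"
SAMPLE_TYPE = "application/vnd.example.adversarial-test+json"
SAMPLE_PAYLOAD = json.dumps(
    {"component": "example-model", "test": "prompt-injection-suite", "result": "pass"},
    sort_keys=True,
).encode("utf-8")


def demo() -> dict:
    """Sign the sample attestation and show the effect of tampering with the type."""
    env = sign_envelope(SAMPLE_TYPE, SAMPLE_PAYLOAD, SAMPLE_KEY, SAMPLE_KEYID)
    keys = {SAMPLE_KEYID: SAMPLE_KEY}
    ok = verify_envelope(env, keys)
    # Same payload bytes, different declared type: PAE makes the signature fail.
    retyped = dict(env, payloadType="application/vnd.example.other+json")
    return {"valid": ok, "retyped": verify_envelope(retyped, keys)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

When storing such envelopes as audit evidence, verify them at ingest and keep the PAE-bound payload type in the record; a verifier that checks only the decoded payload loses the type binding the format exists to provide.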
