NIST Cyber AI Profile explained: what NIST IR 8596 means for Australian businesses

By Greg Markowski / May 23, 2026 / AI & Automation

NIST has published the first cybersecurity framework specifically built for artificial intelligence. Most Australian businesses will not read it. The ones that do will pull ahead of competitors still treating AI security as an afterthought.

The Cybersecurity Framework Profile for Artificial Intelligence, formally NIST IR 8596, landed as a preliminary draft in February 2026. It is voluntary. It is American. It is also the most concrete attempt yet to answer a question every Australian business with an AI program needs to answer: how do we secure the AI systems we are deploying without inventing our own controls?

The honest read is that very few Australian businesses are ready for this conversation. We see two patterns: organisations that have deployed AI without a single security review, and organisations that have not deployed AI because they cannot get a security review to happen. Both patterns have the same root cause: there has been no clear framework to anchor the conversation. That has now changed.

What NIST IR 8596 actually is

The Cyber AI Profile sits between two existing NIST frameworks. It is not a replacement for either. It is a bridge.

The first is the NIST Cybersecurity Framework version 2.0, the standard most enterprise security teams already use. CSF 2.0 organises cybersecurity work around six core functions: Govern, Identify, Protect, Detect, Respond, and Recover. The 2.0 update added Govern specifically to address what most cyber programs were missing, which was leadership accountability, policy discipline, and supply chain risk management.

The second is the NIST AI Risk Management Framework, AI RMF for short. This addresses AI-specific risks across the full lifecycle, from data collection through model development through deployment and monitoring. AI RMF was first released in 2023 and remains the most widely adopted AI risk framework globally.

Until February 2026, those two frameworks sat alongside each other without explicit integration. Security teams used CSF 2.0. AI teams used AI RMF. Where the two overlapped, organisations stitched the controls together on their own, with predictable inconsistency.

NIST IR 8596 makes that integration explicit. It maps AI-specific cybersecurity risks against the six CSF 2.0 functions and organises those risks into three focus areas. Those focus areas are the new vocabulary every Australian business with an AI program needs to learn.

The three focus areas

The first focus area is Secure. How do you protect the AI systems themselves? This covers the security of the model, the training data, the inference pipeline, the prompt history, and the connections an AI system has to other business systems. An AI agent that can read your CRM, send emails, and approve transactions has a vastly larger attack surface than a chatbot. Securing that surface is what the Secure category addresses.

The second focus area is Defend. How do you use AI to defend your environment? This is the operational use of AI in cyber defence: AI-driven threat detection, automated triage, log analysis at scale, and behavioural anomaly identification. Done well, AI dramatically extends what a small security team can cover. Done badly, it generates alert fatigue and false positives that make defenders worse.

The third focus area is Thwart. How do you defend against attackers who are themselves using AI? This is the part most leaders find sobering. Attackers now use AI to write better phishing emails, automate reconnaissance, generate convincing voice clones, and tune malware to evade detection. The 2025 Verizon Data Breach Investigations Report showed MFA fatigue attacks appearing in 14 per cent of incidents, fuelled significantly by AI-generated social engineering. The Thwart category is about staying ahead of that shift, not just reacting to it.

These three areas are not separate programs. They overlap heavily. The same controls often cover multiple categories. The reason NIST organised the Profile this way is to force conversations that most security and AI teams are not having yet inside the same room.

What COSAiS adds underneath

Alongside the Cyber AI Profile, NIST also published a discussion draft of Control Overlays for Securing AI Systems (COSAiS). These overlays sit underneath the Profile as implementation guidance.

COSAiS comprises two initial documents. NIST IR 8605 covers the overview and methodology. NIST IR 8605A covers using and fine-tuning predictive AI. Additional volumes are expected later in 2026 covering generative AI, foundation models, and AI agent systems.

The relationship between the Profile and COSAiS is straightforward. The Profile defines outcomes. COSAiS defines the controls that achieve those outcomes. An organisation using both can move from a stated security objective to a specific technical implementation without inventing the connecting layer themselves.

For Australian businesses, this matters because most security control frameworks in active use locally were not designed for AI. ISO 27001 is excellent for traditional information security but says nothing specific about model security or prompt injection. The Essential Eight is excellent for endpoint and identity hygiene but does not address training data integrity. COSAiS fills those gaps without forcing organisations to abandon the frameworks they already run.

Why this matters for Australian businesses

There are two reasons Australian businesses should not ignore a US framework that does not legally apply to them.

First, voluntary becomes mandatory faster than most people expect. The original NIST CSF was voluntary when it dropped in 2014. It is now the de facto baseline for government suppliers, defence contractors, financial services, and most enterprise risk frameworks globally. Insurers reference it. Auditors reference it. Boards reference it. The Cyber AI Profile will follow the same trajectory. The window where it is voluntary and largely ignored is precisely the window in which early adopters get ahead.

Second, Australia has chosen not to legislate AI directly. The December 2025 National AI Plan confirmed that Australia will rely on existing laws and sector regulators rather than introducing a standalone AI Act. That leaves a vacuum where Australian businesses need an anchor framework to demonstrate they are taking AI security seriously. NIST IR 8596 fills that vacuum better than anything else available right now.

The regulatory pressure is real even without an AI Act. Western Australia’s Privacy and Responsible Information Sharing Act commences 1 July 2026, with IPP 10 sitting directly over automated decision-making. The federal Privacy Act amendments requiring disclosure of substantially automated decisions come into effect in December 2026. Both pieces of legislation will force every WA government supplier, and eventually every Australian business with a meaningful AI program, to demonstrate they have governed and secured their AI systems properly. The Cyber AI Profile is the most defensible framework an organisation can point to in that conversation.

How the Profile sits alongside CSF 2.0 and AI RMF

For organisations already running on CSF 2.0, the Profile slots in as an overlay. Each AI-specific risk it identifies maps to one of the six core functions. A security team that already has Identify, Protect, and Detect controls in place can extend them to cover AI systems without rebuilding the program from scratch.

For organisations already running on AI RMF, the Profile fills the gap that AI RMF intentionally left open. AI RMF describes what AI risk management should look like at the program level. It does not prescribe specific technical controls. The Cyber AI Profile, together with COSAiS, provides the technical implementation layer that AI RMF was always going to need.

For organisations running neither, the question becomes which to adopt first. Our view is CSF 2.0 first, then AI RMF, then the Cyber AI Profile as the integration layer. The reverse order does not work. The Profile assumes the foundational frameworks are already in place. Trying to apply it cold is like trying to read a translation guide without speaking either language.

What businesses should do now

The Cyber AI Profile is still in draft. The version that lands as final later in 2026 or in 2027 will differ in specifics. Waiting for the final draft is not a strategy. Australian businesses that wait will be twelve to eighteen months behind organisations that engage with the preliminary draft now.

Five practical steps hold regardless of what changes in the final version.

  1. Inventory your AI systems. We consistently find that 40 to 60 per cent of knowledge workers in Australian businesses are using consumer AI tools without organisational awareness. Until you can name every AI system in use, including the shadow ones, you cannot secure anything. This is the precondition for everything else.
  2. Map each AI system to a risk tier. Not every AI use is equivalent. An employee using ChatGPT to draft an email is different from an AI agent with write access to your finance system. The Cyber AI Profile is designed to be applied differently at different risk tiers. Build that triage in now so the controls are proportional.
  3. Identify the data flows. The largest AI security risks in Australian businesses are not adversarial attacks. They are inadvertent data leaks: sensitive information going into a model that was not licensed to handle it, prompts being logged in a way that violates contracts, and training data containing personal information without consent. Map the data flows before you map the controls.
  4. Align security and AI teams. The hardest part of the Cyber AI Profile is organisational, not technical. Most Australian businesses have either a security function or an AI function, rarely both, and they almost never collaborate. The Profile assumes integrated decision-making. Build that joint accountability now or the framework will not land.
  5. Engage with the draft. Public comment on the preliminary draft closed in January 2026, but NIST will continue to revise based on industry feedback through 2026. Australian businesses with meaningful AI programs should be reading the draft, identifying where it fails to fit their context, and feeding observations through industry bodies or partners with US presence.

The honest limits of NIST IR 8596

We should be clear about what the Profile is not.

It is not a compliance certification. There is no audit, no badge, no formal recognition for adopting it. The value is the framework discipline and the conversation it forces, not external recognition.

It is not specifically calibrated to Australian regulation. References to US-specific frameworks like FedRAMP or CMMC will not directly map to Australian equivalents. Adopting the Profile in an Australian context requires translation work, particularly around how it maps to the Australian Privacy Principles and the Essential Eight.

It does not cover everything. The Profile focuses on cybersecurity risks specifically. Broader AI risks like bias, fairness, hallucination, and societal impact sit with the AI RMF and ISO 42001, not here. Treating the Profile as a complete AI risk management framework will leave gaps that show up later as audit findings or actual incidents.

And it is still a draft. The version dated February 2026 is preliminary. Significant changes are likely in the next iteration. Organisations need to engage with it as a working document, not a final standard.

What we are doing about it

We have already mapped the Cyber AI Profile against the controls we apply when helping Australian businesses deploy AI safely. The Profile largely confirms what we have been saying for two years. AI security is not separate from broader cybersecurity, but it requires controls and conversations that traditional security programs do not have today.

We are incorporating the Profile into our AI Readiness Assessment so that organisations going through that process have a defensible framework to point to in conversations with boards, insurers, and regulators. The assessment now references CSF 2.0, AI RMF, and the Cyber AI Profile alongside ISO 42001 and Australia’s Guidance for AI Adoption.

For organisations that want to start with the Profile directly, our AI Governance service includes a Profile-aligned uplift program. The starting point is a current-state inventory and risk tier mapping. From there, the gaps relative to the Profile become the work plan. We have written more broadly about why AI governance in Australia needs an anchor framework, and the Cyber AI Profile is now ours.

Frequently asked questions

Is NIST IR 8596 mandatory for Australian businesses?

No. The Cyber AI Profile is voluntary, and it is published by a US standards body. Australian businesses are not legally required to adopt it. However, it will become the de facto baseline that insurers, auditors, and enterprise procurement teams reference, the same way NIST CSF 2.0 has become the baseline for cybersecurity programs over the last decade. Early adopters will be ahead of the curve when adoption becomes expected.

How does the NIST Cyber AI Profile differ from ISO 42001?

ISO 42001 is an AI management system standard. It addresses governance, policy, risk management, and continuous improvement at the organisational level. The Cyber AI Profile is narrower and more technical. It focuses on AI-specific cybersecurity risks and maps them against existing NIST frameworks. The two are complementary, not competing. Most mature organisations will adopt both over time.

Do we need NIST CSF 2.0 in place before adopting the Cyber AI Profile?

Practically, yes. The Profile is structured as an overlay on CSF 2.0’s six core functions. Organisations without an existing CSF 2.0 program will struggle to apply the Profile coherently. We recommend CSF 2.0 first, then AI RMF, then the Cyber AI Profile as the integration layer.

When will the Cyber AI Profile be finalised?

NIST has not published a fixed timeline. The preliminary draft dropped in February 2026. Public comment closed in January 2026. A revised draft is expected later in 2026, with a final version likely in 2027. The companion documents COSAiS, including NIST IR 8605 and 8605A, are on similar timelines, with additional volumes covering generative AI and AI agents to follow.

How does the Profile address attackers using AI?

The Thwart focus area covers adversarial AI directly. It identifies attack patterns that AI enables or amplifies, including AI-assisted phishing, voice cloning, automated reconnaissance, and adaptive malware. The Profile maps these threats against the six CSF 2.0 functions, prescribing detection and response controls calibrated for the AI-enabled threat environment rather than treating AI-driven attacks as conventional threats with new branding.

What is COSAiS and why does it matter?

COSAiS, Control Overlays for Securing AI Systems, is the technical implementation layer that sits underneath the Cyber AI Profile. The Profile defines outcomes. COSAiS defines specific controls that achieve those outcomes. The first two documents, NIST IR 8605 and 8605A, cover overview methodology and predictive AI. Additional volumes covering generative AI, foundation models, and AI agents are expected later in 2026. For organisations implementing the Profile, COSAiS is what makes it operational.

Ready to map your AI security program against the Cyber AI Profile?

Our team can run an assessment against NIST IR 8596, identify the gaps in your current AI security controls, and build a remediation roadmap aligned to CSF 2.0 and AI RMF. We work with Perth and Australian businesses building AI programs that need to stand up to board, insurer, and regulator scrutiny.


About the Author
Written by Greg Markowski, Founding Director of Epic IT, a CRN Fast50-recognised Microsoft Solutions Partner managing IT and cybersecurity for Perth businesses since 2003. Greg holds a Degree in Computer Science and a Diploma in Computer Systems Engineering from Edith Cowan University, and is ITIL certified.
