IT Governance and Compliance

NIST CSF 2.0 and AI RMF: The Compliance Convergence CISOs Must Master

NIST CSF 2.0 converges with the AI Risk Management Framework through the Cyber AI Profile, released as a preliminary draft in December 2025. The Govern function elevates cybersecurity to board-level strategic accountability. The profile applies CSF structure across three focus areas: Secure AI systems, Defend with AI, and Thwart AI-enabled attacks. CISOs who anchor governance in CSF 2.0 can build a single compliance backbone that maps to NIS2, the EU AI Act, ISO 42001, and sector mandates, reducing framework sprawl: six functions, 106 subcategories, and continuous compliance in place of static audits.


NIST CSF 2.0 is converging with the AI Risk Management Framework to create a unified compliance architecture that CISOs must master in 2026. In December 2025, NIST released the preliminary draft of the Cyber AI Profile, which bridges CSF 2.0 and the AI RMF by applying the six core functions (Govern, Identify, Protect, Detect, Respond, and Recover) directly to AI-specific risks. The addition of the Govern function in CSF 2.0 also elevates cybersecurity from a technical discipline to a strategic operating model with explicit board-level accountability. This convergence arrives amid framework sprawl: organizations must simultaneously navigate the EU AI Act, NIS2, DORA, ISO 42001, and multiple sector-specific mandates. This guide breaks down why the convergence of NIST CSF 2.0 and the AI RMF matters, what the Cyber AI Profile requires, and how CISOs should build an integrated compliance program.

6 core functions in NIST CSF 2.0, including the new Govern function
3 focus areas in the Cyber AI Profile
106 subcategories across all CSF 2.0 functions

What Changed in NIST CSF 2.0 and Why It Matters

CSF 2.0, published in February 2024, is the first major revision of the Cybersecurity Framework since the original was released in 2014 (version 1.1, published in 2018, was an incremental update). It changes cybersecurity governance in three fundamental ways that CISOs must understand and act on.

First, the addition of the Govern function makes cybersecurity strategy, risk ownership, and executive accountability explicit. In version 1.1, governance was a single category (ID.GV) tucked inside the Identify function. Now, Govern sits at the center of the framework wheel, informing how organizations implement all other functions. Consequently, CISOs are expected to demonstrate not just control coverage but how cybersecurity decisions connect to enterprise strategy and board oversight.

Second, the framework scope expanded from critical infrastructure operators to all organizations regardless of size, sector, or maturity. Therefore, organizations that previously considered the framework optional now face growing pressure to adopt it as regulators, customers, and cyber insurers reference the CSF as the baseline standard. Third, subcategories were reorganized from 108 to 106, with overlapping outcomes consolidated and language rewritten to focus on measurable results rather than prescriptive controls.

The Six Core Functions of NIST CSF 2.0

NIST CSF 2.0 organizes cybersecurity outcomes across six functions. Govern establishes strategy, policy, oversight, and supply chain risk management. Identify determines which assets, data, and systems require protection. Protect implements safeguards for those assets. Detect identifies cybersecurity events and anomalies. Respond takes action when incidents are detected. Recover restores capabilities after incidents. All six functions should be addressed concurrently as a continuous process, not a sequential checklist.

How the Cyber AI Profile Bridges NIST CSF 2.0 and AI RMF

The Cyber AI Profile released in December 2025 is the critical bridge between NIST CSF 2.0 and the AI Risk Management Framework, creating a unified approach for managing AI-related cybersecurity risks without building an entirely separate compliance program.

Secure: Protecting AI Systems
The Secure focus area addresses cybersecurity risks to AI systems themselves — from model manipulation and data poisoning to unauthorized access to training data and adversarial attacks on inference endpoints. Consequently, organizations must maintain inventories of models, agents, APIs, datasets, and embedded AI integrations.
Defend: Using AI for Cyber Defense
The Defend area identifies opportunities to use AI to enhance cybersecurity processes, including advanced threat detection, zero trust modeling, predictive analysis of threat actors, and adversarial simulation. Furthermore, organizations can leverage AI to strengthen security governance and improve incident response capabilities.
Thwart: Defending Against AI-Enabled Attacks
The Thwart area builds resilience against new AI-enabled threat vectors by understanding how adversaries use AI to advance their capabilities. As a result, organizations prepare defenses against deepfakes, AI-generated phishing, automated vulnerability exploitation, and agentic attack tools.
Governance Integration Across All Three
Moreover, the Govern function applies across all three focus areas, requiring organizations to establish AI risk ownership, align with enterprise risk tolerance, and maintain executive accountability. Therefore, AI governance is embedded within existing cybersecurity governance rather than operating as a separate program.

“Every organization will ultimately have to deal with all three focus areas as AI enters their operations.”

— NIST Cyber AI Profile Author, 2025

The Compliance Convergence CISOs Must Navigate with NIST CSF 2.0

The convergence of NIST CSF 2.0, AI RMF, and the Cyber AI Profile does not happen in isolation. CISOs must simultaneously manage an expanding landscape of overlapping frameworks and regulations.

Framework or regulation | Scope | NIST CSF 2.0 alignment (✓ direct, ◐ partial)
NIST AI RMF | AI trustworthiness: Govern, Map, Measure, Manage | ✓ Bridged through the Cyber AI Profile
ISO 42001 | First certifiable AI management system standard | ✓ Complements CSF with lifecycle oversight
EU AI Act | Legal requirements for AI ethics, safety, transparency | ◐ Maps to CSF outcomes but adds regulatory mandates
NIS2 | EU network and information security for critical sectors | ✓ Pillars closely aligned with CSF functions
CSA AICM | Cloud-specific AI controls: 243 objectives, 18 domains | ◐ Operationalizes NIST strategies with specific controls

For the most part, these frameworks do not introduce entirely new technical requirements (the EU AI Act's legal obligations are the notable exception). Instead, they expose weaknesses in static, siloed compliance programs and reward organizations that demonstrate continuous oversight, measurable outcomes, and executive ownership. Meanwhile, regulators are moving away from periodic audits toward continuous compliance models, which makes a unified framework structure critical. CISOs who anchor governance in CSF 2.0 and extend it through the Cyber AI Profile can therefore build a single compliance backbone that maps to multiple regulatory requirements rather than maintaining a separate program for each mandate.

Framework Sprawl Is a Liability

Organizations that attempt to implement every framework independently create compliance overhead that consumes resources without proportionally reducing risk. Instead, the most effective approach is to deliberately layer a small set of foundational frameworks anchored in NIST CSF 2.0, extend them with AI governance through the Cyber AI Profile and ISO 42001, and apply regulatory overlays only where specific mandates require additional controls. This layered model reduces duplication while ensuring coverage across cybersecurity, AI governance, and regulatory compliance simultaneously.

Practical Steps for Integrating NIST CSF 2.0 with AI Governance

For organizations without unlimited compliance resources, the intersection of NIST CSF 2.0 and the AI RMF can be addressed through a focused, practical approach that starts small and scales methodically. The key is to begin where the two frameworks overlap most: their Govern functions, which share common ground in establishing organizational accountability, risk ownership, and policy structures that connect security operations to business strategy and executive oversight.

Start With These Actions
Form a cross-functional committee covering security, legal, governance, and engineering
Build AI inventories covering models, agents, APIs, datasets, and embedded integrations
Map end-to-end AI data flows to support boundary enforcement and anomaly detection
Establish policies governing how employees use and interact with AI systems
Avoid These Common Mistakes
Treating AI governance as separate from cybersecurity governance programs
Implementing frameworks in isolation without mapping controls across standards
Relying on static annual audits when regulators demand continuous compliance
Delegating AI risk entirely to technology teams without executive ownership

Five Priorities for NIST CSF 2.0 Compliance in 2026

Based on the framework updates and regulatory landscape, here are five priorities for CISOs building integrated compliance programs around NIST CSF 2.0:

  1. Build out the Govern function first: formalizing governance is the primary gap for most organizations, so audit existing practices and map them to the six Govern categories (Organizational Context, Risk Management Strategy, Roles, Responsibilities and Authorities, Policy, Oversight, and Cybersecurity Supply Chain Risk Management). This is what establishes executive accountability.
  2. Integrate the Cyber AI Profile into your existing CSF program: the profile applies CSF structure to AI risks, so extend your current framework rather than creating a parallel AI compliance program. AI governance then operates within existing processes.
  3. Create comprehensive AI asset inventories: the profile expects inventories of models, agents, APIs, and datasets, so begin cataloging all AI systems and map their data flows for exposure analysis.
  4. Use NIST CSF 2.0 as the backbone for multi-framework compliance: frameworks like NIS2, DORA, and ISO 42001 map to CSF outcomes, so build one integrated program rather than separate compliance silos. This reduces duplication while meeting multiple mandates.
  5. Transition from periodic audits to continuous compliance: regulators are moving toward continuous oversight models, so invest in automation for control monitoring and evidence collection to stay ahead of expectations.
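The inventory and data-flow actions above and priorities 3 to 5 all reduce to one mechanical question: which CSF 2.0 outcomes does the organization actually have fresh evidence for, and which overlay requirements are left uncovered when stale evidence is discounted? The script below is an added illustration, not code from the page, from NIST, or from any of the cited vendors. The CSF 2.0 subcategory identifiers (GV.OC-01, ID.AM-03, DE.CM-01 and so on) are real; the controls, evidence dates, owners, and the mapping of Cyber AI Profile and ISO 42001 requirements onto CSF subcategories are constructed assumptions for the example, not an official crosswalk. It shows the difference between an annual audit snapshot and continuous compliance: the same control set passes with a 365-day evidence window and fails with a 180-day one.

```python
"""Crosswalk gap analysis on a NIST CSF 2.0 backbone (added example, illustrative data)."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Control:
    control_id: str
    subcategories: frozenset   # CSF 2.0 subcategory IDs this control implements
    owner: str                 # accountable role; "" means nobody has signed for it
    last_evidence: date        # last date the control was shown to be operating


@dataclass
class Overlay:
    name: str
    requirements: dict         # requirement label -> frozenset of CSF 2.0 subcategory IDs


# Constructed sample data. The CSF 2.0 subcategory IDs are real; the controls,
# evidence dates, owners and overlay-to-subcategory mappings are assumptions.
CONTROLS = [
    Control("CTL-01", frozenset({"GV.OC-01", "GV.RM-01", "GV.RR-01"}), "CISO", date(2026, 1, 15)),
    Control("CTL-02", frozenset({"ID.AM-01", "ID.AM-02"}), "IT asset management", date(2025, 6, 1)),
    Control("CTL-03", frozenset({"ID.AM-03", "ID.AM-07"}), "", date(2026, 2, 1)),
    Control("CTL-04", frozenset({"DE.CM-01"}), "SOC", date(2026, 2, 20)),
    Control("CTL-05", frozenset({"GV.PO-01"}), "Compliance", date(2026, 1, 30)),
]

OVERLAYS = [
    Overlay("Cyber AI Profile - Secure", {
        "Inventory AI models, agents, APIs and datasets": frozenset({"ID.AM-02", "ID.AM-07"}),
        "Map end-to-end AI data flows": frozenset({"ID.AM-03"}),
        "Monitor AI inference endpoints for anomalies": frozenset({"DE.CM-01"}),
        "Assign AI risk ownership": frozenset({"GV.RR-01"}),
    }),
    Overlay("ISO 42001 (illustrative)", {
        "AI policy approved by top management": frozenset({"GV.PO-01"}),
        "AI roles and responsibilities defined": frozenset({"GV.RR-01"}),
        "Asset inventory covers AI components": frozenset({"ID.AM-01", "ID.AM-02"}),
    }),
]


def covered_subcategories(controls, as_of, max_evidence_age):
    """Subcategories backed by at least one control with evidence no older than
    max_evidence_age. Stale evidence does not count: that is the practical
    difference between an annual audit snapshot and continuous compliance."""
    covered = set()
    for c in controls:
        if as_of - c.last_evidence <= max_evidence_age:
            covered.update(c.subcategories)
    return covered


def overlay_gaps(overlay, covered):
    """Requirements of one overlay that are not fully backed by covered
    subcategories, with the CSF IDs still missing for each."""
    return {label: sorted(subs - covered)
            for label, subs in overlay.requirements.items()
            if not subs <= covered}


def unowned_controls(controls):
    """Controls with no accountable owner (a GV.RR finding in its own right)."""
    return sorted(c.control_id for c in controls if not c.owner.strip())


def compliance_report(controls=CONTROLS, overlays=OVERLAYS,
                      as_of=date(2026, 3, 1), max_evidence_age_days=180):
    """One backbone, many overlays: compute CSF coverage once, then report the
    gap list per framework instead of running a separate audit for each."""
    covered = covered_subcategories(controls, as_of, timedelta(days=max_evidence_age_days))
    return {
        "covered": sorted(covered),
        "gaps": {o.name: overlay_gaps(o, covered) for o in overlays},
        "unowned_controls": unowned_controls(controls),
    }


if __name__ == "__main__":
    for window in (365, 180):
        report = compliance_report(max_evidence_age_days=window)
        print(f"evidence window {window} days")
        for name, gaps in report["gaps"].items():
            print(f"  {name}: {gaps or 'no gaps'}")
        print(f"  controls without an owner: {report['unowned_controls']}")
```

With a 365-day window every overlay requirement is covered. With a 180-day window, CTL-02's June 2025 evidence is discarded, so ID.AM-01 and ID.AM-02 drop out of coverage and both the Cyber AI Profile inventory requirement and the ISO 42001 asset-inventory requirement show gaps, from one coverage computation. CTL-03 is flagged for having no owner in either case.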
Key Takeaway

NIST CSF 2.0 and the AI RMF are converging through the Cyber AI Profile, creating a unified framework for managing both cybersecurity and AI risks. The new Govern function elevates cybersecurity to a board-level strategic discipline. The Cyber AI Profile applies CSF structure across three focus areas: Secure AI systems, Defend with AI, and Thwart AI-enabled attacks. CISOs who anchor governance in CSF 2.0 and extend it through the Cyber AI Profile can build a single compliance backbone mapping to NIS2, EU AI Act, ISO 42001, and sector-specific mandates — eliminating framework sprawl while ensuring comprehensive coverage.


Looking Ahead: NIST CSF 2.0 and AI Governance Beyond 2026

NIST CSF 2.0 is positioned to become the universal anchor for cybersecurity and AI governance as regulatory convergence accelerates globally. The AI RMF is currently being revised, as directed by the 2025 AI Action Plan, and future versions are expected to integrate more deeply with the CSF structure. Meanwhile, continuous compliance models will replace static audits as the regulatory norm, making framework integration a competitive necessity rather than a compliance checkbox.

However, the speed of AI evolution will continuously challenge governance frameworks. Organizations that build adaptable, layered compliance architectures will navigate regulatory change more effectively than those locked into rigid, single-framework approaches. The CISOs who succeed in this era will treat frameworks as interconnected systems for decision intelligence rather than as obligations to satisfy.

For compliance and risk leaders, NIST CSF 2.0 is therefore the foundation on which all other governance requirements should be built. Its outcome-oriented, sector-agnostic design makes it the natural backbone for programs that must span cybersecurity, AI governance, privacy, and operational resilience across multiple jurisdictions and regulatory regimes, as AI governance requirements continue to expand in scope and complexity.



Frequently Asked Questions

What is NIST CSF 2.0?
NIST CSF 2.0 is the first major revision of the Cybersecurity Framework since the original 2014 release (version 1.1 in 2018 was an incremental update). Published in February 2024, it adds a sixth function, Govern, expands scope to all organizations, and reorganizes the outcomes into 106 subcategories across six core functions: Govern, Identify, Protect, Detect, Respond, and Recover. It serves as the governance backbone for enterprise cyber risk management.
What is the NIST Cyber AI Profile?
The Cyber AI Profile (NIST IR 8596) bridges CSF 2.0 and the AI Risk Management Framework. Released as a preliminary draft in December 2025, it applies CSF structure to AI-specific risks across three focus areas: Secure (protecting AI systems), Defend (using AI for cyber defense), and Thwart (defending against AI-enabled attacks).
How do NIST CSF 2.0 and AI RMF work together?
The clear intersection is their respective Govern functions. CSF 2.0 establishes cybersecurity governance while AI RMF establishes AI trustworthiness through govern, map, measure, and manage functions. The Cyber AI Profile integrates both by applying CSF structure to AI risks, enabling organizations to manage AI governance within existing cybersecurity programs.
Is NIST CSF 2.0 mandatory?
NIST CSF 2.0 is voluntary. However, it is increasingly referenced by regulators, cyber insurers, and contractual requirements as the baseline standard for cybersecurity maturity. The US national cybersecurity strategy recommends anchoring security programs in NIST frameworks. NIST has set no mandatory adoption deadline.
How should CISOs handle framework sprawl?
CISOs should anchor governance in NIST CSF 2.0, extend AI accountability through the Cyber AI Profile and ISO 42001, and apply regulatory overlays only where specific mandates require additional controls. This layered approach reduces duplication while ensuring coverage across cybersecurity, AI governance, and regulatory compliance.

References

  1. Cyber AI Profile draft, three focus areas, CSF 2.0 + AI RMF integration, AI inventories: National Law Review, "NIST Issues Preliminary Draft of Cyber AI Profile"
  2. Framework convergence, layered operating model, ISO 42001, regulatory pressures: CyberSaint, "Top Security, Risk, and AI Governance Frameworks for 2026"
  3. CSF 2.0 structure, six functions, 106 subcategories, Govern function, implementation: Isora GRC, "NIST CSF 2.0 Complete Guide 2026"