William Tulaba Natick AI NIST CSF 2.0 Securing AI

Blog Series: Securing AI with NIST CSF – Part 1: AI Governance (GV.RM & GV.SC)

Blog Series: Securing Artificial Intelligence with the NIST Cybersecurity Framework (CSF) 2.0


Artificial Intelligence is rapidly becoming embedded in modern business operations, from customer service automation and analytics platforms to software development and decision-support systems.

While AI offers tremendous opportunities for innovation and efficiency, it also introduces new cybersecurity risks that organizations must address. Attackers are already leveraging AI to improve phishing, automate reconnaissance, accelerate vulnerability discovery, and automate exploit creation.

To manage these emerging risks, organizations can extend their existing cybersecurity programs using the NIST Cybersecurity Framework (CSF) 2.0.

This blog series explores how organizations can secure AI systems by aligning security practices with specific NIST CSF 2.0 categories.

Part 1: AI Governance (GV.RM / GV.SC)

Why AI Governance Matters

Artificial intelligence adoption is accelerating across enterprises, but governance often lags behind innovation. Without clear oversight, organizations risk introducing vulnerabilities, compliance violations, or unintended data exposure through AI systems.

The Govern function of NIST CSF 2.0 emphasizes the importance of establishing policies, risk management processes, and accountability structures to manage cybersecurity risks—including those introduced by AI.

GV.RM – Risk Management Strategy

Organizations must incorporate AI into their enterprise risk management framework.

This includes:

  • Defining acceptable AI use policies

  • Establishing risk tolerance for AI-driven decisions

  • Integrating AI risk assessments into security reviews

  • Ensuring leadership visibility into AI adoption

Security leaders should collaborate with legal, privacy, and data governance teams to ensure AI initiatives align with regulatory requirements and organizational risk appetite.

GV.SC – Cybersecurity Supply Chain Risk Management

Many AI systems rely on external vendors, cloud platforms, or third-party models.

This introduces supply chain risks such as:

  • Vulnerabilities in third-party AI models

  • Exposure of proprietary data through AI APIs

  • Unverified training data sources

  • Security weaknesses in AI SaaS platforms

Organizations should extend vendor risk management programs to include AI platform security assessments and data handling reviews.

Strong governance ensures AI innovation occurs within a controlled and secure framework.

Final Thoughts on the Series

Artificial intelligence represents one of the most significant technology shifts in decades. While it offers tremendous opportunities for innovation, it also introduces new cybersecurity risks that organizations must address proactively.
I would even say it highlights and accelerates the need to address the problem of data governance and least privilege that organizations might have been ignoring.

By aligning AI security practices with NIST CSF 2.0, organizations can incorporate AI risk management into their existing cybersecurity programs while maintaining strong governance, visibility, and resilience.

As AI continues to evolve, the organizations that succeed will be those that approach AI adoption with both innovation and security in mind.