NIST Cyber Center Advances AI Security Standards for Agents

The National Institute of Standards and Technology is accelerating work on two major AI security initiatives this summer: a comprehensive "Cyber AI Profile" and standards for securing autonomous AI agents that can take actions independently across computer networks.

Cherilyn Pascoe, director of NIST's National Cybersecurity Center of Excellence (NCCoE), said artificial intelligence now touches virtually every aspect of the center's work. "AI is going to be part, if not a leading part, of every project going forward at the center," Pascoe said in an interview first reported by Federal News Network. "It is becoming so foundational to cybersecurity."

The NCCoE currently runs six dedicated AI-cyber projects, but the technology is appearing across initiatives spanning incident response, governance, architecture, and software development security.

Adapting existing frameworks for AI

The Cyber AI Profile represents NIST's effort to apply established cybersecurity frameworks to AI systems without creating entirely new guidance documents. The project maps how existing standards, including NIST's widely-adopted Cybersecurity Framework, can address AI-specific security challenges.

NIST is currently reviewing public comments on an initial draft. Recent community feedback during webinars covered governance issues, applying zero-trust security principles to AI, supply chain security, and tools like AI bills of materials. Pascoe said the NCCoE expects to release an updated draft incorporating this feedback this summer.

The goal is to aggregate resources from multiple standards bodies into a single roadmap organizations can use to deploy AI securely.

Securing autonomous AI agents

The center's "Software and AI Agent Identity and Authorization" project tackles a newer challenge: how to securely identify and authorize AI agents that can act autonomously rather than simply generating outputs for human review.

Traditional identity security standards have focused on human users. AI agents raise fundamentally different questions about how to identify the agent separately from its human operator, what authority it should have, which systems and data it can access, and what changes it can make.

A draft concept released earlier this year drew comments from more than 600 organizations, according to Pascoe. The NCCoE plans to publish a formal project description this summer based on that input.

The work arrives as standards and protocols for agentic AI remain in active development. "Organizations are still deploying agents in different use cases that are changing as more agents start to be deployed, and so we're relying on that expertise from the community to guide us on these efforts," Pascoe said.

Why it matters

Recent AI models have demonstrated the ability to find software vulnerabilities and create exploits significantly faster than human security researchers. President Trump signed an executive order addressing these risks earlier in June, followed by a CISA directive requiring agencies to prioritize high-risk software vulnerabilities. NIST's practical guidance will help organizations implement these mandates while taking advantage of AI's defensive capabilities in areas like DevSecOps and secure software development.

The details were first reported by Federal News Network.