
Navigating the Labyrinth: A Cybersecurity Specialist's Guide to Frameworks and AI Risk

As artificial intelligence transforms how we work, the security challenges multiply exponentially.

This blog post is based on lectures presented at WWSI 2025 in Warsaw, Poland, as part of their Artificial Intelligence - Machine Learning Engineering postgraduate program.

The talk was given by [Alicja Grochocka-Dorocinska](https://www.linkedin.com/in/alicja-grochocka-dorocinska/), an information security professional with a history of working in finance and academia, including institutions such as Goldman Sachs and the Warsaw University of Technology. Many thanks to her for taking the time to share her expertise.

This post explores key cybersecurity frameworks that help organizations navigate these challenges, with particular focus on how these structures apply to AI systems.

The NIST Cybersecurity Framework: A Foundation for Security

The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides a comprehensive approach to managing and reducing cybersecurity risk. In its latest version, the framework consists of six core functions:

1. Governance

Before implementing any security measures, organizations must establish a clear governance structure that:

  • Defines the operational context, mission, and strategic priorities
  • Determines risk tolerance and appetite
  • Identifies key roles and responsibilities
  • Develops appropriate policies and procedures

Rather than beginning with policy creation, a more effective approach involves analyzing organizational risk first, then defining policies that address specific threats.

2. Identify

This function focuses on developing an understanding of systems, assets, data, and capabilities to manage cybersecurity risk effectively. Key activities include:

  • Cataloging digital assets (data, equipment, software, and user identities)
  • Creating and maintaining asset inventories
  • Implementing dynamic data detection and classification
  • Conducting risk analysis and vulnerability assessments
  • Managing the attack surface

3. Protect

After identifying what needs protection, organizations implement safeguards to limit or contain potential cybersecurity events. This function draws on the classic CIA triad:

  • Confidentiality: Ensuring data is accessible only to authorized users
  • Integrity: Maintaining data accuracy and reliability
  • Availability: Ensuring systems and data are operational when needed

Protection measures typically include:

  • Data encryption
  • Identity and access management (including multi-factor authentication)
  • Backup systems

4. Detect

Even with strong protections, organizations need mechanisms to identify security incidents quickly. This function includes:

  • Continuous monitoring of IT environments
  • Analysis of unusual events
  • Implementation of specialized tools such as:
    • Endpoint Detection and Response (EDR)
    • Network Detection and Response (NDR)
    • Threat intelligence feeds
    • Security Information and Event Management (SIEM) systems

5. Respond

When threats are detected, organizations need established processes to take action:

  • Opening incident cases and assigning responsibility
  • Gathering evidence and indicators of compromise (IoCs)
  • Implementing mitigation measures
  • Using dynamic playbooks for common scenarios (automating responses to recurring incidents)
  • Implementing Security Orchestration, Automation, and Response (SOAR) tools

6. Recover

This function focuses on restoring systems and capabilities impaired by cybersecurity incidents:

  • Utilizing and validating backup data
  • Verifying data integrity
  • Managing internal and external communications
  • Notifying clients or regulatory authorities when required

The NIST Cybersecurity Framework is widely recognized and adopted globally for its structured approach to managing cybersecurity risks and enhancing organizational resilience[4][10].

NIST AI Risk Management Framework (AI RMF)

As AI systems become more prevalent, NIST has developed a specialized framework for managing AI-specific risks. The AI RMF is designed for organizations developing or deploying AI systems and consists of two primary components:

Guiding Principles

These core values should inform all AI development and deployment:

  • Trustworthiness: AI systems should inspire confidence in users and stakeholders
  • Verifiability: Systems should operate as intended under various conditions
  • Security: AI should be resistant to attacks and failures
  • Accountability: Clear responsibilities for AI decisions should be established
  • Transparency: AI operations should be understandable
  • Fairness: Systems should avoid reinforcing biases or harming social groups
  • Privacy: User data must be protected at every stage

Core Functions

The framework outlines four primary functions for managing AI risk:

1. Govern

Establish organizational governance with:

  • Clear policies and procedures aligned with legal and organizational values
  • Well-defined responsibilities throughout the AI system lifecycle
  • Diverse teams with varied perspectives and experiences
  • Regular documentation and risk approach updates
  • Consideration of external partners and technology providers

2. Map

Understand the context before implementation:

  • Define implementation goals and expectations
  • Identify direct and indirect system users and affected parties
  • Assess potential benefits, threats, and limitations
  • Consider legal provisions and social norms
  • Make initial “go/no-go” decisions based on risk assessment

3. Measure

Assess and quantify risks:

  • Select appropriate metrics and analysis tools
  • Verify system operation against assumptions
  • Evaluate accuracy, safety, fairness, and transparency
  • Test systems before and during operation
  • Incorporate user, expert, and community feedback

4. Manage

Respond to emerging risks:

  • Implement risk reduction strategies
  • Address incidents and unexpected threats
  • Determine if systems require modification, suspension, or withdrawal
  • Regularly update strategies based on lessons learned
  • Review the entire process thoroughly

The AI RMF was developed through a transparent, collaborative process involving public comments, workshops, and input from private and public sectors, ensuring broad applicability and effectiveness[3][5].

Securing Business Models Based on AI

The rise of generative AI has significantly expanded the attack surface for cybercriminals. Research shows that four out of five business leaders express concerns about using AI systems for critical organizational activities due to security, privacy, and accuracy concerns[6].

A comprehensive security approach for AI systems should address three key elements:

1. Securing Data

AI systems learn from data, making data security paramount. Key threats include:

  • Data poisoning: Introduction of manipulated data that leads to erroneous outputs
  • Data theft (exfiltration): Unauthorized access and stealing of sensitive data
  • Data leakage: Accidental exposure due to misconfiguration

Countermeasures include:

  • Data identification and classification with severity levels
  • Strong encryption protocols
  • Robust access controls (including multi-factor authentication)
  • Continuous system monitoring

2. Securing Models

Many organizations use pre-built models rather than developing their own, introducing several risks:

  • Uncertain sources: Models from untrusted or modified locations
  • Model backdoors: Embedded malicious code that enables system takeover
  • Vulnerable API plugins: Poorly secured communication channels
  • Copyright infringement: Legal consequences from using models trained on protected materials

Protection strategies include:

  • Source verification from reputable providers
  • Antivirus scanning of models
  • System hardening (disabling unnecessary services, changing default passwords)
  • Implementing least-privilege access principles
  • Regular authorization reviews
  • Legal compliance verification

3. Securing Usage

Even with secure data and models, threats can emerge during system use:

  • Prompt injection: Crafted inputs designed to override the model's instructions and break its intended boundaries
  • Denial of Service (DoS): System overload through excessive queries
  • Model theft: Reconstructing the model's structure or behaviour by analysing patterns in its responses

Defense mechanisms include:

  • Query monitoring and analysis
  • Implementation of semantic guardrails
  • Deployment of Machine Learning Detection and Response (MLDR) tools
  • Integration with SIEM or SOAR systems for continuous monitoring
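As an added illustration (not code from the lecture or this post), the following Python gateway combines three of the defences listed above: per-client rate limiting against query floods, a simple pattern-based guardrail that screens prompts for instruction-override attempts before they reach the model, and structured JSON events that a SIEM forwarder could ship. The patterns, thresholds and client identifiers are constructed assumptions; a production deployment would back the guardrail with a classifier or dedicated guardrail service.

```python
import json
import re
import time
from collections import defaultdict, deque

# Constructed heuristic patterns for instruction-override attempts (assumption:
# real deployments pair such rules with a classifier or guardrail service).
INJECTION_PATTERNS = [
    re.compile(r"ignore (all |any )?(previous|prior|above) instructions", re.I),
    re.compile(r"reveal (your|the) (system|hidden) prompt", re.I),
    re.compile(r"you are now (in )?developer mode", re.I),
]


class QueryGateway:
    """Screens prompts before they reach the model and records SIEM-ready events."""

    def __init__(self, max_per_window=30, window_seconds=60, clock=time.monotonic):
        self.max_per_window = max_per_window
        self.window = window_seconds
        self.clock = clock                 # injectable for deterministic testing
        self.history = defaultdict(deque)  # client_id -> timestamps of recent queries
        self.events = []                   # JSON lines a SIEM forwarder would ship

    def _log(self, client_id, verdict, reason, prompt):
        # Log metadata only, never the raw prompt, to avoid leaking user data.
        event = {"ts": round(self.clock(), 3), "client": client_id, "verdict": verdict,
                 "reason": reason, "prompt_len": len(prompt)}
        self.events.append(json.dumps(event, sort_keys=True))

    def _over_rate_limit(self, client_id):
        now = self.clock()
        q = self.history[client_id]
        while q and now - q[0] > self.window:
            q.popleft()  # drop timestamps that fell outside the sliding window
        q.append(now)
        return len(q) > self.max_per_window

    def screen(self, client_id, prompt):
        """Return (allowed, reason). Denied prompts never reach the model."""
        if self._over_rate_limit(client_id):
            self._log(client_id, "deny", "rate_limit", prompt)
            return False, "rate_limit"
        for pattern in INJECTION_PATTERNS:
            if pattern.search(prompt):
                self._log(client_id, "deny", "prompt_injection", prompt)
                return False, "prompt_injection"
        self._log(client_id, "allow", "ok", prompt)
        return True, "ok"
```

Each event line carries a verdict and reason, so a SIEM correlation rule can alert on a client that accumulates repeated `prompt_injection` or `rate_limit` denials.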

The Two-Way Street of AI Security

AI security represents a dual challenge:

  1. AI for Security: Leveraging artificial intelligence to strengthen cybersecurity systems and counter AI-powered threats from cybercriminals

  2. Security for AI: Developing safeguards that protect data, models, and their use from emerging threats

AI-driven cybersecurity tools can detect anomalies and potential attacks in real time, acting as vigilant defenders. However, AI also introduces new vulnerabilities such as data poisoning, adversarial attacks, model theft, and bias, which require specialized mitigation strategies[7][8][9].


For more information on these frameworks, visit NIST’s Cybersecurity Framework[2][4][10] and NIST’s AI Risk Management Framework[3][5].

Citations:

[3] https://www.nist.gov/cyberframework

[4] https://hyperproof.io/navigating-the-nist-ai-risk-management-framework/

[5] https://techresearchs.com/cybersecurity/what-is-nist-cybersecurity-everything-you-need-to-know-in-2025/

[6] https://www.nist.gov/system/files/documents/2024/10/07/09-24-about-the-ai-rmf-for-distro-9-25_508-edit.pdf

[7] https://www.ibm.com/think/insights/secure-ai-business-models

[8] https://hiddenlayer.com/innovation-hub/ai-security-2025-predictions-recommendations/

[9] https://aijourn.com/the-impact-of-ai-on-data-security/

[10] https://sysdig.com/learn-cloud-native/top-8-ai-security-best-practices/

[11] https://www.nist.gov/itl/smallbusinesscyber/nist-cybersecurity-framework-0

This post is licensed under CC BY 4.0 by the author.