Ship AI without shipping risk.
glossary

What Is NIST?

What Is NIST?

Summary#

NIST frameworks (CSF 2.0, 800-207, 800-63, and the AI RMF) set the bar for how security programs handle identity, access, and risk. They're not static: CSF 2.0's addition of the Govern function in 2024 reflects how the security community's thinking has matured. As AI agents enter enterprise environments, the intersection of identity governance and AI risk management is only going to grow.

NIST (the National Institute of Standards and Technology) is the federal agency whose frameworks most security and IT teams are measured against. Its guidelines aren't mandates, but in practice they're treated like them: auditors reference them, vendors align to them, and security teams build programs around them. For regulated industries such as HIPAA in healthcare and GLBA in financial services, NIST frameworks often form the technical backbone of compliance requirements.

If you're working in identity and access management, four NIST resources matter most.

NIST Cybersecurity Framework 2.0#

The original NIST CSF, released in 2014, gave security teams a common language: Identify, Protect, Detect, Respond, Recover. Version 2.0, released in February 2024, adds a sixth function: Govern.

That addition isn't cosmetic. Govern puts organizational accountability (policies, roles, risk tolerance, and oversight) at the center of the framework, not as an afterthought. For security and GRC teams, it's a formal recognition that security isn't a technical problem alone; it's a governance problem.

The six CSF 2.0 functions:

  • Govern: establish and monitor your organization's cybersecurity risk management strategy and policies
  • Identify: understand your assets, risks, and environment
  • Protect: implement safeguards to limit the impact of incidents
  • Detect: identify cybersecurity events when they occur
  • Respond: act on a detected incident
  • Recover: restore capabilities after an incident

Identity sits across all six. Who has access to what, and whether that access is governed, affects every function.

NIST SP 800-207: Zero Trust Architecture#

NIST 800-207 defines Zero Trust Architecture (ZTA): the model that replaces implicit trust based on network location with explicit, continuous verification of every request.

The core principle: no user, device, or system is trusted by default. Access is granted based on identity, device posture, and context, and it's re-evaluated continuously, not just at login.

Key ZTA components from 800-207:

  • Policy Decision Point (PDP): evaluates access requests against policy
  • Policy Enforcement Point (PEP): grants or denies access based on PDP decisions
  • Continuous verification: authentication doesn't end at login
  • Least privilege: every principal gets only the access they need, when they need it
  • Micro-segmentation: resources are isolated to contain lateral movement

Zero Trust is an architecture, not a product. Implementing it means applying these principles to every identity in your environment, including the non-human ones.

NIST SP 800-63: Digital Identity Guidelines#

800-63 defines how organizations should handle digital identity, from how you verify someone's identity (identity proofing) to how you authenticate them (authentication assurance levels) and manage federation.

It establishes three levels of assurance (IAL1, IAL2, IAL3 for identity; AAL1, AAL2, AAL3 for authentication) that map to the risk of what's being accessed. High-sensitivity systems require higher assurance.

This framework becomes increasingly important as organizations deal with more complex identity ecosystems: contractors, partners, and non-human identities (AI agents, service accounts, automation workflows) that don't fit neatly into traditional user categories.

NIST AI Risk Management Framework (AI RMF)#

Released in January 2023 and gaining significant adoption, the NIST AI RMF gives organizations a structure for governing AI systems. Its four core functions: Map, Measure, Manage, Govern.

As AI agents become part of enterprise operations (calling APIs, accessing data, and executing tasks), the AI RMF is increasingly intersecting with identity security. An AI agent that can access your CRM, your code repos, or your financial systems is an identity with permissions. Governing that identity is an access management problem as much as an AI governance problem.

In February 2026, NIST's National Cybersecurity Center of Excellence (NCCoE) published a concept paper specifically on this intersection: "Accelerating the Adoption of Software and AI Agent Identity and Authorization." It's the clearest signal yet that NIST considers AI agent identity governance a distinct and urgent security problem, not a subset of general AI risk management.

How identity and access governance connects to NIST#

NIST frameworks describe what good looks like. Identity governance is how you get there.

  • CSF 2.0 Govern function (PR.AC-1): Requires regular review of identities and roles to validate adherence to access policies, which means having structured access review processes, not manual spot-checks.
  • Zero Trust (800-207) / PR.AC-5: Requires enforcing least privilege and continuous verification: access decisions must be policy-driven, role-based, and auditable.
  • CSF PR.AC-4: Restricts access dynamically based on business need, including time-bound access grants, which is exactly what just-in-time access delivers.
  • CSF DE.CM-3: Tracks all system activity, including JIT access events, for compliance and audits.
  • AI RMF + NCCoE Feb 2026: Requires governance of AI systems and agent identities: the access AI agents have must be governed with the same rigor as human access.

C1 helps organizations put NIST principles into practice. Intelligent Access Reviews automate the review campaigns that map to CSF Govern requirements, scoped, routed, and completed with AI-driven automation, with evidence captured automatically for auditors. Just-in-Time Access eliminates standing privileges (95% reduction in standing access for C1 customers), replacing them with time-bound grants that auto-revoke at expiry. AI Access Management governs every MCP tool call in real time: every AI agent action is logged, policy-enforced, and auditable, directly supporting both Zero Trust and AI RMF requirements. All of it runs on one identity graph covering humans, machines, and agents.

For organizations in regulated industries, NIST frameworks form the technical backbone of compliance requirements across HIPAA, GLBA, and HITRUST. C1's Compliance & Risk Management solution maps those framework requirements to documented, auditable controls. For a deeper look at putting these principles into practice, see the identity governance best practices guide.

Stay in touch

The best way to keep up with identity security tips, guides, and industry best practices.

Explore more posts

 Identity Security: Processes, Use Cases & How to Implement

Identity Security: Processes, Use Cases & How to Implement

11 Best Access Governance Software for Identity Management in 2026

11 Best Access Governance Software for Identity Management in 2026

How to Stay Compliant with User Access Reviews

How to Stay Compliant with User Access Reviews