TL;DR
- Cisco released a comprehensive AI security framework in December 2025, addressing gaps in existing technical frameworks like NIST AI RMF, OWASP Top 10 for LLMs 2025, and ISO 42001.
- Technical frameworks address what CISOs need to monitor but miss the critical human vulnerabilities attackers exploit.
- AI social engineering attacks manipulate trust and context the same way phishing does, targeting people, not just systems.
- Organizations need security awareness training focused on AI-specific human vulnerabilities.
- Cybrary's AI security training bridges the gap between technical controls and human-layer defenses.
Imagine this scenario: An executive receives an email that appears to be from their CFO, requesting an urgent wire transfer. The writing style matches perfectly. The usual greeting, the signature sign-off, even the slightly formal tone their CFO always uses. The executive approves the transfer. Hours later, they discover the entire email was AI-generated by an attacker who had been training a language model on scraped executive communications for weeks.
This isn't theoretical - it's happening now. New AI security frameworks from Cisco, NIST, OWASP, and ISO provide excellent technical guidance for managing AI risks. Cisco's new framework is particularly comprehensive, addressing gaps in existing approaches. But here's what they all miss: the humans actually interacting with AI tools.
Security frameworks tell CISOs what to monitor. They don't tell employees how to recognize when they're being manipulated.
But who's training employees to recognize AI-generated manipulation? Who's preparing staff to understand that the "helpful" AI chatbot on a vendor's website might be collecting sensitive information through seemingly innocent conversation? The same cognitive biases that make phishing successful are being weaponized through AI, and most organizations aren't preparing their people for it. According to Verizon's 2025 DBIR, 60% of breaches involve the human element, and AI weaponizes these vulnerabilities at unprecedented scale.
The Landscape of AI Security Frameworks
NIST AI Risk Management Framework
NIST released its AI RMF 1.0 in January 2023 through a consensus-driven process involving more than 240 organizations. The framework provides voluntary guidance organized into four functions: Govern, Map, Measure, and Manage. In July 2024, NIST released the Generative AI Profile to address GenAI-specific risks. The framework emphasizes trustworthy AI characteristics like transparency, fairness, accountability, and robustness. However, it provides high-level governance guidance rather than specific threat taxonomies.
NIST AI 100-2
NIST's AI 100-2 provides a taxonomy of attack primitives and adversarial machine learning (ML) techniques. The framework explicitly states its definitions aren't exhaustive, leaving gaps in coverage of emerging AI threats.
MITRE ATLAS
MITRE ATLAS is a knowledge base of adversary tactics and techniques targeting machine learning systems. It catalogs attack methods throughout the ML lifecycle, providing a common taxonomy for discussing AI-specific attacks. However, it focuses primarily on adversarial tactics and doesn't comprehensively address content safety or multi-modal attacks.
OWASP Top 10 for LLM and Agentic Applications
The OWASP Top 10 for Large Language Model Applications 2025 identifies the most critical security vulnerabilities in LLM applications based on community input from over 500 security experts. In December 2025, OWASP released the Top 10 for Agentic Applications 2026, addressing autonomous AI agents that plan, act, and make decisions across complex workflows.
Key OWASP-identified risks include prompt injection, sensitive information disclosure, supply chain vulnerabilities, data and model poisoning, improper output handling, excessive agency, and system prompt leakage. The 2025 LLM update expanded coverage of Retrieval-Augmented Generation (RAG) vulnerabilities and agentic architectures. While comprehensive for LLM applications, the framework faces limitations in lifecycle awareness and comprehensive coverage of multi-modal deployments.
ISO 42001 AI Management System
ISO/IEC 42001:2023, published in December 2023, is the world's first international standard for AI management systems. It includes 38 specific controls organized into nine objectives covering risk assessment, AI policies, lifecycle management, and data governance. The standard works alongside ISO 27001 for information security, providing a structured approach to managing AI-specific risks. Like NIST AI RMF, it focuses on management systems and governance rather than specific threat identification.
Cisco's Integrated AI Security and Safety Framework
Recognizing these gaps, Cisco unveiled its framework in December 2025 as a unified response to fragmented coverage. According to Cisco's analysis, existing frameworks each provide valuable perspectives but miss critical elements: MITRE ATLAS lacks content safety coverage, NIST AI 100-2 acknowledges its taxonomy isn't exhaustive, and OWASP faces limitations in lifecycle and multi-modal coverage.
Cisco's framework maps threats across five design elements: threat/harm integration, lifecycle awareness, multi-agent coordination, multimodality, and audience-aware utility. It covers nearly 20 threat categories including prompt injection, jailbreaking, training data poisoning, model extraction, supply chain vulnerabilities, and agentic risks, providing the comprehensive, lifecycle-aware taxonomy that addresses gaps in existing frameworks.
Cisco's comprehensive framework provides the technical foundation organizations need. Like NIST AI RMF, ISO 42001, and OWASP before it, these frameworks tell security teams how to detect prompt injection, monitor for jailbreaking, and assess third-party AI services. They provide crucial technical guidance for protecting AI systems.
But technical controls protect systems. Human training protects people. The executive who approves a wire transfer from an AI-generated email, the developer who clicks an AI-personalized phishing link, and the finance worker who trusts what they see on a deepfake video call aren't experiencing technical failures. They're experiencing human vulnerabilities that AI attackers specifically target. Complete AI security requires both layers working together.
Building Human-Layer AI Security Defenses
Organizations implementing AI tools need security awareness training addressing AI-specific threats:
AI-Specific Threat Recognition: Training should cover identifying AI-generated phishing, recognizing deepfakes and synthetic media, understanding AI-personalized attacks, and questioning unexpectedly perfect communications.
Safe AI Tool Usage: Organizations need policies aligned with ISO 42001 and NIST AI RMF covering data classification for AI interactions, recognizing shadow AI adoption, and verification procedures for AI-generated outputs.
AI Social Engineering Defense: Training on the psychology of AI-enhanced manipulation, multi-factor verification for high-value requests, understanding AI's ability to impersonate communication styles, and building cultures that normalize verification.
Practical Red Team Scenarios: Training aligned with OWASP recommendations should include hands-on exercises with simulated AI attacks, practice identifying prompt injection, and experience with AI-generated misinformation.
Cybrary's AI security training addresses these human-layer vulnerabilities. While technical frameworks provide structural foundation, Cybrary courses prepare people to recognize and respond to AI-enabled threats.
The Integration Challenge: Technical + Human Security
Effective AI security programs integrate technical controls with human training:
Technical Layer: Implement technical controls for things like prompt injection detection (OWASP), model access controls (ISO 42001), jailbreaking monitoring (Cisco framework), and third-party AI assessments (NIST AI RMF).
Human Layer: Train employees on AI social engineering recognition, establish verification procedures for AI-generated requests, create safe reporting channels, and build cultural norms around questioning AI outputs.
Integration Points: The power emerges when these layers work together in a continuous feedback loop. When technical controls detect anomalous model behavior, they trigger enhanced user verification procedures that simultaneously block the attack and educate employees about the threat. Those trained employees then recognize similar patterns in other contexts, reporting suspicious AI interactions that inform and refine technical monitoring rules. As security teams identify new attack patterns, they update both technical defenses and training scenarios in parallel, ensuring the organization evolves holistically against emerging threats. Training exercises that expose human vulnerabilities drive implementation of compensating technical controls, completing the cycle of mutual reinforcement.
Organizations implementing only technical controls remain vulnerable to attacks exploiting human trust, while organizations training employees without technical safeguards can't detect sophisticated attacks at scale.
Real-World Examples: When Technical Controls Aren't Enough
Several recent incidents demonstrate that comprehensive technical frameworks, while essential, require human training to create complete defense. These cases show organizations with strong technical controls that still suffered breaches because employees weren't prepared for AI-enabled social engineering.
Arup: The $25.6 Million Deepfake Video Conference
In February 2024, a finance worker at global engineering firm Arup was tricked into transferring $25.6 million to fraudster-controlled accounts. The attack wasn't a simple phishing email. The employee attended a multi-person video conference call featuring AI-generated deepfakes of the company's CFO and other senior executives. Every person on the call except the victim was an AI-generated deepfake.
The AI-Specific Attack Vector: Attackers used sophisticated video deepfake technology to create real-time, convincing likenesses of multiple executives simultaneously. This wasn't voice-only. This was a full video conference where the victim could see their colleagues' faces, expressions, and body language.
The Human Failure: The finance worker trusted what they saw on video. Traditional security awareness training teaches employees to verify requests through separate communication channels, but how many organizations have trained employees that "seeing is no longer believing”? The employee followed established protocols for video verification but didn't know those protocols were now obsolete.
What Was Missing: While NIST AI RMF and ISO 42001 provide guidance for AI system trustworthiness and risk assessments, organizations need specific training programs teaching employees to recognize deepfake-enabled impersonation. OWASP's Agentic Top 10 identifies "ASI09: Human-Agent Trust Exploitation," but technical frameworks require human training to complete the defense. Employees need new verification procedures for high-stakes requests, regardless of how convincing the video appears.
What's needed: Employees need new verification procedures for high-stakes requests, regardless of how convincing the video appears. Training programs should teach that "seeing is no longer believing" and establish multi-channel verification protocols for financial transactions.
The NPM Supply Chain Attack: AI-Personalized Developer Targeting
In September 2025, attackers used AI-written spear phishing to target a developer at a leading software company. The email wasn't generic phishing. It referenced specific GitHub commits, used the developer's preferred coding terminology, and included a convincing fake security vulnerability report. The developer clicked, leading to credential theft and hijacking of NPM packages with billions of weekly downloads.
The AI-Specific Attack Vector: AI analyzed the developer's public GitHub activity, coding style, and communication patterns to generate perfectly contextualized phishing. Nearly 82.6% of phishing emails now use AI language models, achieving a 60% overall success rate against humans with 54% clicking malicious links (nearly four times higher than traditional phishing).
The Human Failure: The developer was trained to spot generic phishing but not AI-personalized attacks that reference their actual work. Traditional phishing awareness training teaches employees to look for poor grammar and generic greetings. This email had neither. It appeared to come from official NPM support, used a convincing domain, and created urgent pressure around required 2FA updates by a specific deadline.
What Was Missing: OWASP LLM Top 10 2025 and Cisco's framework provide comprehensive coverage of supply chain vulnerabilities and technical attack vectors. But frameworks need to be paired with training that prepares developers to recognize AI-personalized social engineering. Technical staff are specifically targeted because AI can analyze their public code contributions to craft convincing attacks.
What's needed: Developers need training on verifying urgent security requests, even when they appear to come from legitimate domains and use professional formatting. Training should emphasize multi-factor verification for credential-related requests and skepticism toward artificial urgency.
Shadow AI: The Unauthorized Tools Creating $670,000 Breaches
IBM's 2025 Cost of Data Breach Report revealed that shadow AI breaches cost an average of $670,000 more than traditional data breaches. Of the 13% of organizations that experienced AI-related breaches, 97% lacked proper AI access controls. One in five organizations experienced a cyberattack specifically because of shadow AI.
The AI-Specific Attack Vector: Employees use unauthorized AI coding assistants, chatbots, and productivity tools without understanding data classification policies. These tools log inputs to third-party services that mine the data for intellectual property, security vulnerabilities, and sensitive information. The most common attack origin was supply-chain intrusion through compromised AI apps, APIs, or plug-ins.
The Human Failure: Employees don't recognize AI tools as security risks. A developer uses an AI coding assistant to debug faster. A finance analyst uploads sensitive data to an AI tool for analysis. A product manager pastes customer information into ChatGPT to draft communications. Each action seems productive on the surface. None has been addressed in traditional security awareness training.
What Was Missing: ISO 42001 and NIST AI RMF provide strong governance frameworks requiring AI oversight and data classification. Organizations implementing these frameworks have technical controls in place.
What's needed: practical employee training programs that translate those governance requirements into everyday decisions. Employees need to understand shadow AI risks and how data classification policies apply to AI tool usage.
Conclusion
Think back to our executive who approved that fraudulent wire transfer based on an AI-generated email. The company probably had excellent technical controls, maybe even implementing NIST AI RMF, ISO 42001, or Cisco's comprehensive framework. What was missing? Training for the executive to recognize that AI can perfectly mimic writing styles and exploit trust in familiar communication patterns.
According to Verizon's 2025 DBIR, 60% of breaches involve the human element. AI weaponizes the same cognitive biases that make phishing successful, but at unprecedented scale.
Complete AI security requires both technical controls and human training working together. Organizations implementing Cisco's framework alongside NIST, OWASP, and ISO guidance have the technical foundation. Adding comprehensive human training creates complete defense against AI-enabled threats targeting both systems and people.
Ready to complete your AI security program? Explore courses like Cybrary's Agentic AI security course and prepare your team to defend against AI-enabled threats targeting both systems and people.
