Top Cybersecurity Framework Updates in 2025 and What to Expect in 2026

We’ve seen a wave of cybersecurity shakeups in 2025, and it’s not even over yet. From AI-specific threat models to tightening supply chain mandates, this year hasn’t just been about patching holes, it’s been about redefining how security frameworks even think about risk. And 2026? The writing’s already on the wall: more regulation, less tolerance for inaction, and sharper teeth behind compliance.

We'll walk you through what’s already shifted across major frameworks like NIST, ISO, and CIS, what caught the industry off guard, and what to expect in the second half of the year and beyond.

1. NIST’s major overhaul: 800-53 rev. 6 and AI-specific guidance

NIST has long been the backbone of U.S. cybersecurity policy. In April 2025, they dropped a long-anticipated update: NIST SP 800-53 Rev. 6. It’s being called the most significant revamp since 2013, not because it added dozens of new controls, but because it reshaped how we think about responsibility.

For the first time, NIST has baked in AI-specific controls, covering things like adversarial ML attacks, model poisoning, and data integrity for training datasets. These aren’t recommendations anymore; they’re marked as “baseline” for agencies and federal contractors.

2. CIS controls v9: modular, leaner, smarter

CIS Controls v9, released in February, didn’t get the splashy headlines that NIST’s update did, but for mid-sized and private orgs, it might be the more practical shift.

CIS introduced a modular approach this year, allowing you to choose your track: SMB, Enterprise, or Cloud-Native. The controls are now tailored, not just stacked, which makes life a little easier for security teams drowning in checklists.

What we find refreshing: the new Cloud-Native profile covers workload identities, ephemeral resources, and guidance on securing Infrastructure-as-Code (IaC) environments.

3. ISO/IEC 27001:2025 – Now with “trust architecture” principles

ISO also stepped into the modernization ring this year. The 2025 revision of ISO/IEC 27001 added an entirely new domain: Trust Architecture. It covers zero trust principles, behavioral analytics, and continuous risk scoring.

If that sounds fluffy, it’s because it is, for now. But the shift is philosophical as much as operational. The guidance encourages firms to evaluate access controls and the trustworthiness of users and assets in real time.

What does that mean in practice?

Think about a scenario where an employee logs in from a new location using a new device and suddenly starts accessing unusual files. Old ISO might’ve shrugged. New ISO expects that access to be challenged, reauthenticated, or blocked entirely.
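The scenario above, turned into a small continuous risk scorer. This is an added illustration, not text or code from ISO/IEC 27001: the signal weights, the two thresholds and the session events are assumptions chosen for the example.

```python
"""Continuous access-risk scoring for the login scenario described above.
Added example: the weights, thresholds and sample events are assumptions,
not values taken from any standard."""
from dataclasses import dataclass, field

# Assumed risk weights per signal and decision thresholds (not from a standard).
WEIGHTS = {"new_device": 30, "new_location": 25, "unusual_file_access": 35}
CHALLENGE_AT = 40   # at this score the session must re-authenticate
BLOCK_AT = 80       # at this score access is blocked outright


@dataclass
class UserBaseline:
    """What this user has done before, learned from earlier sessions."""
    known_devices: set
    known_locations: set
    usual_paths: set
    score: int = 0                        # rolling score for the current session
    signals: list = field(default_factory=list)


def score_event(baseline: UserBaseline, event: dict) -> str:
    """Fold one event into the session score and return allow/reauthenticate/block."""
    if event["type"] == "login":
        if event["device"] not in baseline.known_devices:
            baseline.signals.append("new_device")
        if event["location"] not in baseline.known_locations:
            baseline.signals.append("new_location")
    elif event["type"] == "file_access":
        # Every unusual access adds weight, so repeated probing escalates.
        if event["path"] not in baseline.usual_paths:
            baseline.signals.append("unusual_file_access")
    baseline.score = sum(WEIGHTS[s] for s in baseline.signals)
    if baseline.score >= BLOCK_AT:
        return "block"
    if baseline.score >= CHALLENGE_AT:
        return "reauthenticate"
    return "allow"


def run_session(baseline: UserBaseline, events: list) -> list:
    """Score a whole session in order and return the decision after each event."""
    return [score_event(baseline, e) for e in events]


if __name__ == "__main__":
    # Constructed session: new phone from a known city, then two unusual files.
    user = UserBaseline({"laptop-1"}, {"Berlin"}, {"/hr/policy.pdf"})
    print(run_session(user, [
        {"type": "login", "device": "phone-9", "location": "Berlin"},
        {"type": "file_access", "path": "/finance/payroll.xlsx"},
        {"type": "file_access", "path": "/finance/bank.csv"}]))
```

The same structure works with any scoring model; the point is that the decision is re-evaluated on every event rather than once at login.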

4. SEC cyber disclosure rules: Reality hits the 8-K

One of the biggest disruptors of 2025 came from outside the typical framework players: the U.S. Securities and Exchange Commission. The SEC’s cyber incident disclosure rule, which came into effect in January, now mandates that public companies report material cybersecurity incidents within four business days via Form 8-K.

This might not sound like a “framework” update in the traditional sense, but it's already changing how CISOs think about governance. If you have to tell Wall Street about a breach before you’ve even finished containing it, your entire communication strategy, risk classification logic, and even logging pipeline need to be in shape.

5. Supply chain security: SBOM becomes non-negotiable

Another major theme in 2025: software supply chain transparency. The push for Software Bills of Materials (SBOMs), sparked by the 2021 U.S. Executive Order, has finally matured into policy. The Minimum Elements for SBOM is no longer just a guideline—it’s now required for federal contracts under new CISA procurement mandates.

Private companies are also feeling the ripple. We’ve heard from multiple SaaS teams that enterprise clients are now requesting SBOMs upfront in security questionnaires.

By 2026, we expect third-party SBOM verification services to go mainstream, and SBOM formats like SPDX and CycloneDX will become table stakes, not optional.
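A check a receiving team can run on a vendor's SBOM before it goes into a questionnaire answer: does a CycloneDX JSON document carry the Minimum Elements data fields (supplier, component name, version, unique identifier, dependency relationship, author, timestamp)? This is an added example, not code from CISA or the CycloneDX project; the mapping of those fields onto CycloneDX keys is my reading of the 1.4 JSON schema, and the sample document is constructed.

```python
"""Check a CycloneDX JSON SBOM for the Minimum Elements data fields.
Added example: field mapping is an assumption based on CycloneDX 1.4 JSON;
the sample SBOM below is constructed, not a real vendor document."""
import json


def check_minimum_elements(sbom: dict) -> list:
    """Return human-readable findings; an empty list means every field is present."""
    findings = []
    meta = sbom.get("metadata", {})
    if not meta.get("timestamp"):
        findings.append("missing SBOM timestamp (metadata.timestamp)")
    if not meta.get("authors") and not meta.get("tools"):
        findings.append("missing SBOM author (metadata.authors or metadata.tools)")
    refs = set()
    for i, comp in enumerate(sbom.get("components", [])):
        label = comp.get("name") or f"component #{i}"
        if not comp.get("name"):
            findings.append(f"{label}: missing component name")
        if not comp.get("version"):
            findings.append(f"{label}: missing version")
        if not comp.get("supplier", {}).get("name"):
            findings.append(f"{label}: missing supplier name")
        if not (comp.get("purl") or comp.get("cpe")):
            findings.append(f"{label}: missing unique identifier (purl or cpe)")
        if comp.get("bom-ref"):
            refs.add(comp["bom-ref"])
    # Dependency relationship: each component must appear somewhere in the graph.
    listed = set()
    for dep in sbom.get("dependencies", []):
        listed.add(dep.get("ref"))
        listed.update(dep.get("dependsOn", []))
    for ref in sorted(refs - listed):
        findings.append(f"{ref}: no dependency relationship recorded")
    return findings


# Constructed sample: one complete component, one with gaps a reviewer should flag.
SAMPLE_SBOM = json.loads("""
{"bomFormat": "CycloneDX", "specVersion": "1.4",
 "metadata": {"timestamp": "2025-06-01T12:00:00Z",
              "authors": [{"name": "Example Build Pipeline"}],
              "component": {"bom-ref": "app", "name": "example-app", "version": "1.0.0"}},
 "components": [
   {"bom-ref": "pkg:npm/lodash@4.17.21", "name": "lodash", "version": "4.17.21",
    "supplier": {"name": "lodash maintainers"}, "purl": "pkg:npm/lodash@4.17.21"},
   {"bom-ref": "pkg:npm/left-pad@1.3.0", "name": "left-pad", "version": "1.3.0",
    "purl": "pkg:npm/left-pad@1.3.0"}],
 "dependencies": [{"ref": "app", "dependsOn": ["pkg:npm/lodash@4.17.21"]}]}
""")

if __name__ == "__main__":
    print("\n".join(check_minimum_elements(SAMPLE_SBOM)) or "all minimum elements present")
```

An SPDX document needs a different key mapping (creationInfo, packages, relationships), but the same seven questions apply.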

What to expect in the second half of 2025 and into 2026

If the first half of 2025 was about new expectations, the second half is shaping up to be about enforcement and interoperability.

1. Convergence between frameworks

NIST, ISO, and CIS aren’t moving in isolation anymore. We’re seeing language harmonization especially around zero trust, real-time telemetry, and AI governance. There’s growing momentum toward unified mappings like NIST’s new integration with MITRE ATT&CK and ISO 27001 crosswalks.

By 2026, we might finally get what security teams have long wished for: framework interoperability that doesn’t require three full-time analysts to keep up.

2. More teeth behind data protection laws

The EU’s Cyber Resilience Act, passed in early 2025, will enter its first enforcement phase in 2026. It will require mandatory vulnerability management and secure-by-design product development, not just for cloud vendors but for any “digital product” sold in Europe.

In parallel, the U.S. is inching closer to federal privacy legislation that ties breach fines to specific NIST control failures. That’s right—expect a direct link between framework compliance and regulatory risk.

3. AI security frameworks take shape

While 2025 brought the first wave of AI-specific controls, 2026 is expected to see full-on AI security frameworks emerge, possibly a dedicated NIST AI security baseline and sector-specific guidance (e.g., for healthcare, finance).

Expect new frameworks to focus on:

  • Model versioning and lineage
  • Dataset drift detection
  • Inference-time adversarial defense
  • Human-in-the-loop override mechanisms

Modern rules for modern systems

If there’s a theme to 2025's cybersecurity frameworks, it’s this: We’re finally aligning security practices with how modern systems work. AI models aren’t treated like magic anymore, and software supply chains aren’t just "dev problems."

But more than anything, there’s been a shift in tone—from optional maturity models to mandatory controls, from checklists to live telemetry, from guidelines to regulations with real deadlines.