Overview
Severity: MEDIUM | Affected: U.S. CISA | Category: policy
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in partnership with NIST, has finalized a new directive requiring mandatory AI red-teaming for all AI/ML systems deployed in critical infrastructure sectors. The policy, known as 'Directive AI-26-01,' mandates that operators in energy, finance, and healthcare conduct regular, structured adversarial testing against their AI systems to identify and mitigate potential vulnerabilities. This includes testing for evasion attacks, data poisoning, and model extraction. Organizations must submit compliance reports annually, detailing their testing methodologies and remediation efforts. The move is part of the government's broader strategy to secure AI systems against sophisticated threats and ensure their safe and reliable operation in sensitive environments. The directive will go into effect in 90 days, giving organizations time to establish their internal red-teaming capabilities or partner with certified security vendors.