Overview
Severity: MEDIUM | Affected: U.S. CISA | Category: policy
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in partnership with NIST, has issued a new directive mandating continuous, automated red-teaming for AI models designated as 'systemically important.' The policy, known as Directive AI-25-01, applies to companies developing or deploying foundation models with over 10^25 FLOPs of training compute or those used in critical infrastructure sectors like finance, energy, and healthcare. The directive requires affected organizations to implement automated frameworks for continuously testing their models against known and emerging threats, including jailbreaking, data poisoning, and model evasion. Companies must submit quarterly reports on their red-teaming findings and mitigation strategies. This marks a significant shift from voluntary safety commitments to a regulated compliance framework, aiming to proactively identify and patch vulnerabilities in powerful AI systems before they can be widely exploited.