Cybersecurity is a constantly evolving field, and so are the tools we use to navigate it. At the Cybersecurity Risk Foundation (CRF), our mission is to help organizations build practical, resilient security programs that can keep pace with modern threats and technologies. That mission inspired the latest updates to the 2025 CRF Safeguards Assessment Tool.
The most exciting change? The addition of a brand-new domain focused entirely on Artificial Intelligence (AI). This forward-looking enhancement is not just timely—it’s a powerful step toward responsible innovation. I’d like to share why we felt this update was needed, how it supports your existing safeguards, and how you can take advantage of the free tools and resources available on the CRF website.
Why AI, and Why Now?
AI is transforming our world. Whether you’re using machine learning to detect anomalies, automate customer service, or accelerate software development, AI is rapidly becoming embedded into every layer of business operations.
With these opportunities come new considerations: How do we ensure transparency in AI decisions? How do we respond to unexpected outcomes or changes in behavior? How do we align AI practices with our existing policies and values?
Rather than approaching AI with caution or concern, we see this moment as an opportunity to empower organizations. With the right safeguards in place, AI can be both innovative and secure.
Introducing the AI Management Domain
The new Artificial Intelligence Management domain in the 2025 CRF-Safeguards includes 17 purpose-built safeguards. These are designed to help teams:
- Identify where and how AI is used.
- Define ownership and governance responsibilities.
- Ensure AI systems align with ethical and compliance frameworks.
- Monitor and maintain AI performance over time.
These safeguards fit naturally into the rest of your security program. They’re practical, actionable, and adaptable to organizations of all sizes and maturity levels. From initial inventory to ongoing risk assessment and transparency practices, the new AI safeguards are designed to integrate seamlessly into your workflows.
What It Means for Your Team
Whether you’re leading a security team, designing systems, or managing risk, the addition of AI safeguards gives you a valuable new lens to assess and improve your program.
Think of it as an enhancement—not an overhaul. You don’t need to rethink your entire program to start benefiting from this update. These AI safeguards offer a way to align your organization’s innovation with governance, ensuring that as you move forward with AI, you do so with confidence.
Acknowledging Other Key Updates
In addition to the AI enhancements, we’ve also fine-tuned several existing areas:
- Third-Party Risk Management now emphasizes prioritizing third-party relationships based on risk.
- Resilience Management clarifies the importance of defined roles and recovery actions.
- Data Inventory Management introduces accountability through clear data ownership.
- Development Safeguards reflect a more thoughtful approach to vulnerability prioritization.
These refinements may be subtle, but they speak volumes about where cybersecurity is headed: more clarity, more alignment, and more confidence in our safeguards.
Moving Forward Together
Cybersecurity isn’t just about responding to threats. It’s about building trust, enabling innovation, and supporting the people behind the technology. The 2025 CRF-Safeguards reflects this mindset.
We invite you to explore the new AI Management domain and consider how it might strengthen your organization’s risk posture. And while you’re at it, be sure to check out the full library of free resources and tools available on our website under the Resource tab.
Whether you’re just getting started or looking to refine a mature program, these updates are designed to help you take the next step with confidence.
Thank you for being part of the CRF community. Let’s keep building a safer, smarter, and more secure future—together.