CYBERSECURITY FRAMEWORK UPDATES FOR 2025–2026

Cybersecurity framework updates show a clear shift toward stronger identity assurance, verifiable controls, cloud accountability, and AI security.

Cybersecurity frameworks rarely change dramatically or overnight. More often, a standards body publishes 80 pages of revised controls, changes three important definitions, reorders a few sections, and waits for the rest of us to notice.

Over the past year, however, several updates now point in the same direction. Security frameworks are moving beyond broad statements about protecting systems and toward a more practical question:

Who, or what, is allowed to act, and can we prove that access remains appropriate?

Professionally, I keep an eye on new standards and frameworks, and this noticeable shift runs through the most important updates of 2025 and 2026. Identity assurance has become more detailed. Cloud responsibility must be easier to audit. Software supply-chain controls are getting stricter. AI is being absorbed into mainstream security governance rather than treated as a novelty.

The frameworks themselves haven’t suddenly become identity frameworks. But identity is increasingly the thread holding them together. Here are some of our findings to save you some time:

NIST SP 800-63-4 modernizes digital identity assurance

The most significant identity update is ⁠NIST SP 800-63-4, published back in July 2025. It replaces Revision 3, which had been the foundation of NIST’s digital identity guidance since 2017.

Revision 4 covers identity proofing, authentication, authenticator management, federation, account recovery, privacy, and fraud resistance. NIST developed it over nearly four years and considered around 6,000 public comments. [⁠NIST]

The important change isn’t just stronger authentication or better support for passkeys. NIST separates three different forms of assurance:

  • Identity Assurance Level: how confidently an identity has been established.
  • Authentication Assurance Level: how confidently the person or system presenting a credential can be authenticated.
  • Federation Assurance Level: how confidently one system can trust an identity assertion from another.

That distinction means successful authentication doesn’t automatically make access appropriate. An account can be genuine, strongly authenticated, and still possess permissions it no longer needs.

This is where digital identity guidance meets ⁠identity risk. Strong authentication reduces one kind of risk. It doesn’t resolve stale entitlements, unnecessary administrative access, weak offboarding, or privileges inherited from several job roles ago.

ISO refreshed its identity management framework

The updated ISO/IEC 24760 identity management series received far less attention, despite being especially relevant to modern identity programs.

ISO/IEC 24760-1:2025 defines core identity concepts and terminology. Part 2 establishes a reference architecture and system requirements, while Part 3 provides practical guidance for managing identity information and ensuring conformity with the wider framework. [⁠ISO]

This treats identity management as an enterprise-wide system rather than a login function. It supports clearer thinking around authoritative identity sources, federation, identity data quality, lifecycle management, and the relationship between identity information and access decisions.

That distinction is particularly apparent when considering ⁠machine identity. Service accounts, workloads, applications, APIs, and AI agents don’t have HR records or annual access reviews. Their identities still require ownership, purpose, lifecycle controls, and accountability.

NCSC CAF 4.0 makes security more threat-informed

The UK National Cyber Security Centre released ⁠Cyber Assessment Framework 4.0 in August ‘25.

The update introduced four main changes: a greater focus on attacker methods and motivations, stronger expectations for secure software development, updated monitoring and threat-hunting guidance, and broader consideration of AI-related cybersecurity risk. [⁠National Cyber Security Centre]

CAF 4.0 is a wider shift across ⁠international cybersecurity standards. It isn’t enough to show that a control exists. We increasingly need to demonstrate that it operates against realistic threats.

For access management, that means knowing more than whether privileged accounts require approval. We need evidence showing who received access, why it was granted, what they did, and when the privilege was removed.

Policies are fine. Auditors, however, remain stoically fond of evidence.

Software supply-chain controls move into the mainstream

In August 2025, NIST issued ⁠SP 800-53 Release 5.2.0, a targeted update addressing the security and reliability of software updates and patches.

The new release added controls covering resilient software design, developer testing, update deployment, patch management, integrity validation, and the monitoring of components during updates. [⁠NIST Computer Security Resource Center]

This sounds like software engineering territory, but update pipelines depend on highly privileged identities: build accounts, signing credentials, deployment agents, CI/CD services, and endpoint-management administrators.

The security question isn’t just whether an update is available. It is whether trusted identities built, approved, signed, and deployed it, and whether those identities had more power than they needed.

That brings the ⁠principle of least privilege directly into software integrity.

Cloud frameworks are clarifying shared responsibility

The Cloud Security Alliance’s ⁠Cloud Controls Matrix 4.1 expands its cloud security framework to 207 controls across 17 domains. Its updates improve control clarity, auditability, supply-chain coverage, and the assignment of responsibility between cloud providers and customers. [⁠Cloud Security Alliance]

“Shared responsibility” has traditionally been a phrase capable of meaning everything and therefore, occasionally meaning nothing. Modern cloud assurance now requires us to identify who (across the cloud provider, data center owner, and the business deployed in the cloud) owns each control, who supplies the evidence, and where responsibilities overlap. Identity and access management remain central because cloud controls depend on account lifecycle management, privileged access, segregation of duties, access reviews, and service identities.

AI security is becoming ordinary cybersecurity

The emerging ⁠NIST Cyber AI Profile may be the clearest sign of where cybersecurity frameworks are heading.

Published as a preliminary draft in December 2025, it organizes AI cybersecurity around three areas: securing AI systems, using AI for cyber defense, and combating AI-enabled attacks. It applies the existing NIST Cybersecurity Framework 2.0 structure rather than creating an entirely separate AI security universe. [⁠NIST Computer Security Resource Center]

The Cloud Security Alliance has gone further with its ⁠AI Controls Matrix 1.1, released in June 2026, with 247 control objectives across 18 domains. [⁠Cloud Security Alliance]

AI security isn’t just about model behavior, prompt injection, or data poisoning. It is also about the APIs, tokens, service accounts, cloud roles, and delegated permissions through which AI systems can act.

Effective ⁠AI access controls must therefore answer some familiar but nuanced questions. What can the agent reach? Who approved that access? How long should it last? Can its actions be audited? Can the permissions be removed without dismantling the entire workflow and blaming “innovation”?

Cybersecurity frameworks expect proof, not promises

The most important change isn’t found in any single control.

Across these cybersecurity framework updates, I see a move toward continuous assurance, stronger identity architecture, measurable outcomes, and operational evidence. Frameworks increasingly expect us to ⁠prove least privilege, not just include it in a policy document.

Authentication remains essential, but it is only the beginning. The harder task is governing access after authentication: ensuring permissions reflect current responsibilities, limiting privileged access, tracking machine identities, and removing access when its purpose expires.

And that’s where cybersecurity frameworks are converging. The perimeter hasn’t entirely disappeared. It’s just become a little less interesting than the identities walking through it.

Modern cybersecurity frameworks expect organizations to demonstrate who has access, why they have it, and whether that access remains appropriate. Start a ⁠free Trustle trial to discover cloud access, reduce standing privileges, automate reviews, and create a clearer record of access decisions.

Nik Hewitt

Industry

July 15, 2026

Don't fall behind the curve

Discover powerful features designed to simplify access management, track progress, and achieve frictionless JIT.

Free trial