ABCDEFGHIJKLMNOPQRSTUVWXYZ
1
READ ME. Methodology, sources and what this does not cover
2
How I built this, which version of each framework I have used, and where I am confident in a mapping against where I am really making a judgement call.
3
4
WHAT THIS IS
5
When I started this, the question I kept in front of me was a simple one. If a small AI safety organisation had to build its security from nothing, which policies would it actually need to write, and what would each one be worth. This workbook is my answer to that. I began with the RAND report on securing AI model weights, because it is the most thorough work in this area, and then I scaled it down to the threat these organisations really face. After that I checked every policy against both the AI risk frameworks and the security frameworks I already work with. The reason I went to that trouble is that one policy can usually be made to count towards several standards at once, and when an organisation is short on both time and money, that is the part that matters most.
6
7
THE FRAMEWORKS I USED, with the version current as of June 2026
8
FrameworkVersionWhere it sits in this work
9
NIST AI Risk Management FrameworkAI 100-1, version 1.0 (Jan 2023)The main AI alignment
10
NIST Generative AI ProfileAI 600-1 (Jul 2024)Used for the agentic layer
11
NIST Cybersecurity FrameworkCSF 2.0 (Feb 2024)Adds the Govern function
12
NIST SP 800-53Revision 5 (2020, patched 5.1.1 2023 and 5.2 2025)The control catalogue
13
SOC 2
14
ISO/IEC 270012022, including the 2024 climate amendmentThe Annex A controls
15
UK Cyber EssentialsVersion 3.3, the Danzell question set (in force 27 Apr 2026)Replaced version 3.2, Willow
16
RANDRRA2849-1, Securing AI Model Weights The source for the threats and controls
17
Cyber Insurance
18
19
One thing is worth flagging, because it is recent and easy to miss. Cyber Essentials moved to version 3.3 on the 27th of April 2026, with a new question set called Danzell, replacing version 3.2. The five technical controls themselves have not changed, but two things in the new version matter for these organisations. Multi factor authentication is now required on any cloud service that offers it, and if it is missing the whole assessment fails. Cloud services can also no longer be left out of scope, which means a small organisation's Google Workspace now sits firmly inside the assessment. I have written the Cyber Essentials column to reflect version 3.3.
20
21
HOW I DID THE MAPPING, worth reading before you quote any cell
22
The two NIST AI frameworks are not like the others, so I was careful about how I used them. They describe outcomes an organisation should reach rather than controls it should put in place, and there is no official list telling you which security policy meets which part of them. So when you see a policy tagged against one of these, read it as me saying the policy genuinely helps reach that outcome, not that it ticks a defined box. For the generative AI guidance I simply named the risk the policy speaks to, such as information security, rather than claiming a precision the document itself does not offer.
23
The other four frameworks are the opposite, and these mappings I am confident about. Cyber Essentials, ISO 27001, the NIST Cybersecurity Framework and 800-53 all list named controls, so each policy points to the control it puts into practice. When I cite something like 800-53 control AC-6 for least privilege, I mean the policy backs that control, not that the organisation has already built it out in full.
24
The last thing I did was tie each policy back to the RAND report itself, naming the attack it most reduces and the least capable attacker for whom that attack becomes a genuine worry. That sits on the RAND Threat Linkage sheet, and I included it so you can see the set is driven by real threats rather than by a generic checklist.
25
26
WHAT I SCOPED OUT, and where I am being honest about gaps
27
I rebalanced the scope, and this was the decision I thought hardest about. RAND is written for frontier laboratories, so I kept the lower security levels in full, took a realistic slice of the middle level, and left the top two mapped but not written. A small organisation will almost certainly never face a nation state, and could not build those defences even if it tried, so writing them out in detail would have looked impressive and helped no one.
28
The AI framework tags are my considered judgement, not a certified mapping. An assessor might reasonably place a policy under a neighbouring part of the framework, and I would not argue with them.
29
Everything here is right as of June 2026. Cyber Essentials 3.3, the Cybersecurity Framework 2.0 and ISO 27001:2022 are the current editions, but these things move, so it is worth a quick check before any audit.
30
I have left fairness and wider social impact deliberately light, and I want to be open about that. They matter, but they sit outside what a security policy can honestly claim to cover, so I would rather hand them to whoever owns ethics in the organisation than stretch this work to pretend it reaches them.
31
32
CHANGE LOG
33
Version 1, the gap analysisWhere I first listed the policies across all five security levels and worked out what each one earned towards Cyber Essentials, ISO 27001 and SOC 2.
34
Version 2, aligned to NIST AI RMFWhere I rebalanced the scope, brought in the AI risk framework and the generative AI guidance, and sorted the policies into build tiers.
35
Version 3, this oneWhere I added the Cybersecurity Framework, 800-53, ISO 27001 Annex A and Cyber Essentials 3.3, tied everything back to RAND, and wrote the methodology and coverage sheets.
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100