NSPM-11 Elevates AI Security from Best Practice to National Security Requirement

On June 5, 2026, the White House released National Security Presidential Memorandum-11 (NSPM-11), establishing a framework for accelerating AI adoption across the national security enterprise. One detail stands out from a security perspective: Section 4(c) explicitly directs leaders to secure advanced AI systems, including protection against malicious distillation attacks.

Presidential directives rarely reference specific attack techniques. By naming model distillation directly, NSPM-11 acknowledges a reality security teams have been confronting for years: AI systems are now strategic assets and attack targets. Protecting those systems from theft, manipulation, and misuse is a national security requirement.

The memorandum organizes the national security enterprise around four pillars: Adoption, Adaptation, Assurance, and Accountability. While much of the discussion around NSPM-11 has focused on accelerating AI deployment, the Assurance pillar deserves equal attention. It is the foundation that enables organizations to adopt AI confidently and securely.

Understanding the Three AI Challenges

Discussions about AI security often blur together three distinct disciplines:

• AI for Cybersecurity: Using AI to improve security operations, threat detection, vulnerability management, and defensive capabilities.
• Responsible AI: Ensuring AI systems operate safely, ethically, and in compliance with applicable laws, policies, and governance requirements.
• AI Security: Protecting AI systems themselves from theft, manipulation, compromise, and adversarial attacks.

While these disciplines are complementary, they address different risks and require different controls.

Responsible AI programs help organizations manage governance and compliance risks, but they are not designed to identify model backdoors or model theft. AI-powered cybersecurity tools may improve detection and response capabilities, but they do not inherently protect the models themselves from attack.

AI security focuses on a different question entirely: Can an adversary manipulate, steal, poison, or otherwise compromise the model?

That distinction is central to NSPM-11's Assurance pillar and highlights why AI security has emerged as its own cybersecurity discipline.

The Significance of NSPM-11's Definitions

One of the most important aspects of NSPM-11 is how it defines AI security. The memorandum defines AI security as applying protection mechanisms across the AI technology stack to ensure the confidentiality, integrity, and availability of AI systems from design through deployment.

This aligns AI security with established cybersecurity principles while recognizing that AI introduces unique attack surfaces. The policy also broadens the concept of AI incident response to include adversarial attacks against AI systems themselves, reinforcing the need to monitor, defend, and validate AI models like any other critical technology asset.

This shift is significant because it formally recognizes AI systems as operational assets that require dedicated security controls. Threats such as prompt injection, model extraction, training data poisoning, and model backdoors are no longer theoretical concerns. They are security risks that organizations must be prepared to detect, investigate, and respond to.

Assurance Requires Independent Verification

The Assurance pillar emphasizes maintaining visibility and control over mission-critical AI systems.

NSPM-11 requires mechanisms that prevent AI systems from being materially modified without government knowledge and approval. This reflects two realities facing organizations adopting AI at scale.

First, AI systems can be intentionally manipulated. Adversaries may attempt to alter a model's behavior through tampering, poisoning, or the introduction of hidden functionality.

Second, organizations must maintain independent visibility into the AI systems they rely on. As agencies deploy models from commercial providers, open-source communities, and internal development teams, they need the ability to verify model integrity regardless of where the model originated.

This requirement naturally favors security capabilities that operate independently of any single model vendor. As the AI ecosystem becomes increasingly diverse, organizations need assurance mechanisms that can evaluate and secure AI systems consistently across different model architectures, deployment environments, and suppliers.

Equally important, those assurance mechanisms should align with established frameworks such as MITRE ATLAS, the NIST AI Risk Management Framework (AI RMF), and emerging federal AI security guidance. Aligning AI security programs with recognized frameworks enables organizations to consistently evaluate risk, validate security controls, and demonstrate assurance through transparent, repeatable methodologies.

What AI Security Looks Like in Practice

The threats addressed by NSPM-11 are not hypothetical.

HiddenLayer researchers demonstrated this challenge through ShadowLogic, a technique that embeds malicious behavior directly within a model's computational graph rather than in traditional software components.

Because these manipulations exist within the model itself, they can evade conventional malware detection approaches and persist through common model transformations. Research has demonstrated that these types of backdoors can remain dormant until triggered by specific conditions, highlighting a key challenge for AI security: many AI threats lie beyond the visibility of traditional security controls, making specialized model analysis and validation essential before deployment.

However, securing AI systems extends beyond model artifacts alone.

At deployment and runtime, organizations must contend with attacks such as prompt injection, jailbreaks, sensitive data extraction, and other adversarial techniques that target model behavior through inference interactions. Many of these risks are now well documented within industry frameworks, including the OWASP Top 10 for LLM Applications and MITRE ATLAS. These resources provide a common language for understanding AI attack techniques and reinforce the need for security controls that continuously monitor model interactions and behavior in production environments.

At the strategic level, NSPM-11 specifically calls out model distillation attacks, in which an adversary repeatedly queries a deployed model to replicate its capabilities in another system. In these cases, the attacker may never gain direct access to model weights or infrastructure. Instead, they extract value through interaction.

These threats occur at different stages of the AI lifecycle, which is why effective AI security requires a layered approach. Model integrity validation, runtime monitoring, adversarial testing, and continuous assessment each address different aspects of the attack surface.

The principle is familiar to every security practitioner: defense in depth applies to AI just as it does to traditional systems.

Why AI Security Is a Distinct Discipline

NSPM-11 reinforces why AI security has emerged as a dedicated cybersecurity discipline.

Traditional security controls remain essential, but they were not designed to identify model backdoors, detect attempts to extract models, or analyze machine learning artifacts for signs of tampering.

Addressing these risks requires capabilities focused specifically on AI systems, including:

• Model scanning and artifact analysis
• Runtime monitoring for AI-specific attacks
• Adversarial testing and AI red teaming
• Continuous validation of model integrity
• AI-focused incident response and investigation

These capabilities should operate independently of any single model provider, enabling organizations to evaluate and secure AI systems consistently across a diverse technology ecosystem.

This challenge becomes even more important within national security environments. A model can be protected by strong network controls and still be compromised before deployment if the model artifact itself contains malicious modifications. Security must therefore extend beyond infrastructure and include the AI system itself.

Additionally, many mission-critical AI deployments operate in disconnected, classified, or air-gapped environments. Security controls that require continuous communication with vendor-hosted cloud services may not be practical in these settings. Effective AI security must be able to operate within the organization's environment and security boundaries.

The Bottom Line

NSPM-11 reinforces a principle that security teams already understand: trust requires verification.

As agencies accelerate AI adoption, security leaders must evaluate not only model performance but also their ability to verify model integrity, understand model behavior under adversarial conditions, and deploy security controls that operate within mission environments.

Before deploying a model, organizations should be able to answer three fundamental questions:

• Can we verify the integrity of this model?
• Can we understand how it behaves under attack?
• Can security controls operate within our environment, including disconnected or classified networks?

NSPM-11 makes clear that AI assurance is no longer optional. As AI becomes foundational to mission execution, securing the model itself must become a foundational part of the security strategy.

The organizations that can answer these questions with confidence will be best positioned to adopt AI at scale while maintaining trust, resilience, and operational readiness.

‍