This paper examines the NIST Cyber AI Profile process as a case study in how governance architectures can be pre‑decided before “working sessions” ever convene. Drawing on first-hand participation in the NCCoE workshops and virtual sessions, it argues that the choice of a CSF Community Profile format, an 800‑53 control baseline, and pre-defined focus areas constituted an architectural pre‑commitment that effectively foreclosed alternative ontologies for governing AI in cybersecurity. The paper introduces the concepts of legitimation rituals and architectural capture to describe how open procedures can produce predetermined outcomes, and it traces the governance debt this design choice shifts onto organizations least equipped to carry it. Finally, it outlines what a genuinely architectural process would require if we are to build AI-cybersecurity governance that matches the behavior and risk profile of agentic systems, rather than retrofitting them into legacy control catalogs.
Narnaiezzsshaa Truong (Tue,) studied this question.