Emerging NIST guidance suggests that the long-standing practice of treating AI as “just software” for cybersecurity purposes is giving way to more novel approaches to managing AI risks.