Threat actor profiling characterizes the motivations, capabilities, and likely attack methods of potential adversaries. In AI risk management, understanding who the likely attackers are and what they seek enables the design of controls specifically matched to the actual threat landscape.
Why B is Correct: According to ISACA AAIR threat-based risk management guidance, the most important reason for threat actor profiling is to tailor controls to adversary motivations and capabilities. Different threat actors—nation-state attackers, criminal organizations, competitors, insiders, activists—have different objectives (espionage vs. financial gain vs. disruption), capabilities (sophisticated vs. opportunistic), and methods. Controls calibrated to actual threat actor profiles are significantly more effective than generic controls that may not address the specific threats the organization actually faces.
Why A is Wrong: Aligning AI threats with IT control taxonomy is a governance integration activity that improves control consistency but does not capture the threat actor-specific tailoring value of profiling. Taxonomy alignment is an administrative benefit; threat-tailored controls are a security effectiveness benefit.
Why C is Wrong: Response metrics for cybersecurity incidents are developed for incident management planning. Threat actor profiling informs control design and incident response strategies but is not primarily used to develop response metrics.
Why D is Wrong: Prioritizing external threats over internal threats is a security strategy choice that threat actor profiling does not prescribe. Many AI attacks, including insider threats and social engineering, are internal. Profiling should result in appropriate prioritization based on actual threat likelihood, not a blanket prioritization of external threats.