NIST AI RMF 1.0 โ€” Locked Framework

AI Risk Maturity
Assessment Tool

A structured assessment tool mapped directly to the NIST AI Risk Management Framework 1.0. Enter your AI system details to begin.

Configure your assessment

This tool is strictly scoped to NIST AI RMF 1.0. It evaluates any AI system across four functions: Govern, Map, Measure, and Manage โ€” and outputs a prioritised gap report with remediation actions.

NIST AI Risk Management Framework โ€” Version 1.0 (2023)
Govern Map Measure Manage
GV
GV-1.1
Does [System] have a documented policy that defines roles and responsibilities for AI risk oversight?
GV-1.2
Is there a named AI risk owner accountable for [System]'s outcomes and escalation decisions?
GV-4.1
Have staff involved in reviewing AI outputs received training on AI limitations, bias risks, and fair decision-making?
GV-6.1
Are policies reviewed and updated when [System] is retrained, updated, or deployed to new contexts?
MP
MP-1.1
Has the intended use case of [System] been formally documented, including the populations it was designed to assess?
MP-2.3
Have potential harms to [Affected] been identified โ€” including false positives or incorrect outputs that could negatively impact them?
MP-4.1
Has the training data used by [System] been reviewed for demographic or representational gaps that could introduce bias?
MP-5.1
Are the legal and regulatory requirements applicable to this AI system documented and mapped to specific controls?
MS
MS-1.1
Are quantitative performance metrics tracked for [System] on a regular cadence?
MS-2.5
Has [System] been tested for bias across demographic groups to check whether outputs differ unfairly by population segment?
MS-3.3
Is there a process to detect model drift โ€” where [System]'s accuracy degrades as real-world conditions evolve over time?
MS-4.1
Are explainability mechanisms in place so that human reviewers understand why [System] produced a specific output?
MG
MG-1.1
Is there a risk register where [System] risks are logged, prioritised, and assigned to named owners?
MG-2.2
Does a process exist for [Affected] to dispute or challenge an AI-driven output โ€” and is that process reviewed for fairness?
MG-3.1
Are [System] incidents and failures logged and reviewed to drive continuous improvement in performance and policy?
MG-4.2
Are senior stakeholders (e.g. CISO, CRO, or Board) receiving regular reporting on [System]'s risk posture and open remediation items?
Assessment complete
Gap Report
Overall AI Risk Maturity Score
โ€”
Govern
โ€”
Map
โ€”
Measure
โ€”
Manage
โ€”
Prioritised Remediation Roadmap