A structured assessment tool mapped directly to the NIST AI Risk Management Framework 1.0. Enter your AI system details to begin.
Configure your assessment
This tool is strictly scoped to NIST AI RMF 1.0. It evaluates any AI system across four functions: Govern, Map, Measure, and Manage โ and outputs a prioritised gap report with remediation actions.
NIST AI Risk Management Framework โ Version 1.0 (2023)
GovernMapMeasureManage
GV
Function 1 of 4
Govern
Assesses whether policies, accountability structures, and cultural practices are in place to support responsible AI use.
GV-1.1
Does [System] have a documented policy that defines roles and responsibilities for AI risk oversight?
GV-1.2
Is there a named AI risk owner accountable for [System]'s outcomes and escalation decisions?
GV-4.1
Have staff involved in reviewing AI outputs received training on AI limitations, bias risks, and fair decision-making?
GV-6.1
Are policies reviewed and updated when [System] is retrained, updated, or deployed to new contexts?
Section 1 of 4
MP
Function 2 of 4
Map
Assesses whether the context, use case, affected populations, and risk categories have been properly identified and documented.
MP-1.1
Has the intended use case of [System] been formally documented, including the populations it was designed to assess?
MP-2.3
Have potential harms to [Affected] been identified โ including false positives or incorrect outputs that could negatively impact them?
MP-4.1
Has the training data used by [System] been reviewed for demographic or representational gaps that could introduce bias?
MP-5.1
Are the legal and regulatory requirements applicable to this AI system documented and mapped to specific controls?
Section 2 of 4
MS
Function 3 of 4
Measure
Assesses whether identified risks are being actively analysed, tested, and quantified using appropriate metrics and methods.
MS-1.1
Are quantitative performance metrics tracked for [System] on a regular cadence?
MS-2.5
Has [System] been tested for bias across demographic groups to check whether outputs differ unfairly by population segment?
MS-3.3
Is there a process to detect model drift โ where [System]'s accuracy degrades as real-world conditions evolve over time?
MS-4.1
Are explainability mechanisms in place so that human reviewers understand why [System] produced a specific output?
Section 3 of 4
MG
Function 4 of 4
Manage
Assesses whether identified risks are being actively prioritised, treated, monitored, and communicated to relevant stakeholders.
MG-1.1
Is there a risk register where [System] risks are logged, prioritised, and assigned to named owners?
MG-2.2
Does a process exist for [Affected] to dispute or challenge an AI-driven output โ and is that process reviewed for fairness?
MG-3.1
Are [System] incidents and failures logged and reviewed to drive continuous improvement in performance and policy?
MG-4.2
Are senior stakeholders (e.g. CISO, CRO, or Board) receiving regular reporting on [System]'s risk posture and open remediation items?