NIST AI RMF Gap Assessment
Use this template to assess current AI governance maturity against the NIST AI RMF functions: Govern, Map, Measure, and Manage.
This is a practitioner template. It is not an official NIST artifact and is not a compliance certification.
| Field |
Value |
| Organization / team |
[TBD] |
| AI system or portfolio |
[TBD] |
| Assessment date |
[TBD] |
| Assessor |
[TBD] |
| Scope |
[single system / product line / portfolio] |
| Risk tier |
[low / medium / high] |
| Review cadence |
[TBD] |
2. Summary Rating
| RMF Function |
Current maturity |
Target maturity |
Gap severity |
Priority |
| Govern |
[0-5] |
[0-5] |
[low/medium/high] |
[low/medium/high] |
| Map |
[0-5] |
[0-5] |
[low/medium/high] |
[low/medium/high] |
| Measure |
[0-5] |
[0-5] |
[low/medium/high] |
[low/medium/high] |
| Manage |
[0-5] |
[0-5] |
[low/medium/high] |
[low/medium/high] |
Maturity scale
| Score |
Meaning |
| 0 |
Not started |
| 1 |
Ad hoc and undocumented |
| 2 |
Documented but inconsistent |
| 3 |
Implemented for priority systems |
| 4 |
Standardized and measured |
| 5 |
Continuously improved |
3. Govern
| Control area |
Current state |
Evidence |
Gap |
Action owner |
Due date |
| AI policy and principles |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
| Roles and accountability |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
| System inventory |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
| Risk-tiering process |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
| Governance review cadence |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
4. Map
| Control area |
Current state |
Evidence |
Gap |
Action owner |
Due date |
| Use-case context |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
| Stakeholder and impact mapping |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
| Data and dependency mapping |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
| Harm and failure-mode identification |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
| Regulatory or policy context |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
5. Measure
| Control area |
Current state |
Evidence |
Gap |
Action owner |
Due date |
| Performance evaluation |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
| Fairness and subgroup testing |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
| Robustness and red-team testing |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
| Monitoring and drift metrics |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
| Traceability and auditability |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
6. Manage
| Control area |
Current state |
Evidence |
Gap |
Action owner |
Due date |
| Risk treatment plan |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
| Release gate decision process |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
| Incident response and escalation |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
| Post-release review |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
| Retirement or rollback criteria |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
7. Top Gaps
| Gap |
RMF function |
Severity |
Recommended action |
Owner |
Due date |
[TBD] |
[Govern/Map/Measure/Manage] |
[low/medium/high] |
[TBD] |
[TBD] |
[TBD] |
8. Improvement Roadmap
Next 30 days
Next 90 days
Next 180 days
9. Review Decision
Decision rationale:
[TBD]