Skip to the content.

NIST AI RMF Evidence and Gap Assessment

Use this practitioner template to organize an internal review informed by the NIST AI Risk Management Framework functions: Govern, Map, Measure, and Manage.

This is not an official NIST artifact, implementation score, audit, profile, or certification. Begin from the official AI RMF material and select the categories and subcategories relevant to the actual system and organizational context.

1. Assessment scope

Field Value
Organization / team [TBD]
System, use case, or portfolio [TBD]
Versions / environments covered [TBD]
User and affected populations [TBD]
Lifecycle decision supported [TBD]
Assessment owner [TBD]
Required reviewers [TBD]
Evidence cutoff [TBD]
Explicit exclusions [TBD]
Next review / invalidation trigger [TBD]

2. Authoritative references selected

Record the official function, category, and subcategory language used for this assessment. Do not rely on a secondary summary when the exact source affects the conclusion.

Reference ID Official source / version Why relevant Internal interpretation owner
[TBD] [TBD] [TBD] [TBD]

3. Evidence status vocabulary

Use evidence states rather than one function-level maturity number.

Status Meaning
Demonstrated Current evidence shows the practice or outcome operating for the reviewed scope.
Partially demonstrated Some scope or elements have evidence; limitations are material.
Documented, not demonstrated A policy or design exists, but operating evidence is absent or insufficient.
Not demonstrated Required evidence is absent or the practice is not operating.
Not applicable The organization has a documented, reviewed rationale for the scoped decision.
Unknown The assessor cannot determine the state from available evidence.

A template, policy, or meeting is evidence that documentation or process exists—not automatically that the intended control or outcome is effective.

4. Evidence quality

For each item, record:

5. Govern review

Select the relevant official references and translate them into decision-relevant propositions for the reviewed scope.

Source reference Proposition to assess Evidence and provenance Status Limitation / gap Decision consequence Owner / due
[TBD] Are decision, control, incident, and residual-risk owners authorized and current? [TBD] [status] [TBD] [TBD] [TBD]
[TBD] Are policies, review paths, exceptions, and change triggers operating for this scope? [TBD] [status] [TBD] [TBD] [TBD]
[TBD] Are affected-party input, accountability, and redress responsibilities defined where relevant? [TBD] [status] [TBD] [TBD] [TBD]

6. Map review

Source reference Proposition to assess Evidence and provenance Status Limitation / gap Decision consequence Owner / due
[TBD] Are intended use, prohibited use, users, affected populations, and environment bounded? [TBD] [status] [TBD] [TBD] [TBD]
[TBD] Are data, model, tool, supplier, and operational dependencies understood? [TBD] [status] [TBD] [TBD] [TBD]
[TBD] Are foreseeable benefits, harms, misuse, failures, and reversibility contextualized? [TBD] [status] [TBD] [TBD] [TBD]

7. Measure review

Source reference Proposition to assess Evidence and provenance Status Limitation / gap Decision consequence Owner / due
[TBD] Do evaluation and monitoring methods measure the stated properties for the intended population? [TBD] [status] [TBD] [TBD] [TBD]
[TBD] Are evaluator validity, uncertainty, slices, and critical failures visible? [TBD] [status] [TBD] [TBD] [TBD]
[TBD] Are control and outcome results traceable to the reviewed system version? [TBD] [status] [TBD] [TBD] [TBD]

8. Manage review

Source reference Proposition to assess Evidence and provenance Status Limitation / gap Decision consequence Owner / due
[TBD] Are risks prioritized and treated through enforceable decisions and controls? [TBD] [status] [TBD] [TBD] [TBD]
[TBD] Are release, hold, exception, residual-risk, incident, rollback, and retirement decisions accountable? [TBD] [status] [TBD] [TBD] [TBD]
[TBD] Are treatments monitored, tested, and changed when evidence or context changes? [TBD] [status] [TBD] [TBD] [TBD]

9. Material gaps and dependencies

Prioritize by decision consequence, affected people, authority, and evidence—not by subtracting arbitrary maturity scores.

Gap ID Gap or uncertainty Function / source Decision affected Consequence if unresolved Evidence required Owner Due / trigger Disposition
GAP-001 [TBD] [TBD] [TBD] [TBD] [TBD] [TBD] [TBD] blocker / action / condition / defer

10. Strengths and reusable evidence

Record demonstrated practices and evidence that can be reused, including its scope and expiry.

Practice / evidence Scope Why credible Reuse conditions Owner / location
[TBD] [TBD] [TBD] [TBD] [TBD]

A gap assessment that records only deficiencies encourages inflated maturity claims later and discards useful operating evidence.

11. Decision and improvement plan

Decision supported: [TBD]

Outcome: proceed proceed with conditions hold redesign defer other

Rationale:

[TBD]

Conditions, actions, and residual risks

Item Type Owner Due / expiry Verification Escalation / stop trigger
[TBD] condition / action / exception / residual risk [TBD] [TBD] [TBD] [TBD]

Operating-model improvements

Separate system-specific remediation from improvements to the governance process itself.

Improvement Failure demand addressed Owner Evidence of improvement Review date
[TBD] [TBD] [TBD] [TBD] [TBD]

12. Assessment limitations

Reviewer checklist