NIST AI RMF Evidence and Gap Assessment
Use this practitioner template to organize an internal review informed by the NIST AI Risk Management Framework functions: Govern, Map, Measure, and Manage.
This is not an official NIST artifact, implementation score, audit, profile, or certification. Begin from the official AI RMF material and select the categories and subcategories relevant to the actual system and organizational context.
1. Assessment scope
| Field | Value |
|---|---|
| Organization / team | [TBD] |
| System, use case, or portfolio | [TBD] |
| Versions / environments covered | [TBD] |
| User and affected populations | [TBD] |
| Lifecycle decision supported | [TBD] |
| Assessment owner | [TBD] |
| Required reviewers | [TBD] |
| Evidence cutoff | [TBD] |
| Explicit exclusions | [TBD] |
| Next review / invalidation trigger | [TBD] |
2. Authoritative references selected
Record the official function, category, and subcategory language used for this assessment. Do not rely on a secondary summary when the exact source affects the conclusion.
| Reference ID | Official source / version | Why relevant | Internal interpretation owner |
|---|---|---|---|
[TBD] |
[TBD] |
[TBD] |
[TBD] |
3. Evidence status vocabulary
Use evidence states rather than one function-level maturity number.
| Status | Meaning |
|---|---|
| Demonstrated | Current evidence shows the practice or outcome operating for the reviewed scope. |
| Partially demonstrated | Some scope or elements have evidence; limitations are material. |
| Documented, not demonstrated | A policy or design exists, but operating evidence is absent or insufficient. |
| Not demonstrated | Required evidence is absent or the practice is not operating. |
| Not applicable | The organization has a documented, reviewed rationale for the scoped decision. |
| Unknown | The assessor cannot determine the state from available evidence. |
A template, policy, or meeting is evidence that documentation or process exists—not automatically that the intended control or outcome is effective.
4. Evidence quality
For each item, record:
- source and location;
- system / process version;
- owner and date;
- method used;
- coverage and population;
- limitations and uncertainty;
- freshness and invalidation trigger;
- reviewer and disagreement;
- whether the evidence demonstrates design, operation, or outcome.
5. Govern review
Select the relevant official references and translate them into decision-relevant propositions for the reviewed scope.
| Source reference | Proposition to assess | Evidence and provenance | Status | Limitation / gap | Decision consequence | Owner / due |
|---|---|---|---|---|---|---|
[TBD] |
Are decision, control, incident, and residual-risk owners authorized and current? | [TBD] |
[status] |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
Are policies, review paths, exceptions, and change triggers operating for this scope? | [TBD] |
[status] |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
Are affected-party input, accountability, and redress responsibilities defined where relevant? | [TBD] |
[status] |
[TBD] |
[TBD] |
[TBD] |
6. Map review
| Source reference | Proposition to assess | Evidence and provenance | Status | Limitation / gap | Decision consequence | Owner / due |
|---|---|---|---|---|---|---|
[TBD] |
Are intended use, prohibited use, users, affected populations, and environment bounded? | [TBD] |
[status] |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
Are data, model, tool, supplier, and operational dependencies understood? | [TBD] |
[status] |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
Are foreseeable benefits, harms, misuse, failures, and reversibility contextualized? | [TBD] |
[status] |
[TBD] |
[TBD] |
[TBD] |
7. Measure review
| Source reference | Proposition to assess | Evidence and provenance | Status | Limitation / gap | Decision consequence | Owner / due |
|---|---|---|---|---|---|---|
[TBD] |
Do evaluation and monitoring methods measure the stated properties for the intended population? | [TBD] |
[status] |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
Are evaluator validity, uncertainty, slices, and critical failures visible? | [TBD] |
[status] |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
Are control and outcome results traceable to the reviewed system version? | [TBD] |
[status] |
[TBD] |
[TBD] |
[TBD] |
8. Manage review
| Source reference | Proposition to assess | Evidence and provenance | Status | Limitation / gap | Decision consequence | Owner / due |
|---|---|---|---|---|---|---|
[TBD] |
Are risks prioritized and treated through enforceable decisions and controls? | [TBD] |
[status] |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
Are release, hold, exception, residual-risk, incident, rollback, and retirement decisions accountable? | [TBD] |
[status] |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
Are treatments monitored, tested, and changed when evidence or context changes? | [TBD] |
[status] |
[TBD] |
[TBD] |
[TBD] |
9. Material gaps and dependencies
Prioritize by decision consequence, affected people, authority, and evidence—not by subtracting arbitrary maturity scores.
| Gap ID | Gap or uncertainty | Function / source | Decision affected | Consequence if unresolved | Evidence required | Owner | Due / trigger | Disposition |
|---|---|---|---|---|---|---|---|---|
| GAP-001 | [TBD] |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
blocker / action / condition / defer |
10. Strengths and reusable evidence
Record demonstrated practices and evidence that can be reused, including its scope and expiry.
| Practice / evidence | Scope | Why credible | Reuse conditions | Owner / location |
|---|---|---|---|---|
[TBD] |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
A gap assessment that records only deficiencies encourages inflated maturity claims later and discards useful operating evidence.
11. Decision and improvement plan
Decision supported: [TBD]
| Outcome: proceed | proceed with conditions | hold | redesign | defer | other |
Rationale:
[TBD]
Conditions, actions, and residual risks
| Item | Type | Owner | Due / expiry | Verification | Escalation / stop trigger |
|---|---|---|---|---|---|
[TBD] |
condition / action / exception / residual risk | [TBD] |
[TBD] |
[TBD] |
[TBD] |
Operating-model improvements
Separate system-specific remediation from improvements to the governance process itself.
| Improvement | Failure demand addressed | Owner | Evidence of improvement | Review date |
|---|---|---|---|---|
[TBD] |
[TBD] |
[TBD] |
[TBD] |
[TBD] |
12. Assessment limitations
- references not reviewed:
- evidence unavailable or stale:
- affected groups not represented:
- methods not independently reviewed:
- system or environment changes expected:
- other limitations:
Reviewer checklist
- Official source references and versions are recorded.
- Scope, decision, system version, populations, and exclusions are explicit.
- Status reflects evidence, not document existence or assessor impression.
- Not-applicable conclusions have reviewed rationale.
- Evidence provenance, limitations, and freshness are visible.
- Material gaps are tied to decision consequence.
- Conditions, exceptions, and residual risks have owners and expiry.
- System remediation and governance-process improvement are separated.
- The report does not claim NIST implementation or compliance solely from template completion.