NIST AI RMF Self-Assessment
Score your AI risk-management maturity across the four NIST AI RMF functions in about ten minutes. Twenty subcategory questions, four maturity bands, a per-function heatmap, and a prioritized list of where to invest next — exportable as Markdown.
GOVERN function
Cultivate a culture of risk management — policies, processes, roles, accountability, and oversight aligned to AI.
Legal and regulatory requirements affecting your AI systems are identified, documented, and monitored.
Covers EU AI Act, GDPR, sector rules (HIPAA, SR 11-7, EEOC), and emerging guidance — with a designated owner.
AI risk-management roles and responsibilities are assigned across the lifecycle.
Named accountable owners for design, training, evaluation, deployment, monitoring, and incident response.
An AI risk-management governance structure exists with defined escalation paths.
Steering committee, review boards, or equivalent — with clear criteria for when AI use-cases go to which body.
External feedback channels exist for affected individuals and third parties.
Bug bounties, red-teaming, complaint intake, ombuds, or external advisory boards.
Third-party AI risk policies (vendors, foundation-model providers) are in place.
Due-diligence questionnaires, contractual controls, ongoing monitoring of supplier model changes.
Common questions
What does this tool measure?
Maturity against the four core functions of the NIST AI Risk Management Framework 1.0 — GOVERN, MAP, MEASURE, MANAGE — using twenty subcategory triage questions drawn from the AI RMF Core. Each question is answered as Not in place, Partial, or Documented + operating, producing a per-function 0–100 score and an overall maturity band.
Is this a substitute for a formal NIST AI RMF assessment?
No. The AI RMF is non-prescriptive by design — full implementation requires alignment with the AI RMF Playbook (NIST AI 100-1A), sector-specific overlays, and your own organizational context. This tool produces a fast heatmap to surface where to invest first.
How are maturity bands defined?
Initial (0–25): ad-hoc, reactive. Developing (26–50): informal, individual-driven. Defined (51–75): documented, repeatable across most work. Optimized (76–100): continuously measured and improved. The bands map loosely to CMMI / capability-maturity conventions, adapted for AI risk practice.
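The per-function scoring and band mapping described above, as an added example in JavaScript (not the tool's own code). The page gives the three answer labels and the four bands but not the point value behind each answer, so the values 0 / 50 / 100 averaged per function, the function names scoreFunction, bandFor and assess, and the sample answers are all assumptions made for this illustration.

```javascript
// Added example, not the tool's own code. Point values per answer are an
// assumption (the page states only the three answer labels and the bands).
const ANSWER_POINTS = { "Not in place": 0, "Partial": 50, "Documented + operating": 100 };

// Maturity bands as defined on the page (upper bound inclusive).
const BANDS = [
  { name: "Initial", max: 25 },
  { name: "Developing", max: 50 },
  { name: "Defined", max: 75 },
  { name: "Optimized", max: 100 },
];

// Average the answer points for one function and round to a 0-100 integer.
function scoreFunction(answers) {
  if (answers.length === 0) throw new Error("a function needs at least one answer");
  let total = 0;
  for (const a of answers) {
    // hasOwnProperty, not `in`, so inherited names like "constructor" are rejected
    if (!Object.prototype.hasOwnProperty.call(ANSWER_POINTS, a)) throw new Error(`unknown answer: ${a}`);
    total += ANSWER_POINTS[a];
  }
  return Math.round(total / answers.length);
}

// Map a 0-100 score to the first band whose upper bound it does not exceed.
function bandFor(score) {
  if (!Number.isInteger(score) || score < 0 || score > 100) throw new RangeError(`score out of range: ${score}`);
  return BANDS.find((b) => score <= b.max).name;
}

// Score every function, take the overall score as the mean of function scores,
// and list functions lowest-first as the "where to invest next" order.
function assess(answersByFunction) {
  const functions = {};
  for (const [fn, answers] of Object.entries(answersByFunction)) {
    const score = scoreFunction(answers);
    functions[fn] = { score, band: bandFor(score) };
  }
  const scores = Object.values(functions).map((f) => f.score);
  if (scores.length === 0) throw new Error("no functions answered");
  const overall = Math.round(scores.reduce((s, x) => s + x, 0) / scores.length);
  const priorities = Object.keys(functions).sort((a, b) => functions[a].score - functions[b].score);
  return { functions, overall: { score: overall, band: bandFor(overall) }, priorities };
}

// Constructed sample answers (two of the four functions, five questions each).
const SAMPLE = {
  GOVERN: ["Documented + operating", "Partial", "Partial", "Not in place", "Partial"],
  MAP: ["Partial", "Partial", "Documented + operating", "Documented + operating", "Documented + operating"],
};
const report = assess(SAMPLE); // GOVERN 50 Developing, MAP 80 Optimized, overall 65 Defined
```

Because everything here is plain functions over in-memory objects, it runs entirely client-side, matching the page's statement that no answers leave the browser.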
Does the assessment data leave my browser?
No. Answers, scoring, and Markdown generation all run client-side. Nothing is transmitted, logged, or persisted server-side.
How does the AI RMF relate to the EU AI Act?
The AI RMF is the dominant US framework — non-binding but widely adopted across federal contracting and regulated sectors. The EU AI Act is binding law in the EU. The two overlap on core practices (risk management, documentation, monitoring, human oversight) and most organizations operating in both jurisdictions use the AI RMF as the operational backbone for AI Act conformity.
How does this support AIGP exam prep?
The IAPP AIGP exam covers the NIST AI RMF in detail — including the four functions, trustworthiness characteristics (valid + reliable, safe, secure + resilient, accountable + transparent, explainable + interpretable, privacy-enhanced, fair with bias managed), and the role of the AI RMF Playbook. Working through this assessment mirrors the kind of practical reasoning the exam tests.