The NIST AI Risk Management Framework is the de facto baseline for AI governance in the US and far beyond. This template walks you through all 19 categories across GOVERN, MAP, MEASURE, and MANAGE: rate your maturity, capture evidence, log gaps, and build a prioritized remediation roadmap, with a dedicated overlay for the Generative AI Profile.
AI RMF 1.0 groups AI risk management into four functions. GOVERN is cross-cutting and underpins the other three, which apply to specific AI systems and use cases.
Establishes the policies, accountability structures, and risk culture that the rest of the framework depends on. Assessed once at the organization level.
Establishes the context of each AI system and identifies its risks: intended purpose, categorization, capabilities and costs, third-party components, and impacts on people.
Turns identified risks into assessments: metrics, evaluation against the trustworthy AI characteristics, risk tracking over time, and checks that measurement itself works.
Allocates resources to the risks that MAP and MEASURE surfaced: treatment decisions, benefit strategies, third-party risk management, and response and recovery plans.
A working assessment document, not an outline: every table is ready to fill in with your ratings, evidence, and owners.
All 19 categories with a maturity rating and columns for evidence, gaps, actions, and owner.
Not Started, Partially Met, Largely Met, and Fully Met, with clear definitions so ratings stay consistent across teams.
The twelve generative AI risks from NIST AI 600-1 as a relevance and coverage check on top of the core assessment.
A consolidated view of all category ratings for executive reporting and cycle-over-cycle comparison.
A single roadmap table with priorities, owners, target dates, and sequencing guidance.
Which systems to include, which teams to involve, and how often to reassess.
The two frameworks complement each other: most mature AI governance programs use the NIST AI RMF to structure risk thinking and ISO 42001 to certify the management system around it.
| Aspect | NIST AI RMF | ISO 42001 |
|---|---|---|
| What it is | Voluntary risk management framework published by NIST (January 2023) | Certifiable international management system standard (December 2023) |
| Structure | 4 functions (GOVERN, MAP, MEASURE, MANAGE) with 19 categories | Clauses 4 to 10 plus Annex A controls |
| Certification | None; self-assessment against the framework | Accredited third-party certification available |
| Focus | Identifying, measuring, and treating the risks of AI systems | An organization-wide AI management system with continual improvement |
| Best first step | Fast, flexible baseline; strong for US-market and federal-adjacent organizations | When customers or regulators expect certified assurance |
Running both gap analyses gives you a risk view and a management system view of the same program. The natural companion to this template: ISO 42001 Gap Analysis Template
GOVERN 1 asks for a complete AI inventory and MAP 4 asks what sits inside it. Aona discovers every AI tool in use across your organization, monitors what data flows into them, and keeps the evidence audit-ready.