30 Days Gen AI Risk Trial -Start Now
Book a demo
Free Template · NIST AI RMF

NIST AI RMF Gap Analysis TemplateHow Does Your AI Risk Management Measure Up?

The NIST AI Risk Management Framework is the de facto baseline for AI governance in the US and far beyond. This template walks you through all 19 categories across GOVERN, MAP, MEASURE, and MANAGE: rate your maturity, capture evidence, log gaps, and build a prioritized remediation roadmap, with a dedicated overlay for the Generative AI Profile.

How the NIST AI RMF Is Organized

AI RMF 1.0 groups AI risk management into four functions. GOVERN is cross-cutting and underpins the other three, which apply to specific AI systems and use cases.

GOVERN

6 categories
Culture, policies, accountability

Establishes the policies, accountability structures, and risk culture that the rest of the framework depends on. Assessed once at the organization level.

  • Policies and processes
  • Accountability structures
  • Workforce diversity and accessibility
  • Risk culture
  • Engagement with AI actors
  • Third-party and supply chain risk

MAP

5 categories
Context and risk identification

Establishes the context of each AI system and identifies its risks: intended purpose, categorization, capabilities and costs, third-party components, and impacts on people.

  • Context established
  • System categorization
  • Capabilities, benefits, and costs
  • Component and third-party risk mapping
  • Impact characterization

MEASURE

4 categories
Assessment, testing, tracking

Turns identified risks into assessments: metrics, evaluation against the trustworthy AI characteristics, risk tracking over time, and checks that measurement itself works.

  • Methods and metrics
  • Trustworthiness evaluation
  • Risk tracking
  • Measurement efficacy

MANAGE

4 categories
Prioritization, response, recovery

Allocates resources to the risks that MAP and MEASURE surfaced: treatment decisions, benefit strategies, third-party risk management, and response and recovery plans.

  • Risk prioritization and response
  • Benefit and impact strategies
  • Third-party risk management
  • Treatment, response, and recovery

What the Gap Analysis Covers

A working assessment document, not an outline: every table is ready to fill in with your ratings, evidence, and owners.

Category-by-category tables

All 19 categories with a maturity rating and columns for evidence, gaps, actions, and owner.

Four-point maturity scale

Not Started, Partially Met, Largely Met, and Fully Met, with clear definitions so ratings stay consistent across teams.

Generative AI Profile overlay

The twelve generative AI risks from NIST AI 600-1 as a relevance and coverage check on top of the core assessment.

One-page scoring summary

A consolidated view of all category ratings for executive reporting and cycle-over-cycle comparison.

Prioritized remediation roadmap

A single roadmap table with priorities, owners, target dates, and sequencing guidance.

Scoping guidance

Which systems to include, which teams to involve, and how often to reassess.

NIST AI RMF vs ISO 42001

The two frameworks complement each other: most mature AI governance programs use the NIST AI RMF to structure risk thinking and ISO 42001 to certify the management system around it.

AspectNIST AI RMFISO 42001
What it isVoluntary risk management framework published by NIST (January 2023)Certifiable international management system standard (December 2023)
Structure4 functions (GOVERN, MAP, MEASURE, MANAGE) with 19 categoriesClauses 4 to 10 plus Annex A controls
CertificationNone; self-assessment against the frameworkAccredited third-party certification available
FocusIdentifying, measuring, and treating the risks of AI systemsAn organization-wide AI management system with continual improvement
Best first stepFast, flexible baseline; strong for US-market and federal-adjacent organizationsWhen customers or regulators expect certified assurance

Running both gap analyses gives you a risk view and a management system view of the same program. The natural companion to this template: ISO 42001 Gap Analysis Template

Get started

Close the visibility gap first

GOVERN 1 asks for a complete AI inventory and MAP 4 asks what sits inside it. Aona discovers every AI tool in use across your organization, monitors what data flows into them, and keeps the evidence audit-ready.