NIST AI RMF Self-Assessment

Self-assessment that cross-references your governance configuration against NIST AI Risk Management Framework 1.0 across 14 subcategories. The GenAI Profile (NIST AI 600-1) is NOT yet modelled.

This is a self-assessment tool, not a certified audit. It cross-references your in-process governance configuration against selected NIST AI RMF 1.0 subcategories. Consult qualified assessors before relying on this output for regulatory filings.

The NIST AI Risk Management Framework (AI RMF 1.0) organises AI risk management around four functions: Govern, Map, Measure, Manage. governance-sdk cross-references 14 subcategories against SDK features.

Scope

  • Modelled: 14 subcategories across all 4 functions.
  • NOT modelled yet: the 50+ GenAI-specific controls added in NIST AI 600-1 (GenAI Profile, July 2024) — data privacy, synthetic-content risks, environmental impact, human-AI configuration. These require signals outside the SDK's current visibility. On the roadmap.

4 Functions

GOVERN

Cultivate a culture of risk management. Policies, accountability, documentation. SDK mapping: policy rules with names and reasons, owner/framework metadata, version-controlled governance config.

MAP

Identify AI system context. Categorise risks, impacts, and affected parties. SDK mapping: agent registration metadata, 7-dimension scoring, repo-pattern detection for declared capabilities.

MEASURE

Analyse, assess, and monitor AI risks. SDK mapping: injection_guard condition (54 regex patterns), audit trail (count + query), dry-run simulation.

MANAGE

Prioritise and act on risks. Incident response, continuous monitoring. SDK mapping: kill switch (priority 999, unbeatable by user rules), graduated enforcement outcomes, behavioural drift tracking.
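The MEASURE and MANAGE mappings above name mechanisms (a regex-driven injection_guard condition, graduated outcomes, a kill switch that user rules cannot outrank, an audit trail with count and query, dry-run simulation) without showing how they fit together. The TypeScript below is an added illustration written for this page, not governance-sdk code, and none of its names are the SDK's API. It assumes: a `PolicyEngine` class of its own design; four constructed regex patterns standing in for the SDK's 54; and that "unbeatable by user rules" is achieved by capping user-rule priority at 998 below the kill switch's 999, which is this example's guess at the invariant rather than the SDK's documented mechanism.

```typescript
// Added illustration for this page, not governance-sdk code. Names, types and
// the pattern set below are assumptions made for the example.

export type Outcome = "allow" | "warn" | "block"; // graduated enforcement outcomes

export interface ActionContext {
  agentId: string;
  tool: string;
  input: string; // untrusted content the agent is about to act on
}

export interface Rule {
  name: string;     // GOVERN: every rule carries a name...
  reason: string;   // ...and a human-readable reason that lands in the audit trail
  priority: number; // higher wins; rules are evaluated highest-priority first
  condition: (ctx: ActionContext) => boolean;
  outcome: Outcome;
}

export interface AuditEntry {
  agentId: string;
  tool: string;
  rule: string;
  reason: string;
  outcome: Outcome;  // what the policy decided
  enforced: boolean; // false under dry-run: decided but not applied
}

// The page says the kill switch runs at priority 999 and cannot be beaten by
// user rules. This example enforces that by refusing user rules above 998 (assumption).
export const KILL_SWITCH_PRIORITY = 999;
export const MAX_USER_PRIORITY = KILL_SWITCH_PRIORITY - 1;

// Constructed stand-in for the SDK's 54 injection patterns (assumption).
// Regex matching only catches phrasings already seen; it is a signal, not a boundary.
const INJECTION_PATTERNS: RegExp[] = [
  /ignore (all |any )?(previous|prior|above) instructions/i,
  /you are now (in )?developer mode/i,
  /reveal (your|the) (system|hidden) prompt/i,
  /<\s*\/?\s*system\s*>/i,
];

// injection_guard-style condition: true when any pattern matches the input.
export function injectionGuard(ctx: ActionContext): boolean {
  return INJECTION_PATTERNS.some((p) => p.test(ctx.input));
}

export class PolicyEngine {
  private rules: Rule[] = [];
  private audit: AuditEntry[] = [];
  private killed = new Set<string>();

  // dryRun = true records decisions in the audit trail without enforcing them.
  constructor(private readonly dryRun: boolean = false) {
    this.rules.push({
      name: "kill_switch",
      reason: "agent halted by operator",
      priority: KILL_SWITCH_PRIORITY,
      condition: (ctx) => this.killed.has(ctx.agentId),
      outcome: "block",
    });
  }

  addUserRule(rule: Rule): void {
    if (rule.priority > MAX_USER_PRIORITY) {
      throw new Error(`rule ${rule.name}: user priority must be <= ${MAX_USER_PRIORITY}`);
    }
    this.rules.push(rule);
  }

  kill(agentId: string): void {
    this.killed.add(agentId);
  }

  // Highest-priority matching rule decides; no match means allow.
  evaluate(ctx: ActionContext): Outcome {
    const byPriority = [...this.rules].sort((a, b) => b.priority - a.priority);
    const hit = byPriority.find((r) => r.condition(ctx));
    const decided: Outcome = hit ? hit.outcome : "allow";
    if (hit) {
      this.audit.push({
        agentId: ctx.agentId,
        tool: ctx.tool,
        rule: hit.name,
        reason: hit.reason,
        outcome: decided,
        enforced: !this.dryRun,
      });
    }
    return this.dryRun ? "allow" : decided;
  }

  auditCount(): number {
    return this.audit.length;
  }

  auditQuery(filter: Partial<Pick<AuditEntry, "agentId" | "rule" | "outcome">>): AuditEntry[] {
    return this.audit.filter(
      (e) =>
        (filter.agentId === undefined || e.agentId === filter.agentId) &&
        (filter.rule === undefined || e.rule === filter.rule) &&
        (filter.outcome === undefined || e.outcome === filter.outcome)
    );
  }
}
```

Two properties worth checking in any real engine are visible here: a user rule that allows everything at priority 1 is still overridden once `kill("agent-1")` is called, because the kill switch sits above any priority a user rule can hold; and a dry-run engine returns `allow` for an injection attempt while its audit entry records `outcome: "block", enforced: false`, which is what lets you rehearse a policy change against real traffic before turning enforcement on. The regex list is deliberately small and is the weakest part of the MEASURE story: patterns only catch known phrasings, so the audit trail and drift tracking matter more than the pattern count.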

Run a Self-Assessment
