NIST AI RMF Checklist

Free 10-point self-assessment for the NIST AI Risk Management Framework (AI RMF 1.0). It covers the Govern, Map, Measure, and Manage functions, and each item includes a governance mapping that shows which HUMMBL control gives the requirement a concrete, auditable form.

Last updated June 14, 2026 · Interactive assessment →

Disclaimer: This checklist is for self-assessment and educational purposes. It does not constitute legal advice. NIST AI RMF is a voluntary framework. Consult a qualified attorney or compliance professional before making legal decisions.

Govern

1. Leadership & Accountability

1

Defined AI governance roles and responsibilities

Have you assigned specific individuals or teams responsible for AI risk governance, with documented roles and decision-making authority?

Governance mapping: HUMMBL's governance bus captures who authorized each decision, creating an immutable audit trail of accountability.

2

Organizational risk tolerance documented

Have you documented your organization's risk tolerance for AI systems, including acceptable thresholds for bias, privacy, safety, and performance failures?

Governance mapping: HUMMBL's cost governor enforces budget ceilings, which gives one dimension of risk tolerance (spend) a concrete, enforced form. Thresholds for bias, privacy, safety, and performance failures still need to be documented as explicit numbers so they can be tested against.

Map

2. Context & Risk Identification

3

AI system context documented

Have you documented the intended purpose, expected users, deployment environment, and intended benefits of each AI system?

Governance mapping: The delegation token system encodes scope and context directly into every authorization, so a delegated action cannot be used outside the purpose and environment it was issued for.

4

Stakeholders identified and engaged

Have you identified all stakeholders affected by the AI system (users, affected individuals, operators, regulators) and documented their concerns?

Governance mapping: The governance bus captures stakeholder intent through structured metadata on every bus message.

5

Risk categorization framework applied

Have you categorized AI risks by likelihood and impact, using a structured framework (e.g., NIST risk taxonomy or your organization's standard)?

Governance mapping: HUMMBL's kill switch has four escalation modes (DISENGAGED → HALT_NONCRITICAL → HALT_ALL → EMERGENCY), which lets each risk category be paired with a proportionate response. The categorization itself (likelihood and impact per risk) still has to be documented separately; the kill switch is the response side of that mapping.

Measure

3. Evaluation & Monitoring

6

Performance metrics defined and tracked

Have you defined quantitative metrics for AI system performance (accuracy, latency, fairness, robustness) and implemented continuous monitoring?

Governance mapping: The circuit breaker trips automatically when an external adapter's error rate exceeds its threshold, which gives continuous, enforced monitoring of availability and robustness. Accuracy, latency, and fairness metrics are not covered by the breaker and need their own tracked measurements.

7

Bias and fairness assessments conducted

Have you assessed the AI system for demographic bias, fairness across subgroups, and disparate impact on protected classes?

Governance mapping: Regular bias audits should be logged as governance bus events with full provenance and results.

8

Human oversight mechanisms in place

Have you defined when and how humans review, override, or stop AI system outputs? Are there clear escalation paths for edge cases?

Governance mapping: HUMMBL's kill switch provides explicit human-in-the-loop control. Its halt state is persisted to the file system, so a halt imposed by an operator survives process restarts rather than being silently cleared.

Manage

4. Response & Improvement

9

Incident response plan for AI failures

Do you have a documented incident response plan specific to AI system failures, including containment, communication, and recovery procedures?

Governance mapping: The circuit breaker and kill switch together provide automatic containment, and the governance bus provides an immutable incident log. Communication and recovery procedures are not automated by these controls and still have to be written into the plan.
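The containment chain referenced in items 5, 6, 8 and 9 (an error-rate circuit breaker that escalates a graduated, file-persisted kill switch) is easier to evaluate against the checklist when written out. The block below is an added example for this checklist, not HUMMBL's code: the four mode names are taken from the page, while the class names, thresholds, state-file format, and the `payments_adapter` sample are assumptions made here for illustration.

```python
# Added example for this checklist, not HUMMBL's code: a circuit breaker that trips on an
# external adapter's error rate and escalates a kill switch whose halt state is persisted to a
# file so it survives restarts. Mode names come from the page; all other details are assumed.
from __future__ import annotations

import json, os, tempfile, time
from collections import deque
from contextlib import suppress
from enum import IntEnum
from pathlib import Path


class HaltMode(IntEnum):
    DISENGAGED = 0
    HALT_NONCRITICAL = 1
    HALT_ALL = 2
    EMERGENCY = 3


class KillSwitch:
    """Halt state plus an append-only history of who changed it and why. Escalation only moves
    upward; returning to DISENGAGED is a separate human-only reset, so an automatic actor can
    never quietly re-enable a halted system."""
    def __init__(self, state_path: Path) -> None:
        self.state_path, self.mode, self.history = Path(state_path), HaltMode.DISENGAGED, []
        if self.state_path.exists():  # survive restarts: reload the last persisted state
            data = json.loads(self.state_path.read_text())
            self.mode, self.history = HaltMode(data["mode"]), data["history"]

    def _record(self, actor: str, reason: str) -> None:
        self.history.append({"ts": time.time(), "actor": actor, "mode": self.mode.name, "reason": reason})
        tmp = self.state_path.with_suffix(".tmp")
        tmp.write_text(json.dumps({"mode": int(self.mode), "history": self.history}))
        os.replace(tmp, self.state_path)  # atomic rename: never a half-written state file

    def escalate(self, mode: HaltMode, actor: str, reason: str) -> HaltMode:
        if mode > self.mode:  # requests to move downward are ignored, not applied
            self.mode = mode
            self._record(actor, reason)
        return self.mode

    def reset(self, operator: str, reason: str) -> HaltMode:
        self.mode = HaltMode.DISENGAGED
        self._record(f"operator:{operator}", reason)
        return self.mode

    def allows(self, critical: bool) -> bool:
        return self.mode == HaltMode.DISENGAGED or (critical and self.mode == HaltMode.HALT_NONCRITICAL)


class CircuitBreaker:
    """Sliding-window error-rate monitor for one external adapter. Once the rate crosses the
    threshold it opens (refuses calls) and escalates the kill switch, recording the rate."""
    def __init__(self, name: str, kill_switch: KillSwitch, window: int = 20, min_calls: int = 10,
                 threshold: float = 0.5, escalate_to: HaltMode = HaltMode.HALT_NONCRITICAL) -> None:
        self.name, self.kill_switch, self.escalate_to = name, kill_switch, escalate_to
        self.results, self.min_calls, self.threshold = deque(maxlen=window), min_calls, threshold
        self.is_open, self.calls, self.refused = False, 0, 0
        self.tripped_at = self.trip_error_rate = None

    def error_rate(self) -> float:
        return sum(not ok for ok in self.results) / len(self.results) if self.results else 0.0

    def call(self, fn, *args, critical: bool = False):
        self.calls += 1
        if self.is_open or not self.kill_switch.allows(critical):
            self.refused += 1
            raise RuntimeError(f"{self.name}: refused (open={self.is_open}, mode={self.kill_switch.mode.name})")
        try:
            result = fn(*args)
        except Exception:
            self.results.append(False)
            if len(self.results) >= self.min_calls and self.error_rate() >= self.threshold:
                self.is_open, self.tripped_at, self.trip_error_rate = True, self.calls, self.error_rate()
                self.kill_switch.escalate(self.escalate_to, f"circuit_breaker:{self.name}",
                                          f"error rate {self.trip_error_rate:.2f} >= {self.threshold}")
            raise
        self.results.append(True)
        return result


def demo(state_dir: str | None = None) -> dict:
    """End to end: a failing adapter trips the breaker, a human escalates further, the process
    'restarts' (state reloaded from disk), and a human resets. Returns the observed states."""
    state_path = Path(state_dir or tempfile.mkdtemp(prefix="halt-demo-")) / "halt_state.json"
    ks = KillSwitch(state_path)
    cb = CircuitBreaker("payments_adapter", ks, window=10, min_calls=6, threshold=0.5)

    def adapter(ok: bool) -> str:  # constructed stand-in for the external call
        if not ok: raise ConnectionError("upstream 503")
        return "ok"

    for ok in [True] * 4 + [False] * 6:  # constructed sample: healthy, then failing
        with suppress(ConnectionError, RuntimeError):
            cb.call(adapter, ok)
    out = {"tripped_at": cb.tripped_at, "trip_error_rate": cb.trip_error_rate, "refused": cb.refused,
           "mode_after_trip": ks.mode.name, "noncritical_allowed": ks.allows(critical=False),
           "critical_allowed": ks.allows(critical=True)}
    ks.escalate(HaltMode.HALT_ALL, "operator:alice", "pause all adapters during incident review")
    ks.escalate(HaltMode.HALT_NONCRITICAL, "circuit_breaker:other", "ignored: would de-escalate")
    out["mode_after_human_escalation"] = ks.mode.name
    restarted = KillSwitch(state_path)  # new process: state must come back from disk, not memory
    out["mode_after_restart"], out["history_after_restart"] = restarted.mode.name, len(restarted.history)
    out["mode_after_reset"] = restarted.reset("alice", "adapter restored, review complete").name
    out["history_after_reset"] = len(restarted.history)
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points matter for the checklist. First, `escalate` never moves downward and `reset` is a distinct, operator-attributed call, so the automated path cannot re-enable a system a human halted (item 8). Second, the state file is written with an atomic rename and reloaded on construction, so a halt survives a crash or redeploy instead of defaulting back to DISENGAGED (item 9); the history in that file is the record item 1 asks for of who authorized each change.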

10

Continuous improvement process established

Do you have a regular review cycle (e.g., quarterly) for reassessing AI risks, updating controls, and incorporating lessons learned?

Governance mapping: Governance bus logs enable longitudinal analysis of control effectiveness across review cycles.

Need a detailed gap analysis?

Our interactive NIST AI RMF Readiness Assessment provides 12 detailed questions with control-level remediation recommendations and a downloadable report.

Take the Interactive Assessment →