User Guide
How to complete the AI governance assessment effectively and get the most out of your risk report and governance package.
What You'll Get
The assessment produces two tiers of output.
Free — available immediately after submission:
- NIST AI RMF Risk Tier (Tier 1–4) with inherent risk score and scoring rationale
- Governance Maturity Score across GOVERN, MAP, MEASURE, and MANAGE domains
- Active Risk Flags with plain-language explanations
- Deployment Recommendation — proceed, proceed with conditions, or do not proceed
Full Governance Package (paid) — 18 tailored documents:
- Gap analysis across all four RMF functions
- Prioritized findings register with remediation guidance
- 30/60/90-day implementation roadmap
- Executive risk memorandum for leadership review
- System risk profile
- 13 AI governance policies (POL-001 through POL-013)
- 5 supporting artifacts — compliance matrix, RACI matrix, AI system inventory, vendor risk questionnaire, assumptions & evidence register
Before You Begin
Set aside 20–30 minutes to complete the assessment in one session. Your progress saves automatically in the browser, but the best answers come from having the right information in front of you.
Gather this information beforehand:
- The name, type, and deployment status of the AI system you are assessing
- Who built it — internal team, vendor, or open-source — and if a vendor, their name and product version
- What decisions it influences and who it affects
- What data it uses and where that data comes from
- Names and titles of your AI risk owner, executive sponsor, and relevant team leads
- Whether your organization has any existing AI policies, risk management frameworks, or prior AI assessments
- Any applicable regulations or frameworks your organization operates under (GDPR, EU AI Act, state AI laws, sector-specific rules)
How the Assessment Works
The assessment covers 10 sections aligned to the NIST AI RMF 1.0 structure:
- Organization & AI Profile: Your organization, industry, size, and AI governance context
- AI System Overview: The system being assessed, including what it does, who built it, and how it's deployed
- Data Governance: What data the system uses, its quality, provenance, and privacy considerations
- Stakeholder & Impact Analysis: Who is affected, how, and at what severity
- Technical Controls: Performance, safety, security, transparency, privacy, fairness, and explainability controls
- Organizational Governance: Policies, roles, approval processes, vendor management, and human oversight
- Pre-Deployment Testing: Testing, go/no-go criteria, and independent review
- Production Monitoring: Ongoing monitoring, alerting, and issue tracking
- Incidents & Risk Treatment: Prior incidents, treatment decisions, and residual risk acceptance
- Regulatory & Legal Context: Applicable laws and open-ended notes
Tips for Best Results
Answer Based on Current State, Not Goals
The system generates governance documents based on where you are today. If you answer based on aspirations rather than current reality, the policies won't address your actual gaps.
Does your organization have a formal AI governance policy?
✗ "Yes" — because you are planning to write one next quarter
✓ "No" — the governance policy document in your package will then be drafted as a new policy to establish, not an update to an existing one. The roadmap will include the adoption step with a realistic timeline.
Be Specific in Open-Text Fields
Open-text fields are where the AI learns about your specific context. Specific answers produce substantially more tailored documents.
System Description:
✗ "We use AI for emails"
✓ "We use Claude (Anthropic) to help administrative staff improve the clarity and tone of internal and external communications. The system recommends edits — employees review and decide whether to accept them."
Be Honest About Gaps
This assessment is not an audit. Acknowledging missing controls is exactly how the tool generates policies that address your real needs — not a generic organization's.
It's expected and fine to select:
- "Not implemented"
- "No formal process"
- "Ad hoc"
- "No" to governance questions
Organizations with few controls in place often get the most value — the gap analysis and roadmap are more substantive when there is more to address.
Use Exact Role Titles
The governance package uses the role titles you enter — policy approver blocks, RACI matrices, and the executive memo all reference them directly. Entering "CEO" or "IT Manager" will produce documents that match your actual org structure.
One System at a Time
Each assessment covers a single AI system. If your organization has multiple AI systems with different risk profiles, complete a separate assessment for each. The system inventory artifact in the package will capture all of them once you have completed individual assessments.
Section-by-Section Guidance
Section 1: Organization & AI Profile
- Organization Name — Used throughout all policy documents; enter it exactly as you want it to appear
- Industry — Shapes which regulatory references appear in the compliance matrix
- Jurisdictions — Where you operate; state-level AI laws (Colorado, Texas, Illinois, etc.) are triggered based on this
- Existing Frameworks — If you already follow NIST CSF, ISO 27001, or SOC 2, the policies will reference these rather than duplicate them
- Contact Details — Appears in the document headers and executive memo signature block
Section 2: AI System Overview
- System Description — The most important free-text field. Describe what it does, not just its category.
- Decision Role — Whether the AI makes autonomous decisions, recommends to humans, or provides information only. This drives the autonomy risk dimension significantly.
- End User Direct Access — Whether external users interact with the AI directly. External-facing systems carry substantially higher risk than internal-only tools.
- Vendor Details — For third-party systems, the vendor name and product appear in the vendor risk sections of the package
Section 3: Data Governance
- Data Types — Personal data, financial data, health data, and biometric data each trigger specific privacy and compliance requirements
- Protected Classes — Whether the data includes race, gender, age, or other protected attributes; drives the fairness testing requirements in the TEVV policy
- Third-Party Data — Whether you mix your own data with external data sources affects data governance requirements
- Data Agreements — The absence of formal data agreements is flagged as a governance gap
Section 4: Stakeholder & Impact Analysis
- Primary and Secondary Users — Who uses the system and who is indirectly affected
- Impact Dimensions — Rate likelihood and severity across nine harm categories (civil rights, discrimination, financial, safety, psychological, reputation, operational, environmental, security). "N/A" is a valid choice if the harm type genuinely does not apply.
- Vulnerable Populations — Whether the system affects children, elderly individuals, or people with disabilities; if so, the risk tier is elevated
Section 5: Technical Controls
This is the longest section and drives a substantial portion of the maturity score. Go through each domain carefully:
- Performance & Reliability — Accuracy testing, bias testing, robustness, and monitoring
- Safety — Human intervention capabilities, graceful degradation, safety incident tracking
- Security — Adversarial testing, access controls, threat modeling, incident response
- Transparency & Accountability — Documentation, user disclosure, audit logs, accountable owner
- Explainability — Whether the system can explain its outputs
- Privacy — PIAs, data minimization, de-identification, individual rights processes
- Fairness — Bias testing categories, fairness metrics, disaggregation analysis
Section 6: Organizational Governance
- AI Governance Policy — Whether a formal policy exists
- Executive Owner — The title of the person with ultimate accountability. Appears in the executive memo and RACI matrix.
- AI Risk Owner — If this role exists, their title appears throughout the governance documents. If not assigned, the package includes placeholder language to designate one.
- Vendor Management — Whether you assess AI vendors; not doing so is a significant governance gap. The vendor risk questionnaire artifact is generated regardless.
- Human Oversight Policies — Whether your organization has policies governing when humans must be in the loop
Section 7: Pre-Deployment Testing
- Representativeness Testing — Whether the system was tested on diverse data before deployment
- Independent Review — Whether external parties reviewed the system
- Go/No-Go Criteria — Whether formal criteria existed for the deployment decision; the absence of this is a Tier A governance flag
Section 8: Production Monitoring
- Production Monitoring — Whether the system is monitored after deployment
- Alert Thresholds — Whether performance degradation triggers alerts
- User Reporting — Whether users can report issues with the system
- Metrics — What performance metrics are tracked post-deployment
Section 9: Incidents & Risk Treatment
- Prior Adverse Events — Honest answers here calibrate the incident response plan to your actual history
- Risk Treatment — How you have addressed identified risks (acceptance, mitigation, transfer, avoidance)
- Suspend Process — Whether a process exists to pause or shut down the system if issues emerge
Section 10: Regulatory & Legal Context
- Applicable Regulations — Select all that apply. GDPR and EU AI Act selections will appear in the compliance matrix with their specific requirements.
- Open-Ended Notes — Use the free-text fields here to capture concerns, planned changes, or context the structured questions didn't cover. This information informs the executive memo and risk narrative.
Understanding Your Risk Report
Risk Tier
Your system is classified into one of four tiers based on inherent risk:
- Tier 1 — Minimal: Limited potential for harm. Basic oversight is sufficient for responsible use.
- Tier 2 — Controlled: Moderate potential for harm. Documented governance, accountability, and regular oversight are required.
- Tier 3 — Significant: Significant potential to impact rights, finances, health, or wellbeing. Rigorous governance and independent testing required.
- Tier 4 — Critical: Severe or irreversible harm potential. Deployment is not recommended without fundamental redesign.
Governance Maturity Score
Your maturity score (0–3.0) across four domains reflects the current state of your AI governance program:
- Policy & Oversight (GOVERN): Formal policies, risk owners, approval workflows, AI system inventory
- Data Management (MAP): Training data quality, documentation, and data usage agreements
- Testing & Monitoring (MEASURE): Pre-deployment testing, go/no-go criteria, and production monitoring
- Safety & Compliance (MANAGE): Safety controls, security, fairness, explainability, and privacy
Risk Flags
Risk flags identify specific governance gaps. Each flag maps to one or more findings in the paid governance package. Hover over any flag to see a plain-language explanation of what it means for your organization.
Deployment Recommendation
Based on the combination of inherent risk tier and control maturity score, the system recommends one of three outcomes: Proceed, Proceed with Conditions, or Do Not Proceed. The recommendation is not a regulatory determination — it is a governance posture assessment based on your self-reported controls.
Frequently Asked Questions
Yes. Your answers save automatically in your browser as you work. Return to the same browser on the same device and your progress will be there.
Use the section tracker at the top of the assessment to navigate back to any section and update your answers before submitting.
Typically 7–10 minutes total. Phase 1 (analysis documents) takes about 2 minutes; Phase 2 (13 policies and 5 artifacts) takes 5–8 minutes. The progress bar updates in real time so you can track it.
"Do Not Proceed" means the combination of your system's inherent risk level and your current governance controls is insufficient for responsible deployment. It is a governance posture signal, not a legal prohibition. The roadmap in your package shows exactly what needs to be in place before reconsidering deployment.
Bracketed items like [Organization-defined: proposed 48 hours; must be validated by leadership] are intentional. They indicate thresholds, timelines, or commitments that your organization must formally decide — the document cannot make those decisions for you. Replace the bracket with your organization's chosen value after leadership review.
Assessment data is retained for 30 days for support purposes, then deleted. It is encrypted in transit and at rest and is never used for AI model training.
These documents are a substantive starting point — they are tailored to your assessment responses and aligned to NIST AI RMF 1.0. However, they are not legal advice. Organizations in regulated industries or subject to specific state and international AI laws should have legal counsel review the policies before formal adoption.
All documents are designed to be edited. Role titles, thresholds, timelines, and scope statements may need adjustment. The bracketed placeholders are the most common customization points.
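Because bracketed placeholders are the items most likely to slip through unresolved into a formally adopted policy, a pre-adoption check that lists every remaining placeholder, and only substitutes values for which a decision has actually been recorded, is useful. The following is an added example written for this guide, not code from the assessment tool; it assumes only the placeholder form shown above ("[Organization-defined: proposed ...; ...]") and uses a constructed policy excerpt as input.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Placeholder form described in the guide, e.g.
# [Organization-defined: proposed 48 hours; must be validated by leadership]
PLACEHOLDER_RE = re.compile(r"\[Organization-defined:\s*(?P<body>[^\]]*)\]")


@dataclass(frozen=True)
class Placeholder:
    line: int                 # 1-based line number in the document
    raw: str                  # full bracketed text exactly as it appears
    proposed: Optional[str]   # value the generator proposed, if any
    condition: Optional[str]  # remaining note, e.g. "must be validated by leadership"


def parse_placeholder(line_no: int, match: "re.Match[str]") -> Placeholder:
    """Split the bracket body on ';' into the proposed value and any conditions."""
    proposed = None
    notes = []
    for part in (p.strip() for p in match.group("body").split(";")):
        if not part:
            continue
        if part.lower().startswith("proposed "):
            proposed = part[len("proposed "):].strip()
        else:
            notes.append(part)
    return Placeholder(line_no, match.group(0), proposed, "; ".join(notes) or None)


def find_placeholders(text: str) -> list[Placeholder]:
    """Return every unresolved placeholder with its line number."""
    found = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PLACEHOLDER_RE.finditer(line):
            found.append(parse_placeholder(line_no, m))
    return found


def apply_decisions(text: str, decisions: dict[str, str]) -> str:
    """Replace only placeholders whose raw text has a recorded leadership decision.

    Placeholders without a decision are left intact so they stay visible to the
    reviewer instead of silently becoming the generator's proposed value."""
    def substitute(m: "re.Match[str]") -> str:
        return decisions.get(m.group(0), m.group(0))
    return PLACEHOLDER_RE.sub(substitute, text)


def unresolved_report(text: str) -> list[str]:
    """Human-readable list of placeholders still open, suitable for a pre-adoption gate."""
    return [f"line {p.line}: {p.raw}" for p in find_placeholders(text)]


# Constructed sample excerpt (hypothetical; not a document produced by the tool).
SAMPLE_POLICY = """\
Policy excerpt (constructed sample)
Incidents rated High must be reported to the AI Risk Owner within [Organization-defined: proposed 48 hours; must be validated by leadership].
Model performance reviews occur every [Organization-defined: proposed 90 days; must be validated by leadership] and are approved by the Executive Owner.
"""

if __name__ == "__main__":
    open_items = find_placeholders(SAMPLE_POLICY)
    for p in open_items:
        print(f"line {p.line}: proposed={p.proposed!r} condition={p.condition!r}")
    # Leadership decided on the first item only; the second stays visible.
    decided = apply_decisions(SAMPLE_POLICY, {open_items[0].raw: "24 hours"})
    print("still unresolved:", unresolved_report(decided))
```

Run it over the generated package before formal adoption: an empty `unresolved_report` result is the condition for sign-off, and keying decisions by the full raw placeholder text means a decision recorded for one threshold can never be applied to a different one by accident.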
Need Help?
- Technical issues: info@strategydms.com
- Questions about your results: info@strategydms.com
- Implementation guidance: Schedule a consultation at strategydms.com/contact-us