NIST AI RMF

Gamut supports assessment aligned to the NIST AI Risk Management Framework (AI RMF), using product-safe summaries and assessment prompts based on its public concepts.

The NIST AI RMF organises AI risk management around four core functions. Gamut structures assessment around the same four, each broken into categories:

| Function | Purpose | Categories |
|----------|---------|------------|
| GOVERN | Establish accountability, policy and culture for AI risk across the organisation. | 6 |
| MAP | Understand context, purpose and where risk arises. | 5 |
| MEASURE | Assess, analyse and track AI risk with evidence. | 4 |
| MANAGE | Prioritise, treat and act on AI risk over time. | 4 |

GOVERN is cross-cutting and informs the other three; MAP, MEASURE and MANAGE follow the arc of understanding, quantifying and then acting on risk. This maps naturally onto Gamut’s own governance lifecycle.

  1. Register and run intake on the system.
  2. Start a NIST AI RMF assessment.
  3. Work through the functions and their categories, recording rationale and evidence.
  4. Raise findings and track remediation.
  5. Report on your risk posture across the four functions.

Every GTSAF control carries NIST AI RMF anchors, and the NIST functions map to GTSAF domains: GOVERN aligns with the governance and accountability domains, MAP with intake and risk identification, MEASURE with monitoring and validation, and MANAGE with treatment, resilience and incident response. A single body of governance work therefore supports NIST AI RMF, GTSAF, the EU AI Act and ISO/IEC 42001 at once. See the GTSAF crosswalk table.