Run your first assessment
An assessment scores a registered AI system against the controls of a framework and records why. This is where governance becomes defensible: not just a decision, but a decision with a documented rationale and evidence behind it. In Gamut, a good assessment is the end of a short chain that grounds the system first.
Ground the system before you score it
A framework score is only as good as the context behind it. Before assessing, work through the chain that feeds it:
- AI System Records establishes what the system is.
- AI Use Case Intake & Approval explains what it does, who it affects, what data and decisions are involved, and records an accountable approval. See Intake & risk tiering.
- Risk Tiering Engine and ACRS Risk Assessment set the depth of governance expected, confirming the risk tier and capability band.
- Assessment Plan & Assurance Routing routes the system to the frameworks it actually needs.
By the time you open a framework, the system is grounded and routed, so you are scoring against the right controls rather than guessing which apply.
Choosing a framework
Routing will suggest the frameworks that fit. Common starting points:
- EU AI Act readiness: to demonstrate readiness for the EU AI Act.
- GTSAF: for depth, 358 controls across 17 domains.
- NIST AI RMF or ISO/IEC 42001: if you align to those standards.
- ATF: for systems that take action as agents.
You can assess the same system against more than one framework; Gamut keeps each distinct while sharing the underlying system, evidence and findings. See Frameworks overview.
Scoring controls
Open the framework and work through its controls, domain by domain. Controls are scored on a maturity scale rather than a simple pass/fail. GTSAF, for example, uses a five-level scale:
| Level | Meaning |
|---|---|
| 1 Initial | Ad hoc, undocumented. |
| 2 Developing | Emerging but inconsistent. |
| 3 Defined | Documented and applied. |
| 4 Managed | Measured, monitored, tested. |
| 5 Optimizing | Continuously improved with data. |
For each control:
- Set the maturity level.
- Capture the rationale: why you reached that level.
- Attach or request evidence where relevant.
- Raise a finding for any gap, deficiency or exception.
Other frameworks use their own scales (for example ATF tracks control readiness toward each autonomy level), but the pattern is the same: a level, a reason, and the proof behind it.
Capture evidence, tests and findings
As you score, the supporting registers are one click away:
- Evidence Tracker: raise evidence requests and attach artefacts against controls.
- Testing Centre: record control tests with design and operating effectiveness.
- Findings Register: track gaps through root cause, remediation and validated closure.
After the assessment
- Track any findings through to remediation.
- Produce a report from the Board Dashboard or a workpaper pack for leadership or audit.
- For agentic systems, continue with an ATF assessment and the agentic stack.