Assessments & control testing
An assessment scores an AI system against the controls of a framework. Control testing goes a step further: it evidences that controls are not just designed, but operating effectively.
Assessments
Section titled “Assessments”An assessment connects an AI system to a framework and works through its controls, domain by domain. For each control you record:
- The current state, how well the control is met.
- The rationale, why you reached that conclusion.
- Evidence links, the proof that supports the conclusion.
Because an assessment records rationale and evidence per control, the result is defensible rather than just a score. See Run your first assessment for the steps.
Assessing against multiple frameworks
Section titled “Assessing against multiple frameworks”The same AI system can be assessed against more than one framework, for example GTSAF for depth and the EU AI Act for regulatory readiness. Gamut keeps each assessment distinct while sharing the underlying system, evidence and findings, so work done once is reused across frameworks rather than repeated. See Frameworks overview for how routing selects frameworks.
Control testing
Section titled “Control testing”Designing a control is not the same as operating it. A control test in Gamut captures the full testing record auditors expect:
- Test objective and test procedure, what was tested and how.
- Sample method and sample size, the basis for the conclusion.
- A design effectiveness score and an operating effectiveness score, kept separate, because a well-designed control can still fail in operation.
- A test result:
pass,partial,failornot_tested. - Exceptions: a count and a summary of what failed.
- Tester and reviewer, test date and next test date, and evidence references.
This turns an assertion (“we review model outputs”) into proof (“here are the reviews, sampled this way, on this cadence, by these people, with these exceptions”). Control tests produce the artefacts that back an assessment and that auditors rely on when they test your governance.
Findings
Section titled “Findings”Where an assessment or control test reveals a gap, raise a finding. A finding carries a severity, a root cause, a recommendation and a management response, and it links back to the control, the test and the system it relates to, then tracks through to remediation and closure. See Evidence & findings.
AI assistance
Section titled “AI assistance”Gamut can assist assessment work with AI, for example by helping analyse context or draft narrative. All AI analysis is proxied server-side, so model provider keys are never exposed to the browser. See AI assistance & data handling.
- Evidence & findings: capture proof and manage deficiencies.
- Reporting & exports: turn assessments into board and audit outputs.
- Model cards: document the models a system uses.