⚠️

重要前提

安装AI Skills的关键前提是：必须科学上网，且开启TUN模式，这一点至关重要，直接决定安装能否顺利完成，在此郑重提醒三遍：科学上网，科学上网，科学上网。查看完整安装教程 →

NIST AI RMF 1.0 人工智能风险评估框架 | 全面AI风险管理与合规指南

nist-ai-rmf by mastepanoski/claude-skills

49 周安装量

14 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/mastepanoski/claude-skills --skill nist-ai-rmf

AI/机器学习法律合规风险管理

🇨🇳中文介绍

NIST 人工智能风险管理框架 (AI RMF 1.0)

此技能使 AI 代理能够使用美国国家标准与技术研究院于 2023 年 1 月发布的 NIST 人工智能风险管理框架 (AI RMF 1.0) 执行全面的 AI 风险评估。

AI RMF 是一个自愿的、与技术及行业无关的框架，旨在帮助组织管理 AI 系统在其整个生命周期中相关的风险。它通过解决影响个人、组织和社会的风险，促进可信赖 AI 的开发。

使用此技能来识别、评估和管理 AI 风险；建立治理结构；确保可信赖 AI 的特性；并与国际 AI 风险管理最佳实践保持一致。

结合使用“ISO 42001 AI 治理”以获得全面的合规覆盖，或结合“OWASP LLM Top 10”进行以安全为重点的评估。

何时使用此技能

在以下情况调用此技能：

在部署前评估 AI 系统的风险
建立 AI 治理和问责结构
评估 AI 产品和服务的可信度
为法规遵从性做准备（欧盟 AI 法案、各州 AI 法律）
进行定期的 AI 风险审查
评估第三方 AI 工具和供应商
建立组织 AI 风险管理计划
为利益相关者记录 AI 系统风险

所需输入

执行此评估时，收集以下信息：

ai_system_description : AI 系统描述（目的、能力、部署环境、用户、数据源）[必需]
system_lifecycle_stage : 当前阶段（设计、开发、部署、监控、停用）[可选，默认为部署]
organization_context : 组织规模、行业、风险承受能力、监管环境 [可选]
existing_controls : 现有的风险管理流程或控制措施 [可选]
specific_concerns : 已知风险、事件或关注领域 [可选]
stakeholders : 关键利益相关者和受影响的群体 [可选]

可信赖 AI 特性

AI RMF 确定了可信赖 AI 的七个特性，作为所有功能的评估标准：

有效且可靠 : 系统按预期执行，结果一致

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

步骤 1：系统理解（15 分钟）

审查 AI 系统：
- 分析 ai_system_description 和 system_lifecycle_stage
- 识别系统类型（分类器、生成式、推荐系统、自主系统等）
- 记录数据源、模型和部署环境
- 注意利益相关者和受影响的群体
理解背景：
- 审查 organization_context 和监管环境
- 识别适用的法律和标准
- 注意风险承受能力和现有控制措施
定义范围：
- 确定要评估的功能和类别
- 根据生命周期阶段和关注点确定优先级

步骤 2：治理功能评估（20 分钟）

评估组织治理：

G1 : AI 风险政策是否到位且透明？
G1.1 : 法律/监管要求是否被理解和记录？
G1.2 : 可信赖 AI 特性是否纳入组织政策？
G1.5 : 监控和审查流程是否已规划？
G1.6 : AI 系统清单是否得到维护？
G2 : 问责结构是否已定义？
G2.1 : 角色和职责是否清晰？
G2.3 : 执行领导层是否负责？
G3.1 : 多元化团队是否参与决策？
G4 : 是否培养了风险文化？
G5 : 利益相关者参与流程是否到位？
G6 : 第三方风险是否得到解决？

步骤 3：映射功能评估（20 分钟）

评估风险识别和背景：

M1.1 : 预期目的和部署环境是否已记录？
M1.5 : 风险承受能力是否已确定？
M2.1 : AI 任务和方法是否已定义？
M2.2 : 知识限制和人工监督是否已记录？
M3.1 : 收益是否已审查并记录？
M3.2 : AI 错误导致的成本是否已记录？
M3.5 : 人工监督流程是否已定义？
M4.1 : 组件风险是否已映射？
M5.1 : 影响可能性和程度是否已记录？

步骤 4：衡量功能评估（25 分钟）

评估风险衡量和监控：

ME1.1 : 风险指标是否已选择和应用？
ME2.3 : 性能标准是否已衡量？
ME2.4 : 生产环境行为是否已监控？
ME2.5 : 有效性和可靠性是否已证明？
ME2.6 : 安全风险是否已评估？
ME2.7 : 安全性和韧性是否已评估？
ME2.9 : 模型可解释性是否已记录？
ME2.10 : 隐私风险是否已审查？
ME2.11 : 公平性和偏见是否已评估？
ME3.1 : 风险跟踪是否到位？
ME3.3 : 用户反馈机制是否已建立？

步骤 5：管理功能评估（20 分钟）

评估风险响应和处理：

MA1.1 : 系统是否达到预期目的？
MA1.2 : 风险处理是否已确定优先级？
MA1.3 : 是否有针对高风险优先级的响应计划？
MA2.1 : 是否考虑了非 AI 替代方案？
MA2.3 : 是否有未知风险响应程序？
MA2.4 : 停用机制是否到位？
MA3.1 : 第三方风险是否已监控？
MA4.1 : 部署后监控是否已实施？
MA4.3 : 事件沟通和恢复是否已记录？

步骤 6：报告生成（20 分钟）

汇总评估结果，包括评级和建议。

生成一份全面的 NIST AI RMF 评估报告：

# NIST AI RMF 评估报告

**AI 系统**: [名称/描述]
**组织**: [名称]
**日期**: [日期]
**生命周期阶段**: [设计/开发/部署/监控]
**评估者**: [AI 代理或人员]
**AI RMF 版本**: 1.0 (2023年1月)

---

## 执行摘要

### 总体风险概况: [低 / 中 / 高 / 严重]

**系统类型**: [分类器 / 生成式 / 推荐系统 / 自主系统 / 其他]
**部署环境**: [内部 / 面向客户 / 公共 / 关键基础设施]
**法规适用性**: [欧盟 AI 法案风险等级、各州法律、行业法规]

### 关键发现
- **问题总数**: [X]
  - 严重: [X] (需要立即行动)
  - 高: [X] (需要在 30 天内行动)
  - 中: [X] (需要在 90 天内行动)
  - 低: [X] (建议改进)

### 可信度摘要
| 特性 | 状态 | 评级 |
|---|---|---|
| 有效且可靠 | [状态] | [1-5] |
| 安全 | [状态] | [1-5] |
| 安全且有韧性 | [状态] | [1-5] |
| 可问责且透明 | [状态] | [1-5] |
| 可解释且可理解 | [状态] | [1-5] |
| 隐私增强 | [状态] | [1-5] |
| 公平（偏见受管理） | [状态] | [1-5] |

---

## 治理功能评估

### 治理 1：政策和流程
**评级**: [未实施 / 部分 / 基本 / 完全]

**发现:**
- [发现 1 及证据]
- [发现 2 及证据]

**差距:**
- [ ] [差距描述]

**建议:**
- [建议及优先级]

### 治理 2：问责结构
**评级**: [未实施 / 部分 / 基本 / 完全]

[为所有治理类别继续...]

---

## 映射功能评估

### 映射 1：建立背景
**评级**: [未实施 / 部分 / 基本 / 完全]

**发现:**
- [发现及证据]

**差距:**
- [ ] [差距描述]

**建议:**
- [建议及优先级]

[为所有映射类别继续...]

---

## 衡量功能评估

### 衡量 1：方法与指标
**评级**: [未实施 / 部分 / 基本 / 完全]

**发现:**
- [发现及证据]

**差距:**
- [ ] [差距描述]

**建议:**
- [建议及优先级]

[为所有衡量类别继续...]

---

## 管理功能评估

### 管理 1：风险优先级排序
**评级**: [未实施 / 部分 / 基本 / 完全]

**发现:**
- [发现及证据]

**差距:**
- [ ] [差距描述]

**建议:**
- [建议及优先级]

[为所有管理类别继续...]

---

## 风险登记册

| ID | 风险描述 | 功能 | 可能性 | 影响 | 优先级 | 缓解措施 |
|---|---|---|---|---|---|---|
| R1 | [描述] | [G/M/ME/MA] | [L/M/H] | [L/M/H] | [P0-P3] | [策略] |
| R2 | [描述] | [G/M/ME/MA] | [L/M/H] | [L/M/H] | [P0-P3] | [策略] |

---

## 修复路线图

### 阶段 1：严重 (0-30 天)
1. [行动项，包含负责人和截止日期]
2. [行动项，包含负责人和截止日期]

### 阶段 2：高优先级 (30-90 天)
1. [行动项，包含负责人和截止日期]

### 阶段 3：中优先级 (90-180 天)
1. [行动项，包含负责人和截止日期]

### 阶段 4：持续改进
1. [持续实践]

---

## 合规性对应

### 法规映射
| 法规 | 相关 AI RMF 功能 | 状态 |
|---|---|---|
| 欧盟 AI 法案 | 治理, 映射, 衡量 | [状态] |
| NIST CSF 2.0 | 治理, 管理 | [状态] |
| 各州 AI 法律 | 治理, 映射 | [状态] |
| 行业法规 | [相关功能] | [状态] |

---

## 后续步骤

### 立即行动
1. [ ] 处理严重发现
2. [ ] 分配风险负责人
3. [ ] 建立监控节奏

### 短期 (1-3 个月)
1. [ ] 实施阶段 1 修复
2. [ ] 建立治理结构
3. [ ] 对人员进行 AI RMF 培训

### 长期 (3-12 个月)
1. [ ] 完成所有修复阶段
2. [ ] 进行后续评估
3. [ ] 整合到组织风险管理中

---

## 资源

- [NIST AI RMF 1.0](https://www.nist.gov/itl/ai-risk-management-framework)
- [NIST AI RMF 手册](https://www.nist.gov/itl/ai-risk-management-framework/nist-ai-rmf-playbook)
- [NIST AI RMF 生成式 AI 配置文件](https://airc.nist.gov/Docs/1)
- [NIST 可信赖 AI 资源中心](https://airc.nist.gov/)

---

**评估版本**: 1.0
**日期**: [日期]

使用此量表进行子类别评级：

评级	描述
未实施	没有活动或文档证据
部分	有一些活动但不一致或不完整
基本	大部分已实施，存在微小差距
完全	完全实施并定期维护

使用此量表进行可信赖特性评分：

分数	描述
1	未涉及
2	最低限度涉及
3	部分涉及
4	基本涉及
5	完全涉及并监控

对于生成式 AI 系统，额外评估（根据 NIST AI 600-1 GenAI 配置文件，2024 年 7 月）：

内容来源 : 追踪 AI 生成内容来源的机制
虚构风险 : 对幻觉或捏造输出的控制
数据隐私 : 训练数据保护和同意
环境影响 : 计算资源消耗
信息安全 : 提示注入和对抗性鲁棒性
有害内容 : 对有毒或危险输出的过滤器和防护措施
第三方风险 : 基础模型和 API 依赖
人机交互 : 用户意识到他们正在与 AI 交互

从治理开始 : 在映射风险之前建立治理
持续迭代 : 风险管理是持续性的，而非一次性
吸引利益相关者 : 在评估中包含多元化视角
记录一切 : 为问责制保留证据
与现有框架保持一致 : 与 NIST CSF、ISO 42001、SOC 2 整合
根据背景定制 : 根据系统风险级别调整评估深度
在生产环境中测试 : 监控已部署系统，而不仅仅是部署前
为失败做计划 : 制定事件响应和停用程序
考虑社会影响 : 超越组织风险
保持更新 : 监控不断发展的 AI 法规和标准

1.0 - 初始版本（符合 NIST AI RMF 1.0）

请注意 : NIST AI RMF 是自愿的、基于风险的框架。并非所有子类别都适用于每个系统。请根据系统的风险概况和组织背景调整评估深度。

🇺🇸English

NIST AI Risk Management Framework (AI RMF 1.0)

This skill enables AI agents to perform a comprehensive AI risk assessment using the NIST AI Risk Management Framework (AI RMF 1.0) , published January 2023 by the National Institute of Standards and Technology.

The AI RMF is a voluntary, technology- and sector-agnostic framework designed to help organizations manage risks associated with AI systems throughout their lifecycle. It promotes trustworthy AI development by addressing risks that affect individuals, organizations, and society.

Use this skill to identify, assess, and manage AI risks; establish governance structures; ensure trustworthy AI characteristics; and align with international AI risk management best practices.

Combine with "ISO 42001 AI Governance" for comprehensive compliance coverage or "OWASP LLM Top 10" for security-focused assessment.

When to Use This Skill

Invoke this skill when:

Assessing risks of AI systems before deployment
Establishing AI governance and accountability structures
Evaluating trustworthiness of AI products and services
Preparing for regulatory compliance (EU AI Act, state AI laws)
Conducting periodic AI risk reviews
Evaluating third-party AI tools and vendors
Building organizational AI risk management programs
Documenting AI system risks for stakeholders

Inputs Required

When executing this assessment, gather:

ai_system_description : Description of the AI system (purpose, capabilities, deployment context, users, data sources) [REQUIRED]
system_lifecycle_stage : Current stage (design, development, deployment, monitoring, decommissioning) [OPTIONAL, defaults to deployment]
organization_context : Organization size, industry, risk tolerance, regulatory environment [OPTIONAL]
existing_controls : Current risk management processes or controls in place [OPTIONAL]
specific_concerns : Known risks, incidents, or areas of focus [OPTIONAL]
stakeholders : Key stakeholders and affected communities [OPTIONAL]

Trustworthy AI Characteristics

The AI RMF identifies seven characteristics of trustworthy AI that serve as evaluation criteria across all functions:

Valid and Reliable : System performs as intended with consistent results
Safe : System does not endanger human life, health, property, or the environment
Secure and Resilient : System withstands adverse events and recovers gracefully
Accountable and Transparent : Information about the system is available to stakeholders
Explainable and Interpretable : Mechanisms and outputs can be understood
Privacy-Enhanced : Human autonomy and data rights are protected
Fair with Harmful Bias Managed : System does not produce discriminatory outcomes

The 4 Core Functions

The AI RMF Core is composed of four functions, each broken into categories and subcategories:

GOVERN Function

Establishes organizational policies, processes, and accountability for AI risk management. GOVERN is cross-cutting and applies across all other functions.

GOVERN 1: Policies and Processes

Policies, processes, procedures, and practices across the organization related to the mapping, measuring, and managing of AI risks are in place, transparent, and implemented effectively.

GOVERN 1.1 : Legal and regulatory requirements involving AI are understood, managed, and documented
GOVERN 1.2 : Trustworthy AI characteristics integrated into organizational policies, processes, and practices
GOVERN 1.3 : Processes to determine needed risk management activity levels based on organizational risk tolerance
GOVERN 1.4 : Risk management process and outcomes established through transparent policies, procedures, and controls
GOVERN 1.5 : Ongoing monitoring and periodic review of risk management process with clear roles and responsibilities
GOVERN 1.6 : Mechanisms to inventory AI systems resourced by organizational risk priorities
GOVERN 1.7 : Processes for decommissioning and phasing out AI systems safely

GOVERN 2: Accountability Structures

Accountability structures ensure appropriate teams and individuals are empowered, responsible, and trained for AI risk management.

GOVERN 2.1 : Roles, responsibilities, and communication lines documented and clear
GOVERN 2.2 : Personnel receive AI risk management training
GOVERN 2.3 : Executive leadership takes responsibility for AI decisions

GOVERN 3: Workforce Diversity and Inclusion

Workforce diversity, equity, inclusion, and accessibility processes are prioritized in AI risk management.

GOVERN 3.1 : Decision-making informed by diverse team (demographics, disciplines, expertise)
GOVERN 3.2 : Policies define roles for human-AI configurations and oversight

GOVERN 4: Risk Culture

Organizational teams are committed to a culture that considers and communicates AI risk.

GOVERN 4.1 : Policies foster critical thinking and safety-first mindset
GOVERN 4.2 : Teams document and communicate risks and impacts broadly
GOVERN 4.3 : Practices enable AI testing, incident identification, and information sharing

GOVERN 5: Stakeholder Engagement

Processes are in place for robust engagement with relevant AI actors.

GOVERN 5.1 : Policies collect, consider, and integrate external feedback on impacts
GOVERN 5.2 : Mechanisms regularly incorporate adjudicated feedback into system design

GOVERN 6: Third-Party Risk

Policies and procedures address AI risks from third-party software, data, and supply chain.

GOVERN 6.1 : Policies address risks from third-party entities including IP infringement
GOVERN 6.2 : Contingency processes handle failures in high-risk third-party systems

MAP Function

Identifies and contextualizes AI system risks within the operational environment.

MAP 1: Context Established

Context is established and understood.

MAP 1.1 : Intended purposes, beneficial uses, laws, norms, and deployment settings documented
MAP 1.2 : Interdisciplinary AI actors with demographic diversity participate and documented
MAP 1.3 : Organization's mission and goals for AI technology understood and documented
MAP 1.4 : Business value or context clearly defined or re-evaluated
MAP 1.5 : Organizational risk tolerances determined and documented
MAP 1.6 : System requirements elicited with socio-technical considerations

MAP 2: System Categorization

Categorization of the AI system is performed.

MAP 2.1 : Specific tasks and methods defined (classifiers, generative models, recommenders)
MAP 2.2 : System knowledge limits and human oversight documented
MAP 2.3 : Scientific integrity and TEVV considerations identified

MAP 3: Capabilities and Costs

AI capabilities, targeted usage, goals, expected benefits, and costs are understood.

MAP 3.1 : Potential benefits of intended functionality examined and documented
MAP 3.2 : Potential costs (monetary and non-monetary) from AI errors documented
MAP 3.3 : Targeted application scope specified based on capability
MAP 3.4 : Operator and practitioner proficiency assessed
MAP 3.5 : Human oversight processes defined and documented

MAP 4: Component Risks

Risks and benefits are mapped for all components including third-party.

MAP 4.1 : Approaches for mapping technology and legal risks documented
MAP 4.2 : Internal risk controls for components identified and documented

MAP 5: Impact Characterization

Impacts to individuals, groups, communities, organizations, and society are characterized.

MAP 5.1 : Likelihood and magnitude of impacts (beneficial and harmful) documented
MAP 5.2 : Practices for regular engagement with relevant AI actors documented

MEASURE Function

Employs tools, techniques, and methodologies to assess, benchmark, and monitor AI risk.

MEASURE 1: Methods and Metrics

Appropriate methods and metrics are identified and applied.

MEASURE 1.1 : Approaches and metrics selected starting with most significant risks
MEASURE 1.2 : Appropriateness of metrics regularly assessed and updated
MEASURE 1.3 : Internal experts or independent assessors involved in assessments

MEASURE 2: Trustworthiness Evaluation

AI systems are evaluated for trustworthy characteristics.

MEASURE 2.1 : Test sets, metrics, and tool details documented during TEVV
MEASURE 2.2 : Evaluations with human subjects meet requirements and represent relevant populations
MEASURE 2.3 : Performance or assurance criteria measured and demonstrated
MEASURE 2.4 : Functionality and behavior monitored in production
MEASURE 2.5 : System demonstrated valid and reliable with generalizability limitations documented
MEASURE 2.6 : System regularly evaluated for safety risks with residual risk within tolerance
MEASURE 2.7 : Security and resilience evaluated and documented
MEASURE 2.8 : Transparency and accountability risks examined
MEASURE 2.9 : AI model explained, validated, and output interpreted within context
MEASURE 2.10 : Privacy risk examined and documented
MEASURE 2.11 : Fairness and bias evaluated with results documented
MEASURE 2.12 : Environmental impact and sustainability assessed
MEASURE 2.13 : Effectiveness of TEVV metrics evaluated

MEASURE 3: Risk Tracking

Mechanisms for tracking identified AI risks over time are in place.

MEASURE 3.1 : Approaches track existing, unanticipated, and emergent risks
MEASURE 3.2 : Risk tracking considered for settings where assessment is difficult
MEASURE 3.3 : Feedback processes for end users to report problems and appeal outcomes

MEASURE 4: Measurement Efficacy

Feedback about efficacy of measurement is gathered and assessed.

MEASURE 4.1 : Measurement approaches informed by domain experts and end users
MEASURE 4.2 : Results validated for consistency with intended performance
MEASURE 4.3 : Measurable performance improvements or declines identified

MANAGE Function

Allocates resources to mapped and measured risks on a regular basis.

MANAGE 1: Risk Prioritization

AI risks based on assessments are prioritized, responded to, and managed.

MANAGE 1.1 : Determination made whether AI system achieves intended purposes
MANAGE 1.2 : Treatment of risks prioritized based on impact, likelihood, and resources
MANAGE 1.3 : Responses to high-priority risks developed (mitigate, transfer, avoid, accept)
MANAGE 1.4 : Negative residual risks documented for downstream users

MANAGE 2: Benefit Maximization

Strategies to maximize AI benefits and minimize negative impacts are planned and documented.

MANAGE 2.1 : Resources to manage risks considered alongside non-AI alternatives
MANAGE 2.2 : Mechanisms to sustain value of deployed systems
MANAGE 2.3 : Procedures to respond to and recover from unknown risks
MANAGE 2.4 : Mechanisms to supersede, disengage, or deactivate inconsistent systems

MANAGE 3: Third-Party Risk Management

AI risks and benefits from third-party entities are managed.

MANAGE 3.1 : Third-party risks regularly monitored with controls applied
MANAGE 3.2 : Pre-trained models monitored as part of regular maintenance

MANAGE 4: Communication and Monitoring

Risk treatments and communication plans are documented and monitored.

MANAGE 4.1 : Post-deployment monitoring plans with user input, appeal, and decommissioning mechanisms
MANAGE 4.2 : Continual improvement activities integrated into updates
MANAGE 4.3 : Incidents communicated to relevant actors; tracking and recovery documented

Audit Procedure

Follow these steps systematically:

Step 1: System Understanding (15 minutes)

Review AI system:
- Analyze ai_system_description and system_lifecycle_stage
- Identify system type (classifier, generative, recommender, autonomous, etc.)
- Document data sources, models, and deployment environment
- Note stakeholders and affected communities
Understand context:
- Review organization_context and regulatory environment
- Identify applicable laws and standards
- Note risk tolerance and existing controls
Define scope:
- Determine which functions and categories to assess
- Prioritize based on lifecycle stage and concerns

Step 2: GOVERN Assessment (20 minutes)

Evaluate organizational governance:

G1 : Are AI risk policies in place and transparent?
G1.1 : Legal/regulatory requirements understood and documented?
G1.2 : Trustworthy AI characteristics in organizational policies?
G1.5 : Monitoring and review processes planned?
G1.6 : AI system inventory maintained?
G2 : Accountability structures defined?
G2.1 : Roles and responsibilities clear?
G2.3 : Executive leadership accountable?
G3.1 : Diverse team informing decisions?
G4 : Risk culture fostered?
G5 : Stakeholder engagement processes in place?
G6 : Third-party risks addressed?

Step 3: MAP Assessment (20 minutes)

Evaluate risk identification and context:

M1.1 : Intended purposes and deployment context documented?
M1.5 : Risk tolerances determined?
M2.1 : AI tasks and methods defined?
M2.2 : Knowledge limits and human oversight documented?
M3.1 : Benefits examined and documented?
M3.2 : Costs from AI errors documented?
M3.5 : Human oversight processes defined?
M4.1 : Component risks mapped?
M5.1 : Impact likelihood and magnitude documented?

Step 4: MEASURE Assessment (25 minutes)

Evaluate risk measurement and monitoring:

ME1.1 : Risk metrics selected and applied?
ME2.3 : Performance criteria measured?
ME2.4 : Production behavior monitored?
ME2.5 : Validity and reliability demonstrated?
ME2.6 : Safety risks evaluated?
ME2.7 : Security and resilience evaluated?
ME2.9 : Model explainability documented?
ME2.10 : Privacy risk examined?
ME2.11 : Fairness and bias evaluated?
ME3.1 : Risk tracking in place?
ME3.3 : User feedback mechanisms established?

Step 5: MANAGE Assessment (20 minutes)

Evaluate risk response and treatment:

MA1.1 : System achieves intended purposes?
MA1.2 : Risk treatment prioritized?
MA1.3 : Response plans for high-priority risks?
MA2.1 : Non-AI alternatives considered?
MA2.3 : Unknown risk response procedures?
MA2.4 : Deactivation mechanisms in place?
MA3.1 : Third-party risks monitored?
MA4.1 : Post-deployment monitoring implemented?
MA4.3 : Incident communication and recovery documented?

Step 6: Report Generation (20 minutes)

Compile assessment findings with ratings and recommendations.

Output Format

Generate a comprehensive NIST AI RMF assessment report:

# NIST AI RMF Assessment Report

**AI System**: [Name/Description]
**Organization**: [Name]
**Date**: [Date]
**Lifecycle Stage**: [Design/Development/Deployment/Monitoring]
**Evaluator**: [AI Agent or Human]
**AI RMF Version**: 1.0 (January 2023)

---

## Executive Summary

### Overall Risk Profile: [Low / Medium / High / Critical]

**System Type**: [Classifier / Generative / Recommender / Autonomous / Other]
**Deployment Context**: [Internal / Customer-facing / Public / Critical infrastructure]
**Regulatory Applicability**: [EU AI Act risk level, state laws, sector regulations]

### Key Findings
- **Total Issues**: [X]
  - Critical: [X] (immediate action required)
  - High: [X] (action required within 30 days)
  - Medium: [X] (action required within 90 days)
  - Low: [X] (improvements recommended)

### Trustworthiness Summary
| Characteristic | Status | Rating |
|---|---|---|
| Valid & Reliable | [Status] | [1-5] |
| Safe | [Status] | [1-5] |
| Secure & Resilient | [Status] | [1-5] |
| Accountable & Transparent | [Status] | [1-5] |
| Explainable & Interpretable | [Status] | [1-5] |
| Privacy-Enhanced | [Status] | [1-5] |
| Fair (Bias Managed) | [Status] | [1-5] |

---

## GOVERN Function Assessment

### GOVERN 1: Policies and Processes
**Rating**: [Not Implemented / Partial / Substantial / Full]

**Findings:**
- [Finding 1 with evidence]
- [Finding 2 with evidence]

**Gaps:**
- [ ] [Gap description]

**Recommendations:**
- [Recommendation with priority]

### GOVERN 2: Accountability Structures
**Rating**: [Not Implemented / Partial / Substantial / Full]

[Continue for all GOVERN categories...]

---

## MAP Function Assessment

### MAP 1: Context Established
**Rating**: [Not Implemented / Partial / Substantial / Full]

**Findings:**
- [Findings with evidence]

**Gaps:**
- [ ] [Gap description]

**Recommendations:**
- [Recommendation with priority]

[Continue for all MAP categories...]

---

## MEASURE Function Assessment

### MEASURE 1: Methods and Metrics
**Rating**: [Not Implemented / Partial / Substantial / Full]

**Findings:**
- [Findings with evidence]

**Gaps:**
- [ ] [Gap description]

**Recommendations:**
- [Recommendation with priority]

[Continue for all MEASURE categories...]

---

## MANAGE Function Assessment

### MANAGE 1: Risk Prioritization
**Rating**: [Not Implemented / Partial / Substantial / Full]

**Findings:**
- [Findings with evidence]

**Gaps:**
- [ ] [Gap description]

**Recommendations:**
- [Recommendation with priority]

[Continue for all MANAGE categories...]

---

## Risk Register

| ID | Risk Description | Function | Likelihood | Impact | Priority | Mitigation |
|---|---|---|---|---|---|---|
| R1 | [Description] | [G/M/ME/MA] | [L/M/H] | [L/M/H] | [P0-P3] | [Strategy] |
| R2 | [Description] | [G/M/ME/MA] | [L/M/H] | [L/M/H] | [P0-P3] | [Strategy] |

---

## Remediation Roadmap

### Phase 1: Critical (0-30 days)
1. [Action item with owner and deadline]
2. [Action item with owner and deadline]

### Phase 2: High Priority (30-90 days)
1. [Action item with owner and deadline]

### Phase 3: Medium Priority (90-180 days)
1. [Action item with owner and deadline]

### Phase 4: Continuous Improvement
1. [Ongoing practices]

---

## Compliance Alignment

### Regulatory Mapping
| Regulation | Relevant AI RMF Functions | Status |
|---|---|---|
| EU AI Act | GOVERN, MAP, MEASURE | [Status] |
| NIST CSF 2.0 | GOVERN, MANAGE | [Status] |
| State AI Laws | GOVERN, MAP | [Status] |
| Sector Regulations | [Relevant functions] | [Status] |

---

## Next Steps

### Immediate Actions
1. [ ] Address critical findings
2. [ ] Assign risk owners
3. [ ] Establish monitoring cadence

### Short-term (1-3 months)
1. [ ] Implement Phase 1 remediation
2. [ ] Establish governance structure
3. [ ] Train personnel on AI RMF

### Long-term (3-12 months)
1. [ ] Complete all remediation phases
2. [ ] Conduct follow-up assessment
3. [ ] Integrate into organizational risk management

---

## Resources

- [NIST AI RMF 1.0](https://www.nist.gov/itl/ai-risk-management-framework)
- [NIST AI RMF Playbook](https://www.nist.gov/itl/ai-risk-management-framework/nist-ai-rmf-playbook)
- [NIST AI RMF Generative AI Profile](https://airc.nist.gov/Docs/1)
- [NIST Trustworthy AI Resource Center](https://airc.nist.gov/)

---

**Assessment Version**: 1.0
**Date**: [Date]

Scoring Guide

Use this scale for subcategory ratings:

Rating	Description
Not Implemented	No evidence of activity or documentation
Partial	Some activity but inconsistent or incomplete
Substantial	Mostly implemented with minor gaps
Full	Fully implemented and regularly maintained

Use this scale for trustworthiness characteristics:

Score	Description
1	Not addressed
2	Minimally addressed
3	Partially addressed
4	Substantially addressed
5	Fully addressed and monitored

Generative AI Considerations

For generative AI systems, additionally evaluate (per NIST AI 600-1 GenAI Profile, July 2024):

Content provenance : Mechanisms to track AI-generated content origin
Confabulation risk : Controls for hallucinated or fabricated outputs
Data privacy : Training data protections and consent
Environmental impact : Computational resource consumption
Information security : Prompt injection and adversarial robustness
Harmful content : Filters and safeguards for toxic or dangerous outputs
Third-party risks : Foundation model and API dependencies
Human-AI interaction : User awareness that they are interacting with AI

Best Practices

Start with GOVERN : Establish governance before mapping risks
Iterate continuously : Risk management is ongoing, not one-time
Engage stakeholders : Include diverse perspectives in assessments
Document everything : Maintain evidence for accountability
Align with existing frameworks : Integrate with NIST CSF, ISO 42001, SOC 2
Tailor to context : Adapt depth of assessment to system risk level
Test in production : Monitor deployed systems, not just pre-deployment
Plan for failure : Have incident response and decommissioning procedures
Consider societal impact : Look beyond organizational risks
Stay current : Monitor evolving AI regulations and standards

Version

1.0 - Initial release (NIST AI RMF 1.0 compliant)

Remember : The NIST AI RMF is voluntary and risk-based. Not all subcategories apply to every system. Tailor the assessment depth to the system's risk profile and organizational context.

Weekly Installs

Repository

mastepanoski/cl…e-skills

GitHub Stars

First Seen

Feb 5, 2026

Security Audits

Gen Agent Trust HubPass SocketPass SnykPass

Installed on

github-copilot47

opencode47

gemini-cli46

codex46

kimi-cli44

amp44

AI界面设计评审工具 - 全面评估UI/UX设计质量、检测AI生成痕迹与优化用户体验

58,500 周安装

NIST AI RMF 1.0 人工智能风险评估框架 | 全面AI风险管理与合规指南

🇨🇳中文介绍

NIST 人工智能风险管理框架 (AI RMF 1.0)

何时使用此技能

所需输入

可信赖 AI 特性

相关 Skills

四大核心功能

治理功能

治理 1：政策和流程

治理 2：问责结构

治理 3：员工多样性与包容性

治理 4：风险文化

治理 5：利益相关者参与

治理 6：第三方风险

映射功能

映射 1：建立背景

映射 2：系统分类

映射 3：能力与成本

映射 4：组件风险

映射 5：影响特征描述

衡量功能

衡量 1：方法与指标

衡量 2：可信度评估

衡量 3：风险跟踪

衡量 4：衡量有效性

管理功能

管理 1：风险优先级排序

管理 2：收益最大化

管理 3：第三方风险管理

管理 4：沟通与监控

审计程序