NIST AI RMF: what makes an AI risk report "audit-ready"

14 June 2026 · 3 min read

A threat model without a Document Control section is a worksheet, not a deliverable. The technical analysis can be excellent — and still earn no auditor's trust.

The three things checked first

Before reading a single section, an auditor asks:

  • When was this done? A risk assessment from 18 months ago, never revisited, gives false confidence.
  • Who did it? Not a name — a role. Were they qualified? Did they have system access, or were they guessing?
  • Who accepts the residual risk? Residual risk always exists. The question is whether someone owns it, in writing, with a date.

These map straight to NIST AI RMF GOVERN 1.1, part of the GOVERN function: the function easiest to skip, because it feels administrative rather than technical.

What to add

  • A Document Control block at the top: date, version, author + role, reviewer, next review date.
  • A sign-off line at the end of the residual-risk section: name, role, date of acceptance.
  • A NIST AI RMF crosswalk: every section of the threat model maps to MAP / MEASURE / MANAGE / GOVERN.

The crosswalk does something subtle: it turns internal analysis into audit-ready evidence. Same work, different framing — and it ties to Article 19 record-keeping. It all starts with the right client questions.

Does your AI report look complete, or is it complete?

A Shielding Review delivers documentation with provenance — audit-ready, with a standards crosswalk. Free 45-min session.
