Working Checklists for the NIST AI RMF: A Practical Tips Series: MEASURE
NIST AI RMF MEASURE checklist: practical guidance for AI risk metrics, trustworthy evaluation, risk tracking, and measurement validation.

MEASURE
Part 3 of 4 — GOVERN, MAP, MEASURE, MANAGE
MEASURE is where AI governance stops being a story and starts being a number. MEASURE asks for evidence: what did you actually test, what did the test show, and would that evidence survive someone else trying to reproduce it?
This is also where practitioner fatigue sets in hardest, because measurement is genuinely difficult for AI systems in a way it isn’t for most software. There’s no fixed spec to test against. Behavior drifts. “Fairness” and “safety” don’t reduce to a single metric without losing something. None of that is a reason to skip MEASURE. It’s the reason MEASURE has to be deliberate rather than default. Here’s the checklist, organized by NIST’s four MEASURE categories.
MEASURE 1: You Have Actual Methods and Metrics, Not Vibes
- Specific metrics exist for each risk identified in MAP
- The metrics you’re using have themselves been evaluated for whether they measure what you think they measure. For example, a fairness metric optimized in isolation can hide the exact harm it was meant to catch
- Internal domain experts are consulted on whether the metrics make sense for this specific use case
- You can say, for any given risk in your register, what evidence would change your assessment of it
Theater vs. real:Theater is a dashboard full of model metrics that don’t map to any of the risks you identified in MAP. Real is a metric that has actually changed a go/no-go decision.
MEASURE 2: The System Is Actually Evaluated for Trustworthy Characteristics
- Test sets and evaluation methods are documented well enough that someone else could run the same evaluation and get a comparable result
- Testing conditions match deployment conditions. A benchmark run on clean, curated data tells you little about behavior on the messy inputs your system will actually see
- Security and resilience testing has been done against realistic adversarial behavior, not just accidental misuse
- Privacy risk has been assessed specifically for this system’s data flows, not inherited wholesale from a general privacy review
- Bias and fairness testing has been done against the populations affected by this system, not a generic benchmark dataset that happens to be convenient
- Human-AI configurations have been tested for how they actually perform, not just how they’re designed to perform on paper
- Where relevant, environmental and resource costs of running the system have been considered, not treated as someone else’s problem
Theater vs. real:Theater is bias testing run once, at model selection, on a demo dataset, and never revisited. Real is bias testing run against your actual production data, on a cadence, with a documented history of results — including the ones that were bad.
MEASURE 3: Risk Tracking Actually Happens Over Time
- There are named people, with allocated time, responsible for tracking identified risks
- Tracking mechanisms include a real channel for external input including user reports, customer complaints, incident disclosures from similar systems elsewhere
- Feedback about system performance, especially negative feedback, reaches the people who can act on it, on a timescale that matters
- You can produce a timeline, for any material risk, showing how your understanding of it has changed since deployment
Theater vs. real:Theater is a risk register that was populated once at launch and hasn’t moved since. Real is a risk register with a visible history — items added, closed, reopened, reprioritized — because someone is actually watching it.
MEASURE 4: Measurement Itself Gets Measured
- Your measurement approaches are periodically reviewed for validity and reliability
- Measurement outcomes inform decisions
- You can point to at least one instance where a measurement result changed a deployment decision, a design choice, or a risk rating
Theater vs. real:Theater is a quarterly metrics review that produces a slide deck and no decisions. Real is a metrics review that has, at least once, killed something or forced a redesign.
The test that cuts across all four
MEASURE is the function that separates organizations that manage AI risk from organizations that describe managing AI risk. The tell is whether you can produce, on short notice, evidence that a specific metric changed a specific decision. If every metric you track has only ever confirmed what you already believed, you’re not measuring risk. You’re measuring your own confidence and calling it governance.
Next in this series: MANAGE — the checklist for what happens after you know something is wrong.
Put these ideas to work.
Schedule a 30-minute walkthrough with our team.