Procurement workflow surface
NIST AI RMF Generative AI Profile — vendor disclosure form
This is a sample disclosure form a procurement team can adapt for vendor RFPs and ITTs evaluating systems against NIST AI RMF Generative AI Profile. The provision-specific questions below were derived from the catalog's coverage cells; before issuing, a qualified procurement lawyer should review the adapted version against your jurisdiction's contract law. This form is NOT legal advice (see charter §7.4).
1. Vendor identification
2. AI system identification
3. Provision-specific questions
- Foundation Models / GPAI. Does the offered system meet the threshold for a general-purpose / foundation model under NIST AI RMF Generative AI Profile (Entire NIST AI 600-1 scope is GPAI / GenAI)? If yes, identify the specific obligations you will satisfy and the evidence you will provide.
(Cite: Entire NIST AI 600-1 scope is GPAI / GenAI)
- Deepfakes / Synthetic Content. Does the offered system generate or substantially modify audio / video / image / text in ways requiring disclosure or machine-readable provenance under NIST AI RMF Generative AI Profile (NIST AI 600-1 §3.11 Confabulation + §3.10 Information Integrity (synthetic content))? Describe the disclosure + provenance mechanisms implemented and their robustness against removal.
(Cite: NIST AI 600-1 §3.11 Confabulation + §3.10 Information Integrity (synthetic content))
- Transparency Obligations. Provide the documentation required under the transparency obligations of NIST AI RMF Generative AI Profile (Govern + Map cross-cutting documentation requirements applied to GenAI) — including (as applicable) model card, system card, training-data summary, evaluation results, and known limitations.
(Cite: Govern + Map cross-cutting documentation requirements applied to GenAI)
- Training-Data Rights. Identify the legal basis for training-data sourcing for the offered system (including copyright, consent, and any text-and-data-mining exemptions relied upon) and confirm consistency with NIST AI RMF Generative AI Profile (NIST AI 600-1 §3.4 Data Privacy + §3.7 Intellectual Property).
(Cite: NIST AI 600-1 §3.4 Data Privacy + §3.7 Intellectual Property)
- Catastrophic & Existential Risk. Has the offered system been evaluated against catastrophic-risk thresholds (e.g., CBRN information uplift, autonomous replication) consistent with NIST AI RMF Generative AI Profile (NIST AI 600-1 §3.1 CBRN Information Uplift; §3.3 Dangerous, Violent, or Hateful Content)? Provide the evaluation report or its public-disclosure equivalent.
(Cite: NIST AI 600-1 §3.1 CBRN Information Uplift; §3.3 Dangerous, Violent, or Hateful Content)
- Agentic AI Governance. Does the offered system act as an autonomous agent (multi-step tool-use, transactions, recursion) within scope of NIST AI RMF Generative AI Profile (NIST AI 600-1 names Value Chain + Component Integration as risk category covering agentic / tool-use deployments)? Describe the tool-use surface, authorisation model, and human-oversight checkpoints.
(Cite: NIST AI 600-1 names Value Chain + Component Integration as risk category covering agentic / tool-use deployments)
- Synthetic Content Provenance. Does the offered system generate or substantially modify audio / video / image / text in ways requiring disclosure or machine-readable provenance under NIST AI RMF Generative AI Profile (NIST AI 600-1 — Information Integrity is one of 12 named GenAI risk categories; covers synthetic-content labelling + provenance)? Describe the disclosure + provenance mechanisms implemented and their robustness against removal.
(Cite: NIST AI 600-1 — Information Integrity is one of 12 named GenAI risk categories; covers synthetic-content labelling + provenance)
- Environmental Impact of AI Training. Provide energy + emissions disclosures for training + inference of the offered system as required or recommended under NIST AI RMF Generative AI Profile (NIST AI 600-1 — Environmental Impacts is one of 12 named GenAI risk categories).
(Cite: NIST AI 600-1 — Environmental Impacts is one of 12 named GenAI risk categories)
4. Documentation enclosures expected
Tick each enclosure attached to the vendor response. Missing enclosures should be explained in the “Variances” field below.
- Content provenance + watermarking technical description
- Vendor company registration + insurance certificates
- Sub-processor / supply-chain list (including model upstream)
5. Vendor attestation
The undersigned, on behalf of the vendor, attests that the disclosures above are true and complete to the best of their knowledge at the date signed, and undertakes to notify the buyer in writing within 30 days of any material change to those disclosures.
This is a sample form derived from the catalog at /wiki/nist-ai-rmf-genai-profile. Adapt before issuing. Not legal advice; not jurisdiction-specific. See charter §7.4.