Executive Summary · § 04
Standards alignment
BAGF is not a standalone framework Bizzi invented. Each control in this document maps directly to standards and regulations CIO and Compliance teams already know. The table below shows the pillar-level mapping. Appendix A details the section-level mapping.
| Pillar | ISO/IEC 42001 | NIST AI RMF | EU AI Act | OWASP-LLM | NĐ 13/2023 |
|---|---|---|---|---|---|
| I. AI Organization | A.5, A.6 | GOVERN | Art. 9, 17 | n/a | Art. 20 |
| II. Legal & Regulatory | A.9 | GOVERN, MAP | Art. 10, 12, 13 | n/a | Art. 4–19 |
| III. Ethics & Transparency | A.7, A.8 | MAP, MANAGE | Art. 13, 14 | LLM09 | Art. 16, 17 |
| IV. Data / AIOps / ADLC | A.6, A.8 | MEASURE, MANAGE | Art. 9, 12, 15 | LLM03, LLM05 | Art. 27 |
| V. AI Security | A.7 | MEASURE | Art. 15 | LLM01–10 | Art. 26, 27 |
Why these five standards
- Decree 13/2023/NĐ-CP. Mandatory for any organization processing personal data in Vietnam. Non-negotiable.
- ISO/IEC 42001. The first international standard for AI Management Systems. Emerging as the gold standard for enterprise AI governance.
- NIST AI RMF. The U.S. AI risk management framework. Often required by multinational customers.
- EU AI Act. The first comprehensive AI law. In phased effect from 2024 to 2027. Relevant for customers with EU operations.
- OWASP Top 10 for LLMs. Community-authored list of the ten most common LLM application risks. The backbone of Pillar V.
Standards not in this table
BAGF v1.0 does not directly reference SOC 2 or PCI-DSS. These are not AI-specific frameworks. They are addressed by Bizzi’s ISMS aligned with ISO 27001 (see Appendix B). Where customers have specific requirements (for example SOC 2 Type II), Bizzi provides separate evidence under contract.