§ III · Framework mappings

Edition: v.1.2
Mapped: 94 / 94

Mappings to adjacent frameworks.

HI-AAF was designed to be a sibling of existing assurance frameworks, not a replacement. Where a HI-AAF control evidences a requirement of NIST AI RMF, ISO/IEC 42001, OWASP LLM Top 10, SOC 2 Type II, the EU AI Act, MITRE ATLAS, or the Singapore Model AI Governance Framework, that linkage is documented here.

These mappings are directional: meeting a HI-AAF control evidences but does not by itself satisfy the corresponding external requirement. A customer pursuing certification under an external framework should use these mappings to identify evidence reuse — not to substitute one assurance for another.

Frameworks covered — primary

NIST AI RMF: NIST AI Risk Management Framework 1.0
ISO/IEC 42001: ISO/IEC 42001:2023 — Artificial intelligence management system
OWASP LLM Top 10: OWASP Top 10 for Large Language Model Applications
SOC 2 (TSC): AICPA Trust Services Criteria for SOC 2 Type II

Frameworks covered — regional & supplementary

EU AI Act: EU AI Act — Regulation (EU) 2024/1689
MITRE ATLAS: MITRE ATLAS — Adversarial Threat Landscape for AI Systems
Singapore: Singapore Model AI Governance Framework / AI Verify / PDPA

Table GOV.M · GOV mappings — primary · v.1.211 controls

ControlNameNIST AI RMFISO/IEC 42001OWASP LLMSOC 2

GOV-01Risk owner designationGOVERN 2.1, GOVERN 2.25.3, A.2.2—CC1.3, CC1.4

GOV-02Agent Behavior CharterGOVERN 1.4, MAP 1.1A.4.2—CC2.1

GOV-03Agent Risk RegisterGOVERN 1.15.2, A.2.1—CC1.1, CC1.2

GOV-04Acceptable Use PolicyMAP 1.1, MAP 5.16.1.2, A.5—CC3.1, CC3.2

GOV-05Change management authorityGOVERN 1.3, GOVERN 1.47.5, A.3.2—CC8.1

GOV-06Lifecycle RACIGOVERN 2.1, GOVERN 2.35.3, 7.2—CC1.3

GOV-07Personnel trainingGOVERN 3.1, GOVERN 3.27.2, 7.3—CC1.4

GOV-08Board reporting cadenceGOVERN 4.1, GOVERN 4.25.1, 9.3—CC1.2

GOV-09Decommissioning procedureGOVERN 1.5A.3.4—CC6.5

GOV-10Vulnerability disclosureGOVERN 6.1, GOVERN 6.2A.3.3—CC7.4

GOV-11Regulatory documentation packGOVERN 5.1, MEASURE 4.39.3, A.2.3—CC1.3, CC4.1

Table GOV.R · GOV mappings — regional & supplementary · v.1.2

ControlNameEU AI ActMITRE ATLASSingapore

GOV-01Risk owner designationArt. 9(1)—MAIGF Internal Governance, AI Verify Accountability

GOV-02Agent Behavior CharterArt. 9(1), Annex IV(1)—MAIGF Internal Governance, AI Verify Accountability

GOV-03Agent Risk RegisterArt. 9(2)—MAIGF Internal Governance

GOV-04Acceptable Use PolicyArt. 9(2), Art. 9(4)—MAIGF Internal Governance, AI Verify Accountability

GOV-05Change management authorityArt. 9(9), Art. 17(1)—MAIGF Internal Governance

GOV-06Lifecycle RACIArt. 9(1)—MAIGF Internal Governance, AI Verify Accountability

GOV-07Personnel trainingArt. 9(9)—MAIGF Internal Governance

GOV-08Board reporting cadenceArt. 9(1)—MAIGF Internal Governance, AI Verify Accountability

GOV-09Decommissioning procedureArt. 17(1)(j)—MAIGF Internal Governance

GOV-10Vulnerability disclosureArt. 9(9)—MAIGF Internal Governance

GOV-11Regulatory documentation packArt. 9(1), Art. 17, Annex IV—MAIGF Internal Governance, AI Verify Accountability

Table SPC.M · SPC mappings — primary · v.1.29 controls

ControlNameNIST AI RMFISO/IEC 42001OWASP LLMSOC 2

SPC-01Written specificationMAP 3.1, MAP 3.2A.6.2.2, A.6.2.3—CC5.1, CC8.1

SPC-02Capability evaluation suiteMAP 3.4, MAP 4.1A.6.2.3—CC5.2

SPC-03Adversarial assessmentMEASURE 2.7, MEASURE 2.8A.6.2.5, 8.4LLM06, LLM10CC7.1

SPC-04Policy alignment testingMEASURE 2.6A.6.2.4—CC5.2

SPC-05Deployment gateMEASURE 2.5, MEASURE 2.6A.6.2.5LLM01, LLM02CC7.1

SPC-06Behavior baseline captureMEASURE 1.1, MEASURE 1.3A.6.2.6—CC7.1, CC8.1

SPC-07Versioned evaluation setMANAGE 3.1, MANAGE 3.2A.6.2.6—CC8.1, CC8.2

SPC-08Known-unsafe inputs catalogMEASURE 2.78.4LLM06, LLM10CC7.1

SPC-09Fairness evaluationMEASURE 2.11, MEASURE 3.3A.6.2.5—CC1.1

Table SPC.R · SPC mappings — regional & supplementary · v.1.2

ControlNameEU AI ActMITRE ATLASSingapore

SPC-01Written specificationArt. 9(1), Annex IV(2)—MAIGF Testing & Assurance, AI Verify Reproducibility

SPC-02Capability evaluation suiteArt. 9(7), Art. 15(1)—MAIGF Testing & Assurance, AI Verify Reproducibility

SPC-03Adversarial assessmentArt. 9(6), Art. 15(4)ReconnaissanceMAIGF Testing & Assurance, AI Verify Security, AI Verify Robustness

SPC-04Policy alignment testingArt. 9(7)—MAIGF Testing & Assurance, AI Verify Safety

SPC-05Deployment gateArt. 9(1), Art. 15(1)—MAIGF Testing & Assurance

SPC-06Behavior baseline captureArt. 9(2), Art. 15(3)—MAIGF Testing & Assurance, AI Verify Reproducibility

SPC-07Versioned evaluation setArt. 9(7)—MAIGF Testing & Assurance, AI Verify Reproducibility

SPC-08Known-unsafe inputs catalogArt. 15(4)ReconnaissanceMAIGF Testing & Assurance, AI Verify Security

SPC-09Fairness evaluationArt. 10(2), Art. 10(5)EvaluationMAIGF Testing & Assurance, AI Verify Reproducibility, AI Verify Safety

Table IAM.M · IAM mappings — primary · v.1.28 controls

ControlNameNIST AI RMFISO/IEC 42001OWASP LLMSOC 2

IAM-01Dedicated non-human identityMAP 4.1A.7.4—CC6.1, CC6.2

IAM-02Credential vault managementv.1.2 sourceA.7.4—CC6.1

IAM-03Least-privilege scopingMANAGE 4.1A.8.3—CC6.1, CC7.2

IAM-04Action attribution in logsv.1.2 sourceA.7.4—CC6.1, CC7.2

IAM-05Delegated authority modelGOVERN 2.2A.8.3—CC6.3

IAM-06Credential rotationv.1.2 sourceA.7.4—CC6.1, CC6.2

IAM-07Multi-factor authentication for agent adminv.1.2 sourcev.1.2 source—CC6.1, CC6.6

IAM-08Multi-tenant credential isolationv.1.2 sourceA.7.4—CC6.1, CC6.3

Table IAM.R · IAM mappings — regional & supplementary · v.1.2

ControlNameEU AI ActMITRE ATLASSingapore

IAM-01Dedicated non-human identityArt. 15(2)—AI Verify Security

IAM-02Credential vault managementArt. 15(2)—PDPA s.24, AI Verify Security

IAM-03Least-privilege scopingArt. 15(2)—AI Verify Security

IAM-04Action attribution in logsArt. 15(2)—AI Verify Security

IAM-05Delegated authority modelArt. 15(2)—PDPA s.24, AI Verify Security

IAM-06Credential rotationArt. 15(2)—AI Verify Security

IAM-07Multi-factor authentication for agent adminArt. 15(2)—AI Verify Security

IAM-08Multi-tenant credential isolationArt. 15(2)—PDPA s.24, AI Verify Security

Table INP.M · INP mappings — primary · v.1.210 controls

ControlNameNIST AI RMFISO/IEC 42001OWASP LLMSOC 2

INP-01Direct prompt injection detectionMEASURE 2.7A.8.2LLM01CC7.1

INP-02Indirect prompt injection defenseMEASURE 2.7, MEASURE 2.8A.8.2LLM01CC7.1, CC7.2

INP-03Trust boundary enforcementMEASURE 2.8A.8.2LLM01, LLM05CC7.1

INP-04Sensitive content handlingMEASURE 2.8A.7.2LLM03CC7.1

INP-05Jailbreak pattern libraryMEASURE 2.7v.1.2 sourceLLM01CC7.1

INP-06Input size and complexity limitsv.1.2 sourcev.1.2 sourceLLM05A1.1

INP-07Rate limiting and abuse detectionv.1.2 sourcev.1.2 source—CC6.1, A1.1

INP-08Untrusted content source handlingv.1.2 sourcev.1.2 sourceLLM01, LLM05v.1.2 source

INP-09Memory and retrieval injection defensev.1.2 sourcev.1.2 sourceLLM01, LLM07v.1.2 source

INP-10Retrieval and memory write authenticationv.1.2 sourcev.1.2 sourceLLM07v.1.2 source

Table INP.R · INP mappings — regional & supplementary · v.1.2

ControlNameEU AI ActMITRE ATLASSingapore

INP-01Direct prompt injection detectionArt. 15(4)Initial AccessMAIGF Security, AI Verify Security

INP-02Indirect prompt injection defenseArt. 15(4)Initial AccessMAIGF Security, AI Verify Security, AI Verify Robustness

INP-03Trust boundary enforcementArt. 15(4)Initial AccessMAIGF Security, AI Verify Security

INP-04Sensitive content handlingArt. 15(4)—MAIGF Security, AI Verify Security

INP-05Jailbreak pattern libraryArt. 15(4)Initial AccessMAIGF Security, AI Verify Security

INP-06Input size and complexity limitsArt. 15(4)—MAIGF Security, AI Verify Robustness

INP-07Rate limiting and abuse detectionArt. 15(4)—MAIGF Security, AI Verify Security

INP-08Untrusted content source handlingArt. 15(4)Initial AccessMAIGF Security, AI Verify Security, AI Verify Robustness

INP-09Memory and retrieval injection defenseArt. 15(4)Initial AccessMAIGF Security, AI Verify Security

INP-10Retrieval and memory write authenticationArt. 15(4)—MAIGF Security, AI Verify Security

Table ACT.M · ACT mappings — primary · v.1.29 controls

ControlNameNIST AI RMFISO/IEC 42001OWASP LLMSOC 2

ACT-01Tool allowlistMAP 4.1, MEASURE 2.6A.8.4LLM07, LLM08CC6.3

ACT-02Per-tool authorization policyMANAGE 1.3, MANAGE 2.1A.8.4LLM08CC7.1

ACT-03Pre-execution reviewMANAGE 2.3A.8.5LLM08CC7.1, CC8.1

ACT-04Rate and cost limitsMANAGE 2.2A.8.4LLM06CC6.3, A1.1

ACT-05Loop and recursion detectionMANAGE 2.2v.1.2 sourceLLM06CC7.2

ACT-06Blast-radius limitsMANAGE 2.3v.1.2 sourceLLM08CC6.3, CC8.1

ACT-07Kill switchMANAGE 4.2v.1.2 source—CC7.4, A1.2

ACT-08Tool result validationMEASURE 2.6A.8.4LLM08CC7.1

ACT-09Dry-run / shadow modeMANAGE 4.3A.8.6—CC7.4, A1.3

Table ACT.R · ACT mappings — regional & supplementary · v.1.2

ControlNameEU AI ActMITRE ATLASSingapore

ACT-01Tool allowlistArt. 15(3)ExecutionMAIGF Operations Management, AI Verify Human Agency & Oversight

ACT-02Per-tool authorization policyArt. 15(3)ExecutionMAIGF Operations Management

ACT-03Pre-execution reviewArt. 14(4)ImpactMAIGF Operations Management, AI Verify Human Agency & Oversight

ACT-04Rate and cost limitsArt. 15(3)—MAIGF Operations Management

ACT-05Loop and recursion detectionArt. 15(3)ExecutionMAIGF Operations Management

ACT-06Blast-radius limitsArt. 15(3)ImpactMAIGF Operations Management, AI Verify Human Agency & Oversight

ACT-07Kill switchArt. 14(4), Art. 15(3)ImpactMAIGF Operations Management, AI Verify Human Agency & Oversight

ACT-08Tool result validationArt. 15(3)ExecutionMAIGF Operations Management

ACT-09Dry-run / shadow modeArt. 15(1)—MAIGF Operations Management

Table DAT.M · DAT mappings — primary · v.1.213 controls

ControlNameNIST AI RMFISO/IEC 42001OWASP LLMSOC 2

DAT-01Data classification schemeMAP 2.3A.7.3—CC6.1, C1.1

DAT-02Cross-tenant data isolationv.1.2 sourceA.7.4—CC6.1, C1.1

DAT-03PII handling at runtimev.1.2 sourceA.7.3—P3.1, P4.1

DAT-04Retention policiesMANAGE 1.3A.7.4, A.8.2LLM06CC6.1, C1.1

DAT-05Right-to-deletion proceduresMAP 2.3A.7.4—CC6.6, C1.1

DAT-06Training and RAG data provenanceMEASURE 2.10A.7.5LLM06P3.1, P4.2

DAT-07Data residency requirementsv.1.2 sourceA.7.4—P6.1

DAT-08Encryption at rest and in transitv.1.2 sourceA.7.4—CC6.1, CC6.7

DAT-09Consent for AI processingv.1.2 sourceA.7.3—P1.1, P2.1

DAT-10Memory architecture documentationMAP 2.3A.7.3, A.7.4—CC6.1

DAT-11Memory and retrieval isolationv.1.2 sourceA.7.4—CC6.1, C1.1

DAT-12Embedding and vector store integrityv.1.2 sourceA.7.4—CC6.1

DAT-13Retrieved memory traceabilityMEASURE 2.10A.7.5—CC2.2

Table DAT.R · DAT mappings — regional & supplementary · v.1.2

ControlNameEU AI ActMITRE ATLASSingapore

DAT-01Data classification schemeArt. 10(2)—MAIGF Data, AI Verify Data Governance

DAT-02Cross-tenant data isolationArt. 10(2)—PDPA s.24, MAIGF Data, AI Verify Data Governance

DAT-03PII handling at runtimeArt. 10(2)—PDPA s.24, MAIGF Data, AI Verify Data Governance

DAT-04Retention policiesArt. 10(2)—PDPA s.25, MAIGF Data, AI Verify Data Governance

DAT-05Right-to-deletion proceduresArt. 10(2)—PDPA s.25, PDPA s.26, AI Verify Data Governance

DAT-06Training and RAG data provenanceArt. 10(1), Art. 10(2)—PDPA s.13, MAIGF Data, AI Verify Data Governance

DAT-07Data residency requirementsArt. 10(5)—PDPA s.26, MAIGF Data

DAT-08Encryption at rest and in transitArt. 10(2)—PDPA s.24, AI Verify Data Governance

DAT-09Consent for AI processingArt. 10(5)—PDPA s.13, PDPA s.14, MAIGF Data, AI Verify Data Governance

DAT-10Memory architecture documentationArt. 10(2)—MAIGF Data, AI Verify Data Governance

DAT-11Memory and retrieval isolationArt. 10(2)—PDPA s.24, MAIGF Data, AI Verify Data Governance

DAT-12Embedding and vector store integrityArt. 10(2)—MAIGF Data, AI Verify Data Governance

DAT-13Retrieved memory traceabilityArt. 10(2)—MAIGF Data, AI Verify Data Governance

Table OUT.M · OUT mappings — primary · v.1.214 controls

ControlNameNIST AI RMFISO/IEC 42001OWASP LLMSOC 2

OUT-01Groundedness and hallucination checksMEASURE 2.9A.6.2.5LLM09PI1.3

OUT-02Content safety filtersMEASURE 2.6v.1.2 sourceLLM02PI1.3

OUT-03PII and secrets leakage preventionMANAGE 2.3v.1.2 sourceLLM02P3.1, C1.1

OUT-04Citation and provenanceMEASURE 2.9v.1.2 sourceLLM09PI1.3

OUT-05Model provider inventoryMANAGE 3.1v.1.2 source—CC9.2

OUT-06Third-party integration inventoryMANAGE 3.1v.1.2 sourceLLM03CC9.2

OUT-07Third-party integration reviewMANAGE 3.2v.1.2 source—CC9.2

OUT-08Open-source dependency scanningGOVERN 6.1A.10.2LLM05CC9.2

OUT-09Vendor contractual requirementsMAP 4.1, MEASURE 1.3A.7.6LLM03CC2.2

OUT-10Fairness monitoring in productionMEASURE 3.3, MANAGE 3.2v.1.2 source—CC1.1

OUT-11AI-generated content disclosurev.1.2 sourcev.1.2 source—v.1.2 source

OUT-12Model version pinningMANAGE 3.1v.1.2 source—CC8.1

OUT-13Explainability for consequential decisionsMANAGE 3.2v.1.2 source—v.1.2 source

OUT-14Contestability and appeal processMANAGE 3.2v.1.2 source—v.1.2 source

Table OUT.R · OUT mappings — regional & supplementary · v.1.2

ControlNameEU AI ActMITRE ATLASSingapore

OUT-01Groundedness and hallucination checksArt. 15(1), Art. 15(3)—MAIGF Content Provenance, AI Verify Transparency

OUT-02Content safety filtersArt. 15(3)—AI Verify Safety

OUT-03PII and secrets leakage preventionArt. 15(3)—PDPA s.24, AI Verify Transparency

OUT-04Citation and provenanceArt. 13(1), Art. 15(1)—MAIGF Content Provenance, AI Verify Transparency

OUT-05Model provider inventoryArt. 15(2)—MAIGF Trusted Development and Deployment

OUT-06Third-party integration inventoryArt. 15(2)—MAIGF Trusted Development and Deployment

OUT-07Third-party integration reviewArt. 15(2)—MAIGF Trusted Development and Deployment

OUT-08Open-source dependency scanningArt. 15(2)—MAIGF Trusted Development and Deployment

OUT-09Vendor contractual requirementsArt. 10(2)—MAIGF Trusted Development and Deployment, AI Verify Transparency

OUT-10Fairness monitoring in productionArt. 10(2), Art. 10(5)—AI Verify Fairness

OUT-11AI-generated content disclosureArt. 13(1), Art. 13(2)—MAIGF Content Provenance, AI Verify Transparency

OUT-12Model version pinningArt. 15(1)—MAIGF Trusted Development and Deployment

OUT-13Explainability for consequential decisionsArt. 13(1), Art. 14(4)—AI Verify Explainability, AI Verify Transparency

OUT-14Contestability and appeal processArt. 14(4)—AI Verify Fairness, AI Verify Transparency

Table MON.M · MON mappings — primary · v.1.211 controls

ControlNameNIST AI RMFISO/IEC 42001OWASP LLMSOC 2

MON-01Per-step loggingMANAGE 4.1, MEASURE 1.1A.9.2—CC7.2, CC7.3

MON-02Log retention and tamper evidenceMEASURE 2.4, MEASURE 2.11A.9.3—CC7.3, CC8.1

MON-03Real-time anomaly detectionMANAGE 1.1, MANAGE 2.1A.6.2.4, A.9.4—CC5.2, CC7.3

MON-04Drift monitoringMANAGE 2.4, MEASURE 3.2A.9.4—CC7.3

MON-05Human review queueMANAGE 2.1, MANAGE 4.1v.1.2 source—CC7.3, CC7.4

MON-06Reviewer qualification and trainingMANAGE 2.1v.1.2 source—CC1.4

MON-07Agent-specific incident responseMANAGE 4.1, MANAGE 4.2v.1.2 source—CC7.3, CC7.4, CC7.5

MON-08Post-incident learning loopMANAGE 4.3v.1.2 source—CC7.5

MON-09Alerting and on-call coverageMANAGE 4.1v.1.2 source—CC7.2, CC7.3

MON-10Monitoring effectiveness reviewMANAGE 2.4v.1.2 source—CC7.3

MON-11Reviewer welfare protectionsv.1.2 sourcev.1.2 source—CC1.4

Table MON.R · MON mappings — regional & supplementary · v.1.2

ControlNameEU AI ActMITRE ATLASSingapore

MON-01Per-step loggingArt. 14(4)—MAIGF Incident Reporting, AI Verify Human Agency & Oversight

MON-02Log retention and tamper evidenceArt. 14(4)—AI Verify Human Agency & Oversight

MON-03Real-time anomaly detectionArt. 14(4)—MAIGF Incident Reporting, AI Verify Human Agency & Oversight

MON-04Drift monitoringArt. 14(4)—MAIGF Incident Reporting

MON-05Human review queueArt. 14(1), Art. 14(4)—MAIGF Incident Reporting, AI Verify Human Agency & Oversight

MON-06Reviewer qualification and trainingArt. 14(4), Art. 26(2)—AI Verify Human Agency & Oversight

MON-07Agent-specific incident responseArt. 14(4), Art. 26(5)—MAIGF Incident Reporting

MON-08Post-incident learning loopArt. 14(4)—MAIGF Incident Reporting, AI Verify Human Agency & Oversight

MON-09Alerting and on-call coverageArt. 14(4)—MAIGF Incident Reporting

MON-10Monitoring effectiveness reviewArt. 14(4)—MAIGF Incident Reporting, AI Verify Human Agency & Oversight

MON-11Reviewer welfare protectionsArt. 14(4), Art. 26(2)—MAIGF Operations Management, AI Verify Human Agency & Oversight

Table MAS.M · MAS mappings — primary · v.1.29 controls

ControlNameNIST AI RMFISO/IEC 42001OWASP LLMSOC 2

MAS-01Multi-agent topology documentationGOVERN 6.1v.1.2 source—CC2.1

MAS-02Agent-to-agent authenticationMANAGE 2.1A.8.4LLM08CC6.3

MAS-03Confirmation binding across chainsMANAGE 2.3v.1.2 sourceLLM06CC6.3

MAS-04Privilege escalation preventionMANAGE 4.3A.8.6—CC7.4

MAS-05Cross-agent loop detectionMANAGE 2.2v.1.2 sourceLLM06CC7.2

MAS-06Per-hop invocation loggingMANAGE 4.1v.1.2 source—CC7.2, CC7.3

MAS-07Aggregate blast-radius capsMANAGE 3.2v.1.2 source—CC6.3, CC8.1

MAS-08Suspend propagationMANAGE 4.2v.1.2 source—CC7.4, A1.2

MAS-09External agent trust boundariesGOVERN 6.1, MANAGE 3.1v.1.2 sourceLLM06CC9.2

Table MAS.R · MAS mappings — regional & supplementary · v.1.2

ControlNameEU AI ActMITRE ATLASSingapore

MAS-01Multi-agent topology documentationArt. 25(1)—MAIGF Accountability

MAS-02Agent-to-agent authenticationArt. 25(1), Art. 14(4)ExecutionMAIGF Accountability, AI Verify Security

MAS-03Confirmation binding across chainsArt. 14(4)ExecutionMAIGF Accountability, AI Verify Human Agency & Oversight

MAS-04Privilege escalation preventionArt. 14(4), Art. 25(1)Execution, Lateral MovementMAIGF Accountability

MAS-05Cross-agent loop detectionArt. 14(4)Execution, Lateral MovementMAIGF Accountability

MAS-06Per-hop invocation loggingArt. 14(4)—MAIGF Accountability

MAS-07Aggregate blast-radius capsArt. 14(4), Art. 25(1)ImpactMAIGF Accountability

MAS-08Suspend propagationArt. 14(4), Art. 25(1)—MAIGF Accountability

MAS-09External agent trust boundariesArt. 25(1)Lateral MovementMAIGF Accountability

Notation

External framework references use the publishing body's native notation. NIST AI RMF uses FUNCTION CATEGORY.SUBCATEGORY; ISO/IEC 42001 uses clause numbers and Annex A control IDs; OWASP uses the LLM Top 10 short codes; SOC 2 uses AICPA Trust Services Criteria IDs; EU AI Act uses article and annex numbers; MITRE ATLAS uses tactic names; Singapore references use MAIGF dimension names, AI Verify principle names, and PDPA section numbers.

Note on Singapore references: references to the Singapore Model AI Governance Framework, AI Verify principles, and the Singapore Personal Data Protection Act are introduced in v1.2. They reflect the publisher's reading of those frameworks as of the date of this draft. Specific dimension names, principle labels, and statutory section references should be confirmed against current IMDA and AI Verify Foundation publications prior to citing this mapping in public materials.