OISG Adequacy Test
Evaluate your AI system against the four OISG pillars. Each pillar has 5 criteria scored 0–5, for a total score of 0–100. Each criterion is mapped to the main compliance frameworks — EU AI Act, NIST AI RMF, OWASP LLM Top 10, ISO/IEC 42001 and others — with links to the official sources.
Organisation details
This information will appear on the downloadable assessment certificate.
Maps to EU AI Act Art. 15 (opens official source in a new tab) Art. 15 & Annex IV(2)(g) — accuracy levels and the metrics used, declared in the documentation.high confidence NIST AI RMF MEASURE 2.3 (opens official source in a new tab) MEASURE 2.3 — performance measured and documented for deployment-like conditions.high confidence
Maps to ISO/IEC 27001 A.5.23 (opens official source in a new tab) A.5.23 (2022) — information security for the use of cloud services; supports on-prem / private-cloud data residency.medium confidence
Maps to EU AI Act Art. 12 (opens official source in a new tab) Art. 12 record-keeping & Art. 10 data governance — traceable retrieval and data lineage.high confidence OWASP LLM08:2025 (opens official source in a new tab) LLM08:2025 Vector and Embedding Weaknesses — RAG retrieval integrity and traceability.high confidence
Maps to EU AI Act Art. 14 (opens official source in a new tab) Art. 14 — human oversight; agent autonomy must be bounded and overseeable.high confidence OWASP LLM06:2025 (opens official source in a new tab) LLM06:2025 Excessive Agency — scope, permissions and autonomy of agents must be constrained.high confidence
Maps to EU AI Act Art. 13 (opens official source in a new tab) Art. 13 transparency to deployers & Art. 86 right to explanation of individual decisions.high confidence NIST AI RMF MEASURE 2.9 (opens official source in a new tab) MEASURE 2.9 — model explainability and interpretability are documented and validated.high confidence
Maps to OWASP LLM01:2025 (opens official source in a new tab) LLM01:2025 Prompt Injection — direct and indirect injection across request and response paths.high confidence MITRE ATLAS AML.T0051 (opens official source in a new tab) AML.T0051 LLM Prompt Injection (.000 Direct / .001 Indirect).high confidence EU AI Act Art. 15(5) (opens official source in a new tab) Art. 15(5) — resilience against attempts by third parties to exploit system vulnerabilities.high confidence
Maps to OWASP LLM06:2025 (opens official source in a new tab) LLM06:2025 Excessive Agency — verified agent identity bounds inter-agent trust.high confidence ISO/IEC 27001 A.5.16 (opens official source in a new tab) A.5.16 Identity Management & A.8.5 Secure Authentication.medium confidence
Maps to NIST AI RMF MANAGE 2.4 (opens official source in a new tab) MANAGE 2.4 — mechanisms to supersede, disengage or deactivate systems showing unacceptable behaviour.high confidence EU AI Act Art. 14(4)(e) (opens official source in a new tab) Art. 14(4)(e) — ability to intervene or interrupt via a stop button or similar procedure.high confidence
Maps to GDPR Art. 25 (opens official source in a new tab) Art. 25 — data protection by design and by default; redact PII before it reaches the model.high confidence OWASP LLM02:2025 (opens official source in a new tab) LLM02:2025 Sensitive Information Disclosure — prevent PII leakage to and from the model.high confidence
Maps to SLSA Build L2/L3 (opens official source in a new tab) SLSA Build track — signed provenance (L2) and hardened builds (L3) extended to model artifacts.high confidence OWASP LLM03:2025 (opens official source in a new tab) LLM03:2025 Supply Chain — integrity of models, adapters and datasets.high confidence
Maps to EU AI Act Art. 72 (opens official source in a new tab) Art. 72 post-market monitoring & Art. 9 risk management — continuous, not periodic.high confidence NIST AI RMF MANAGE 4.1 (opens official source in a new tab) MANAGE 4.1 — post-deployment monitoring plans are implemented and documented.high confidence
Maps to EU AI Act Art. 12 (opens official source in a new tab) Art. 12 record-keeping & Art. 19 automatically generated logs.high confidence ISO/IEC 27001 A.8.15 (opens official source in a new tab) A.8.15 Logging & A.8.16 Monitoring activities.medium confidence
Maps to EU AI Act Art. 14 (opens official source in a new tab) Art. 14 — human oversight defined as a design requirement.high confidence NIST AI RMF GOVERN 3.2 (opens official source in a new tab) GOVERN 3.2 & MANAGE 2.4 — human roles, oversight and intervention are defined.high confidence
Maps to EU AI Act Art. 72 (opens official source in a new tab) Art. 72 post-market monitoring & Art. 15 accuracy/robustness across the lifecycle.high confidence NIST AI RMF MEASURE 2.4 (opens official source in a new tab) MEASURE 2.4 — deployed system monitored with documented mechanisms; MANAGE 4.1.high confidence
Maps to EU AI Act Art. 6 (opens official source in a new tab) Art. 6 & Annex III high-risk classification rules + Art. 9 risk management.high confidence ISO/IEC 23894:2023 (opens official source in a new tab) ISO/IEC 23894 — AI risk identification and assessment process.medium confidence