Where this meets what you already use
Cross-walked to the frameworks your auditors already know.
This is not a replacement for ISO, NIST, or the EU AI Act. It complements them — adding the agentic-software-development specifics they do not cover and mapping back to the controls and clauses they do.
One row per framework
The table below names where each external framework touches the model. It is a navigational aid; per-item traceability lives in the canonical reference.
| Framework | Reference | HiveCraft dimensions | Notes |
|---|---|---|---|
| ISO 27001:2022 | A.5 / A.6 / A.8 |
| Annex A controls for security policy, organisation, and asset management map across HCSM operational and risk groups. |
| NIST CSF 2.0 | GOVERN / IDENTIFY / DETECT / RESPOND |
| GOVERN function aligns with D11 disclosure and D9 jurisdiction; DETECT.CM aligns with D2 telemetry. |
| NIST AI RMF 1.0 | GOVERN / MAP / MEASURE / MANAGE |
| AI-specific risk-management functions map to retrieval-grounding (D6), compliance (D9), and disclosure (D11). |
| EU AI Act | Art. 9 / 15 / 16 / 26 / 50 |
| Risk-management system (Art. 9), accuracy/robustness (Art. 15), QMS (Art. 16), deployer obligations (Art. 26), transparency (Art. 50). |
| GDPR | Art. 6 / 7 / 13 / 14 / 30 / 32 |
| Lawful basis, consent versioning (Art. 7 mirrors HCSM consent_versions), records of processing, security of processing. |
| CMMI | CM / PR / VV / OT / OPP |
| Configuration Management, Process Quality, Verification and Validation, Organisational Training, Organisational Performance. |
| SPACE framework | Satisfaction / Performance / Activity / Communication / Efficiency |
| Developer-productivity framing complements HCSM telemetry and outcome groups. |
| MLOps maturity | MS / Google / AWS levels |
| Industry MLOps level-2 capabilities are necessary (not sufficient) for HCSM Group A at L4. |
| ISO 42001 | AI Management System |
| AI-specific management-system standard; HCSM Group C carries ISO 42001 obligations for REG-typed practices. |
| ISO/IEC 25010 | Quality model |
| Functional suitability, reliability, security characteristics inform retrieval/grounding evaluation. |
| ISO 9001 | Clauses 7.1.6 / 7.2 / 8.6 |
| Organisational knowledge, competence, release of products and services map to KB curation and acceptance. |
| ISO 31000 | Risk management |
| Generic risk-management process underpins HCSM risk-register expectations. |
| SOC 2 | Trust Services Criteria (CC) |
| Security and availability TSCs map to HCSM hardening and stakeholder-outcome groups. |
| PCI DSS | Latest standard |
| Payment-card environments contribute Class-S statutory blockers when in scope. |
| CIS Benchmarks | OS / Cloud / Container |
| Benchmark-derived hardening drift contributes to D8 evidence. |
| COBIT 2019 | BAI08 / EDM |
| Knowledge management governance objective complements HCSM KB curation discipline. |
| ISO/IEC 17021-1 | Conformity-assessment / certification bodies |
| Aggregator / publisher obligations under §15-A6 inherit ISO/IEC 17021-1 precedent for comparative claims. |
| Microsoft RAI MM | Responsible AI Maturity Model |
| Vendor-published RAI MM level mappings indicate D9/D11 coverage but do not substitute for HCSM evidence. |
Why these frameworks?
Each one already carries auditable evidence expectations relevant to agentic-software-development practice. Where a framework partially overlaps, this model does not duplicate — it references and adds the agentic-specific items missing from the source standard.
- ISO 27001:2022 + ISO 27701 — security and privacy management systems.
- NIST CSF 2.0 + SP 800-53 + SSDF — cybersecurity and secure-development functions.
- NIST AI RMF 1.0 + ISO 42001 — AI-specific risk management and management-system requirements.
- EU AI Act + GDPR + EU Data Act — EU regulatory regimes for AI, personal data, and data-sharing.
- CMMI + ISO 9001 + ISO/IEC 25010 — process maturity and software-quality models.
- SPACE + MLOps maturity — developer productivity and ML-operations practice baselines.
Need help mapping this into your existing controls?
The about page lists how to reach us; the contact page is the simplest route.