Vietnam AI Strategy: Governance for Rapid Digital Transformation
Vietnam's National Strategy on Research, Development and Application of Artificial Intelligence until 2030 is explicitly growth-oriented. It aims to expand AI adoption across public services, enterprise operations, and the digital economy. The compliance baseline, however, is shaped by more specific rules such as Decree No. 13/2023/ND-CP on personal data protection and the broader cybersecurity environment. That combination creates a familiar implementation risk: transformation programs move quickly, but the controls around personal data handling, provider selection, and review authority lag behind. Keeptrusts fits into that gap. It does not replace Vietnamese legal analysis, consent management, or sector-specific obligations. It does make the runtime boundary explicit by reducing personal data before provider dispatch, enforcing provider constraints from YAML rather than from policy decks, and creating an audit surface that shows how each AI route behaved.
Use this page when
- You are scaling AI under Vietnam's national strategy and need technical governance now, not later.
- Your AI routes process customer, employee, or citizen data that triggers Decree 13 concerns.
- You want a fail-closed pattern for provider eligibility and evidence collection.
Primary audience
- Primary: Enterprise architects, privacy officers, platform engineers
- Secondary: transformation offices, security teams, product governance leads
The problem
Rapid digital transformation creates pressure to standardize on one AI platform. That sounds efficient until teams start mixing very different workloads: internal productivity, claims support, onboarding automation, citizen-facing assistance, and document summarization. The data classes are different. The consequences are different. The transfer expectations are different. Yet the integration path is often identical.
Vietnam's AI strategy does not tell teams to stop innovating. It does require a more mature operating model than a generic provider SDK scattered across applications. Decree 13 adds urgency because personal data protection cannot be an afterthought once prompts, attachments, and generated summaries are already flowing to upstream services.
The operational failures are predictable. Teams do not know which routes contain sensitive data. Providers are selected based on convenience rather than declared handling guarantees. Logs show that a request happened, but not why that provider was acceptable or what controls ran before the request left the boundary. When a reviewer later asks how a route aligns with privacy expectations, the answer is often a diagram, not enforceable behavior.
The solution
Treat governance as part of the transformation stack. Each route should declare what kind of data it handles, what provider guarantees are required, and whether the route is allowed to continue when those guarantees are unavailable.
Keeptrusts is particularly useful where Decree 13 concerns intersect with provider routing. pii-detector reduces obvious personal data before dispatch. data-routing-policy can require zero data retention, no-training posture, tokenized input support, and no internet egress for routes that need a narrow trust boundary. That gives transformation teams a pattern they can reuse safely. Instead of asking every product team to interpret privacy requirements, the shared platform enforces them.
This also creates a better basis for change control. When a transformation program adds a new provider or changes a route's purpose, you can test the updated configuration before rollout and preserve evidence that the control set changed intentionally.
Implementation
For a Vietnam route that handles personal data and should fail closed if no reviewed provider is available, use explicit data_policy declarations and route filtering.
pack:
  name: vietnam-digital-transformation
  version: 1.0.0
  enabled: true
providers:
  targets:
    - id: vietnam-reviewed
      provider: openai
      model: gpt-5.4-mini-mini
      secret_key_ref:
        env: OPENAI_API_KEY
      data_policy:
        zero_data_retention: true
        training_opt_out: true
        retention_days: 0
        in_memory_only: true
        sanitized: true
        accepts_tokenized_input: true
        allow_internet_egress: false
policies:
  chain:
    - pii-detector
    - data-routing-policy
    - audit-logger
  policy:
    pii-detector:
      action: redact
      redaction:
        marker_format: label
        include_metadata: true
    data-routing-policy:
      require_zero_data_retention: true
      require_no_training: true
      max_retention_days: 0
      require_in_memory_only: true
      sanitize_before_provider: true
      tokenize_sensitive_fields: true
      allow_internet_egress: false
      on_no_compliant_provider: block
      log_provider_selection: true
    audit-logger:
      retention_days: 90
This configuration does two important things for a transformation program. First, it makes provider acceptance criteria reviewable in one place. Second, it ensures that if the reviewed provider set is unavailable, the route stops instead of silently falling back to a looser option. That is the right bias for sensitive modernization programs. If the business wants lower-friction routing for low-risk internal drafting, create a separate route and say so clearly.
The follow-through matters. Use kt policy lint --file policy-config.yaml during authoring, then test representative prompts in CI before rollout. Governance for rapid transformation is not just about the control chain; it is about keeping the control chain from drifting as adoption expands.
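The fail-closed eligibility rule described above can also be asserted in CI as a drift check. The following is an added example, not Keeptrusts code: the mapping from data-routing-policy requirements to data_policy fields is an assumption inferred from the key names in the configuration, and the `convenience-default` target is hypothetical.

```python
# Added illustration, not Keeptrusts source. The mapping from policy
# requirements to data_policy fields is assumed from the YAML key names.
REQUIRED_TRUE = {
    "require_zero_data_retention": "zero_data_retention",
    "require_no_training": "training_opt_out",
    "require_in_memory_only": "in_memory_only",
    "sanitize_before_provider": "sanitized",
    "tokenize_sensitive_fields": "accepts_tokenized_input",
}

class NoCompliantProvider(Exception):
    """Raised when on_no_compliant_provider is 'block' and nothing qualifies."""

def violations(target, policy):
    """List why a target fails; an undeclared field counts as a failure."""
    dp = target.get("data_policy") or {}
    reasons = [f"{field} not declared true" for req, field in REQUIRED_TRUE.items()
               if policy.get(req) and dp.get(field) is not True]
    days = dp.get("retention_days")
    if "max_retention_days" in policy and (
            type(days) is not int or days > policy["max_retention_days"]):
        reasons.append("retention_days missing or above max")
    if policy.get("allow_internet_egress") is False \
            and dp.get("allow_internet_egress") is not False:
        reasons.append("allow_internet_egress not declared false")
    return reasons

def select_providers(targets, policy):
    """Return (eligible ids, {rejected id: reasons}); fail closed if none pass."""
    eligible, rejected = [], {}
    for t in targets:
        why = violations(t, policy)
        if why:
            rejected[t["id"]] = why
        else:
            eligible.append(t["id"])
    if not eligible and policy.get("on_no_compliant_provider") == "block":
        raise NoCompliantProvider(rejected)
    return eligible, rejected

# Constructed sample data mirroring the configuration on this page.
POLICY = {**dict.fromkeys(REQUIRED_TRUE, True), "max_retention_days": 0,
          "allow_internet_egress": False, "on_no_compliant_provider": "block"}
REVIEWED = {"id": "vietnam-reviewed", "data_policy": {
    **dict.fromkeys(REQUIRED_TRUE.values(), True),
    "retention_days": 0, "allow_internet_egress": False}}
UNDECLARED = {"id": "convenience-default"}  # hypothetical: no data_policy at all
```

Because a missing declaration is treated the same as a failing one, a target added without data_policy metadata is rejected with its reasons recorded rather than silently accepted.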
Results and impact
The result is a transformation model that can scale without dissolving into policy exceptions. Teams know which routes may process personal data, which providers are acceptable, and what happens when no compliant provider is available. Audit review becomes faster because the route itself explains the control posture.
It also improves change discipline. Adding a provider is no longer a product team's local decision. It becomes a governed configuration change that can be validated, tested, and reviewed across the shared platform.
Key takeaways
- Vietnam's AI strategy supports rapid adoption, which makes route governance more important, not less.
- Decree 13 concerns should be expressed as routing and data-handling constraints where possible.
- data-routing-policy is strongest when every provider target declares data_policy metadata explicitly.
- Fail-closed routing is often the right default for sensitive digital transformation workloads.
- CI and export evidence keep transformation programs from drifting out of compliance as they scale.
Next steps
- Review provider declarations in Data Policies and Data Routing.
- Apply route filtering with Data Routing Policy.
- Add redaction with Tutorial: Setting Up PII Redaction.
- Export review evidence from Tutorial: Exporting Compliance Evidence.