Gobernanza de IA en Singapur — Model Framework + AI Verify
Resumen ejecutivo
Why Singapore is the architectural reference for soft-law AI governance globally
The most common framing of Singapore’s AI regulation describes it as a soft-law jurisdiction that has chosen not to legislate AI comprehensively, often grouped together with the United Kingdom as «the soft-law alternatives to the EU AI Act». The grouping captures the formal characteristic and misses the architectural distinction entirely. Singapore is not just a soft-law jurisdiction; Singapore is the world’s principal source of practical AI assurance methodology, and its frameworks have become the operational reference for AI testing infrastructure globally, regardless of which substantive regulation a jurisdiction has chosen.
The dominant narrative reads Singapore’s choice as innovation-first regulatory minimalism — frameworks instead of laws, testing tools instead of penalties, industry consultation instead of binding obligations. The reading captures Singapore’s institutional preference and misses what makes the Singaporean approach structurally distinctive. Singapore did not choose soft law as the absence of regulation; Singapore chose soft law as the architectural alternative to comprehensive legislation, built around operational testing infrastructure rather than statutory obligations. The choice is intentional, sustained over more than seven years (since the 2019 first edition of the Model Framework), and increasingly validated by international convergence on Singaporean tooling and methodology.
This matters in three concrete ways. First, Singapore’s frameworks have become the de facto international reference: AI Verify is the world’s first AI governance testing framework and software toolkit, mapped to ISO/IEC 42001:2023 with a crosswalk to NIST AI RMF, and adopted internationally as a practical assurance tool. Project Moonshot has signed an MoI with MLCommons to develop a common safety benchmark suite for generative AI. The DFOSS AI Governance Playbook (with Rwanda) is positioning Singaporean methodology as the reference for small states globally. Second, the institutional architecture is genuinely distributed: IMDA as overarching regulator, AI Verify Foundation as the open-source community-driven testing infrastructure (120+ members), Digital Trust Centre at NTU as the research host designated as Singapore AI Safety Institute, PDPC as the binding personal data regulator, and sectoral regulators (MAS, HSA) for vertical applications. The architecture deliberately separates rule-making from testing infrastructure from research from binding enforcement — and each piece is operationally substantive. Third, the soft-law approach pairs explicitly with operational tooling: every framework principle in the MGF, MGF-Gen AI, and MGF-Agentic AI is connected through AI Verify and Project Moonshot to a concrete testing methodology, evaluation benchmark, or assurance mechanism. The frameworks are not descriptions of intent; they are operational specifications validated through testing.
What makes Singapore’s 2024-2026 regulatory cycle particularly significant is the first-mover position on Agentic AI governance: in January 2026, IMDA published the Model AI Governance Framework for Agentic AI, the first structured governance framework for autonomous AI agents from any major jurisdiction. This positions Singapore at the leading edge of the next AI governance frontier — not because Singapore legislated first but because Singapore’s framework methodology was operationally ready to extend to a new technology generation faster than statutory processes elsewhere can produce binding rules.
What Singapore represents in the global AI regulatory landscape, then, is the architectural argument that soft-law AI governance can lead practical AI assurance globally when paired with sustained institutional investment in testing infrastructure. The rest of this reference treats the framework architecture and the testing infrastructure as one integrated system rather than as separate documents.
The framework family: MGF, MGF-Gen AI, MGF-Agentic AI
Singapore’s framework architecture has three principal Model AI Governance Frameworks, each addressing a different generation of AI technology, structured around accountability, transparency, and operational testability.
Model AI Governance Framework (MGF) — Traditional AI
First published January 2019, second edition January 2020. Addresses traditional AI systems — predictive models, classification systems, decision-support tools. Built around two foundational principles:
- AI decision-making should be explainable, transparent, and fair
- AI solutions should be human-centric
The framework structures these principles into four key areas: internal governance structures, determining the level of human involvement, operations management, and stakeholder interaction and communication. The MGF V2 has been used as the foundation for sectoral guidance (notably MAS’s Veritas Toolkit for financial services) and as the structural reference for AI Verify’s testing categories.
Model AI Governance Framework for Generative AI (MGF-Gen AI)
Published 30 May 2024 by IMDA and AI Verify Foundation, following a public consultation that ran from 16 January to 15 March 2024. The first comprehensive framework specifically addressing generative AI from any major jurisdiction. Built around nine dimensions:
- Accountability: structural incentives and responsibility allocation along the AI value chain (model developers, application deployers, cloud service providers)
- Data: training data sourcing, quality, and governance
- Trusted development and deployment: practices for responsible AI development
- Incident reporting: post-deployment monitoring and incident response
- Testing and assurance: third-party testing, including AI Verify and Project Moonshot
- Security: cybersecurity for AI systems
- Content provenance: identifying AI-generated content (technical alignment with C2PA)
- Safety and alignment R&D: research investment
- AI for public good: democratizing AI access, public sector adoption, sustainable development
The MGF-Gen AI explicitly addresses risks reinforced or introduced by generative AI: hallucinations, copyright infringement, value alignment, scale of misuse, and content provenance. It is the most operationally specific framework on these issues globally.
Model AI Governance Framework for Agentic AI
Published January 2026 by IMDA. The first structured governance framework for autonomous and semi-autonomous AI agents from any major jurisdiction. Addresses governance challenges specific to AI systems capable of independent decision-making and action — task delegation, multi-step planning, tool use, persistent memory, and multi-agent coordination.
The Agentic AI Framework operationalises governance for the next AI technology generation before binding statutory frameworks elsewhere have produced agent-specific rules. This positions Singapore as the structural reference for organisations and regulators globally seeking guidance on agent governance, and creates substantive convergence pressure on subsequent EU, US, and UK rule-making.
AI Verify — the testing framework and toolkit
AI Verify is the world’s first AI governance testing framework and software toolkit, developed by IMDA. Originally released as an MVP in 2022 and a full open-source toolkit in 2023, AI Verify is the operational counterpart to the Model AI Governance Frameworks.
Eleven governance principles. AI Verify outlines 11 governance principles aligned with international AI standards from the EU, US, and OECD: transparency, explainability, reproducibility, safety, security, robustness, fairness, data governance, accountability, human agency, and inclusive growth and societal and environmental well-being.
Testing dimensions. AI Verify tests AI systems against the principles through:
- Process checks: documentation review, governance verification, accountability tracing
- Technical tests: standardized algorithmic testing for fairness, robustness, and explainability
- Combined assurance: integrated testing framework producing reports usable for regulator engagement, customer assurance, and internal governance
International alignment. AI Verify has been formally mapped to ISO/IEC 42001:2023 (Information technology — Artificial intelligence — Management system) and a crosswalk has been published with NIST AI RMF. Organizations using AI Verify can demonstrate alignment with both ISO/IEC 42001 management system requirements and NIST AI RMF process structure simultaneously, reducing the cost of meeting multiple international assurance frameworks.
Open-source community. AI Verify is hosted on GitHub and governed by the AI Verify Foundation’s open-source community. The toolkit is extensible through plugin-based extensions tailored to different sectors. Organizations contribute improvements, sectoral plugins, and new evaluation methodologies, with AI Verify Foundation curating the toolkit.
Integration with sectoral toolkits. AI Verify integrates with the Monetary Authority of Singapore’s Veritas Toolkit for AI use in financial services, providing a sector-specific adaptation that extends the horizontal AI Verify principles to MAS’s binding sectoral expectations.
Project Moonshot — generative AI testing
Project Moonshot, launched on 30 May 2024 at ATxSG 2024 by Singapore’s Minister for Communications and Information, is the world’s first open-sourced toolkit to bring red-teaming, benchmarking, and baseline testing together for large language models in a single, easy-to-use platform. Developed by the AI Verify Foundation through partnerships with DataRobot, IBM, Singtel, and Temasek.
Three combined capabilities.
- Benchmarking: standardized «exam questions» measuring LLM performance across capability, quality, and trust & safety
- Red-teaming: automated adversarial testing for vulnerabilities, jailbreaks, and harmful outputs
- Baseline testing: integration into CI/CD pipelines for continuous safety testing
Tested risk categories. Project Moonshot identifies and tests for:
- Hallucinations and factual inaccuracy
- Undesirable content generation
- Data disclosure (PII, training data extraction)
- Susceptibility to adversarial prompts (prompt injection, jailbreaks)
- Out-of-domain responses
- Domain-specific reliability issues
International integration. Project Moonshot is part of the AI Verify Foundation–MLCommons Memorandum of Intent signed 29 May 2024 to develop a common safety benchmark suite for generative AI. The MOI positions Singaporean tooling as a foundational input to the international AI safety benchmark infrastructure.
Open beta accessibility. Project Moonshot is an open beta accessible via GitHub. The latest version integrates into CI/CD pipelines for automated safety testing, making LLM evaluation accessible to development and compliance teams without requiring specialized AI safety expertise.
The institutional architecture: IMDA, AIVF, PDPC, DTC, SG AISI
Singapore’s AI governance institutional architecture is genuinely distributed across five principal bodies, each with distinct operational responsibilities.
Infocomm Media Development Authority (IMDA). The overarching regulator and policy-setter for Singapore’s AI governance. Under Singapore’s Ministry of Communications and Information. IMDA leads framework development (MGF, MGF-Gen AI, MGF-Agentic AI), runs the Generative AI Evaluation Sandbox (launched October 2023), and coordinates the broader institutional architecture. IMDA frameworks are not legally binding in themselves but increasingly function as benchmarks in procurement, contracting, and regulatory discussions.
AI Verify Foundation (AIVF). Wholly-owned not-for-profit subsidiary of IMDA, launched June 2023. AIVF operates AI Verify and Project Moonshot, develops the Model AI Governance Framework for Generative AI in partnership with IMDA, and harnesses an open-source community of 120+ members (with AWS and Dell as premier members). AIVF has signed Memoranda of Intent with MLCommons (common safety benchmarks, 29 May 2024) and Microsoft (content provenance, 30 May 2024).
Personal Data Protection Commission (PDPC). The binding personal data regulator under the Personal Data Protection Act (PDPA). PDPC issues advisory guidelines that operationalize PDPA for AI uses involving personal data. The PDPC Advisory Guidelines on the Use of Personal Data in AI Recommendation and Decision Systems issued in March 2024 are the principal binding source of AI obligations in Singapore for systems processing personal data.
Digital Trust Centre (DTC) at NTU. A national centre for research in trust technology, funded by IMDA and the National Research Foundation (NRF), hosted by Nanyang Technological University. DTC drives Singapore’s research ecosystem on AI safety, evaluation, and governance methodology.
Singapore AI Safety Institute (SG AISI). Designated May 2024, hosted within DTC. Part of the international AI Safety Institute network alongside UK AISI (rebranded AI Security Institute February 2025), US AISI, Japan AISI, Korea AISI, Canadian AISI, and others. SG AISI focuses on:
- AI evaluation and testing science
- International collaboration with other AISIs (active discussions with US AISI and UK AISI on GenAI evaluations)
- Science-based input to Singapore’s AI governance work
- Multi-modal and multicultural AI safety evaluation
Sectoral regulators. Beyond the horizontal architecture, sectoral regulators apply existing mandates to AI: the Monetary Authority of Singapore (MAS) with its Veritas Toolkit for financial services AI; the Health Sciences Authority (HSA) for AI medical devices; the Land Transport Authority for autonomous vehicles. The two-tier architecture (IMDA for horizontal AI guidance plus sectoral regulators for vertical sectoral application) operates with clear coordination protocols.
The binding legal layer: PDPA and sectoral regulation
While Singapore has no comprehensive AI legislation, binding obligations exist for AI uses that intersect with personal data processing or sectoral regulation.
Personal Data Protection Act (PDPA). Applies across the AI lifecycle from data collection and model training to deployment and monitoring. The PDPC Advisory Guidelines on the Use of Personal Data in AI Recommendation and Decision Systems (March 2024) provide binding interpretation covering:
- Use of personal data to train ML models
- Use of personal data in deployment for decisions, recommendations, and predictions
- Consent and notification obligations for AI uses
- Data minimization and purpose limitation in AI training
- Anonymization and de-identification practices
PDPA penalties for non-compliance can reach SGD 1 million or 10% of annual turnover in Singapore (whichever is higher) for serious breaches. The PDPA penalty regime is the principal source of substantive AI compliance teeth in Singapore.
Sectoral regulatory layers.
- Monetary Authority of Singapore (MAS) issues the Fairness, Ethics, Accountability and Transparency (FEAT) Principles for AI in finance, integrated with the Veritas Toolkit
- Health Sciences Authority (HSA) regulates AI as a medical device under the Health Products Act
- Land Transport Authority governs autonomous vehicle testing and deployment
- MAS Notice 612 and related circulars apply existing operational risk management to AI use in regulated financial institutions
The sectoral layers operate within their existing statutory mandates, with IMDA frameworks providing horizontal coherence across sectors.
International coordination and global influence
Singapore’s AI governance approach is structurally oriented toward international convergence and influence on global AI assurance methodology rather than purely domestic regulatory ambition.
ISO/IEC 42001 alignment. AI Verify has been formally mapped to ISO/IEC 42001:2023, demonstrating Singapore’s strong support for global harmonization through international standards. The mapping enables organizations using AI Verify to simultaneously demonstrate alignment with the international AI management system standard.
NIST AI RMF crosswalk. AI Verify Foundation has published a crosswalk with the US NIST AI Risk Management Framework, allowing organizations to use AI Verify to achieve the desired outcomes of both the AI Verify testing framework and NIST AI RMF.
MLCommons partnership. The 29 May 2024 Memorandum of Intent between AI Verify Foundation and MLCommons commits both organizations to collaborate on building a common safety benchmark suite for generative AI, positioning Singaporean tooling as foundational input to international AI safety benchmark infrastructure.
Microsoft content provenance. The 30 May 2024 IMDA–Microsoft Memorandum of Intent on content provenance proof of concept positions Singapore at the centre of international content authenticity policy and standards development (alongside C2PA).
International AISI network. SG AISI is in active discussions with US AISI and UK AISI on collaborations in GenAI evaluations, joining the international AI Safety Institute network as a substantive technical contributor.
DFOSS AI Governance Playbook. Joint development with Rwanda’s Ministry of ICT and Innovation, with consultations through the Digital Forum of Small States. The Playbook is structured as a living document that captures collective experience of small states on AI adoption and governance, positioning Singaporean methodology as the reference for small-state AI governance globally.
G7 Hiroshima Process and Council of Europe. Singapore is not a G7 member but is a Hiroshima Code of Conduct supporter through partner channels. Singapore is not a Council of Europe member. The international engagement is structured through Singapore’s leadership of the AI Safety Institute network and the AI Verify community rather than through direct treaty participation.
Intersections with other regimes
Five intersections shape how Singapore’s AI governance operates within the broader international AI regulatory architecture.
EU AI Act. Singaporean organizations operating in or selling AI to the EU are subject to the EU AI Act independently of Singaporean frameworks. AI Verify provides an operational testing methodology that maps substantively to EU AI Act technical documentation requirements, fundamental rights impact assessment elements, and post-market monitoring expectations. Multinational organizations can use AI Verify as the testing infrastructure layer beneath EU AI Act conformity processes.
ISO/IEC 42001. Formally mapped to AI Verify. Singapore is among the most active jurisdictions globally in promoting ISO/IEC 42001 as the international AI management system standard, with both the framework architecture and the testing infrastructure designed to support and complement ISO/IEC 42001 certification.
NIST AI RMF. Crosswalk with AI Verify enables convergent compliance. Organizations operating in both Singapore and US markets benefit from the mapping by reducing duplication in assurance work.
APAC AI regulatory landscape. Singapore’s soft-law plus testing infrastructure approach contrasts structurally with South Korea’s binding AI Basic Act, Japan’s no-penalty AI Promotion Act, and China’s stack-layer regulation. For organizations operating across APAC, the four jurisdictions present four distinct regulatory architectures requiring different compliance strategies, though all four converge substantively on transparency, accountability, and lifecycle risk management.
Council of Europe Framework Convention on AI. Singapore is not a Council of Europe member and is not a signatory. The Convention’s substantive principles overlap with Singapore’s frameworks but do not extend binding international obligations to Singaporean organizations.
## ⚖️ How Zertia operates within the Singapore AI governance environment
>
> > ### Built around Singapore’s MGF and AI Verify
>
> Accreditations and memberships: 🎖️ ANAB-accredited (US) · 🎖️ UKAS process (UK) · 🎖️ ENAC process (EU) · 🏛️ IAPP member · 🏛️ INCITS member · 🏛️ UKAI member · 📜 EU AI Pact signatory
>
> Zertia is an ANAB-accredited AI management system certification body, with offices in Boston, Madrid, and London, and ANAB accreditation in the United States. Active accreditation processes are underway with UKAS (United Kingdom) and ENAC (Spain/EU). Singapore’s AI governance environment — soft-law frameworks paired with operational testing infrastructure, formal mapping between AI Verify and ISO/IEC 42001, leading position in global AI assurance methodology — makes accredited ISO/IEC 42001 certification particularly relevant for Singaporean organizations seeking international assurance and for international organizations operating into the Singapore market.
>
> Certification — ISO/IEC 42001, AIUC-1, ISO/IEC 27001, ISO/IEC 27701, ISO/IEC 22301. Accredited ISO/IEC 42001 certification is the most operationally significant AI governance asset available to Singaporean organizations and to international organizations operating into Singapore. The formal mapping between AI Verify and ISO/IEC 42001 means that ISO/IEC 42001 certification provides direct evidence of substantive alignment with Singapore’s MGF, MGF-Gen AI, and MGF-Agentic AI frameworks, plus operational compatibility with Project Moonshot testing methodology. AIUC-1 provides agent-level technical assurance for AI vendors deploying agents into Singapore enterprise environments — particularly relevant given Singapore’s first-mover Model AI Governance Framework for Agentic AI. ISO/IEC 27001 and ISO/IEC 27701 are the operational complements for PDPA personal information protection requirements administered by PDPC.
>
> Regulatory frameworks — EU AI Act Conformity Assessment, NIST AI RMF Attestation, ISO/IEC 23894 Risk Assessment, Algorithmic Impact Assessment, Pre-Certification Assessment. Algorithmic Impact Assessments structured to satisfy the substantive expectations of the Singaporean Model AI Governance Framework family (across traditional, generative, and agentic AI), with documentation that supports parallel EU AI Act conformity, NIST AI RMF attestation, and US state AI law compliance for multinational organizations. NIST AI RMF Attestation is particularly relevant given the published AI Verify–NIST AI RMF crosswalk, providing portable assurance evidence usable in both Singapore and US markets simultaneously.
>
> Audit — AI Management System audits, High-Risk AI System audits, AI Model audits, EU AI Act audits, NIST AI risk audits. Independent audits structured to provide assurance evidence portable across Singaporean framework expectations, EU AI Act requirements, US state AI laws, and other APAC jurisdictions. Particularly relevant for Singaporean multinationals with EU and US operations and for international organizations using Singapore as a regional hub for APAC AI deployment.
>
> Training — AI Governance, Data Governance, Privacy Governance through Zertia Academy. Programmes treat the Singapore AI governance architecture explicitly, including the framework family (MGF, MGF-Gen AI, MGF-Agentic AI), AI Verify and Project Moonshot testing infrastructure, the institutional architecture (IMDA, AIVF, PDPC, DTC, SG AISI), and integration with EU AI Act, NIST AI RMF, and ISO/IEC 42001 for organizations operating across multiple jurisdictions. Particularly relevant for legal, compliance, and AI governance teams in Singaporean organizations and in international organizations using Singapore as a regional hub.
>
> Zertia operates from Boston, Madrid, and London, with ANAB accreditation in the United States and active accreditation processes with UKAS and ENAC. Member of IAPP, INCITS, and UKAI. Signatory to the EU AI Pact.
>
> ### 🎯 Take action
>
> | 🔍 Diagnose your alignment | 📊 Build the management backbone |
> |—|—|
> | Pre-Certification Assessment → | ISO/IEC 42001 Certification → |
> | Independent diagnosis against the Model AI Governance Framework, AI Verify testing toolkit, and IMDA guidance for organisations operating in Singapore or anchoring APAC AI governance there. | The accredited management system that operationalises Singapore’s principles-based AI governance into auditable practice, integrating MGF and AI Verify outputs into international standards. |
>
> Discuss Singapore AI governance compliance and international AI assurance positioning →
Regulación que entiendes es regulación que puedes convertir en ventaja competitiva.
¿No estás seguro de si este marco aplica a tu organización? Hablemos.
