Singapore Model AI Governance Framework for Agentic AI

No. It is voluntary guidance issued by Singapore's Infocomm Media Development Authority. There is no penalty for non-adoption.

That said, "voluntary" in 2026 is doing a lot of work. The framework is increasingly cited by enterprise procurement teams as the baseline they expect vendors to demonstrate, by other national AI strategies as a reference text, and by binding regimes (notably the EU AI Act) as a model for what "state of the art" looks like in agentic governance. Treating it as table stakes is the safer interpretive stance.

The 2020 MGF (and the 2024 GenAI addendum) addresses general AI systems — primarily predictive models and generative content. The MGF for Agentic AI is purpose-built for systems where the AI plans, calls tools, and acts on the world over multiple steps with varying autonomy.

The four dimensions are conceptually consistent with the parent framework, but the techniques inside each dimension are agent-specific: agent identity management, tool-layer access controls, multi-agent emergent-behaviour testing, agent sprawl prevention, automation-bias countermeasures, and tradecraft retention.

They operate at different layers. The EU AI Act is binding law focused on classifying AI systems by risk and imposing obligations (prohibited, high-risk, limited-risk transparency, GPAI). It does not — yet — have agent-specific obligations.

The MGF for Agentic AI is voluntary guidance focused on how to build, test, and operate agentic systems safely. Most of what MGF Agentic prescribes (risk assessment, human oversight, technical robustness, monitoring) is exactly what EU AI Act Articles 9-15 require for high-risk AI. Adopting MGF Agentic produces much of the evidence an Annex IV technical file demands.

Cleanly. NIST AI RMF's four functions (Govern, Map, Measure, Manage) align dimension-by-dimension with the MGF Agentic. See the Control Mapping table below for the cross-reference.

If you already have a NIST AI RMF programme, you do not need to start over — you need to layer agent-specific controls (identity, tool-layer access, multi-agent testing, automation-bias monitoring) onto your existing Govern/Map/Measure/Manage cycle.

IMDA defines agents as AI systems that possess "some degree of independent planning, decision-making, and action-taking over multiple steps to achieve a user-defined goal." The framework focuses on agents built on generative AI models (SLM, LLM, or MLLM), though it acknowledges deterministic and other neural-network agents exist.

Key components of a simple agent: model, instructions, memory, planning/reasoning, tools, protocols, controls, and logging. Multi-agent setups extend this with patterns like sequential, supervisor, and swarm.

Dayos (risk-tiered automation of IT helpdesk tickets) is the strongest enterprise IT example. Tencent CodeBuddy (permission tiers for coding agents — read free, edit/bash/web-fetch/MCP gated) is the gold standard for governing developer-facing agents. GovTech's phased rollout of Windsurf, GitHub Copilot Agent Mode, and Claude Code shows how to roll out coding assistants with progressively widening capability envelopes. Stability Solutions' contrast between internal-facing and external-facing agents is the cleanest worked example of how risk tier drives control selection.

Multi-agent systems get explicit treatment in §1.2.3. The framework names the new risks (agent sprawl, miscoordination, conflict, collusion, emergent behaviours that cannot be predicted from individual-agent testing) and requires multi-agent-specific controls: structured schemas instead of free-text between agents, limits on shared memory, system-level testing in addition to per-agent testing, and centralised identity management to prevent uncontrolled proliferation.

Three things in combination: significant checkpoints with explicit approval (for high-stakes, irreversible, or outlier actions), digestible approval requests with risk/confidence metadata, and an audit programme that measures whether oversight is working — tracking human override rate, human response time, and outlier reviewers.

The framework is explicit that one-checkbox-per-action approval flows degrade into rubber-stamping. The remedy is to design fewer, better checkpoints rather than more, weaker ones, and to complement human oversight with automated monitoring that fails closed.

Every agent should have its own unique, cryptographically verifiable identity that is tied to a supervising agent, human user, or organisational department for accountability. The identity should differentiate the capacity in which the agent acts (independent vs delegated), and all agent identities should be issued and tracked through a central system to prevent agent sprawl.

Authorisations should be scoped, time- or session-bound, non-transferable, follow least privilege by default, and be bounded by the authorising human's own permissions. Where current OAuth and IAM systems do not natively cover agents, options today include intra-organisation extensions (Microsoft Entra Agent ID, Alibaba Agent ID Guard), OAuth 2.1 over MCP, and decentralised identity proposals from CSA and OpenID.

Coding agents are the case study with the most lived experience to date. The Tencent CodeBuddy worked example in v1.5 is a near-complete blueprint: tiered permissions (Read free, Edit/Bash/WebFetch/MCP gated), per-project default permission levels calibrated to repository risk, plain-language explanations of proposed actions ("here is what this `mysqldump | gzip` command will do, in English"), continuous monitoring for command-injection patterns that revoke whitelisting on suspicious variants, and re-approval on session boundaries.

GovTech's phased rollout pattern — internal employees only, no MCP, low-risk systems first; then central logging, MCP Governance Framework with whitelist gateway, expanded user base — is the operational template most enterprises can copy directly.

The framework treats agentic-commerce protocols as a fast-evolving extension of the Tools and Protocols components. The core guidance is unchanged: use standardised protocols where applicable, sandbox code execution, whitelist trusted servers, treat MCP as a potential governance layer (filter sensitive fields, log every call). For payments specifically, the framework points to deterministic limits — pre-declared transaction ceilings, cryptographically binding authorisation credentials (see Terminal 3's Verifiable Credential of Intent pattern), and post-action immutable audit trails.

Version 1.5 was published 20 May 2026 and incorporates feedback from 60+ companies. IMDA explicitly calls this a "living document" and invites further feedback and case studies via go.gov.sg/mgfagentic-feedback. Expect ~annual revisions. The next likely additions are deeper treatment of agent-to-agent protocols, more concrete computer-use agent guidance, and additional case studies in regulated industries.

ISO/IEC 42001 (AI Management System) is the systems-management overlay; MGF Agentic is the technique-level overlay for agentic systems specifically. They are complementary. Most ISO 42001 control objectives (A.5 organisational policies, A.6 internal organisation, A.8 lifecycle planning, A.9 data quality) map directly to MGF Agentic's first two dimensions. The technical-controls dimension adds material that ISO 42001 deliberately leaves to the implementer.