Singapore IMDA Model AI Governance Framework: What Businesses Can Learn in 2026
Singapore published a Model AI Governance Framework before Europe, Brazil, and the US. It's not regulation. It's a playbook for sector-specific governance in hard currency. Three principles travel straight to your business in 2026.
90-Second Summary
In 2019, Singapore published—and in 2024 updated—a Model AI Governance Framework that is not a regulation. There are no fines, no licenses, and no regulatory committees. It is an operational soft law: a sector-specific playbook that companies adopt voluntarily because it simplifies defense before investors, partners, and enterprise clients. Three principles transfer directly to mid-market companies in 2026 without depending on the approval of local AI bills. These include assigning a named owner for AI decisions, separating technical decisions from capital allocation, and requiring a formal human-in-the-loop oversight flow. All three can be implemented internally within 90 days, requiring zero vendors. While countries debate regulations, your company does not have to wait.
In 2026, when the board demands an explanation of how your company governs AI, three regulatory fronts dominate the public conversation. The EU AI Act has been in force since August 2024 and becomes fully applicable in August 2026. Local bills crawl through congress. The NIST AI Risk Management Framework is the technical reference in the US. You read all three and realize they discuss risk, classification, and regulatory obligations. None answer how to organize the internal governance of your AI operations under your own roof.
What answers this is a different kind of document. Singapore published its first version in January 2019, updated it in January 2020, and in May 2024 launched a specific version for generative AI: the Model AI Governance Framework by the IMDA in partnership with the PDPC. It is not hard law. It is operational, sector-specific soft law, featuring 2 core dimensions and 11 operational principles that fit on a COO's desk without becoming an expensive consulting project. Three of these principles apply directly to your operations.
What is the Model Framework and Why it Exists
In 2019, Singapore made an unusual industrial policy choice. Instead of creating mandatory AI regulations (the European path), and instead of letting the market self-regulate (the American path until 2024), it built a third way. It published a detailed sector playbook, complete with checklists and implementation examples, and left adoption voluntary. The bet was that mature companies would adopt it because the framework facilitates conversations with investors, partners, and enterprise clients. In 2026, that bet proved correct. Most regulated companies in Singapore follow the framework in practice, and the document has become an international reference cited by the OECD, ISO, and the Council of Europe.
| Document | Origin | Type | What it Answers | Non-Compliance Penalty |
|---|---|---|---|---|
| EU AI Act | European Union | Hard law | What rules to follow to mitigate regulatory risk | Up to €35M or 7% of global revenue |
| Local Bills (e.g., PL 2338 in BR) | Brazil (in congress) | Hard law (proposed) | Brazilian equivalent of the EU AI Act | To be determined by the final text |
| NIST AI RMF | USA (NIST) | Voluntary Federal | What technical risks to evaluate in a model | No fines; acts as a technical reference |
| Model AI Governance Framework | Singapore (IMDA + PDPC) | Sector-specific soft law | How to organize internal governance in financial terms | No fines; acts as an operational reference |
| ISO/IEC 42001 | ISO (International) | Certifiable standard | How to audit an AI management system | No fines; reputation and trust gains |
Reviewing the table above changes the board conversation. No single document solves AI governance for your company. The EU AI Act covers European regulatory risk. Local bills will address domestic regulatory risks once approved. The Model Framework addresses internal operational governance. ISO 42001 covers system auditing. Serious mid-market companies in 2026 treat these four layers as parallel tracks. Reducing everything to a single regulatory piece leaves a predictable gap.
The 2 Core Dimensions of the Model Framework
The original 2019 document has two main dimensions: Internal Governance Structures and Measures, which details how to organize committees, roles, and internal oversight; and Determining the Level of Human Involvement in AI-augmented Decision-making, which specifies how much a human participates in each category of decision. The 2024 generative AI update added three sub-dimensions: Provenance and Watermarking, Disclosure to Users, and Human Oversight Calibrated to Risk.
| Dimension | Focus | Expected Deliverable | Typical Owner |
|---|---|---|---|
| Internal Governance | Organizational structure, roles, and oversight | Documented governance charter with named owners | Chief of Staff, COO, or Executive Committee |
| Determining Human Involvement | Human participation level per decision category | Human-in-the-loop matrix by decision type | COO + CFO, with CTO input |
| Provenance (2024 add-on) | Origin and traceability of generative AI output | Prompt and training data audit trail | CTO + Data team |
| Disclosure to Users (2024 add-on) | Transparency regarding AI usage with end-users | Clear disclosure policy in product and processes | Product + Legal |
| Human Oversight Calibrated to Risk (2024) | Human review depth proportional to risk | Tiered review: low/medium/high-risk with distinct rules | COO + Compliance |
The second dimension is the most relevant for the economic perspective that many companies have yet to adopt: how much senior human time is required to ratify AI outputs per decision category, at what frequency, and with what depth. These questions have direct financial answers, and it is where human-agent coordination costs reside.
Transferable Principle 1: Assigning a Named Owner for AI Decisions
The first principle of the Model Framework that transfers directly to mid-market companies is structural. Every category of AI decision must have a named owner. In Singapore, the framework recommends four categories: decisions on the model (selection, training, tuning), decisions on data (origin, quality, anonymization), decisions on output (validation, calibration, ratification), and capital decisions (budget, headcount, vendor).
The typical mid-market company in 2026 fails here. They adopt AI with fragmented decision-making. The CTO chooses the model, the data team pulls the data, the business unit leader validates the output, and no one formalizes the capital decision. The result: the AI budget expands without an owner, ROI remains a guess, and the board demands explanations that no one can provide. An AI committee does not resolve this vacuum, because a committee is a monthly ceremony about risk and models, not the operational owner of a recurring decision.
| Decision Category | What is Decided | Typical Singapore Named Owner | Typical Mid-Market Owner (2026) |
|---|---|---|---|
| Model | Selection, training, fine-tuning, retirement | CTO or Head of AI | CTO (clear) |
| Data | Origin, quality, anonymization, retention | DPO + Data team | Data team (partial, DPO often absent) |
| Output | Validation, calibration, ratification | Business unit leader | Area leader (informal, no written criteria) |
| Capital | AI budget, ROI, vendor, headcount | CFO with COO input | Organizational vacuum in 4/5 of cases |
The fourth row is the category that weighs heaviest on the real operation, which neither the EU AI Act nor local bills cover. Regulatory compliance answers whether a model is high-risk. It does not answer how much it costs to operate the model combined with the senior time spent coordinating its use. Assigning a named owner for this category is an operational governance move, not a regulatory one. The Model Framework recommends the CFO. Mid-market reality in 2026 suggests the exact same path.
Transferable Principle 2: Separating Technical Decisions from Capital Decisions
The second principle is a clear separation. Technical decisions (which model, which data, which prompt) have different criteria than capital decisions (which inference budget, what ROI, which vendor contract). In Singapore, the two follow separate tracks with limited overlap. The CTO leads technical decisions, the CFO leads capital decisions, and the executive committee arbitrates rare intersections.
Confusing these two is a root cause of recurring errors in mid-market operations. A company that approves an AI vendor based on technical criteria (state-of-the-art model) ignores the ROI until the budget breaks. A company that approves based solely on financial criteria (cheapest vendor) gets stuck with an inferior model and wastes potential efficiency. Separating these two decisions into distinct committees does not double bureaucracy; it reduces strategic capital allocation errors.
| Dimension | Technical Decision | Capital Decision |
|---|---|---|
| Primary Criterion | Performance, security, accuracy | ROI, payback, fully loaded cost |
| Key Metric | Accuracy, latency, robustness | Cost per automated decision, payback in months |
| Named Owner | CTO + Head of AI | CFO + COO |
| Typical Frequency | Monthly to quarterly | Quarterly to annually |
| External Stakeholder | Technical vendor, model audit | Board, financial auditor, investor |
Financial readings only work when these two rows are formally separated. A CFO who takes ownership of the right column gains narrative autonomy that a joint AI committee cannot deliver. The CTO remains the owner of the left column, protected to make technical decisions without having to defend the ROI of every single release. In a mid-market organization, this separation can be achieved in 60 days of committee redesign, ensuring the CFO owns the economic front.
Transferable Principle 3: Formal Human-in-the-Loop Oversight Calibrated by Risk
The third principle is operational. Every category of AI decision must have a written rule defining human participation. In Singapore, the framework recommends three tiers: low-risk (human observes post-facto), medium-risk (human ratifies before execution), and high-risk (human approves with deep review). The choice of tier is a governance matter, not a technological one. The CTO gives input, but the owners are the COO and Compliance.
The practical equivalent in 2026 is rarely documented. Area leaders decide on the fly when to ratify an output, when to let it pass, and when to reject it. Without written criteria, ratification swings between the excessive (to cover perceived risk) and the omitted (due to lack of time). This oscillation consumes senior payroll without delivering proportional returns. It is precisely where the A2H edge becomes the most expensive invisible category in hybrid operations.
| Oversight Tier | Review Depth | Typical Application | Estimated Fully Loaded Cost Per Output |
|---|---|---|---|
| Low-risk | Human observes post-facto via sampling | Internal communication decisions, copy drafts | $10 to $30 per output |
| Medium-risk | Human ratifies before action executes | Client analysis, commercial proposals, board data | $60 to $160 per output |
| High-risk | Human approves with deep review and counter-argument | Pricing, major contracts, salary adjustments | $300 to $900 per output |
| Critical-risk (subset) | 2 senior humans + documented audit | Regulatory decisions, M&A, collective layoffs | $1,200 to $3,600 per output |
The last column of the table represents the economic category that still lacks a canonical name in corporate structures: the loaded cost per reviewed output, summed with the monthly volume of each tier. Without a formal, written oversight flow, this cost remains hidden in payroll. With a written flow, FinOps for coordination gains a measurable framework.
What You Can Learn (and What You Cannot Copy)
The three transferable principles can be implemented within 90 days internally without depending on legislative approvals, external vendors, or regulatory bodies. The pragmatic version is straightforward. Month 1: assign a named owner for the four AI decision categories. Month 2: formally separate the technical committee from the capital committee. Month 3: write down risk-calibrated human-in-the-loop oversight tiers with estimated loaded costs per tier.
What does not transfer is the macro structure. Singapore has a single agency (IMDA) with both regulatory and sector development mandates—a rare condition outside of city-states. Most countries distribute AI responsibilities across multiple agencies. Replicating the IMDA is a public policy debate that goes far beyond your company's 2026 cycle. The three operational principles, however, remain applicable regardless of the final regulatory landscape.
The 2024 generative AI update also transfers only partially. Provenance, disclosure, and calibrated oversight are useful sub-dimensions, but provenance requires local legal adaptation (privacy frameworks have different bases for training data usage) and disclosure levels vary depending on market culture. This adaptation requires a separate project between Legal and Product.
A 90-Day Adoption Roadmap for Mid-Market Companies
| Month | Primary Movement | Written Deliverable | Primary Owner |
|---|---|---|---|
| Month 1 | Assign a named owner to the 4 AI decision categories | A 2-page governance charter outlining clear ownership | Chief of Staff coordinates; COO and CFO ratify |
| Month 2 | Formally separate technical and capital committees | Two committee charters: frequency, standard agendas, quorums | COO designs; Board ratifies |
| Month 3 | Write risk-calibrated human-in-the-loop tiers | A matrix of 4 tiers × review depth × estimated loaded cost | COO + CFO co-draft |
| Month 4 (Optional) | Run an initial inventory to calibrate real vs. estimated costs | An edge radar mapping 3 to 5 real inventoried decisions | BizOps Director + dedicated senior analyst |
The fourth month is optional because the 30-day edge inventory acts as a reality check for the estimated loaded costs from Month 3. A company that executes Month 1 through Month 3 has already fulfilled 80% of what the Model Framework proposes. Month 4 secures a defensible financial reading before the board.
Frequently Asked Questions
Is Singapore's Model AI Governance Framework a mandatory regulation?
No. It is soft law. Published by the IMDA in partnership with the PDPC (first version in 2019, generative AI update in 2024), it does not impose fines, require licenses, or establish regulatory committees. It operates as a recommended industry playbook. Adoption is voluntary, but most regulated companies in Singapore follow it because the framework has become a market standard for demonstrating governance maturity to investors, partners, and enterprise clients.
What is the practical difference between the Model Framework and the EU AI Act?
The EU AI Act is hard law, applicable with heavy fines (up to €35M or 7% of global revenue) and risk categories (prohibited, high, limited, minimal) with strict obligations. Singapore's Model Framework is an operational soft law, focusing on helping companies design internal governance independent of regulatory demands. The EU AI Act tells you what rules to follow to avoid fines; the Model Framework tells you how to organize internal governance so that AI decisions remain defensible and auditable. They are complementary, not mutually exclusive.
Why should mid-market CFOs and COOs read the Model Framework instead of local bills?
Because typical draft bills are risk-focused equivalents of the EU AI Act (focusing on categories, fines, and data rights). The Model Framework covers an adjacent category: the internal economic governance of AI operations. In particular, it assigns owners to AI decisions, separates technical and capital decisions, and requires formal human-in-the-loop oversight. These three elements can be implemented in any business today without waiting for legislation.
Does the Model Framework cover human-agent coordination in financial terms?
Not directly, but yes, indirectly. The Operations Management dimension covers continuous monitoring, data quality, and internal stakeholder management—precisely where human-agent coordination costs manifest. The 2024 generative AI update added Provenance, Disclosure, and Human Oversight, which anchor the economic interpretation of the problem. Companies that monitor provenance and secure senior human ratification are already managing their human-to-agent and agent-to-human edges, even if they don't use those terms.
How can a mid-market company adapt the Model Framework without expensive consulting?
Through three steps executable in 90 days. First, read the two core dimensions (Internal Governance and Operations Management) and the practical annexes (~80 pages). Second, inventory AI decisions from the last 60 days, assigning a named owner and reviewer to each category (model, data, output, business). Third, institutionalize the separation between technical decisions and capital decisions. These three steps cover 80% of what the framework proposes with zero external vendor requirements.
The Bottom Line
Companies do not need to wait for local regulations to govern AI. Singapore proved that operational governance can exist ahead of mandatory regulation, and that voluntary adoption thrives when a framework becomes a market reference. The Model AI Governance Framework is a highly tested industry playbook for companies looking to establish governance before regulations are finalized.
The three transferable principles fit within a 90-day execution window managed by a Chief of Staff, COO, CFO, and a dedicated senior analyst. Assigning named owners, separating technical and capital decisions, and writing risk-calibrated human oversight tiers provides complete narrative defense before boards, investors, and enterprise clients. Furthermore, it ensures that the invisible vector of AI governance receives a measurable financial reading. Regulatory compliance limits risk; operational governance protects capital. Companies that secure both reach next year with a narrative advantage their competitors cannot match.