Singapore IMDA Model AI Governance Framework: What Businesses Can Learn in 2026
Singapore wrote the playbook for governing AI from the inside before any regulator, and in January 2026 launched the world's first framework for agentic AI. It covers the risk of human-agent coordination. The price of it is the neighboring front. Three moves that fit your business in 2026.
90-Second Summary
Singapore published a playbook in 2019 on how a company governs AI from the inside, before any regulator asks. It is not a law: no fines, no licenses. It refreshed it for generative AI in 2024 and, in January 2026, launched the world's first framework dedicated to agentic AI, agents that decide and act on their own. That framework governs the coordination between humans and agents, and between agents, through the lens of risk: who is accountable, what the agent can do, how to intercept it. What it does not do, by design, is put a price on that coordination. That is the reading Ritometrics proposes on top, and it fits in three moves that do not wait for any bill to clear congress: put a name on every AI decision, split the technical decision from the capital decision, and write down how much human enters each risk tier. What belongs to Singapore and what we add, always kept apart, because it is the blend of the two that muddies the conversation.
The board pulls you in and asks how the company governs AI. The public conversation hands you three names. The EU AI Act, in force since August 2024, fully applicable in August 2026. Local bills, still in congress. The NIST AI Risk Management Framework, the American technical reference. All three speak the same language: risk, category, obligation in front of a regulator. None answers the question the board actually asked, which was a different one: how to put the house in order from the inside.
What does answer it is a document almost nobody has read. Singapore published the first version in January 2019, revised it in January 2020, added a chapter for generative AI in May 2024, and in January 2026 added the sibling that matters to anyone running an agent: the world's first governance framework for agentic AI. All under the same family name, the Model AI Governance Framework, signed by the IMDA. None of it is a law. It is soft law: a playbook you adopt on your own, with checklists and implementation examples, no fine and no license.
What the Model Framework Is and Why It Exists
In 2019, Singapore made a bet no one else had made. Europe was writing mandatory rules. The United States was letting the market sort itself out. Singapore carved a path down the middle: it wrote the detailed playbook, with checklists and implementation examples, and forced no one to follow it. The bet was that a mature company adopts for free whatever earns it a better conversation with an investor, a partner, and a client. Seven years later, it paid off. Most regulated companies there follow it by choice, and the OECD, ISO, and the Council of Europe now cite the text as a reference.
In January 2026, at Davos, Singapore repeated the move for a new problem: AI agents that plan, decide, and act on their own. The agentic AI framework came out as the first of its kind in the world, and was updated as early as May, with guidance for multi-agent systems and third-party agents. Same philosophy as seven years before: get ahead of the regulator, for free, and let the market adopt because it pays off.
| Document | Origin | Type | What it Answers | Penalty for Non-Compliance |
|---|---|---|---|---|
| EU AI Act | European Union | Hard law | Which rules to follow to lower regulatory risk | Up to €35M or 7% of global revenue |
| Local Bills (e.g., PL 2338 in BR) | Brazil (in congress) | Hard law (proposed) | Local equivalent of the EU AI Act | Set in the bill, still being adjusted |
| NIST AI RMF | USA (NIST) | Voluntary federal | Which technical risks to assess in a model | No fine, technical reference |
| Model AI Governance Framework | Singapore (IMDA + PDPC) | Sector-specific soft law | How to govern AI from the inside, before the regulator | No fine, operational reference |
| ISO/IEC 42001 | ISO (international) | Certifiable standard | How to audit an AI management system | No fine, reputational gain |
There is no single piece that solves AI governance for your company, no matter what the vendor of the week promises. The EU AI Act closes European regulatory risk. Local bills will close the domestic one once they pass. The Model Framework closes governance from the inside. ISO 42001 closes the system audit. Distinct holes, and whoever plugs one and sleeps soundly wakes up with the other three wide open.
The Four Dimensions of the Model Framework
The classic document, the 2019 one, is organized around four dimensions, not two, as it is sometimes summarized. The first, internal governance: who runs what, committee, roles, oversight from the inside. The second, level of human involvement: how much human enters each AI-augmented decision. The third, operations management: data quality, bias mitigation, model validation and robustness. The fourth, stakeholder communication: what you tell the user, how you explain the machine's decision, where they file a complaint. The 2024 version for generative AI expanded this into nine areas: accountability, data, content provenance, testing, security, among others. And the 2026 version for agentic AI reorganized everything around four pillars of its own.
| Dimension | Focus | Expected Output | Typical Owner |
|---|---|---|---|
| Internal governance | Organizational structure, roles, and oversight from the inside | Written governance charter, a name in every chair | Chief of Staff, COO, or executive committee |
| Level of human involvement | How much human enters each type of AI-augmented decision | Matrix of who decides what, by decision type | COO, with CTO input |
| Operations management | Data quality, bias mitigation, model validation and robustness | A routine for testing, monitoring, and reproducibility | CTO + Data team |
| Stakeholder communication | What you tell the user and how you explain the AI decision | A transparency rule and a feedback channel | Product + Legal |
The 2026 agentic AI framework starts from a fact the 2019 one did not have to face: an agent does not only suggest, it acts. It calls an API, alters a system, triggers another agent. So the text rests on four pillars, all aimed at containing what autonomy introduces.
| Pillar | What it Requires in Practice |
|---|---|
| Assess and bound the risk upfront | Use-case-specific assessment, according to the agent's autonomy level and data access |
| Make humans meaningfully accountable | A named owner across those who build, deploy, operate, and use, with power to intercept or review the action |
| Technical controls and process | Least-privilege access, tool guardrails, progressive deployment, real-time monitoring, and logging |
| End-user responsibility | Transparency about what the agent does, an escalation channel, and people trained to supervise |
Notice what the four dimensions and the four pillars have in common: they all govern coordination through the lens of risk. Who is accountable, what the agent can touch, when the human steps in, how you intercept it. It is the right lens for avoiding damage. But there is a neighboring front no version of the framework touches, by design, because it is not its job: how much that coordination costs in money. Every senior human who ratifies what the machine produced carries a price in payroll. Every review round, every handoff between person and agent, every agent that calls another agent burns expensive time. The framework says "put someone accountable and bound the damage." The economic reading asks "and how much does that cost per month?" From here on, what belongs to the framework is marked as such; what is our reading, too.
Move 1: Put a Named Owner on Every AI Decision
The first move lands straight: every AI decision needs a name stuck to it. The framework already asks for this: the internal governance dimension talks about roles and oversight, and the accountability pillar of the agentic framework requires making clear who answers among those who build, deploy, operate, and use the agent. What Ritometrics adds is a practical way to slice that responsibility so no corner is left orphaned. Four categories: the decision on the model (which to choose, how to train, when to tune), the decision on data (where it comes from, whether it holds up, how to anonymize), the decision on output (validate, calibrate, ratify), and the capital decision (how much to spend, how many people, which vendor). That fourth one is our cut, on purpose: it is the one that vanishes from the account.
This is where the company trips in 2026. AI walks in with the decision scattered and no one as guardian. The CTO picks the model, the data team pulls the data, the area lead validates the output, and the capital decision is left an orphan, with no one to own the bill. The result is familiar: the AI budget swells with no owner, the ROI drops to a hallway guess, and the board asks for an explanation with no one to ask. An AI committee does not plug this hole, because a committee is a monthly ceremony about risk and model, not the owner who answers for the decision that repeats every week.
| Decision Category | What it Decides | Who Should Own It | How it Usually Stands (2026) |
|---|---|---|---|
| Model | Which to choose, how to train, when to tune, when to retire | CTO or Head of AI | CTO, and this is the only clear one |
| Data | Where it comes from, whether it holds up, how to anonymize, how much to retain | DPO + Data team | Data team alone, with the DPO absent in 2 of every 3 cases |
| Output | Validate, calibrate, ratify the model output | Business unit lead | Area lead improvising, with no written criteria |
| Capital | How much to spend, what the ROI is, which vendor, how many people | CFO, with COO input | No man's land in 4 of every 5 cases |
The fourth row is the one that weighs heaviest in payroll in the real operation, and it is precisely the one neither the EU AI Act nor local bills reach. Compliance tells you whether the model is high-risk. It does not tell you what it costs to run the model plus the senior time spent coordinating its use, which is where the money leaks. The Singapore framework does not name that owner. It talks about clear accountability, and stops there. Ritometrics takes one step further and names who has the vocabulary to own the bill: the CFO.
Move 2: Split the Technical Decision from the Capital Decision
The second move is a cut, and this one is entirely our reading. The framework says nothing about budget or the CFO. Deciding the technical (which model, which data, which prompt) follows one criterion; deciding the capital (which inference budget, what ROI, which vendor contract) follows another. Stacking the two on one table is the root of an error that repeats across the mid-market. The company that approves an AI vendor looking only at the technical, the most powerful model, ignores ROI until the invoice explodes. The one that approves looking only at the wallet, the cheapest, gets stuck with a crippled model and leaves efficiency on the table. Putting each decision on its own table does not double the paperwork. It cuts a capital allocation error that costs far more than the extra meeting.
| What is at Stake | Technical Decision | Capital Decision |
|---|---|---|
| Criterion that rules | Performance, security, accuracy | ROI, payback, total loaded cost |
| Headline metric | Accuracy, latency, robustness | Cost per decision processed, payback in months |
| Owner of the chair | CTO + Head of AI | CFO + COO |
| Typical cadence | Monthly to quarterly | Quarterly to annually |
| Who holds it to account | Technical vendor, model audit | Board, financial auditor, investor |
The financial reading only closes when these two rows are formally pulled apart. The CFO who takes the right column gains a narrative autonomy the single AI committee never delivers. The CTO stays owner of the left column, protected to decide on the technical without having to defend ROI at every new release. In the mid-market, this separation fits in 60 days of committee redesign. The CFO takes the economic front.
Move 3: Write the Human Review Calibrated to Risk
The third move is the one that moves payroll the most, and it is the most anchored in the framework itself. The second dimension of the classic document is literally about this: determining the level of human involvement in the AI-augmented decision, according to risk. The agentic framework reinforces it, requiring mechanisms that let the human intercept, interrupt, or review the agent's action. What the framework does not do, again, is put a price on it. Ritometrics proposes three tiers with the cost in plain sight. At low risk, the human looks after the fact, by sampling. At medium, ratifies before the thing happens. At high, approves with deep review and counter-argument. Choosing the tier is a governance decision, not a technology one: the CTO weighs in, but the chair belongs to the COO with Compliance.
In 2026, that rule is almost never on paper. The area lead decides on the spot when to ratify the model output, when to let it pass, when to block it. And with no written criteria, ratification swings between overkill (reviewing everything, out of fear of the risk they imagine) and neglect (reviewing nothing, because no one has the time). The swing costs senior payroll on both ends, with no gain the size of the spend. It is exactly where the A2H edge becomes the most expensive invisible category of a hybrid operation.
| Risk Tier | Review Depth | Where it Usually Lands | Loaded Cost per Reviewed Output |
|---|---|---|---|
| Low | Human looks after the fact, by sampling | Internal communication, first draft of copy | $10 to $30 per output |
| Medium | Human ratifies before the action runs | Client analysis, commercial proposal, board data | $60 to $160 per output |
| High | Human approves with deep review and counter-argument | Pricing, large contract, salary adjustment, strategic decision | $300 to $900 per output |
| Critical (a slice of high) | Two senior humans at the table, plus a documented audit | Regulatory decision, M&A, mass-scale workforce decision | $1,200 to $3,600 per output |
The last column is the invoice no one has opened yet. Loaded cost per reviewed output, multiplied by the monthly volume of each tier, is the real price of coordinating human and machine. Without the written rule, that price dissolves into payroll, with no label, no one to hold it to account. With the written rule, the coordination spend gets a number you can measure.
What You Can Learn (and What You Cannot Copy)
The three moves fit in 90 days inside the house, with no vote in congress, no external vendor, no regulatory committee. The recipe is short. In month 1, stick an owner on each of the four AI decision categories. In month 2, split the technical committee from the capital committee. In month 3, write the human review tiers calibrated to risk, with the loaded cost estimated for each one.
What does not cross the ocean is the structure at the top. Singapore has a single agency, the IMDA, with a regulatory and sector mandate at the same time, a rare luxury outside a city-state, and it is already on the third generation of the playbook (classic, generative, agentic) while many countries are still debating their first law. Cloning that arrangement, or inventing a single agency, is a public policy debate that lasts longer than your company's year. The three operational moves keep holding, regardless of how the local regulation ends up drawn.
The newer versions cross only halfway. The 2024 one for generative AI and the 2026 one for agentic AI bring useful pieces (content provenance, user-facing transparency, oversight calibrated to risk), but provenance needs legal adjustment (data-protection regimes stand on different ground for personal data used in training) and transparency asks for another degree given local market culture. That adjustment fits in a separate project, Legal with Product, and does not block the rest.
A 90-Day Adoption Plan
| Month | The Move of the Month | What Gets Written | Who Drives |
|---|---|---|---|
| Month 1 | Stick an owner on each of the 4 AI decision categories | A 2-page governance charter, a name per chair, no gap | Chief of Staff coordinates, COO and CFO ratify |
| Month 2 | Split the technical committee from the capital committee | Two committee charters: cadence, standard agenda, minimum quorum | COO designs, board ratifies |
| Month 3 | Write the human review tiers with the loaded cost in each one | Matrix of risk tiers × depth × estimated loaded cost | COO + CFO write it four-handed |
| Month 4 (optional) | An initial inventory to check the real cost against the estimate | An edge radar crossing 3 to 5 real decisions already mapped | Director of operations + dedicated senior analyst |
The fourth month is optional because the 30-day edge inventory serves as real proof for the numbers estimated in month 3. A company that delivers from month 1 to month 3 has already covered the essence of the three moves. Month 4 is what closes the financial reading you can defend in front of the board.
Frequently Asked Questions
Is Singapore's Model AI Governance Framework a mandatory regulation?
No. It is soft law, and the difference is not a detail: no one fines you for ignoring it. It was published by the IMDA (Infocomm Media Development Authority) together with the PDPC (Personal Data Protection Commission), first version in 2019, second edition in January 2020, a version dedicated to generative AI in May 2024, and a framework of its own for agentic AI in January 2026. No fine, no license, no regulatory committee. It is a playbook: operational checklist and implementation example. Adoption is voluntary, but most regulated companies in Singapore follow it anyway, for a practical reason. Whoever shows up in front of the investor, the partner, or the enterprise client with documented governance closes faster than whoever shows up with good intentions.
What is the practical difference between the Model Framework and the EU AI Act?
One answers a regulator, the other answers your own board. The EU AI Act is hard law, in force since August 2024 and fully applicable in August 2026, with fines up to €35M or 7% of global revenue and four risk classes (prohibited, high, limited, minimal), each with a distinct obligation. It answers which rules to follow to avoid a fine. Singapore's Model Framework answers a different question: how to organize governance from the inside so that every AI decision stays defensible and auditable in-house, regardless of what the regulator demands. They do not compete. One covers the risk that fines you, the other covers what rots when no one owns the decision.
Why should mid-market CFOs and COOs read the Model Framework before local bills?
Because a bill like PL 2338, moving through congress in 2026, is the EU AI Act with a local accent: risk, category, fine, data subject rights. Same front. Singapore's Model Framework covers the neighboring front, the one neither the local bill nor the EU AI Act touches: the governance of the AI operation in-house. It requires a named owner for the AI decision and a formal human-review flow calibrated to risk. That is from the framework. Splitting the technical decision from the capital decision and putting the CFO on the bill is the reading Ritometrics adds on top. None of the four moves depends on a floor vote. They fit in your company this week.
Does the Model Framework measure human-machine coordination in money?
Directly, no. And it is worth being honest about it. No version of the framework measures coordination in money; that is not its job. What it offers is the floor. The third dimension of the classic document, operations management, deals with continuous monitoring and data quality, the terrain where the cost of coordinating human and machine shows up. The 2026 agentic AI framework goes further and names coordination between agents as a risk territory. Putting a price on it is the step Ritometrics proposes on top: a company that already traces usage and measures the quality of what its senior people ratify is one step away from counting, in money, what that coordination costs.
What does the 2026 agentic AI framework change from the earlier versions?
It launched in January 2026, at Davos, and was updated in May of the same year, the world's first governance framework built for agents that plan and act on their own. It starts from a problem the 2019 text did not have: an agent does not only suggest, it executes: calls an API, alters a system, triggers another agent. So it is organized around four pillars: assess and bound the risk before releasing the agent, keep a human genuinely accountable and able to interrupt the action, put technical controls in place (least-privilege access, real-time monitoring, logging everything), and make clear the responsibility of whoever uses it. The May update added guidance for multi-agent systems and third-party agents. For anyone running a hybrid workforce, it is the most current risk reading available. What is missing, as in the earlier versions, is the cost reading.
The Bottom Line
The company of 2026 does not need to wait for a bill to take effect to govern its own AI from the inside. Singapore proved it twice, in 2019 with ordinary AI and in 2026 with agents, that operational governance can be born ahead of any mandatory rule, and that voluntary adoption grows on its own when the playbook is good enough to become a market reference. The Model AI Governance Framework is not the only model in the world. It is the best tested for whoever needs to put the house in order before the regulator knocks.
What it governs is the risk of coordination: who is accountable, what the agent does, when the human steps in. What it leaves open is the price of that coordination. That is the neighboring front, and it is where the economic reading fits, with the CFO on the bill and the cost in money on the table, so that the invisible vector of AI governance gets a reading in money. The framework closes the risk, the economic reading closes the capital, and the two run in parallel. Whoever covers both reaches the board with the whole answer, not with half.