Singapore Just Dropped a Governance Blueprint for Agentic AI — Here's What Compliance Teams Need to Know
In January 2026, Singapore's government published the Model AI Governance Framework (MGF) for Agentic AI — the first comprehensive governance blueprint spe
Singapore Just Dropped a Governance Blueprint for Agentic AI — Here's What Compliance Teams Need to Know
Published: April 2026 | Reading time: ~7 min
In January 2026, Singapore's government published the Model AI Governance Framework (MGF) for Agentic AI — the first comprehensive governance blueprint specifically designed for AI agents. For compliance teams at VASPs, banks, and financial institutions starting to experiment with autonomous AI, this document is required reading.
Here's the short version: agentic AI is not just "better ChatGPT." It can book meetings, transfer money, update databases, and call external APIs — all without asking for permission between steps. That's powerful. It's also a compliance risk that existing AI policies weren't built to handle.
What Makes Agentic AI Different
Traditional AI tools respond when you prompt them. Agentic AI acts on your behalf — planning a sequence of steps, calling tools, and completing tasks with minimal human intervention. The framework defines an agent through five core components:
- Model — the LLM "brain" making decisions
- Instructions — the system prompt defining the agent's role and constraints
- Memory — short and long-term context storage
- Tools — connections to external systems (APIs, databases, browsers)
- Protocols — standards for agent-to-agent communication like MCP and A2A
A compliance agent at a VASP might, for example, autonomously screen a counterparty wallet against OFAC lists, pull their on-chain transaction history, flag the risk score, draft a SAR, and route it to the right team — all in one uninterrupted workflow.
That's the promise. But the same agent, if misconfigured or manipulated, could exfiltrate customer PII, approve transactions it shouldn't, or quietly alter audit logs.
The Four Pillars of the MGF
The framework organizes responsible agentic AI deployment into four areas. Here's what each means in practice for compliance operations.
1. Assess and Bound the Risks Upfront
Before deploying any agent, you need to map its risk profile across two dimensions: impact (how bad if something goes wrong) and likelihood (how likely it is to go wrong).
Key impact factors:
- Can the agent access sensitive data (KYC files, transaction records)?
- Can it reach external systems (third-party APIs, payment rails)?
- Can it write to databases, or only read?
- Are its actions reversible? (Sending a wire transfer is not.)
Key likelihood factors:
- How autonomous is the agent? Does it follow a defined SOP or make its own decisions?
- How complex is the task — how many steps, how much judgment required?
- Is the agent exposed to untrusted external data (e.g., the open web)?
The framework recommends applying least-privilege access from day one: give agents only the tools they need, nothing more. A transaction monitoring agent doesn't need write access to the customer database. A KYC summarizer doesn't need access to payment APIs.
For crypto compliance teams: This maps directly to the risk-based approach you already apply to customer due diligence. Apply the same logic to your AI tools.
2. Make Humans Meaningfully Accountable
Agents act dynamically. Traditional accountability frameworks assume static workflows — a human approves, an action happens. With agents, an approval at step 1 can trigger ten downstream actions you never explicitly signed off on.
The MGF's answer: define explicit checkpoints where human approval is required before the agent proceeds. These should include:
- High-stakes decisions — flagging an entity as high-risk, filing a SAR
- Irreversible actions — sending external communications, executing transactions
- Outlier behavior — the agent accessing systems outside its normal scope
- User-defined thresholds — e.g., any transaction above $10,000
Critically, the framework warns about automation bias — the tendency to rubber-stamp agent recommendations because "it's usually right." As agents become more capable, this risk grows. The recommendation: regularly audit whether human oversight is actually happening, not just formally in place.
On the organizational side, accountability needs to be distributed clearly:
| Role | Responsibility |
|---|---|
| Leadership | Define permitted use cases, set risk tolerance |
| Product/Engineering | Build, test, and monitor agents |
| Cybersecurity | Red-team agents, define security guardrails |
| End users | Responsible use, report anomalies |
For third-party agentic tools (SaaS compliance platforms, vendor AI), the framework recommends contractual provisions covering security arrangements, data protection, and performance guarantees — and checking whether the vendor offers per-agent identity tokens and robust tool call logging.
3. Implement Technical Controls
New agentic components create new attack surfaces. The framework highlights three risk vectors that don't exist with simple LLM apps:
- Planning & Reasoning — an agent can hallucinate a flawed multi-step plan that looks correct step-by-step but produces a harmful outcome
- Tools — prompt injection via tool outputs can hijack the agent's behavior; a compromised MCP server can exfiltrate data
- Protocols — poorly configured agent-to-agent communication can leak data or create cascading failures
Technical controls the framework recommends:
During development:
- Implement tool guardrails (validate inputs and outputs at each tool call)
- Enforce least-privilege access at the code level
- Implement plan reflection — have the agent review its own plan before executing
Before deployment:
- Test for baseline safety: does the agent stay within its defined scope?
- Test policy adherence: does it follow your compliance SOPs?
- Test tool use accuracy: does it call the right tools with the right parameters?
After deployment:
- Gradual rollout — don't go from pilot to full production overnight
- Real-time monitoring with alerts for anomalous tool calls or access patterns
- Use agents to monitor other agents in multi-agent setups
For multi-agent systems (e.g., an orchestrator agent that spawns sub-agents for different screening tasks), the framework highlights cascading risk: one agent's hallucination becomes another's input. This is especially relevant for compliance workflows where a flawed risk score in step 2 could corrupt every downstream decision.
4. Enable End-User Responsibility
Governance doesn't end with the developers. The humans interacting with agents — compliance analysts, risk officers, operations staff — are the last line of defense before agent actions have real-world consequences.
The framework's baseline requirements for end users:
- Know the agent's range of actions (what it can and cannot do)
- Know what data it can access
- Know their own responsibilities when reviewing agent outputs
Beyond the baseline, the framework recommends training employees to recognize common failure modes: inconsistent reasoning, agents acting on outdated policies, or agents escalating decisions they should handle autonomously (and vice versa).
There's a deeper principle here: don't let agents erode human expertise. If compliance analysts defer all judgment to AI, they lose the skills needed to catch the edge cases AI gets wrong.
Why This Matters for VASPs Now
Most VASPs and crypto exchanges are at the early stages of integrating agentic AI — using it for transaction monitoring alerts, KYC summarization, or regulatory reporting. The MGF was written for exactly this moment: before full-scale deployment, when governance frameworks are still being established.
A few practical first steps:
- Map your agent's action-space — document exactly what tools, APIs, and data each AI agent can access. This is your attack surface.
- Define irreversibility thresholds — identify which agent actions cannot be undone and require mandatory human review.
- Assign named accountability — for each agent deployment, there should be a specific person or team responsible for its behavior.
- Establish an audit trail — every tool call an agent makes should be logged. This is non-negotiable for regulatory scrutiny.
- Red-team your agents — attempt to manipulate them via prompt injection in tool outputs. If you haven't tested it, assume the vulnerability exists.
The Bottom Line
The MGF for Agentic AI is a practical document, not a philosophical one. It was developed with government agencies and leading companies and reflects where enterprise AI deployment actually is today.
The governance principles — least privilege, human-in-the-loop at checkpoints, clear accountability, robust logging — are not new. What's new is applying them to systems that act autonomously across dozens of steps, call external APIs, and operate at a speed and scale that makes traditional oversight impractical.
For compliance teams, the challenge is the same one you've always faced: manage risk without paralyzing operations. The MGF gives you a structured way to do that.
The full framework is available from Singapore's IMDA. It's worth reading, especially Annex A, which includes a curated list of further resources on agentic AI security and governance.
VASP Screener helps crypto compliance teams screen entities, wallets, and transactions against global sanctions lists. As AI agents become part of compliance workflows, governance frameworks like the MGF will shape how these tools are built and audited.
Sources
Run a VASP screening yourself
Generate a free 7-criteria EDD report with automatic OFAC sanctions integration.
Run Free Screening →This article is provided for informational purposes only and does not constitute legal advice. Always verify with official sources and professional counsel before making compliance decisions.