On January 22, 2026, at the World Economic Forum in Davos, Singapore's Minister for Digital Development and Information, Josephine Teo, announced something that hadn't existed anywhere in the world before: a governance framework built specifically for AI agents that plan, reason, and take action on their own. The Infocomm Media Development Authority, IMDA, called it the Model AI Governance Framework for Agentic AI. Everyone else has started calling it the MGF.
If you build with AI agents, sell into Singapore, or work with clients who do, this is worth twenty minutes of your attention. Not because it's a law. It isn't. Compliance with the MGF is voluntary. But three things make it matter anyway: it's the first document anywhere that tries to define what "responsible" actually means for a system that acts without asking permission at every step, it's already being cited in client contracts and vendor due diligence across the region, and IMDA already updated it once, in May, based on real deployment feedback. This is not a framework someone wrote once and filed away. It's being actively used.
Why agentic AI needed its own rulebook

Singapore didn't start from zero here. IMDA's original Model AI Governance Framework goes back to 2019, and the Generative AI version followed in 2024, covering the risks that come with large language models: hallucination, bias, IP, content provenance. Agentic AI is a different animal, and the MGF says so directly.
A generative AI system responds to a prompt and hands you an output. An agentic system does something with it. It can browse the web, call APIs, write to a database, execute code, or complete a multi-step task chain without a human clicking "approve" at every stage. A customer service chatbot that only answers questions isn't in scope here. A system that can look up an order, issue a refund, and update the CRM on its own is exactly what this framework is written for.
That distinction matters more than it sounds. The moment an AI system stops just talking and starts doing, the risk profile changes completely. A wrong answer is annoying. A wrong action, an unauthorized refund, a payment sent to the wrong account, a customer record silently corrupted, is a different category of problem. IMDA's framework treats it as one.
The four things the framework actually asks you to do

Strip away the legal language and the MGF comes down to four practical demands, which the framework itself organizes as four dimensions.
First, assess and bound the risk before you deploy anything. This means actually mapping out how much error your specific use case can tolerate, how much sensitive data the agent touches, whether its actions can be undone, and how complex the task chain actually is. The practical version of this: give every agent the minimum tools and data access it needs to do its job, nothing more. Give each agent a unique identity tied to whoever is supervising it, so if something goes wrong, there's a clear line back to a person. And actually threat-model the thing, specifically for the failure modes agents introduce that traditional software doesn't: memory poisoning, tool misuse, and privilege compromise.
Second, make a human meaningfully accountable, not just nominally accountable. This is the part most teams get wrong without realizing it. "Human in the loop" has become a phrase people say to sound responsible, but the MGF pushes past the phrase and asks a harder question: who, specifically, signs off before a high-stakes or irreversible action goes out? The framework calls out automation bias directly, the tendency for a human reviewer to rubber-stamp whatever the agent proposes because it's usually right, which means the "human checkpoint" quietly stops doing anything. The May update sharpened this further, recommending organizations actually monitor override rates and response times. If your human approver hasn't overridden the agent in three months, that's not proof the agent is flawless. It might be proof the checkpoint isn't a checkpoint anymore.
Third, put real technical controls behind the policy, not just a document that says you have policy. Concretely: log the agent's planning and reasoning steps so a decision can be reconstructed after the fact, apply least-privilege access so an agent can't touch more of the database than its task requires, and whitelist which servers and tools it's allowed to call rather than letting it reach anywhere. Test for accuracy, policy compliance, and robustness before it goes live, then roll it out gradually with monitoring running the whole time, not monitoring added after something breaks.
Fourth, make sure the humans using the agent understand what it's actually allowed to do. This dimension gets skipped constantly because it sounds like the "soft" one, but it's specifically about transparency: telling users what actions the agent can take, what happens to their data, and where the escalation path is if something goes wrong. The framework also flags something worth sitting with if you're scaling a team around agent output: as agents absorb the entry-level tasks, junior staff can lose the chance to build the foundational skills they'd need if the agent goes down or behaves unpredictably. That's not a hypothetical. It's a business continuity risk with a name.
What changed in the May update, and why it matters more than the launch

Frameworks that get published once and never touched again are usually theater. This one isn't. On May 20, 2026, IMDA updated the MGF based on four months of industry feedback, and the changes tell you where the real friction is showing up in production.
The update added safety components that weren't explicit at launch, access controls, guardrails, human approvals, logging, and monitoring, as core parts of what an agent is expected to have from the start, not bolted on later. It explicitly added multi-agent systems and third-party agent usage as distinct risk categories, which matters if your architecture involves agents calling other agents, or if you're deploying a vendor's agent rather than one you built yourself, since accountability gets murkier the moment more than one party is in the chain. It clarified who's responsible for what across a platform provider versus a system provider versus an app developer, which is exactly the kind of question that turns into a finger-pointing exercise after an incident if nobody defined it up front.
And it added something genuinely useful: real case studies from companies and government agencies that had actually operationalized the framework, mapped to all four dimensions. That's the part that separates a governance document from a governance theater exercise. Case studies exist because organizations tried this, hit specific friction points, and reported back what worked.
Where this actually shows up if you're building or selling into Singapore
Here's the part that matters if you're not a policy person. Singapore doesn't have a standalone AI law. Its approach is deliberately sector-specific and use-case centric rather than one sweeping statute. That means the MGF sits alongside other pieces: the PDPA for anything touching personal data, the FEAT Principles if you're anywhere near financial services, sector guidelines for healthcare. AI Verify, Singapore's testing toolkit, lets an organization actually validate its AI system against these principles rather than just asserting compliance on a slide. None of this is abstract policy background. It's the actual checklist a Singapore-based client's legal or compliance team is going to hand you the moment your proposal involves an agent that can take action rather than just generate text.
If you're pitching agentic AI work into this market, whether that's a custom agent build, an MCP-based integration, or a workflow automation layer, expect three questions that didn't used to come up eighteen months ago: What's the blast radius if this agent does the wrong thing? Who specifically signs off before it acts on sensitive data or an irreversible transaction? And can you show, not just tell, that there's logging and monitoring behind it. Being able to walk through the MGF's four dimensions in a client conversation, unprompted, is a real differentiator right now, mostly because most vendors still can't.
How this compares to what's happening elsewhere

It helps to see this next to what other jurisdictions are doing. The EU AI Act takes a mandatory, risk-tiered approach that's legally binding across sectors, with real penalties attached. Singapore's MGF is voluntary and principles-based, built around industry collaboration rather than statute, with binding requirements showing up only in specific sectors, financial services being the clearest example, where the Monetary Authority of Singapore has its own AI risk management guidelines layered on top.
That difference in approach doesn't make the MGF optional in practice. Voluntary frameworks become de facto requirements the moment enterprise clients, banks, and government agencies start asking vendors to demonstrate alignment with them before signing a contract. A lot of companies are already treating Singapore's framework as a practical way to get ahead of the EU AI Act's stricter requirements too, using the same governance work to satisfy both, since the underlying questions, who's accountable, what controls exist, how is this tested, overlap heavily.
This is also landing at a moment when Singapore is actively pushing agentic AI adoption, not just regulating it cautiously from the sidelines. In February 2026, Prime Minister Lawrence Wong announced a new National AI Council to oversee AI-focused transformation across four sectors: advanced manufacturing, connectivity, finance, and healthcare. The government also expanded its Enterprise Innovation Scheme so businesses can claim a 400 percent tax deduction on qualifying AI spending, capped at roughly US$39,600 a year through 2027 and 2028. Read together, the signal is consistent: Singapore wants agentic AI adopted fast, and it wants the guardrails adopted just as fast alongside it. Speed and governance aren't being framed as a tradeoff here. They're being pushed as the same initiative.
A concrete way to apply the four dimensions

The four dimensions read like compliance language until you run an actual scenario through them, so here's one.
Say you're building an agent for a Singapore-based e-commerce client that handles customer refund requests: it reads the complaint, checks order history, decides whether the refund qualifies under policy, and issues it.
Dimension one, assess and bound the risk, means asking upfront how much this specific task can tolerate error. A wrongly approved $15 refund is a rounding error. A wrongly approved $1,500 refund on a bulk order is not. That difference should set a hard dollar threshold above which the agent can recommend but not execute, and the agent's tool access should be scoped to exactly the refund system and order database, nothing broader.
Dimension two, human accountability, means naming an actual person or role who reviews refunds above that threshold, and then watching whether that person is really evaluating each one or has started approving everything the agent suggests without a second look. If override rates drop to near zero within a month, that's a signal worth investigating, not a sign the system is working perfectly.
Dimension three, technical controls, means the refund decision and the reasoning behind it get logged in a form someone could actually review later, the agent's database access is read-only except for the specific refund-issuing action, and the system was tested against edge cases, duplicate claims, mismatched order IDs, before it ever touched a live customer.
Dimension four, end-user responsibility, means the customer knows they're dealing with an automated decision, understands what data it used to reach that decision, and has a clear path to a human if they disagree with the outcome.
None of that requires exotic engineering. It requires deciding these things on purpose, before deployment, instead of discovering the gaps after a refund goes to the wrong account and nobody can explain why.
Where this leaves builders right now
The MGF is explicitly described as a living document, and IMDA has said as much by updating it within four months of launch based on real feedback and contributed case studies. That's unusual for a government framework, and it's worth treating it that way: not a static compliance checkbox to clear once, but a moving target that's actively absorbing lessons from deployments happening right now across the region.
The framework's biggest value isn't in any single clause. It's in forcing a distinction that a lot of AI vendors have been quietly blurring: the difference between an agent that's technically running in production and an agent that's actually accountable. Plenty of teams have shipped the first without building the second. They have an agent doing real work, with no clear owner, no override tracking, no documented blast radius if it acts on bad information.
That gap is exactly what the MGF's four dimensions are built to close, and it's also exactly the gap a client's procurement or legal team is now trained to look for. The organizations that get ahead of this aren't the ones with the most sophisticated agent architecture. They're the ones who can answer, clearly and specifically, who is accountable when the agent is wrong. That answer either exists before you ship, or it gets discovered the expensive way after something goes sideways.
If you want a second set of eyes on how your current agent setup would hold up against these four dimensions, comment on this post and tell me what you're building. I'll send back a short read on where the gaps likely are.
