Singapore’s Model AI Governance Framework Explained

Singapore's reputation as a leader in practical AI governance is well earned, but the framework most international observers describe is several generations out of date. The 2019 first edition of the Model AI Governance Framework and its January 2020 revision were genuinely pioneering at the time, but Singapore's actual operating framework in 2026 is a much richer ecosystem: a national strategy refreshed in late 2023, a generative-AI-specific governance framework released in May 2024, a testing toolkit (AI Verify) that has been mapped to international standards, sector-specific rules from the Monetary Authority of Singapore (MAS) and the Personal Data Protection Commission (PDPC), and active participation in international standard-setting through the Hiroshima AI Process, the OECD, the ASEAN Guide on AI Governance, and Digital FOSS.

The constant feature is the regulatory philosophy. Singapore continues to rely on the binding Personal Data Protection Act (PDPA), sectoral regulator rules, and authoritative non-binding guidance rather than a horizontal AI Act. Compliance for businesses operating in or with Singapore therefore involves a combination of statutory obligations (PDPA), sectoral expectations (MAS for financial institutions, Ministry of Health for health AI), and the non-binding but practically essential frameworks from IMDA, PDPC, and AI Verify Foundation.

National AI Strategy 2.0 (December 2023)

On 4 December 2023, Deputy Prime Minister Lawrence Wong launched Singapore's National AI Strategy 2.0 (NAIS 2.0) at the inaugural Singapore Conference on AI. NAIS 2.0 replaces the 2019 strategy and operates under the vision "AI for the Public Good, for Singapore and the World."

Three shifts and the strategic structure

NAIS 2.0 introduces three shifts:

  • Repositioning AI as a strategic necessity rather than an opportunity
  • Shifting from a local context to a global outlook
  • Moving from individual projects to wide-scale infrastructure and foundations

It is structured around three systems (Activity Drivers covering Industry, Government, and Research; People and Communities covering Talent, Capabilities, and Placemaking; Infrastructure and Environment covering Compute, Data, Trusted Environment, and International Partnerships), ten enablers, and fifteen actions. Headline targets include scaling Singapore's AI practitioner pool to 15,000 and committing more than S$1 billion over five years to support implementation.

NAIS 2.0 is a whole-of-government strategy coordinated by the Smart Nation Group, with delivery responsibilities shared across IMDA (industry, infrastructure, programme delivery), AI Singapore (research-to-impact and talent), A*STAR (research infrastructure and lab capacity), the PDPC for data governance, MAS for financial services, the Ministry of Health for health-sector AI, and other agencies for sectoral applications.

Key institutions

Infocomm Media Development Authority (IMDA)

IMDA is the lead operational agency for AI policy and ecosystem development under NAIS 2.0. It co-issues the Model AI Governance Frameworks (with PDPC and AI Verify Foundation), runs the Generative AI Evaluation Sandbox, drives the National Multimodal LLM Programme, and represents Singapore in international AI fora.

Personal Data Protection Commission (PDPC)

The PDPC enforces the PDPA and issues guidance on the intersection of data protection and AI. The PDPC was the original publisher of the Model AI Governance Framework and continues to issue specific Advisory Guidelines on AI use of personal data.

AI Verify Foundation

The AI Verify Foundation is a wholly owned, not-for-profit subsidiary of IMDA, launched in mid-2023 as a steward of the AI Verify testing framework and toolkit. It harnesses contributions from a global open-source community to develop AI testing tools and is the technical centre of gravity for Singapore's AI assurance work.

Sector regulators

The Monetary Authority of Singapore (MAS) issues the FEAT (Fairness, Ethics, Accountability, Transparency) Principles for AI use in finance, the Veritas Initiative methodologies, and other guidance for licensed financial institutions. The Ministry of Health and the Health Sciences Authority (HSA) regulate AI in medical devices and clinical applications. The Cyber Security Agency (CSA) addresses AI cybersecurity. The Land Transport Authority (LTA) addresses autonomous vehicles. The Competition and Consumer Commission of Singapore (CCCS) is working with IMDA on extensions of AI Verify for testing potential anti-competitive AI behaviour.

The Personal Data Protection Act (PDPA)

The Personal Data Protection Act 2012 is Singapore's primary statute governing the collection, use, and disclosure of personal data. It applies to private sector organisations and to data of individuals in Singapore. Where AI systems process personal data, the PDPA's core obligations apply regardless of the AI Promotion guidance:

  • Consent: typically required, with permitted exceptions including legitimate interests and certain business contexts.
  • Purpose limitation, accuracy, and protection: data must be processed for stated purposes, kept accurate, and protected against unauthorised access.
  • Notification, access, and correction: individuals must be notified of processing purposes and can request access and correction.
  • Cross-border transfer: transfers permitted to jurisdictions with comparable protection or under approved mechanisms.
  • Data Breach Notification: required within prescribed timelines for notifiable breaches.
  • Data Protection Officer: organisations must appoint a DPO.

Penalties for serious violations under the PDPA's amended financial penalty framework can reach up to S$1 million or 10% of annual turnover in Singapore (whichever is higher) for organisations with annual local turnover exceeding S$10 million.

Advisory Guidelines on Use of Personal Data in AI Recommendation and Decision Systems

On 1 March 2024, the PDPC published Advisory Guidelines on the Use of Personal Data in AI Recommendation and Decision Systems. The Guidelines clarify how PDPA consent and notification rules apply when personal data is used to train, test, or operate AI systems, and how exceptions (including legitimate interests and business improvement) can lawfully apply. They are the operational starting point for any AI deployment in Singapore that processes personal data.

The Model AI Governance Framework

Traditional AI: 2019 first edition, 2020 second edition

Singapore released the first edition of the Model AI Governance Framework in January 2019 and the second edition in January 2020. The framework is voluntary, principles-based, and structured around four broad areas: internal governance structures and measures, determining the level of human involvement in AI-augmented decision-making, operations management, and stakeholder interaction and communication. The 2020 second edition incorporated industry feedback and remains the reference for "traditional" (non-generative) AI systems.

Generative AI: Model AI Governance Framework for Generative AI (May 2024)

On 30 May 2024, IMDA and the AI Verify Foundation released the Model AI Governance Framework for Generative AI after a public consultation that ran from January to March 2024 and drew international comment. The Generative AI Framework expands the original framework to address generative AI risks (hallucinations, copyright infringement, value alignment, deepfakes, malicious use) alongside known AI risks (bias, lack of explainability, misuse).

It addresses nine dimensions for a trusted generative AI ecosystem:

  1. Accountability: assigning responsibility across stakeholders
  2. Data: trusted data sources, data quality, and copyright considerations
  3. Trusted development and deployment: industry best practices including evaluation and disclosure
  4. Incident reporting: structured pathways for reporting AI incidents
  5. Testing and assurance: third-party testing capabilities
  6. Security: addressing AI-specific security risks
  7. Content provenance: tools for tracking AI-generated content authenticity
  8. Safety and alignment R&D: investing in safety techniques
  9. AI for Public Good: democratisation, public services, public-good applications

The framework is a "living document" intended to evolve. Updates over 2024 and 2025 incorporated OECD and GPAI assurance criteria for managing LLM and multimodal risks.

AI Verify and the testing ecosystem

AI Verify is Singapore's flagship contribution to operational AI governance. Launched in May 2022 as an AI governance testing framework and software toolkit, it tests AI systems against eleven internationally recognised AI ethics principles (transparency, explainability, repeatability or reproducibility, safety, security, robustness, fairness, data governance, accountability, human agency and oversight, and inclusive growth, societal and environmental well-being).

Key milestones:

  • May 2022: AI Verify launched as a Minimum Viable Product
  • June 2023: AI Verify open-sourced
  • October 2023: AI Verify mapped to the NIST AI Risk Management Framework, making the two frameworks interoperable
  • October 2023: Generative AI Evaluation Sandbox launched with major model developers (Google, Microsoft), application developers (DataRobot, OCBC), and third-party testers (Deloitte, EY)
  • June 2024: AI Verify mapped to ISO/IEC 42001:2023 AI Management Systems standard
  • February 2025: Global AI Assurance Pilot launched at the AI Action Summit in Paris to codify emerging norms and best practices for technical testing of generative AI applications

AI Verify is being embedded into Singapore public-sector procurement standards. AI Verify and the Implementation and Self-Assessment Guide for Organisations (ISAGO) are increasingly treated as foundational requirements for government-linked projects, with implications for private-sector adoption through the supply chain.

Sovereign AI capability

NAIS 2.0 anchors significant sovereign AI capability investments. The National Multimodal LLM Programme (NMLP), an S$70 million initiative announced on 4 December 2023 and led by IMDA with AI Singapore and A*STAR, supports the development of multimodal LLMs that reflect Southeast Asian languages and cultural contexts. SEA-LION (Southeast Asian Languages in One Network) is the open-source LLM developed by AI Singapore. MERaLiON, launched in December 2024 by A*STAR's Institute for Infocomm Research, is the empathetic and culturally attuned national multimodal model. These are not regulatory instruments, but they shape what regulators expect of a "trusted environment."

International cooperation

Singapore is unusually active in international AI governance cooperation:

  • Hiroshima AI Process: Singapore endorses and contributes to the G7-led Hiroshima International Guiding Principles and Code of Conduct for advanced AI.
  • OECD AI: AI Verify is mapped to the OECD's framework, and Singapore participates in OECD AI policy work.
  • ASEAN Guide on AI Governance and Ethics: Singapore played a leading role in developing this regional framework.
  • Digital Forum of Small States (Digital FOSS): Singapore co-launched the AI Playbook for Small States with Rwanda in September 2024.
  • US-Singapore Critical and Emerging Technologies Dialogue: launched 12 October 2023, with AI as a key area for cooperation on safety, trust, and standards.
  • UK-Singapore alignment: collaboration on AI safety testing and AI Safety Institutes.

A practitioner's compliance plan

Step 1: PDPA compliance baseline

For all AI systems processing personal data, ensure PDPA compliance: lawful basis (consent or applicable exception), purpose limitation, security, breach notification, DPO appointment, and individual rights. Apply the PDPC's March 2024 Advisory Guidelines specifically to AI training data, recommendation systems, and decision systems.

Step 2: Map AI systems against the Model AI Governance Frameworks

For traditional (non-generative) AI, apply the 2020 second edition framework. For generative AI deployments, apply the May 2024 Generative AI Framework's nine dimensions. Document the risk assessment, governance structure, human involvement determination, operations management measures, and stakeholder communication. The frameworks are non-binding but treated as a "comply or explain" benchmark by regulators, customers, and international partners.

Step 3: Use AI Verify and the GenAI Evaluation Sandbox

Where appropriate, run AI Verify tests on the AI system to validate against the eleven AI ethics principles. For generative AI, consider participating in the GenAI Evaluation Sandbox or using its publicly available evaluation methods. Generate AI Verify reports as evidence of governance maturity for procurement, vendor due diligence, and regulator engagement.

Step 4: Sectoral compliance

For financial services, address MAS FEAT Principles, the Veritas Initiative methodologies, and any specific MAS guidance on AI in licensed activities. For health AI, address Ministry of Health and HSA medical device requirements. For competition-sensitive AI (pricing, recommendation), monitor CCCS work with IMDA on AI competition testing.

Step 5: Build international interoperability

Anchor the governance programme on NIST AI RMF, ISO/IEC 42001, or both, given that AI Verify maps to each. This single internal standard will satisfy the foundational expectations of the Singapore framework, the EU AI Act (with specific annexes), Japan's AI Guidelines for Business v1.1, and other major regimes.

Compliance FAQ

Does Singapore have a binding AI law?

Singapore does not have a horizontal AI statute. Binding obligations come from the PDPA for personal data, sectoral regulator rules (MAS, MOH, HSA, LTA, CCCS), and existing laws including the Cybersecurity Act, the Computer Misuse Act, and intellectual property statutes. The Model AI Governance Frameworks and AI Verify are non-binding but operate as authoritative guidance and a "comply or explain" benchmark.

What do the PDPC's 2024 Advisory Guidelines actually require?

The Advisory Guidelines clarify how PDPA rules apply to AI training data, AI-driven recommendation systems, and AI-driven decision systems. They explain when consent is required versus when exceptions (including legitimate interests for business improvement) apply, what notification obligations exist for individuals affected by AI decisions, and what accountability and security measures are expected. Treat them as the operational starting point for any AI deployment in Singapore that handles personal data.

Is using AI Verify mandatory?

No. AI Verify is voluntary. However, it is increasingly embedded in public-sector procurement and treated as a benchmark by financial institutions, large platforms, and international counterparties. For organisations seeking to demonstrate governance maturity, generating AI Verify reports is increasingly expected rather than optional.

How does Singapore's framework compare to the EU AI Act?

Singapore and the EU have taken explicitly different paths. The EU AI Act is a prescriptive, risk-classified statute with mandatory conformity assessment and substantial penalties. Singapore's approach combines voluntary frameworks, sectoral statutes, and the binding PDPA for personal data. A multinational deployment subject to both regimes must comply with both; Singapore compliance does not satisfy EU AI Act obligations and vice versa. AI Verify's mapping to NIST AI RMF and ISO/IEC 42001 reduces the duplication.

What about generative AI specifically?

The May 2024 Model AI Governance Framework for Generative AI is the principal reference. The PDPC's 2024 Advisory Guidelines apply where personal data is involved. The GenAI Evaluation Sandbox provides testing infrastructure. The Global AI Assurance Pilot (February 2025) is codifying technical testing norms internationally. Expect continued updates as the framework is treated explicitly as a "living document."

What should businesses prioritise now?

PDPA compliance with the March 2024 Advisory Guidelines, alignment with the relevant Model AI Governance Framework (traditional or generative), AI Verify testing where appropriate, and a documented internal AI governance framework anchored on NIST AI RMF or ISO/IEC 42001. Track IMDA, PDPC, and MAS announcements as the framework continues to evolve.

The bottom line

Singapore's AI governance picture in 2026 is more developed than the older "Model Framework plus AI Verify" framing suggests. NAIS 2.0, the Generative AI Framework, the PDPC Advisory Guidelines, the Global AI Assurance Pilot, and the sovereign AI capability investments together create a dense ecosystem with binding statutes (PDPA, sectoral laws), authoritative guidance, and operational tooling that businesses can use to demonstrate compliance. The model remains voluntary at the AI-specific layer, but the practical effect is closer to mandatory than the "soft law" label implies, especially for organisations contracting with the Singapore government, large platforms, or financial institutions. Build a governance programme that addresses PDPA obligations, the Model Framework expectations, AI Verify testing, and sectoral rules, and align it with NIST AI RMF or ISO/IEC 42001 for international interoperability. Watch for ongoing updates from IMDA and the AI Verify Foundation as the framework continues to evolve.


Last updated: April 2026. This article is educational content and is not legal advice. Singapore's AI governance landscape continues to evolve with updates from IMDA, PDPC, MAS, and the AI Verify Foundation. Consult qualified counsel before making compliance decisions.