Header image: gov-09-header.png

If I had to point to a single jurisdiction that has been thinking about AI governance the longest, in the most operationally serious way, and with the most consistent output, I would point to Singapore. The Monetary Authority of Singapore published the FEAT Principles in 2018. That is not a typo. Six years before the EU AI Act entered into force, and eight years before the Digital Omnibus deferrals, MAS had already stated that fairness, ethics, accountability, and transparency should be the operating principles for AI in the financial sector.

What is notable about Singapore is not that it started early. What is notable is that it kept going. The Veritas Initiative operationalised FEAT with concrete tools between 2020 and 2023. Project MindForge extended the framework to generative AI. The MAS Consultation Paper on AI Risk Management Guidelines, released 13 November 2025 with consultation closing 31 January 2026, translates a decade of soft-law development into binding supervisory expectations. In parallel, the Infocomm Media Development Authority and the Personal Data Protection Commission have built out the Model AI Governance Framework, AI Verify, and the AI Testing Accreditation Programme (AI TAP).

This article covers Singapore’s framework in operational detail, and then places it in the wider APAC context: Hong Kong, China, Japan, South Korea, and the frameworks that sit around them. There is a lot in this landscape that is useful for organisations well beyond APAC.

Singapore: the FEAT foundation

The FEAT Principles are the starting point. They are 14 principles organised under four headings: Fairness, Ethics, Accountability, Transparency.

Under Fairness, the principles address justifiability of individual and group outcomes, monitoring of outcomes, and the framework for making choices about accuracy versus fairness trade-offs where they cannot both be maximised.

Under Ethics, the principles address alignment with the organisation’s ethical standards, ensuring AI systems are subject to internal ethical governance, and application of ethical standards in the acquisition of external AI systems.

Under Accountability, the principles address internal ownership by clearly identified individuals or committees, ongoing review by an independent internal group, effective communication with data subjects, and specific management of high-risk decisions.

Under Transparency, the principles address proactive disclosure about AI use, timely and understandable explanation to data subjects, and appropriate documentation to support internal governance.

The FEAT Principles are voluntary in form but function as supervisory expectations in practice. MAS refers to them repeatedly in its subsequent guidance, its inspections, and its consultations.

Veritas: from principles to tools

The Veritas Initiative was launched in 2019 as an industry consortium including MAS, financial institutions, technology companies, and consultancies. Its purpose was to translate FEAT from principles into practical tools.

Between 2020 and 2023, Veritas produced a series of assessment methodologies and open-source toolkits covering fairness, ethics and accountability, and transparency. The tools were designed to help financial institutions assess specific AI systems against FEAT expectations, generating assessment reports that could be used for internal governance and for supervisory engagement.

Veritas continues to be maintained. The current toolkit is available open-source and remains a reference implementation of fairness metrics and assessment methodology for the financial sector.

The significance of Veritas is that it demonstrated MAS’s approach: soft-law principles supported by concrete operational tools, developed in consortium with the industry that would use them. This is a specific regulatory strategy, and it has produced results.

Project MindForge: extending to generative AI

Project MindForge was launched in 2023 as the generative AI-focused successor to Veritas.

Phase 1 concluded in May 2024 with the publication of a whitepaper on the emerging risks and opportunities of generative AI for banks. Its focus was on the specific risks that generative AI introduces beyond traditional machine learning: hallucination, prompt injection, data leakage, insecure integrations, and the changed risk profile of open-ended text generation in financial services contexts.

Phase 2 concluded in early 2026 with the publication of the MindForge AI Risk Management Executive Handbook (January 2026) and the MindForge AI Risk Management Operationalisation Handbook (March 2026). Together, these documents provide 17 considerations across governance, risk management, and lifecycle controls, with detailed operationalisation practices, illustrative case studies, and references to complementary frameworks including NIST AI RMF, ISO/IEC 42001, and OWASP guidance.

MindForge Phase 2 extends the framework to agentic AI as well as generative AI. This is one of the more forward-leaning aspects of the Singapore approach: it is looking ahead to the next class of AI systems before they become dominant, rather than reacting after they do.

MAS Guidelines on AI Risk Management: the binding move

The MAS Consultation Paper on Proposed Guidelines on Artificial Intelligence Risk Management for Financial Institutions, released 13 November 2025, is MAS’s most substantial single regulatory move on AI.

The Guidelines apply to all financial institutions and set out MAS’s expectations on: oversight of AI risk management, key AI risk management systems, policies and procedures, key AI lifecycle controls, and capabilities and capacity needed for the use of AI.

Structurally, the Guidelines apply a proportionality principle. A high-impact, highly complex, business-critical AI system attracts the most stringent governance. A lower-risk application attracts less. The Guidelines are consistent with, and complement, the FEAT Principles and the IMDA’s Model AI Governance Framework.

Consultation closed 31 January 2026. Once finalised, the Guidelines will function as supervisory expectations, with a 12-month transition period to implement.

Key elements of the Guidelines include:

Board and senior management oversight. The Board and senior management have primary and ultimate responsibility for the AI risk management framework. This includes approving AI strategy and risk appetite, and improving their own AI literacy. For institutions with significant AI risk exposure, MAS suggests establishing a cross-functional committee.

AI-related policies, procedures, and standards. Institutions must define key AI concepts, processes, and responsibilities in documented form.

Enterprise risk framework integration. AI-specific risks must be integrated into the enterprise risk framework and risk appetite.

Third-party AI risk management. Enhanced procurement, vendor assessment, and contracting practices are expected.

Use-case-level risk management. Risk materiality assessments, proportionate controls, and pre- and post-deployment reviews for each AI use case.

AI inventory. Institutions must record and maintain core information on AI use cases.

Data governance. Data used in AI systems must be compatible with ethical, regulatory, and organisational standards.

Model lifecycle controls. Controls apply across the AI lifecycle from development through decommissioning.

Assurance. Independent review or validation of material AI models is expected.

The Guidelines are intended to complement rather than replace existing MAS guidelines on outsourcing, technology risk management (TRM Guidelines), operational resilience, and business continuity management. Financial institutions in Singapore are, in practice, complying with a stack of interlocking guidance, not a single instrument.

Figure 1: Singapore’s AI governance stack

Diagram 1: gov-09-diagram1.png

Figure 1 shows Singapore’s AI governance stack for the financial sector. At the top is board-level oversight. Below that are enterprise risk framework integration, AI-specific policies, and third-party management. Below that are the operational elements: use-case risk assessment, model lifecycle controls, monitoring, and assurance. The framework references the FEAT Principles as underlying philosophy, the Veritas toolkit as operational instrumentation, MindForge as the generative and agentic AI extension, and the MAS Guidelines as the supervisory expectations layer. The specific elements draw on TRM Guidelines, outsourcing guidance, and operational resilience expectations that continue to apply.

The IMDA and PDPC track: beyond financial services

Singapore’s non-financial-services AI governance runs through the Infocomm Media Development Authority and the Personal Data Protection Commission.

The Model AI Governance Framework, first published in 2019 and updated across multiple versions, provides voluntary guidance for organisations across all sectors. The 2024 update, jointly issued with the PDPC, aligned with international transparency requirements. In January 2026, IMDA released what it described as the world’s first Model AI Governance Framework for Agentic AI, extending the framework to systems that take autonomous actions.

AI Verify is a testing framework and open-source software toolkit, launched by IMDA and PDPC in 2022. It enables organisations to assess responsible AI implementation against 11 internationally recognised AI governance principles, and is designed to be used for internal governance, customer communication, or supervisory demonstration.

AI TAP (the AI Testing Accreditation Programme) accredits third-party AI testing organisations. AI TAP participants can perform testing (including red teaming) that meets accredited standards, providing an assurance mechanism that would otherwise require organisations to build internal testing capacity from scratch.

Singapore has also proposed international standards. ISO/IEC 42119-8, a Singapore-proposed standard for generative AI testing methodologies including benchmarking and red teaming, is progressing through international standardisation.

The Personal Data Protection Act 2012 continues to apply. The PDPC has issued specific guidance on AI and personal data, covering consent, data protection by design, and the use of personal data in training and inference.

Hong Kong

Hong Kong’s approach parallels Singapore’s in shape but is less institutionally consolidated.

The Personal Data (Privacy) Ordinance (PDPO) is the primary instrument. The Office of the Privacy Commissioner for Personal Data (PCPD) published the Model Personal Data Protection Framework for AI in June 2024, setting out expectations for organisations processing personal data using AI. In January 2026, the PCPD launched compliance checks across 60 organisations. Results published in May 2026 showed 95% of the sampled organisations using AI in day-to-day operations, with over half using three or more AI systems. The PCPD has signalled an increasingly active supervisory stance.

The Hong Kong Monetary Authority (HKMA) and the Securities and Futures Commission (SFC) have issued AI-related guidance for the financial sector. The Digital Policy Office coordinates cross-government AI policy.

There is no horizontal AI statute in Hong Kong. The framework operates through general privacy law and sectoral supervision.

China

China has taken a distinct approach with a sequence of specific regulations rather than a single horizontal law.

The Provisions on the Administration of Deep Synthesis Internet Information Services (2022) governed deepfakes and synthetic content ahead of most other jurisdictions.

The Interim Measures for the Management of Generative AI Services took effect in August 2023 and were the world’s first comprehensive generative AI regulation. They imposed obligations on providers of generative AI services offered to the Chinese public, including content moderation, training data requirements, and registration.

The Regulations on the Administration of Deep Synthesis Internet Information Services and the Provisions on the Administration of Algorithmic Recommendations of Internet Information Services (2021) address recommendation systems and content synthesis.

Additional draft regulations and standards, including the Basic Safety Requirements for Generative AI Services technical standards, provide implementing detail.

The Chinese approach emphasises pre-deployment approval, ongoing supervisory oversight, and content-related obligations that reflect China’s specific regulatory priorities. Organisations serving the Chinese market face a materially different compliance environment than those operating elsewhere in APAC.

Japan and South Korea

Japan has continued with a soft-law approach coordinated through the Ministry of Economy, Trade and Industry (METI) and the AI Strategy Council. Voluntary guidelines including the AI Business Guidelines and the AI Governance Guidelines set out expectations for developers and deployers. The approach is deliberately less prescriptive than the EU, positioned as pro-innovation. Sector-specific regulators (Financial Services Agency, personal data protection authorities) continue to apply their existing frameworks.

South Korea enacted the Framework Act on the Development of Artificial Intelligence in December 2024, with the Act taking effect in January 2026. This is a horizontal risk-based statute similar in shape to the EU AI Act, though with different specifics. It classifies AI by risk, imposes obligations on providers and users of high-risk AI, and establishes a governance framework administered by the Ministry of Science and ICT. South Korea is the second major APAC jurisdiction with a horizontal AI statute in force.

Other APAC jurisdictions (Thailand, Malaysia, Indonesia, Philippines, Vietnam, Australia, New Zealand) are at various stages of policy development, mostly through consultation rather than legislation.

Cross-cutting themes

Several themes emerge from the APAC picture that are worth naming.

Sectoral before horizontal. Most APAC jurisdictions have advanced sector-specific regulation, particularly for financial services, well ahead of horizontal AI law. This is a stark contrast to the EU approach.

Public-private co-development. Singapore’s Veritas and MindForge, Hong Kong’s PCPD framework, Japan’s METI guidelines, and Australia’s Voluntary AI Safety Standard all reflect substantial industry engagement in developing the frameworks. This is deliberate and produces frameworks that map more easily to operational reality.

Assurance and testing infrastructure. Singapore’s AI Verify and AI TAP, and the ISO/IEC 42119-8 international standards work, are building an assurance ecosystem that other jurisdictions are increasingly looking to. Testing accreditation, benchmarking methodology, and red teaming frameworks are becoming shared infrastructure.

Alignment with international norms. Most APAC frameworks explicitly align with OECD AI Principles, and increasingly with EU AI Act structural elements. This is a pragmatic response to a global AI economy. Divergence between jurisdictions imposes cost on providers; convergence reduces it.

Figure 2: The APAC regulatory map

Diagram 2: gov-09-diagram2.png

Figure 2 maps the APAC AI regulatory landscape as of mid-2026. It distinguishes jurisdictions with horizontal AI statutes in force (South Korea, China), sector-focused supervision with sophisticated frameworks (Singapore, Hong Kong), soft-law approaches (Japan, Australia, New Zealand), and jurisdictions with early-stage or draft regimes (Thailand, Malaysia, Indonesia, Philippines, Vietnam). The map understates connectivity: many APAC jurisdictions actively reference each other’s frameworks, and organisations operating across the region typically build to the higher standard.

What organisations should do

Three practical moves for organisations with APAC exposure.

If you operate in Singapore’s financial sector, prepare for MAS Guidelines finalisation. The 12-month transition period after finalisation is short. The Guidelines are consistent with FEAT, Veritas, and MindForge, so organisations that have implemented those already are well-positioned. Organisations that have not should begin now.

If you serve the Chinese market, treat it as its own compliance track. The specific content, registration, and pre-deployment obligations do not translate from other frameworks. Local counsel and local compliance capability are essential.

Adopt AI Verify or an equivalent testing framework. Even outside Singapore, AI Verify provides a well-designed and open-source assessment approach. Using it produces documentation aligned with international principles and creates a working template that scales to other jurisdictions.

Where this batch ends

This is the last article in batch 1. We have covered the philosophy of AI governance, the risk landscape it addresses, and the four jurisdictional pictures that shape most enterprise compliance work today: the EU, the US, Australia, and Singapore-plus-APAC.

Batch 2 turns from the “what applies” question to the “how to comply” question. Article 10 goes deep on the NIST AI Risk Management Framework, which has become the de facto engineering spec for AI risk management inside enterprises. Article 11 covers ISO/IEC 42001, the AI Management System standard that is increasingly the certification standard organisations seek to demonstrate structured governance. Article 12 addresses model risk management for AI and LLMs. Article 13 covers documentation, cards, and audit trails. Article 14 addresses responsible AI in practice: fairness, explainability, and human oversight in operational depth. Article 15 covers agentic AI governance. Article 16 covers third-party and shadow AI risk. Article 17 closes with incident response, red-teaming, and audit readiness, including the practical governance checklist.

The regulatory picture is what defines the destination. The frameworks and controls in batch 2 are how you actually get there.