The First Government Framework for AI Agents, and Why It Matters for Your Business
Singapore has published the world's first national governance framework specifically for AI agents. It signals where regulation is heading globally. Here's what businesses need to know.
Agents are different, and governments are starting to notice
Most AI tools today work in a simple loop: you give them an input, they produce an output, you review it. That’s how chatbots, classifiers, and summarisers work, and it’s the model that almost every AI regulation in the world was written for.
AI agents break that loop. An agent plans across multiple steps, calls tools, queries databases, and takes actions, potentially dozens of decisions deep before a human sees anything. If your business uses tools that book meetings, draft and send emails, update CRM records, or manage workflows with minimal human input, you’re already in agent territory.
In January 2026, Singapore published the Model AI Governance Framework for Agentic AI, the first national-level governance framework written specifically for agents. It’s short, non-binding, and framed as a living document. But it’s significant because it signals the direction that AI governance is heading globally, not just in Singapore.
Why this matters beyond Singapore
Singapore leads the ASEAN Working Group on AI Governance. Its previous AI governance framework quietly became a reference point across Asia-Pacific over the last five years. This new agentic framework is positioned to play the same role. It’s the document regulators across the region are most likely to build on.
Combined with the EU AI Act (which we’ve written about in the context of Scotland’s AI Strategy) and the growing relevance of ISO 42001, a clear pattern is emerging: governance requirements for AI are tightening, and agents are next in line.
For businesses in the UK and Europe, this isn’t an abstract policy development. It’s a preview of the rules that will shape how AI tools can be deployed over the next few years.
What the framework actually says
Singapore’s framework is built around four pillars, and several of its ideas are genuinely new in the governance space:
Bound the risks at design time, not after deployment. The framework is explicit that the right place to limit an agent’s blast radius is before it goes live by capping what it can do, which tools it can call, and what data it can access. An agent deployment with no architectural limits on its autonomy is, by definition, ungoverned. This is a shift from “review the outputs” to “constrain the inputs.”
Decide who is responsible before something goes wrong. A typical agent deployment involves a model provider, a framework, tool providers, and the business deploying it. When something goes wrong, accountability collapses into finger-pointing unless you’ve decided in advance who owns which class of failure. The framework says: decide this, write it down, name names.
Audit whether human oversight is actually working. This is the sharpest idea in the document. It doesn’t just require human approval at significant checkpoints it requires organisations to measure whether those approvals are effective. Anyone who has watched someone click “approve” twenty times in a row without reading knows that “human in the loop” is a control that degrades silently. Singapore is the first framework to require measurement of that degradation.
Protect your team’s skills. The framework treats long-term workforce capability as something your AI governance should actively protect. As agents move from augmenting tasks to replacing them, the risk of deskilling (your team losing the ability to do the work without the AI) becomes a governance concern, not just an HR one.
Governance and security, side by side
Singapore’s agentic AI guidance is actually two documents working together. Three months before the IMDA framework launched, the Cyber Security Agency of Singapore (CSA) published a security-focused companion called “Securing Agentic AI” (October 2025), with a public consultation that ran until the end of that year. Where IMDA’s framework covers governance, like who is accountable, how risks are bounded, and how humans stay in the loop, CSA’s addendum covers the technical security controls underneath: agent identity management, lifecycle controls, and worked examples for coding assistants, automated onboarding, and fraud detection.
For businesses, the practical takeaway is that the governance and security layers are being designed to fit together. Treating them as a single stack is the simpler path, and it’s how legal commentators have started to interpret the two documents.
A further IMDA testing guideline for agentic AI applications is in development but not yet published. It will build on Singapore’s existing starter kit for testing LLM-based applications.
What this means for SMEs
You don’t need to comply with Singapore’s framework. But you should pay attention to the direction it sets, because it previews what governance expectations will look like everywhere:
If you’re adopting AI tools with agent capabilities, anything that takes multi-step actions on your behalf, you should know what those tools can and can’t do, what data they access, and what happens when they get it wrong. That’s not compliance overhead. It’s basic operational awareness.
If you’re evaluating AI products, ask vendors what controls exist on their agents’ autonomy. Can you limit what the agent does? Can you audit its decisions? If the vendor can’t answer those questions, that’s a red flag.
If you haven’t thought about AI governance yet, now is the time to start. The businesses that build simple, proportionate governance practices now (an AI policy, clear accountability, basic risk assessment) will be well ahead when formal requirements arrive. The strategy is the same whether you’re responding to Singapore, the EU AI Act, or future UK guidance: prepare early, and the compliance cost stays low.
The bottom line
Singapore’s framework matters not because it applies to your business today, but because it shows where the world is heading. Agents are becoming the default way AI gets deployed, and governance is catching up. The first country to publish a framework specifically for agents has set the benchmark.
The businesses that will navigate this well are the ones that treat governance as a practical discipline that is proportionate, grounded in real risk, and built into how they adopt AI, rather than waiting for regulation to force their hand.
If you’re thinking about how AI agents fit into your business, or how to build governance practices that are right-sized for your organisation, get in touch. We help businesses work through exactly these questions.