
Singapore & EU cross-map

Singapore runs a secure-by-design, risk-based, largely voluntary regime, deliberately interoperable with international norms and a reference for the forthcoming ASEAN framework. The operational machinery for testing against it lives in Project Moonshot and the engagement runbook (II.20), the assurance dimensions (II.21), and the verification/maturity standards (IV.2).

flowchart TB
  subgraph SG["SINGAPORE INSTRUMENTS"]
    G["CSA Guidelines on Securing AI Systems<br/>Oct 2024, secure-by-design, lifecycle"]
    CG["Companion Guide<br/>living; May 2025 added adversarial-robustness<br/>testing &amp; secure retraining"]
    AD["Securing Agentic AI Addendum<br/>Oct 2025; capability-based risk, workflow mapping"]
    ADV["Advisory AD-2026-004<br/>Apr 2026; frontier-model risk"]
  end
  INTL["INTERNATIONAL ANCHORS<br/>MITRE ATLAS · OWASP · NIST AI RMF<br/>ISO/IEC 42001 · EU AI Act"]
  G --> CG --> AD
  G --> ADV
  CG -.aligns to.-> INTL
  classDef sg fill:#26200c,stroke:#e4a23f,color:#f3dca0;
  classDef in fill:#0f1a18,stroke:#5bd1c5,color:#bdeee2;
  class G,CG,AD,ADV sg; class INTL in;

CSA owns the security instruments; IMDA/PDPC own governance; MAS owns financial-sector expectations. All reference ATLAS, OWASP, NIST and ISO, so a control built once maps outward.

AD-2026-004 - the mitigations, organized

| Horizon | Measure | Why (vs AI-speed attacks) |
|---|---|---|
| Immediate | Patch critical/high vulns on internet-facing systems | Highest exposure to automated mass exploitation |
| Immediate | MFA on admin/gateway/cloud; IP allowlist where impossible | Blocks fast credential-driven access |
| Immediate | Secure or disconnect internet-facing dev/test | Common soft entry for automated recon |
| Immediate | Tighten cloud configs; fix exposed mgmt interfaces | AI rapidly finds misconfigurations |
| Immediate | Least privilege; revoke dormant accounts | Shrinks lateral-movement surface |
| Longer term | Network/micro-segmentation | Contains rapid AI-driven lateral movement |
| Longer term | Supply chain & dependency security | AI accelerates third-party exploitation |
| Longer term | Attack-path monitoring + behavioral anomaly detection | Catches multi-stage ops faster than human timelines |
| Longer term | Strong IAM; rapid credential response (minutes) | AI escalates/pivots at machine speed |
| Longer term | Shorten/automate patch cycles; use AI for vuln detection | AI weaponizes new CVEs within hours |

MGF for Agentic AI - the framework assessors work against

Mapping a control to Singapore guidance
control: "Human-in-the-loop on consequential agent actions"
-> IMDA Model AI Governance Framework (GenAI) / MGF for Agentic AI - human oversight
-> CSA AD-2026-004 - frontier-AI advisory: monitor + constrain autonomous action
-> AI Verify testable principle: "Human agency & oversight"
# for a SG-regulated client, cite the local instrument each control satisfies

IMDA launched the Model AI Governance Framework for Agentic AI (“MGF for Agentic AI”) at the World Economic Forum in Davos on 22 Jan 2026 - the world’s first governance framework purpose-built for AI agents that plan, reason, and act autonomously - and published an updated v1.5 on 20 May 2026 adding real-world case studies (e.g. the OpenClaw open-source agent platform) and new best practices for multi-agent systems, managing third-party-agent risk, and guarding against automation bias. It builds on the original 2020 MGF and the 2024 MGF for GenAI. Compliance is voluntary, but organisations remain legally accountable for their agents’ actions, and it applies to anyone deploying agentic AI in Singapore - in-house or third-party.

It is organised around four dimensions, which double as your assessment checklist for an agentic deployment: (1) assess & bound the risks upfront - define agent boundaries and limit the potential scope of impact at design time; (2) meaningful human accountability - keep humans ultimately responsible and guard against automation bias (over-trusting a system that has been reliable before); (3) technical controls & processes - “agentic guardrails,” traceability, and oversight mechanisms; and (4) end-user responsibility - equip and train users to oversee agents. The throughline (“define boundaries → bound impact → keep a human accountable → make it traceable”) maps directly onto this playbook’s spine: the lethal-trifecta triage (II.3), least-privilege agent identity (III.2), approval gates and the mitigation matrix (III.1), and detection/traceability (III.3).
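The throughline above, sketched as an approval gate with a tamper-evident decision log. This is an added example, not code from this playbook or from IMDA; the `Gate` class, the tool names, and the refund limit are hypothetical.

```python
import hashlib
import json

# Constructed policy for a hypothetical support agent; all names are illustrative.
ALLOWED_TOOLS = {"search_docs", "read_ticket", "send_email", "issue_refund"}
CONSEQUENTIAL = {"send_email", "issue_refund"}  # require a named human approver
REFUND_LIMIT = 200.00                           # impact bound fixed at design time


class Gate:
    def __init__(self):
        self.log = []

    def _record(self, entry):
        # Traceability: each record embeds the previous record's hash, so an
        # edited or deleted entry breaks the chain.
        entry["prev"] = self.log[-1]["hash"] if self.log else "0" * 64
        body = json.dumps(entry, sort_keys=True).encode()
        entry["hash"] = hashlib.sha256(body).hexdigest()
        self.log.append(entry)
        return entry["decision"]

    def decide(self, agent, tool, args, approver=None):
        entry = {"agent": agent, "tool": tool, "args": args, "approver": approver}
        amount = args.get("amount")
        if tool not in ALLOWED_TOOLS:                    # define boundaries
            entry["decision"] = "deny:out_of_bounds"
        elif tool == "issue_refund" and (                # bound impact, fail closed
            not isinstance(amount, (int, float)) or not 0 < amount <= REFUND_LIMIT
        ):
            entry["decision"] = "deny:exceeds_impact_bound"
        elif tool in CONSEQUENTIAL and not approver:     # keep a human accountable
            entry["decision"] = "hold:needs_human_approval"
        else:
            entry["decision"] = "allow"
        return self._record(entry)

    def verify_chain(self):
        prev = "0" * 64
        for e in self.log:
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if e["prev"] != prev or digest != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

Denied and held requests are logged alongside allowed ones, so the record shows what the agent attempted as well as what it did.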

EU cross-map: the EU AI Act is binding and risk-tiered. GPAI obligations have applied since 2 Aug 2025; most remaining obligations, Article 50 transparency, and the Article 49 registration database apply from 2 Aug 2026; and - per the 7 May 2026 “Digital Omnibus” agreement - the high-risk (Annex III) duties (risk management, data governance, logging, human oversight, robustness & cybersecurity) were pushed to 2 Dec 2027 (Annex I-embedded high-risk to Aug 2028). That deferral is a provisional political agreement pending formal adoption in the Official Journal (expected before Aug 2026); until adoption, 2 Aug 2026 remains the live deadline. The architecture - four risk tiers, conformity assessment, the GPAI track, the AI Office - is unchanged. SG orgs touching EU markets: build to the stricter EU high-risk bar where it applies; CSA/NIST/ISO cover the rest. Build once, label many.