AI Governance

Pragmatic AI Governance for APAC

Aligning to MAS, IMDA, and global guidance without slowing down.

2 min readAI Governance

November 2025 changed something.

That is when MAS released its consultation paper on AI Risk Management Guidelines for financial institutions. The consultation closed in January 2026. The toolkit developed through Project MindForge, involving 24 of the region's leading banks and insurers, published in March. Once the final guidelines are issued, non-compliance will be a supervisory matter.

For APAC enterprises in regulated industries, the window for treating AI governance as a voluntary best practice has closed.

What MAS actually requires

The MAS framework applies to all MAS-regulated financial institutions — banks, insurers, fintechs, payment providers, capital market intermediaries. It requires board and senior management accountability for AI risk. It mandates an AI inventory, materiality assessments across three dimensions (impact, complexity, reliance), and lifecycle controls covering development, deployment, monitoring, and retirement. Third-party AI tools are explicitly within scope — an institution cannot delegate governance responsibility to a vendor.

These requirements sit within a regional ecosystem that is broader than MAS alone. Bank Negara Malaysia has comparable AI guidelines. Bank of Thailand has an AI risk management framework. The EU AI Act classifies financial AI as high-risk with significant conceptual overlap to MAS expectations. Multinational institutions operating across the region are navigating several frameworks simultaneously.

Inventory and visibility

Most organisations do not know with precision what AI systems are operating, who authorised them, and what decisions they are influencing. Building that inventory is not glamorous work. It is also unavoidable.

Proportionality

The MAS framework is explicitly risk-based. High-materiality AI systems attract more exacting standards. Low-materiality systems may use simplified controls. Getting the materiality assessment right determines how much governance overhead each system actually requires. Applying the same rigour to a rule-based internal chatbot as to an AI model making credit decisions is a waste of resources and misses the point.

Third-party risk

The era of assuming that a vendor's AI is the vendor's governance problem is over. If the model influences a regulated decision, the institution is accountable for understanding its behaviour, documenting its risks, and maintaining contractual audit rights over it.

None of this is insurmountable. Organisations with clear board ownership of AI risk, a functioning AI inventory, and documented lifecycle controls for high-impact systems are well-positioned. The ones that struggle are those that treated AI governance as a future compliance exercise rather than a current operational reality.

The regulatory signal from Singapore is not ambiguous. The time to build the foundation is now.

Move from strategy to delivery.

Speak with a senior operator about your revenue, APAC, or AI priorities.

Book a Consultation