Singapore's Shift from Trust to Assurance: What Professional Services Firms Must Do Now Under MAS AI Guidelines

For years, Singapore's approach to AI governance was built on a foundation of good faith. Regulators published frameworks, organisations adopted what they found useful, and the system largely ran on voluntary compliance. That era is ending. The regulatory changes introduced between 2024 and 2026 represent a decisive shift: organisations operating in or with Singapore must now actively demonstrate verifiable AI governance, not simply assert it.

For UK professional services firms — accountants, solicitors, HR consultancies, and marketing agencies with Singapore-facing operations or clients — this distinction matters enormously. Here is what has changed, and what you need to do about it.

The End of Voluntary: What Singapore's New Frameworks Actually Require

Singapore has not introduced a single omnibus AI law, and it is unlikely to do so. Instead, regulators have embedded AI governance requirements into existing legal and sectoral frameworks. The effect is the same as standalone legislation: compliance is mandatory, scrutiny is real, and the consequences of falling short are material.

The most significant development for firms with financial sector clients is the Monetary Authority of Singapore's AI Risk Governance (AIRG) guidelines, effective from 2025 with a twelve-month transition period. These guidelines make AI governance a board-level obligation for financial institutions. Covered entities must maintain a centralised AI inventory, conduct risk materiality assessments across their entire AI estate — including third-party and generative AI tools — and apply continuous lifecycle controls from deployment through to decommissioning.

The critical point for professional services providers is this: financial institutions cannot outsource their regulatory accountability. If your firm supplies AI-enabled services, tools, or consultancy to a Singapore-regulated financial institution, your client's regulator will look straight through the contractual boundary and assess whether your governance meets the required standard. Expect intensive due diligence, strict contractual controls, and mandatory third-party testing before any solution goes live.

Generative and Agentic AI: No Longer a Grey Area

In May 2024, Singapore's Infocomm Media Development Authority (IMDA) finalised its Model AI Governance Framework for Generative AI, setting out nine core dimensions including content provenance and incident reporting obligations. That framework was substantive. What followed in January 2026 was unprecedented.

IMDA launched the world's first dedicated governance framework for agentic AI — autonomous, goal-oriented systems capable of executing multi-step tasks with limited human intervention. This is directly relevant to professional services firms exploring AI agents for document review, client onboarding, compliance checking, or financial modelling.

The framework is clear about the risks that distinguish agentic AI from conventional AI: cascading actions, where one autonomous decision triggers a chain of consequential outputs, and the potential for errors to compound before any human can intervene. In response, the framework requires organisations to assess risks before deployment, establish explicit human approval checkpoints for high-stakes actions, and implement strict technical constraints on what an agent can do autonomously.

If your firm is piloting or deploying agentic AI — or advising clients who are — these requirements are not aspirational guidance. They define the governance standard against which your systems will be assessed.

Data Protection and AI Training: The PDPA Has Teeth

In March 2024, Singapore's Personal Data Protection Commission (PDPC) clarified how the Personal Data Protection Act applies to AI recommendation and decision systems. The guidelines address a question that many organisations had been quietly hoping to avoid: can personal data be used to train AI models without explicit individual consent?

The answer is conditionally yes, under the "Business Improvement" and "Research" exceptions — but the conditions are stringent. Organisations must apply robust safeguards, meet specific transparency requirements, and be able to demonstrate that data use was proportionate and controlled.

For professional services firms classified as data intermediaries under the PDPA — which includes systems integrators, bespoke AI developers, and many management consultancies — the obligations extend further. You must maintain rigorous data mapping, label training datasets appropriately, track data provenance, and actively assist your clients with their own PDPA compliance. The regulator expects you to be a partner in your clients' compliance, not merely a vendor who hands over a product and steps away.

Tools You Need to Know: AI Verify and Project Moonshot

Singapore's shift from trust-based to assurance-based compliance is not rhetorical. Regulators now expect organisations to use specialised testing infrastructure to demonstrate that their AI systems are safe and compliant before and during deployment.

Two platforms are central to this expectation. AI Verify provides a structured testing toolkit that allows organisations to document and evidence their governance processes across a standardised set of principles. Project Moonshot is a newly launched open-source platform that integrates benchmarking and red-teaming capabilities specifically for large language models, evaluating exposure to hallucinations, bias, and data leakage.

For UK firms, neither of these tools is yet embedded in domestic compliance culture. That gap represents both a risk and an opportunity. If your Singapore-based clients are asking whether your AI solutions have been tested against these frameworks, and you have no answer, that is a commercial and regulatory problem. Firms that invest early in understanding and applying these toolkits will be substantially better placed when clients — and regulators — come asking.

Professional Accountability: AI Cannot Replace Your Judgement

One thread runs through every element of Singapore's evolving AI governance landscape, and it applies directly to solicitors, accountants, and other licensed professionals: AI does not dilute your professional responsibility.

Singapore's Ministry of Law published draft guidance in September 2025 making this explicit for the legal sector. Lawyers remain wholly responsible for generative AI outputs used in client work. Professional competence and client confidentiality cannot be compromised by the capabilities — or the failures — of the tools you use. The principle is the same across other regulated professions. Your regulator, whether in Singapore or the UK, will not accept "the AI got it wrong" as a mitigating explanation.

This has practical implications for how your firm governs AI use internally. Supervision protocols, quality review processes, and clear accountability chains are not administrative overhead — they are the evidence trail that demonstrates your firm maintains professional standards in an AI-assisted environment.

What You Should Be Doing Now

The direction of travel is unambiguous. Voluntary adoption is giving way to verifiable governance. Singapore's frameworks are among the most detailed and operationally specific in the world, and they are setting the template that other regulators — including those in the UK — are watching closely.

For professional services firms, the priorities are clear: audit your AI estate and map it against the AIRG and IMDA frameworks; review your data intermediary obligations under the PDPA if you handle client data in Singapore; assess your contractual position with financial sector clients in light of the third-party accountability requirements; and build familiarity with AI Verify and Project Moonshot before your clients require it of you.

This is complex, fast-moving territory. Getting ahead of it requires specialist knowledge, not just good intentions.

Ops Intel helps UK professional services firms navigate AI compliance across multiple jurisdictions, including Singapore, with practical, evidence-based guidance that translates regulatory requirements into operational action. If your firm is assessing its position under Singapore's AI frameworks — or preparing for the UK's own evolving landscape — contact Ops Intel today to speak with a compliance specialist.