Docs

Appearance

Singapore IMDA Model AI Governance Framework for Agentic AI (v1.5)

The Model AI Governance Framework for Agentic AI (short: MGF for Agentic AI) is best-practice guidance published by the Infocomm Media Development Authority (IMDA) of Singapore. The current edition is version 1.5, published on 20 May 2026 and updated on 5 June 2026. It gives organisations a structured overview of the risks of agentic AI and the emerging best practices for managing them, so that agentic AI can be adopted with greater confidence.

The framework is targeted at organisations deploying agentic AI — whether by building agents in-house or by using third-party agentic solutions — and is organised around four dimensions that span the agentic AI lifecycle.

Quick decision — is this framework for you?

  • Deploying or building agentic AI and want a structured risk model → the MGF for Agentic AI gives you the four dimensions, the agent core-component model, and the agentic risk taxonomy. Start with Agentic AI components and risk taxonomy.
  • You already run an AI governance programme (ISO/IEC 42001, NIST AI RMF) → treat the MGF for Agentic AI as the agentic overlay. Its control-level substance reuses framework-agnostic controls you may already operate; the agentic-specific block is what is new.
  • You operate multi-agent systems → pay particular attention to the multi-agent dimension. In Modulos this is the conditional requirement MRF-317, which applies only when more than one agent runs.
  • You want to operationalise it in Modulos now → go straight to Operationalizing the MGF for Agentic AI in Modulos for the MFF-17 and OFF-17 rollout.

TL;DR

  • The MGF for Agentic AI v1.5 (IMDA, 20 May 2026, updated 5 June 2026) is best-practice guidance, not a law or regulation. It builds on the Model AI Governance Framework (2nd Edition, 2020).
  • It is organised into four dimensions: assess and bound the risks upfront; make humans meaningfully accountable; implement technical controls and processes; and enable end-user responsibility. IMDA frames these as an iterative process.
  • It describes eight core components of an agent (model, instructions, memory, planning and reasoning, tools, protocols, controls, and logging and monitoring), distinguishes action-space from autonomy as the two axes that determine what an agent can do, names four levels of human involvement, and sets out three multi-agent patterns (sequential, supervisor, swarm).
  • It names five negative outcomes organisations should be aware of — erroneous actions, unauthorised actions, biased or unfair actions, data breaches, and disruption to connected systems — plus systemic and multi-agent risks such as agent sprawl, miscoordination, conflict, collusion, and emergent behaviour.
  • Modulos models it as two templates: MFF-17 (app, 9 requirements, MRF-311MRF-319, 49 controls) and OFF-17 (org, 4 requirements, ORF-389ORF-392, 22 controls). Risk scoping runs through an action-space-by-autonomy classification + impact-by-likelihood risk-cell rubric (MCF-545/546/547), not through tags.

Primary source

IMDA Model AI Governance Framework for Agentic AI, v1.5, published 20 May 2026 (updated 5 June 2026), Infocomm Media Development Authority (IMDA), Singapore. Always verify framework claims against the current published edition.

Key facts
Publisher
IMDA (Singapore)
Version
v1.5 (20 May 2026, updated 5 Jun 2026)
Type
Best-practice guidance
Scope
Organisations deploying agentic AI
Structure
4 dimensions across the agent lifecycle
Modulos templates
MFF-17 (app) + OFF-17 (org)

What is the MGF for Agentic AI?

Compared to generative AI, AI agents can take actions, adapt to new information, and interact with other agents and systems to complete tasks on behalf of humans. The framework defines agentic AI systems as software systems consisting of one or multiple AI agents that may operate individually or collaboratively. Agents possess some degree of independent planning, decision-making, and action-taking over multiple steps to achieve a user-defined goal.

These greater capabilities bring new risks: an agent's access to sensitive data and ability to change its environment — for example updating a customer database or making a payment — are double-edged. As organisations move towards deploying multiple agents with complex interactions, outcomes become more unpredictable. The framework's premise is that humans must remain accountable and properly manage these risks: existing trusted-AI principles such as transparency, accountability, and fairness continue to apply, but need to be translated into practice for agents, and meaningful human control and oversight need to be integrated into the agentic AI lifecycle. That oversight must be balanced, because continuous human oversight over all agent workflows becomes impractical at scale.

The framework builds on the responsible-AI practices for organisations set out in the Model AI Governance Framework (2nd Edition, 2020), which is the only IMDA instrument it explicitly cross-references. IMDA describes the MGF for Agentic AI as a living document, developed with government agencies and leading companies, that will be continuously updated to keep pace with new developments.

What counts as agentic AI (scope)

The framework focuses on agents built on generative AI models, which generally use a small, large, or multimodal large language model (SLM, LLM, or MLLM) as the brain to make decisions and complete tasks. It notes that software agents are not a new concept and that other agents exist, such as those using deterministic rules or other neural networks, but its treatment is centred on generative-AI agents.

It describes eight core components of an agent:

#ComponentWhat it is
1ModelThe SLM, LLM, or MLLM that serves as the central reasoning and planning engine — the "brain".
2InstructionsNatural-language commands that define the agent's role, capabilities, and behavioural constraints (e.g. a system prompt).
3MemoryInformation stored and accessible to the model, in short- or long-term storage.
4Planning and reasoningThe model's ability to output a series of steps needed for a task.
5ToolsThe means by which an agent takes actions and interacts with other systems; an agent can also be called as a tool by another agent.
6ProtocolsStandardised ways for agents to communicate with tools and other agents.
7ControlsMeasures that limit the agent's action-space and autonomy — access controls, guardrails, and human approvals.
8Logging and monitoringRecords of agent actions, decisions, and interactions to enable monitoring, debugging, and accountability.

To reason about what an agent can do, the framework distinguishes two axes. Action-space (also called authority or capabilities) is the range of actions an agent can take, including the transactions it can execute, which depends mainly on the tools and permissions it has. Autonomy (also called decision-making) is the degree to which an agent can decide how to act towards a goal, which depends mainly on its instructions and the level of human involvement. The framework names four levels of human involvement:

  • Agent proposes, human operates — the human reviews and approves every agent action.
  • Agent and human collaborate — the agent requires approval at significant steps and the human can intervene at any time.
  • Agent operates, human approves — the agent requires approval only at critical steps or failures.
  • Agent operates, human observes — the agent does not require approval; its actions may be audited after the fact.

For multi-agent set-ups, the framework describes three design patterns — sequential (agents work one after another in a structured workflow), supervisor (one supervising agent coordinates specialised agents under it), and swarm (agents work at the same time, handing off as needed) — and notes that real systems often use hybrid patterns. Protocols include the Model Context Protocol (MCP) for agent-to-tool communication and the Agent2Agent Protocol (A2A) for agent-to-agent communication; MCP is one instantiation of a connector pattern in a fast-developing space, not a mandated technology.

→ Deep dive: Agentic AI components and risk taxonomy — the eight core components, action-space and autonomy, multi-agent patterns, and the full risk taxonomy.

The four dimensions of the framework

The operative guidance is organised into four dimensions. IMDA frames them as an iterative process rather than a one-time sequence — for example, if an anomaly is detected during monitoring, an organisation may revisit earlier dimensions. The descriptive introduction (agent components and the risk taxonomy) assigns no actor-specific duties; the operative recommendations begin with the four dimensions.

1. Assess and bound the risks upfront

Organisations should adapt their internal structures and processes to account for new risks from agents. The starting point is to understand the risks posed by the agent's actions, which depend on factors such as the scope of actions the agent can take, the reversibility of those actions, and the agent's autonomy. To manage these early, organisations could limit the agent's scope of impact by designing appropriate boundaries at the planning stage — for example limiting access to tools and external systems — and ensure actions are traceable and controllable through measures such as identity management and access controls for agents.

→ Deep dive: Assess and bound the risks.

2. Make humans meaningfully accountable

Once an organisation gives the "green light" for agentic deployment, it should take steps to ensure human accountability. Because agent autonomy complicates traditional responsibility assignments tied to static workflows, and multiple actors may be involved across the agent lifecycle, the framework recommends clearly defining the responsibilities of different stakeholders — internally and with external vendors — while emphasising adaptive governance. Meaningful human oversight has to be adapted to address automation bias, including defining significant checkpoints in the agentic workflow that require human approval (such as high-stakes or irreversible actions) and regularly auditing human oversight to check that it remains effective over time.

→ Deep dive: Make humans meaningfully accountable.

3. Implement technical controls and processes

Organisations should ensure the safe and reliable operationalisation of agents by implementing technical measures across the agent lifecycle. During development, this means incorporating technical controls for new agentic components such as planning, tools, and still-maturing protocols, to address the increased attack surface. Before deployment, agents should be tested for baseline safety and reliability — including new dimensions such as overall execution accuracy, policy adherence, and tool use. During and after deployment, because agents interact dynamically with their environment and not all risks can be anticipated upfront, the framework recommends gradual rollout alongside continuous monitoring.

→ Deep dive: Implement technical controls and processes.

4. Enable end-user responsibility

Trustworthy deployment does not rely solely on developers; it also depends on end-users using agents responsibly. As a baseline, users should be informed of the agent's range of actions, its access to data, and the user's own responsibilities. The framework recommends layering on training to equip employees to manage human-agent interactions and exercise effective oversight, while maintaining their tradecraft and foundational skills.

→ Deep dive: Enable end-user responsibility.

The agentic AI risk taxonomy (overview)

The framework's risks are familiar in kind — agents inherit traditional software vulnerabilities and LLM-specific risks such as hallucination, bias, data leakage, and prompt injection — but manifest differently through the new components, and matter more because agents take actions in the real world. Organisations should be aware of five negative outcomes:

OutcomeWhat it covers
Erroneous actionsIncorrect actions, such as scheduling on the wrong date or producing flawed code.
Unauthorised actionsActions taken outside the agent's permitted scope or authority.
Biased or unfair actionsActions that lead to unfair outcomes, especially across different groups.
Data breachesActions that expose or wrongly modify sensitive data.
Disruption to connected systemsDisruption caused when agents are compromised or malfunction.

The framework adds systemic and multi-agent risks: the speed and volume of agent decisions strain real-time oversight; cascading or compounding effects can amplify a single mistake across later steps; and multi-agent systems introduce risks such as agent sprawl, collaborative failures (miscoordination, conflict, collusion), and unpredictable emergent behaviour. These are most pronounced when agents cross system or organisational boundaries.

→ Full taxonomy: Agentic AI components and risk taxonomy.

What's new in version 1.5

Version 1.5 incorporates feedback received from more than 60 companies since version 1.0. The main changes:

  • Agentic components — added safety-and-reliability components (controls, and logging and monitoring) to the agent's core components.
  • Protocols — updated for newer protocols, especially for agentic commerce.
  • Systemic and multi-agent risks — added as a dedicated risk category.
  • The four dimensions — added an IMDA case study on applying the framework to OpenClaw deployments.
  • Assess and bound the risks — added risk factors including system complexity and use of third-party solutions, with case studies.
  • Make humans meaningfully accountable — refined the agentic value chain to separate platform providers from system providers or app developers, and added more practices against automation bias such as monitoring human override rates and response times.
  • Implement technical controls — added an overview of control types (structural and rule-based controls vs model-based or prompt-layer controls) and change-management recommendations.
  • Enable end-user responsibility — added detail on loss of tradecraft and its impact on business continuity.

Worked company examples and their figures throughout the framework are illustrative case studies, not framework requirements.

How the MGF for Agentic AI compares to other frameworks

Cross-framework mapping (preview)

A detailed control-by-control mapping is in preparation. At a high level, the MGF for Agentic AI is adjacent and complementary to other governance and security frameworks rather than overlapping with any of them:

  • OWASP Top 10 for Agentic Applications — a security-specific taxonomy for agentic threats; the MGF's technical-controls dimension sits naturally alongside it. See OWASP Top 10 for Agentic Applications.
  • ISO/IEC 42001 — a certifiable AI management-system standard; the MGF for Agentic AI can act as the agentic overlay inside an ISO 42001 AIMS.
  • NIST AI RMF — a voluntary risk-management operating model; its Govern/Map/Measure/Manage functions cover overlapping ground at the control level.

In Modulos, this cross-framework reuse is realised at the control layer: several controls behind MFF-17/OFF-17 carry an Agnostic tag and are the same control objects reused by other framework templates, so evidence recorded once can serve multiple frameworks. This preview does not assert article-by-article mappings to any binding regulation.

For other Singapore guidance, see MAS FEAT principles. Full side-by-side: AI governance frameworks comparison.

How Modulos operationalizes the MGF for Agentic AI

Modulos models the framework as two templates, deliberately split between organisation-wide governance and per-application build-and-operate work:

  • OFF-17 — Singapore MGF for Agentic AI (org) — tenant-wide governance. 4 requirements (ORF-389ORF-392), 22 controls. Use one OFF-17 organisation project.
  • MFF-17 — Singapore MGF for Agentic AI (app) — per-application build and operate. 9 requirements (MRF-311MRF-319), 49 controls. Use one MFF-17 application project per agentic system.

The two templates are designed to operate together. The org/app split is deliberate and avoids duplicating any obligation: the central risk-and-change methodology lives on ORF-390 even though MRF-311 references it, and the central agent catalogue lives on ORF-391 even though MRF-312 references it. Each requirement is evidenced through a readiness signal plus owner-attested fulfilment — not through reviews, which are reserved for control status changes.

The 13 requirements group against the four dimensions as follows:

DimensionOrg (OFF-17)App (MFF-17)
1 — Assess and bound the risksORF-390 (risk and change methodology), ORF-391 (central agent catalogue)MRF-311 (use-case suitability and risk context), MRF-312 (bound agent authority by design)
2 — Make humans meaningfully accountableORF-389 (value-chain and internal responsibilities)MRF-313 (design and audit meaningful human oversight), MRF-319 (red-team agents and assess third-party components)
3 — Implement technical controlsMRF-314 (controls during design and development), MRF-315 (test agent and multi-agent behaviour), MRF-316 (gradual deploy, monitor, manage change)
4 — Enable end-user responsibilityORF-392 (train integrating users, preserve manual fallback)MRF-318 (disclose agent identity, authority, data use, escalation)
Cross-cutting — multi-agentMRF-317 (govern multi-agent and cross-system interactions)

MRF-317 is conditional: it applies only when more than one agent runs. Single-agent deployments mark it not applicable.

Scoping is not tag-driven — every one of the 13 requirements carries empty requirement tags, so there is no Singapore-specific tag family to filter on. Risk scoping instead runs through an action-space-by-autonomy classification and an impact-by-likelihood risk-cell rubric, encoded in controls MCF-545 (action-space and autonomy classification), MCF-546 (agentic risk-cell rubric), and MCF-547 (agent suitability gate). This is the through-line that turns the framework's two axes and risk taxonomy into an explicit, recorded scoping decision per agent.

→ Full rollout: Operationalizing the MGF for Agentic AI in Modulos — project structure, the requirement-by-requirement walkthrough, the scoping rubric, and the evidence package.

Getting started

Agentic AI components and risk taxonomy

The eight core components, action-space vs autonomy, multi-agent patterns, and the full risk taxonomy

Assess and bound the risks

Dimension 1 — understand and bound agent risk by design before deployment

Make humans meaningfully accountable

Dimension 2 — value-chain responsibilities, meaningful oversight, and automation bias

Implement technical controls

Dimension 3 — lifecycle technical measures, testing, and staged rollout

Enable end-user responsibility

Dimension 4 — disclosure, training, and preserving manual tradecraft

Operationalizing in Modulos

A practical path to implement MFF-17 and OFF-17 with requirements, controls, and evidence

Frequently asked questions about the MGF for Agentic AI

What is the Singapore IMDA Model AI Governance Framework for Agentic AI?

The Model AI Governance Framework for Agentic AI is best-practice guidance published by the Infocomm Media Development Authority (IMDA) of Singapore. The current edition is version 1.5, published on 20 May 2026 and updated on 5 June 2026. It gives organisations a structured overview of the risks of agentic AI and emerging best practices for managing them, organised into four dimensions: assess and bound the risks upfront; make humans meaningfully accountable; implement technical controls and processes; and enable end-user responsibility. It is aimed at organisations deploying agentic AI, whether by building agents in-house or by using third-party agentic solutions.

Is the MGF for Agentic AI mandatory or voluntary?

The MGF for Agentic AI is best-practice guidance, not a law or a regulation. IMDA describes it as a living document that collates current best practices and real-world case studies and that will be updated as the technology develops; it does not create legal obligations of its own. Organisations adopt it to manage agentic-AI risk in a structured, defensible way. In the Modulos platform the corresponding templates carry a Regulation label, but that is a platform-template artefact, not a legal characterisation of the framework.

What are the four dimensions of the MGF for Agentic AI?

The framework is organised into four dimensions:

  1. Assess and bound the risks upfront — understand an agent's risks from its action-space, the reversibility of its actions, and its autonomy, then bound the agent's scope of impact by design.
  2. Make humans meaningfully accountable — allocate responsibilities across the value chain and integrate meaningful human oversight while guarding against automation bias.
  3. Implement technical controls and processes — apply technical measures across the agent lifecycle and test agents before and after deployment.
  4. Enable end-user responsibility — inform users of the agent's actions and data access and equip them through training while preserving manual tradecraft.

IMDA frames the four dimensions as an iterative process rather than a one-time sequence.

What counts as agentic AI under the framework, and what is in scope?

The framework defines agentic AI systems as software systems consisting of one or multiple AI agents that may operate individually or collaboratively, where agents possess some degree of independent planning, decision-making, and action-taking over multiple steps towards a user-defined goal. It focuses on agents built on generative AI models that use an SLM, LLM, or MLLM as the brain. It sets out eight core components — model, instructions, memory, planning and reasoning, tools, protocols, controls, and logging and monitoring — distinguishes action-space from autonomy, names four levels of human involvement, and describes three multi-agent patterns: sequential, supervisor, and swarm.

How does the MGF for Agentic AI relate to the original MGF (2020) and to AI security standards like the OWASP Top 10 for Agentic Applications?

It builds on the responsible-AI practices for organisations set out in the Model AI Governance Framework (2nd Edition, 2020), translating principles such as transparency, accountability, and fairness into practice for agents — that is the only IMDA instrument it explicitly cross-references. It draws on attributed third-party resources (for example from GovTech Singapore, CSA Singapore, the World Economic Forum, and the Gradient Institute) for adapted concepts, but these are not IMDA instruments. It is complementary to security taxonomies such as the OWASP Top 10 for Agentic Applications and to management-system standards such as ISO/IEC 42001 and NIST AI RMF, which cover overlapping ground at the control level.

What changed in version 1.5 of the framework?

Version 1.5 incorporates feedback from more than 60 companies. It adds safety-and-reliability components (controls, and logging and monitoring) and updates protocols, especially for agentic commerce. It introduces systemic and multi-agent risks and an IMDA OpenClaw case study. It also refines the agentic value chain, expands automation-bias practices, adds an overview of control types and change-management guidance, and details loss of tradecraft.

How does Modulos implement the MGF for Agentic AI (MFF-17 and OFF-17)?

Modulos models the framework as two templates. MFF-17 (app) holds the per-application build-and-operate obligations as nine requirements, MRF-311 through MRF-319, mapped across 49 controls. OFF-17 (org) holds tenant-wide governance as four requirements, ORF-389 through ORF-392, mapped across 22 controls. Use one OFF-17 organisation project and one MFF-17 application project per agentic system. Scoping is not tag-driven; risk scoping runs through an action-space-by-autonomy classification and an impact-by-likelihood risk-cell rubric encoded in MCF-545, MCF-546, and MCF-547. Each requirement is evidenced through a readiness signal plus owner-attested fulfilment. See Operationalizing the MGF for Agentic AI in Modulos.

Who is the framework aimed at — developers, deployers, or end-users?

It is targeted at organisations looking to deploy agentic AI, whether by developing agents in-house or by using third-party agentic solutions. Its four dimensions touch every actor in the agentic value chain. The framework names five roles in its simplified value chain: tooling providers, platform providers, system providers or app developers, the deployer, and end users. Across these roles, the deployer allocates responsibilities, the providers and integrators design and bound agents and apply technical controls, the human supervisors exercise oversight, and end-users use agents responsibly once informed of the agent's range of actions, data access, and their own responsibilities.

Source attribution

This page summarises the IMDA Model AI Governance Framework for Agentic AI, v1.5, published 20 May 2026 (updated 5 June 2026) by the Infocomm Media Development Authority (IMDA), Singapore. The framework builds on the Model AI Governance Framework (2nd Edition, 2020). Worked company examples in the source are illustrative case studies, and concepts adapted from third parties (including GovTech Singapore, CSA Singapore, the World Economic Forum, the Gradient Institute, and Anthropic) retain their original source attributions in the framework text.

Disclaimer

This page is for general informational purposes and does not constitute legal advice. Always verify framework claims against the current published edition of the IMDA Model AI Governance Framework for Agentic AI.