MAS’ AI Governance Mandate Sets the Bar for Financial Institutions

Against this backdrop, the Monetary Authority of Singapore (MAS) has issued its proposed Guidelines on Artificial Intelligence Risk Management (AIRG). The direction is unmistakable. As AI adoption accelerates, governance expectations and practices in financial services must mature in parallel.

While the new Guidelines complement MAS’ existing Fairness, Ethics, Accountability and Transparency (FEAT) principles, they go further in operationalising how AI risks should be governed across financial institutions. AIRG signals a structural shift that elevates AI from a technology initiative to a board-level risk category.

Elevating AI to the board agenda

A defining feature of AIRG is its explicit emphasis on board and senior management accountability. MAS makes clear that leadership plays a critical role in establishing and overseeing robust AI risk management frameworks.

This is more than symbolic.

Historically, AI governance has often been fragmented across innovation teams, data science functions and model risk units. AIRG reframes AI risk as enterprise risk. Boards are expected to define AI risk appetite, embed AI into enterprise risk frameworks, ensure clear lines of accountability and, where risks are material, establish appropriate governance forums such as cross-functional AI risk committees.

For directors and senior executives, this raises fundamental strategic questions:

• Where is AI embedded in core business processes?
• Which AI systems materially affect customer outcomes or financial performance?
• What is our tolerance for model opacity, bias risk or automation risk?
• Do we have credible escalation and oversight mechanisms?

In effect, MAS is asking institutions to treat AI not as experimental innovation, but rather as a managed strategic capability.

The inventory imperative

One of the most operationally significant expectations under AIRG is the requirement for financial institutions to establish and maintain an accurate, up-to-date inventory of AI use cases, systems and models.

This requirement reflects a practical truth. AI cannot be governed if it cannot be seen.

In many organisations, AI capabilities have proliferated organically, embedded in vendor solutions, business unit tools, digital platforms and internal productivity applications. Without a consolidated view, institutions risk fragmented oversight and inconsistent controls.

Beyond simple identification, MAS expects financial institutions to assess the risk materiality of each AI use case. At a minimum, this assessment needs to consider:

• Impact, including financial, operational, customer and regulatory consequences
• Complexity, including model novelty and explainability challenges
• Reliance, including degree of autonomy and availability of human alternatives 

Higher-risk AI systems must be subject to more stringent controls.

This structured classification exercise is likely to be transformative. It often reveals shadow AI deployments, unclear ownership structures and inconsistent validation practices. More importantly, it establishes the foundation for proportionate governance, which is a central principle of AIRG.

Lifecycle governance, not point-in-time controls

Another highlight of the proposed Guidelines is the emphasis on end-to-end lifecycle controls.

AI risk is dynamic. Models evolve. Data drifts. Use cases expand. Generative AI systems may behave unpredictably under novel prompts. Governance frameworks that rely solely on pre-deployment checks are insufficient.

MAS expects institutions to implement controls that span the entire AI lifecycle, including:

• Data management, quality and security
• Fairness and bias mitigation
• Transparency and explainability standards
• Human oversight mechanisms
• Independent validation for higher-risk AI
• Ongoing monitoring and incident management
• Technology and cybersecurity safeguards
• Change management and safe decommissioning

The inclusion of elements such as adversarial testing, monitoring thresholds and kill switches highlights MAS’ recognition that AI risks can crystallise in real time.

The lifecycle approach defined in the AIRG aligns AI governance more closely with existing model risk management and technology risk disciplines, while extending them to address the distinct characteristics of generative and autonomous systems.

Proportionate but not optional

A notable strength of AIRG is its proportionate application framework.

Where AI is deeply embedded or mission-critical, full governance expectations apply. Where AI is used in a limited, assistive capacity (for example, drafting emails or summarising documents), financial institutions are subject to more basic policy requirements.

However, proportionate does not mean permissive.

Even assistive AI usage requires clear ownership, defined boundaries for acceptable use, human review protocols and approved tool governance. Given the rapid internal deployment of generative AI tools across many financial institutions, this clarification is timely.

The message from MAS is clear: All AI use in financial services requires governance. The intensity of control should match the level of risk.

Capability as a strategic differentiator

Beyond structural controls, MAS emphasises the importance of adequate skills, training and technological capacity to manage AI responsibly.

This is a critical point. AI governance cannot be sustained through policy documents alone and a “checklist” mindset. Institutions must invest in:

• Board and senior management education
• Cross-functional risk and compliance capability
• Technical validation expertise
• Robust infrastructure and cybersecurity resilience

As AI systems grow more sophisticated, so too must the capabilities required to oversee them. Institutions that fail to build internal understanding risk either over-constraining innovation or underestimating exposure.

From compliance exercise to strategic enabler

It would be easy to interpret AIRG as introducing another compliance obligation into an already complex regulatory environment. That would be a missed opportunity to view this as an opportunity for growth.

Strong AI governance enables rather than constrains innovation. Clear risk appetite statements empower responsible experimentation. Structured inventories allow institutions to scale high-value AI use cases confidently. Robust monitoring builds customer and regulatory trust.

AI governance, in fact, is now a leadership mandate.

Financial institutions stand at a pivotal moment. AI capabilities will continue to advance. Customer expectations will evolve. Regulatory scrutiny will intensify.

The institutions that succeed will not be those that retreat from AI innovation. They will be those that pair technological ambition and enablement with governance discipline, transforming AI from an experimental tool into a resilient, trusted and strategically governed capability.

Call to action

1. Conduct an AIRG readiness assessment: Establish a clear baseline of your current AI governance, controls and oversight against MAS expectations. Identify high-risk use cases such as GenAI and customer-facing AI that may require immediate attention.
2. Clarify governance and accountability: Ensure board and senior management ownership of AI risk. Define clear roles across the three lines of defence and formalise escalation and oversight structures for material AI initiatives.
3. Build a centralised AI inventory and risk materiality framework: Implement consistent AI identification criteria and develop a centralised inventory. Apply structured risk materiality assessments so that higher-impact AI systems receive proportionate controls.
4. Embed proportionate lifecycle controls: Strengthen controls across data governance, fairness and explainability. Ensure AI risks are monitored, documented and managed consistently across the full lifecycle.
5. Invest in capability and culture: Equip Boards, management and risk teams with the knowledge to oversee AI effectively. Foster a risk-aware culture that balances innovation with control and accountability.