Chapter 1: Regulatory Overview
1.1 The Singapore Approach to AI Regulation
Singapore does not have a comprehensive AI-specific statute. As of June 2026, the city-state governs artificial intelligence through a deliberate combination of voluntary governance frameworks, an established personal data protection law (the Personal Data Protection Act 2012), sector-specific regulatory guidance, and open-source testing toolkits. This is not a regulatory gap. It is a policy choice. Singapore has explicitly positioned itself as an AI governance innovation hub that attracts investment and talent by offering structured, business-friendly guidance rather than prescriptive legislation.
The approach is sometimes described as "governance-by-design" — embedding responsible AI principles into development and deployment workflows through detailed frameworks and practical tools, rather than imposing top-down statutory obligations with penal consequences. The result is a regulatory environment that demands compliance with personal data protection law while offering voluntary but highly influential governance frameworks that most serious market participants adopt as a matter of commercial necessity and reputational prudence.
1.2 Key Regulatory Bodies
Infocomm Media Development Authority (IMDA): The primary government agency responsible for AI governance policy in Singapore. IMDA developed the Model AI Governance Framework (versions 1 and 2) and co-led the development of the Model AI Governance Framework for Generative AI (2024) and the Agentic AI Governance Framework (January 2026). IMDA also oversees the AI Verify Foundation and the broader National AI Strategy.
Personal Data Protection Commission (PDPC): Established under the Personal Data Protection Act 2012 and operating as part of IMDA. The PDPC enforces Singapore's data protection law, issues enforcement decisions, publishes advisory guidelines on data-related AI use, and imposes financial penalties for data protection violations. The PDPC published the Advisory Guidelines on Use of Personal Data in AI Recommendation and Decision Systems in 2024.
AI Verify Foundation: Launched in June 2023, the AI Verify Foundation is an industry-led initiative supported by IMDA. It manages AI Verify, Singapore's open-source AI governance testing framework and software toolkit. The Foundation brings together over 70 member organisations globally to develop testing standards for AI systems. AI Verify enables organisations to conduct technical testing against internationally recognised AI governance principles.
Smart Nation Group (SNG): Formerly the Smart Nation and Digital Government Office (SNDGO). Oversees Singapore's national digitalisation strategy, including AI deployment across government. The National AI Strategy 2.0 (December 2023) falls under SNG's coordination.
Government Technology Agency (GovTech): The technology arm of the Singapore government. Develops and deploys AI systems for public services. GovTech operates under internal AI governance standards and publishes guidance on responsible AI use in government.
Monetary Authority of Singapore (MAS): The central bank and financial regulator. MAS issued the Fairness, Ethics, Accountability, and Transparency (FEAT) Principles for AI in financial services (2018, updated 2022) and leads the Veritas initiative, a collaborative framework for validating AI and data analytics solutions in the financial sector.
Ministry of Health (MOH) and Health Sciences Authority (HSA): MOH provides policy guidance on AI in healthcare. HSA regulates AI-based medical devices as Software as a Medical Device (SaMD) under the Health Products Act.
Competition and Consumer Commission of Singapore (CCCS): Enforces the Consumer Protection (Fair Trading) Act and the Competition Act 2004, both of which may apply to AI-related commercial conduct.
1.3 Timeline of Key Developments
| Date | Development |
|---|---|
| 2012 | Personal Data Protection Act enacted (No. 26 of 2012) |
| January 2, 2013 | PDPA data protection provisions take effect |
| November 2018 | MAS FEAT Principles published (AI in finance) |
| January 2019 | Model AI Governance Framework v1 published (IMDA) |
| January 2020 | Model AI Governance Framework v2 published (IMDA) |
| December 2020 | PDPA amendments enacted (consent framework reform, mandatory breach notification, financial penalties increase) |
| February 1, 2021 | PDPA amendments take effect (enhanced enforcement powers, breach notification, data portability) |
| January 2022 | AI Verify testing toolkit announced |
| June 2023 | AI Verify Foundation launched (open-source AI governance testing) |
| November 2023 | National AI Strategy 2.0 released |
| December 2023 | Bletchley Declaration signed by Singapore |
| June 2024 | Model AI Governance Framework for Generative AI published (IMDA + AI Verify Foundation) |
| 2024 | PDPC Advisory Guidelines on Use of Personal Data in AI Recommendation and Decision Systems published |
| January 2026 | Agentic AI Governance Framework published (world-first framework for autonomous AI agents) |
1.4 Key Legislation and Frameworks Affecting AI
| Law or Framework | AI Relevance |
|---|---|
| Personal Data Protection Act 2012 (No. 26 of 2012) | Personal data processing obligations for all AI systems handling personal data |
| Model AI Governance Framework v2 (2020, IMDA) | Voluntary governance principles: internal governance, risk management, stakeholder communication, human oversight |
| Model AI Governance Framework for Generative AI (2024) | 9 dimensions of governance for generative AI systems |
| Agentic AI Governance Framework (January 2026) | Governance for autonomous AI agents operating with limited human oversight |
| MAS FEAT Principles (2018, updated 2022) | AI governance in financial services |
| Consumer Protection (Fair Trading) Act (Cap. 52A) | Protection against unfair AI-related commercial practices |
| Competition Act 2004 (No. 46 of 2004) | Competition law applicable to AI market conduct |
| Protection from Online Falsehoods and Manipulation Act 2019 (No. 18 of 2019) | AI-generated disinformation and falsehoods |
| Computer Misuse Act 1993 (Cap. 50A) | Unauthorised access and cybercrimes involving AI systems |
| Health Products Act (Cap. 122D) | AI-based medical devices (SaMD) |
| Cybersecurity Act 2018 (No. 9 of 2018) | AI systems in critical information infrastructure |
Want to monitor your AI compliance automatically? Try AIOS — your AI compliance OS. https://mmoww.net/ai/app/
Quick Decision Matrix
Use this matrix to determine your AI compliance obligations.
| Your Situation | Risk Level | Priority Action | Go To |
|---|---|---|---|
| Deploying AI that affects employment decisions | High | Impact assessment required | Chapter 3 |
| Using AI for customer-facing services | Medium-High | Transparency obligations apply | Chapter 4 |
| Internal AI tools (analytics, automation) | Medium | Document and monitor | Chapter 5 |
| AI in regulated sector (finance, health) | High | Sector-specific rules apply | Chapter 3 |
| Procuring AI from third-party vendor | Medium | Vendor due diligence needed | Chapter 5 |
| Just exploring AI for the first time | Low | Start with governance framework | Chapter 2 |
5-second answer: If your AI system makes decisions that affect people, you have compliance obligations. Start with Chapter 2 for the regulatory framework, then Chapter 3 for your specific obligations.