
Methodology

How the AI Governance Readiness Assessment derives 193 requirements from 13 source instruments, classifies them across 6 regulatory tiers and 7 thematic domains, and produces a maturity rating for MAS-regulated private banks.

Updated May 2026

193 Requirements: discrete, deduplicated, severity-rated.
13 Source Instruments: MAS, IMDA, PDPC, ISO/IEC.
7 Domains: governance through monitoring.
6 Regulatory Tiers: Statutory through Assurance.

01 — Framework

Framework overview

The AI Governance Readiness Assessment is a structured self-assessment tool for MAS-regulated private banks, with a particular focus on private banking and wealth management. It evaluates an institution’s readiness against the complete landscape of AI governance expectations applicable in Singapore as of early 2026.

The register comprises 193 discrete requirements derived from 13 source instruments, classified across 6 regulatory tiers and 7 thematic domains. It deliberately spans the full hierarchy of regulatory authority — from MAS supervisory guidelines currently in force, through proposed consultation papers, to industry methodologies and international assurance standards. This forward-looking scope lets institutions assess not only their compliance with current binding expectations, but also their preparedness for requirements likely to crystallise as consultation papers are finalised and observed practices become formal expectations.

The assessment produces a maturity rating, a domain-by-domain compliance breakdown, and prioritised remediation guidance for each identified gap. Scoring is computed entirely in the browser; answers persist only in the browser's local storage. To produce a PDF report, the answers are transmitted once to a stateless serverless function that renders the PDF and immediately discards them; no assessment data is retained on any server. Two practical consequences follow. Local storage is bound to the browser profile on that device, is readable by any script running on the site's origin, and is not cleared when the tab closes, so answers entered on a shared or unmanaged workstation should be cleared after use. The downloaded PDF sits outside the tool's data-handling commitment and should be held under the institution's own document controls. See the privacy policy for the full data-handling commitment.

02 — Authority

Tiers & sources

Each source instrument is classified into one of 6 regulatory tiers, ordered by decreasing authority and enforceability. A gap against a SUPERVISORY requirement carries different implications than a gap against a METHODOLOGY requirement: the modal verb the regulator uses determines the response. Instruments are listed beneath the tier that defines them, together with the number of requirements each contributes.

STATUTORY: binding obligation ("shall" / "must"). 0 requirements.

Legally binding MAS Notices issued under the relevant Acts (e.g., Banking Act, Securities and Futures Act). Non-compliance may result in regulatory action, fines, or licence conditions.

Currently no AI-specific STATUTORY requirements. This tier is included for completeness and forward compatibility, as MAS may issue binding Notices on AI use in future.

SUPERVISORY: supervisory expectation ("should" / "is expected to"). 31 requirements.

MAS Guidelines and Circulars that set out supervisory expectations. While not legally binding per se, institutions are expected to comply and MAS will assess adherence during inspections and thematic reviews.

TRM Guidelines (January 2021) | In force | 13 reqs
Outsourcing Guidelines for Banks (December 2023) | In force | 8 reqs
CMG-G02 Digital Advisory Guidelines | In force | 7 reqs
Fair Dealing Guidelines (May 2024) | In force | 3 reqs

OBSERVED PRACTICE: observed good practice ("MAS has observed that…"). 16 requirements.

Good practices observed by MAS through thematic reviews, inspections, and industry engagement. Published as Information Papers, these describe what MAS has seen leading institutions do, without prescribing specific requirements.

MAS Information Paper on AI Model Risk Management | Published Dec 2024 | 16 reqs

CONSULTATION: proposed direction ("has proposed" / "may require"). 60 requirements.

Proposed guidance currently in public consultation. These represent MAS's likely direction of travel and institutions should begin planning for compliance, though final requirements may differ from consultation drafts.

P017 – Proposed Guidelines on AI Risk Management | Consultation (closed Jan 2026) | 58 reqs
P004 – Proposed Guidelines on Third-Party Risk Management | Consultation (closed Apr 2026) | 2 reqs

METHODOLOGY: recommended practice ("recommends" / "suggests"). 67 requirements.

Industry methodologies, frameworks, and guidance developed by regulatory-adjacent bodies, industry consortiums, or standards organisations. These provide practical implementation approaches that institutions can adopt or adapt.

MindForge Ops Handbook & Implementation Examples | Published Jan 2026 | 32 reqs
FEAT Principles (2018) | Published | 17 reqs
PDPA Advisory Guidelines (March 2024) | Published Mar 2024 | 11 reqs
Veritas Assessment Methodology | Published | 5 reqs
IMDA Model AI Governance Framework for Agentic AI | Published | 2 reqs

ASSURANCE: voluntary standard ("shall" within the standard's own scope). 19 requirements.

External assurance and certification standards that provide independent verification of AI governance maturity. Requirements within these standards use mandatory language, but adoption of the standard itself is voluntary.

ISO/IEC 42001:2023 – AI Management System | Published | 19 reqs

Counts sum to 193 across the 6 tiers. Each requirement is assigned to exactly one tier. A requirement that draws on more than one instrument is counted once, under the instrument whose tier it has been assigned to, so no requirement appears in two tiers' totals.

03 — Coverage

The seven domains

Every requirement is assigned to one of 7 thematic domains. Domains are the primary unit of reporting in the assessment results: maturity is computed per-domain, and gaps are remediated within the domain that owns them.

D1 · Model Governance & Validation (115 requirements)

Full AI model lifecycle: identification, risk classification, development, validation, deployment, monitoring, change, and decommissioning. Governance structure and committee oversight, validation independence, third-party model controls, and generative-AI safeguards. Drawn primarily from P017, the MAS AI MRM Information Paper, MindForge, and ISO/IEC 42001.

D2 · Data Governance & Privacy (15 requirements)

Personal data in AI systems: consent and notification, data protection impact assessments, privacy-by-design, anonymisation, training-data bias, and third-party data processing. PDPA Advisory Guidelines integrated with AI-specific data governance from P017 and MindForge.

D3 · Client-Facing AI & Suitability (14 requirements)

AI systems that interact with clients or influence client outcomes: robo-advisory, recommendation engines, chatbots, and automated suitability. Algorithm governance, fair dealing, customer transparency, and redress mechanisms. CMG-G02 Digital Advisory Guidelines and Fair Dealing Guidelines, supplemented by P017’s client-facing provisions.

D4 · Explainability & Fairness (11 requirements)

Responsible-AI principles: fairness definitions and metrics, protected-attribute handling, bias detection and mitigation, explainability proportionate to the use case, and agentic-AI governance. FEAT Principles operationalised through Veritas, with the IMDA Agentic AI Framework extending coverage to autonomous systems.

D5 · Outsourcing & Third-Party AI (12 requirements)

AI from external providers: cloud AI platforms, vendor model APIs, and outsourced AI development. Governance framework, due diligence, outsourcing agreements, concentration risk, and lifecycle management. The existing Outsourcing Guidelines for Banks plus P017’s third-party provisions and the proposed P004 (consultation closed April 2026, pending finalisation).

D6 · Operational Resilience & Cybersecurity (12 requirements)

Technology and security infrastructure for AI: IT governance and change management, access control, audit logging, incident response, and AI-specific cybersecurity threats (adversarial attacks, data poisoning, model extraction). TRM Guidelines as the baseline, supplemented by AI-specific operational resilience requirements in P017.

D7 · Governance Structure & Accountability (14 requirements)

Institutional governance architecture for AI: management system, risk appetite and tolerance, AI risk culture, operating model, and skills and capability across board, senior management, and operational layers. ISO/IEC 42001 provides the structural backbone, with P017 supplying governance-structure requirements that intersect every other domain.

Domain 1 carries 115 of the 193 requirements (roughly 60%), reflecting the depth of P017 and the MAS AI MRM Information Paper around the model lifecycle. The remaining 78 are distributed across the other 6 supporting domains.

04 — Logic

Response model & scoring

A four-option response model balances meaningful differentiation with the practical constraint of self-assessment accuracy. Institutions should select the option that most accurately reflects their current state, erring on the side of conservatism where there is genuine uncertainty.

A. Fully Implemented (scored as Compliant): documented, operationalised, and subject to regular review. Evidence is available for supervisory inspection.

B. Partially Implemented (scored as Partial): some elements in place, but gaps remain in coverage, documentation, or review cadence.

C. Not Implemented (scored as Gap): no evidence of policies, procedures, or controls, or existing controls are fundamentally inadequate to the regulatory expectation.

D. Not Applicable (Excluded from scoring): the requirement does not apply given the institution’s current AI use cases. The institution should be prepared to justify the exclusion if queried by supervisors.

Severity weighting

Each requirement is rated HIGH, MEDIUM, or LOW severity based on the regulatory tier of its source and the materiality of the control. A gap against a HIGH-severity SUPERVISORY requirement contributes more to the maturity score than a gap against a LOW-severity METHODOLOGY recommendation. Severity weights are listed in the requirement register and drive the structural-override clause described in the next section.

05 — Output

Maturity rating

Domain-level scores are aggregated into one of four maturity levels. Levels reflect the institution’s overall readiness posture and signal the appropriate management response — they are not a regulatory grade.

1. Critical Gaps (below 40%): material gaps in foundational controls, or any binding statutory requirement unaddressed, or three or more high-severity gaps. Remediation is a Board-level priority rather than an incremental compliance project.

2. Developing (40% to below 65%): core governance scaffolding is in place, but significant build-out remains across multiple domains. Sequenced investment, governance structure first, then risk materiality, then domain-specific remediation, outperforms parallel action.

3. Defined (65% to below 85%): coverage across all domains; targeted gaps remain in higher-severity requirements. Remediation deepens and connects existing capabilities rather than building new ones.

4. Established (85% and above): comprehensive coverage; remaining gaps are in lower-tier or lower-severity items. Next steps focus on optimisation: calibrating governance intensity to risk materiality, strengthening monitoring-to-validation feedback loops, and preparing for P017 finalisation.

A “Critical Gaps” rating overrides the percentage-band logic when any STATUTORY HIGH-severity requirement is unaddressed, or when three or more HIGH-severity gaps are present. Only a Not Implemented (C) response counts as a gap for this test; a Partially Implemented (B) response does not. An institution at 80% compliance with a single binding statutory failure is classified as Critical Gaps regardless. Because the STATUTORY tier currently holds no requirements, only the three-HIGH-gaps condition can fire against the present register; the statutory condition becomes live if MAS issues a binding Notice on AI use.
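The scoring logic of sections 04 and 05 in one place, as an added example that is not the assessment tool's own code (JavaScript because the page says scoring runs in the browser). The page does not publish the severity weights, how a Partially Implemented answer is credited, or how domain scores are combined into the overall figure, so the values HIGH 3 / MEDIUM 2 / LOW 1, half credit for option B, and pooling across all scored requirements are assumptions, as are the twelve constructed sample requirements and the function names.

```javascript
// Added example (not the tool's own code): scoring logic of sections 04 and 05.
// Weights, 0.5 credit for option B and pooled aggregation are assumptions, not page facts.

// Tiers in decreasing order of authority (section 02), used to order remediation.
const TIER_ORDER = ['STATUTORY', 'SUPERVISORY', 'OBSERVED_PRACTICE', 'CONSULTATION', 'METHODOLOGY', 'ASSURANCE'];

// Assumed severity weights; the real values live in the register, not on this page.
const SEVERITY_WEIGHT = { HIGH: 3, MEDIUM: 2, LOW: 1 };

// Credit per response: A Fully Implemented, B Partially Implemented (assumed 0.5),
// C Not Implemented. D (Not Applicable) is excluded from the denominator, not scored.
const RESPONSE_CREDIT = { A: 1, B: 0.5, C: 0 };

// Weighted compliance percentage for a set of requirements; null when every requirement
// in the set is marked D, so an all-N/A domain is not reported as 0%.
function scorePercent(requirements, answers) {
  let earned = 0;
  let possible = 0;
  for (const req of requirements) {
    const response = answers[req.id];
    if (response !== 'D' && !(response in RESPONSE_CREDIT)) {
      throw new Error(`requirement ${req.id}: missing or invalid response`);
    }
    if (response === 'D') continue;
    const weight = SEVERITY_WEIGHT[req.severity];
    possible += weight;
    earned += weight * RESPONSE_CREDIT[response];
  }
  return possible === 0 ? null : (100 * earned) / possible;
}

// Structural override (section 05): an unaddressed STATUTORY HIGH requirement, or three or
// more HIGH-severity gaps, forces Critical Gaps whatever the percentage. Only option C is a gap.
function criticalOverride(requirements, answers) {
  let highGaps = 0;
  for (const req of requirements) {
    if (answers[req.id] !== 'C' || req.severity !== 'HIGH') continue;
    if (req.tier === 'STATUTORY') return true;
    highGaps += 1;
  }
  return highGaps >= 3;
}

// Percentage bands, lower bound inclusive: 40.0 is Developing, 85.0 is Established.
function bandFor(percent) {
  if (percent < 40) return 'Critical Gaps';
  if (percent < 65) return 'Developing';
  if (percent < 85) return 'Defined';
  return 'Established';
}

// Gaps ordered for remediation: highest-authority tier first, then highest severity.
function prioritiseGaps(requirements, answers) {
  return requirements
    .filter((req) => answers[req.id] === 'C')
    .sort((a, b) => TIER_ORDER.indexOf(a.tier) - TIER_ORDER.indexOf(b.tier)
      || SEVERITY_WEIGHT[b.severity] - SEVERITY_WEIGHT[a.severity])
    .map((req) => req.id);
}

// Full assessment: per-domain scores, an overall score pooled over every scored
// requirement (assumed aggregation), the override flag and the resulting rating.
function assess(register, answers) {
  const byDomain = {};
  for (const req of register) (byDomain[req.domain] = byDomain[req.domain] || []).push(req);
  const domainScores = {};
  for (const [domain, reqs] of Object.entries(byDomain)) domainScores[domain] = scorePercent(reqs, answers);
  const overall = scorePercent(register, answers);
  const override = criticalOverride(register, answers);
  const rating = override ? 'Critical Gaps' : overall === null ? 'Not scored' : bandFor(overall);
  return { domainScores, overall, override, rating, remediation: prioritiseGaps(register, answers) };
}

// Constructed sample register: ids, domains, tiers and severities are invented for
// illustration and are not entries from the real 193-requirement register.
const SAMPLE_REGISTER = [
  { id: 'r1',  domain: 'D1', tier: 'CONSULTATION',      severity: 'HIGH' },
  { id: 'r2',  domain: 'D1', tier: 'OBSERVED_PRACTICE', severity: 'HIGH' },
  { id: 'r3',  domain: 'D1', tier: 'METHODOLOGY',       severity: 'HIGH' },
  { id: 'r4',  domain: 'D1', tier: 'CONSULTATION',      severity: 'MEDIUM' },
  { id: 'r5',  domain: 'D1', tier: 'ASSURANCE',         severity: 'LOW' },
  { id: 'r6',  domain: 'D2', tier: 'METHODOLOGY',       severity: 'MEDIUM' },
  { id: 'r7',  domain: 'D2', tier: 'METHODOLOGY',       severity: 'LOW' },
  { id: 'r8',  domain: 'D3', tier: 'SUPERVISORY',       severity: 'HIGH' },
  { id: 'r9',  domain: 'D5', tier: 'SUPERVISORY',       severity: 'MEDIUM' },
  { id: 'r10', domain: 'D6', tier: 'SUPERVISORY',       severity: 'LOW' },
  { id: 'r11', domain: 'D7', tier: 'CONSULTATION',      severity: 'HIGH' },
  { id: 'r12', domain: 'D7', tier: 'ASSURANCE',         severity: 'MEDIUM' },
];

// Constructed answers: one partial (r4), one N/A (r10), one HIGH gap (r11): 84%, Defined.
const SAMPLE_ANSWERS = {
  r1: 'A', r2: 'A', r3: 'A', r4: 'B', r5: 'A', r6: 'A',
  r7: 'A', r8: 'A', r9: 'A', r10: 'D', r11: 'C', r12: 'A',
};

// Three HIGH gaps instead: 65.4% would be Defined, but the override forces Critical Gaps.
const OVERRIDE_ANSWERS = { ...SAMPLE_ANSWERS, r1: 'C', r2: 'C', r3: 'C', r4: 'A', r10: 'A', r11: 'A' };

console.log(assess(SAMPLE_REGISTER, SAMPLE_ANSWERS), assess(SAMPLE_REGISTER, OVERRIDE_ANSWERS));
```

The second scenario is the point of the override clause: three HIGH gaps leave the institution at 65.4%, inside the Defined band, yet the rating is Critical Gaps, and the remediation list orders those three gaps by tier authority (observed practice before consultation before methodology). The all-N/A domain D6 comes back as null rather than 0%, which matters because a 0% would otherwise drag a pooled or averaged score down for requirements the institution has declared out of scope. A production implementation would replace the assumed weights with the register's own values and would expect D responses to be justified, as section 04 requires.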

06 — Caveats

Limitations

The assessment provides an indicative view of AI governance readiness. The following limitations should be considered when interpreting results.

Self-assessment bias
Self-assessments are subject to optimism bias, knowledge gaps, and inconsistent interpretation. Results should be validated through independent review or internal audit where material decisions depend on the outcome.
Point-in-time snapshot
The assessment captures the institution’s posture at a single moment. Periodic re-assessment is recommended, particularly following material changes in AI deployment, regulatory updates, or organisational restructuring.
Not legal advice
This tool does not constitute legal, regulatory, or compliance advice. Results are not a substitute for professional legal counsel or formal regulatory gap analysis.
Scope
The framework is calibrated to MAS-regulated private banks, with primary focus on private banking and wealth management. Application to other jurisdictions or sectors requires adaptation of the source register.
Consultation-stage requirements
A material portion of the register (60 of 193) derives from instruments at consultation stage (P017 and P004). Both consultations have closed and the guidelines are pending finalisation by MAS; final published text may differ from the consultation drafts.