Audience: AI engineering teams, compliance officers, and governance leads deploying agentic AI systems in Singapore, ASEAN, or for organizations subject to IMDA guidance. Also relevant for MAS-regulated financial institutions using AI agents.
IMDA MGF for Agentic AI v1.5 published May 20, 2026. Voluntary framework, but referenced by MAS (Monetary Authority of Singapore) and sectoral regulators. Over 60 organizations contributed to v1.5, including Tencent, Google, AWS, DBS, OCBC, PwC, GovTech, and Workday. This is the world's first government-issued governance framework specifically designed for AI agents that plan, call tools, and act over multiple steps.
1. What the IMDA Framework Requires
The IMDA Model AI Governance Framework for Agentic AI (MGF) is a 51-page practical guide that addresses AI systems capable of autonomous planning, reasoning, tool calling, and multi-step execution. Unlike high-level principle documents, the MGF provides specific governance requirements across four dimensions.
The Four Dimensions
| Dimension | Focus | Key Requirements |
|---|---|---|
| D1: Risk Assessment | Assess and bound risks upfront | Impact analysis (domain, data access, external systems, reversibility). Likelihood assessment (autonomy level, complexity, exposure to external inputs). Tiered risk approach. |
| D2: Human Accountability | Make humans meaningfully accountable | Clear ownership chains for agent actions. Escalation mechanisms. Meaningful oversight (not rubber-stamp approval). Automation bias mitigation. |
| D3: Technical Controls | Implement controls and processes | Structural, rule-based, and prompt-layer controls. Tool access governance. Logging and monitoring. Multi-agent coordination safeguards. |
| D4: End-User Responsibility | Enable informed end-user decisions | Transparency about agent capabilities and limitations. Disclosure when interacting with AI agents. User control over agent scope. |
What Makes This Framework Unique
The MGF explicitly addresses challenges that generic AI governance frameworks do not:
- Agent sprawl: Uncontrolled proliferation of agents across an organization
- Miscoordination: Multiple agents working at cross purposes
- Conflict: Agents with incompatible objectives sharing resources
- Collusion: Agents optimizing together in ways that circumvent intended constraints
- Emergent behaviors: Unexpected capabilities arising from multi-agent interactions
The framework covers three multi-agent architectures: sequential (pipeline), supervisor (orchestrator-worker), and swarm (peer-to-peer). SWT3 chain witnessing provides cryptographic evidence across all three patterns.
2. Four-Dimension Crosswalk to SWT3
| IMDA Dimension | Requirement | SWT3 Procedure | Evidence Produced |
|---|---|---|---|
| D1: Risk Assessment | Risk bounding | AI-GRD.1 | Guardrail evaluation verdict per inference |
| Guardrail policy enforcement | AI-GRD.2, AI-GRD.3 | Policy version binding, violation recording | |
| Fairness and bias assessment | AI-FAIR.1, AI-FAIR.2 | Bias metric attestation per model | |
| D2: Human Accountability | Agent identity tracking | AI-ID.1 | Agent identity bound to every witness anchor |
| Human oversight attestation | AI-HITL.1, AI-HITL.2 | Human-in-the-loop verification evidence | |
| Authorization gates | AI-ACC.1 | Pre-inference authorization attestation | |
| D3: Technical Controls | Tool call governance | AI-TOOL.1, AI-TOOL.2 | Per-tool-call witness anchor with permission verification |
| Inference logging | AI-INF.1 | SHA-256 fingerprinted inference record | |
| Multi-agent chain tracing | AI-CHAIN.1 | Cycle ID linking all anchors in a decision chain | |
| Model drift monitoring | AI-DRIFT.1 | Drift detection attestation | |
| Revocation capability | AI-REV.1 | Anchor revocation with reason codes | |
| D4: End-User Responsibility | Transparency and explainability | AI-EXPL.1, AI-TRANS.1 | Transparency attestation per interaction |
| Consent management | AI-CONSENT.1 | Consent verification attestation | |
| Content watermarking | AI-MARK.1 | AI-generated content marking verification |
3. Multi-Agent Chain Witnessing
The IMDA framework's coverage of multi-agent architectures maps directly to SWT3's chain witnessing capability. Every node in a multi-agent decision chain receives its own witness anchor, linked by a shared cycle_id.
How It Maps to IMDA D3 (Technical Controls)
When an orchestrator agent delegates work to sub-agents, each step produces a witness anchor. The cycle_id field links all anchors in the chain. Auditors can reconstruct the full decision lineage: which agent acted, what tools were called, what model was used, and whether any policy violations occurred.
The SWT3 auditor portal visualizes these chains as a "subway map" -- a swimlane diagram showing human intent, orchestrator decisions, and worker/tool execution with color-coded nodes for PASS, FAIL, and policy violations.
Each node in the chain carries: agent ID, model ID, clearing level, tool name (if applicable), policy violations (if any), and an SWT3 anchor. The chain is cryptographically verifiable end-to-end. No node can be inserted, removed, or modified after witnessing.
Architecture Coverage
| IMDA Architecture | SWT3 Evidence Pattern |
|---|---|
| Sequential (pipeline) | Linear chain of anchors with sequential timestamps. Each step inherits the cycle_id from the previous step. |
| Supervisor (orchestrator-worker) | Orchestrator anchor at the start, worker anchors branching off, orchestrator anchor at the end. The agent_id field distinguishes orchestrator from workers. |
| Swarm (peer-to-peer) | Multiple agents with the same cycle_id but different agent_ids. Trust Mesh credentials verify each agent's identity before data exchange. |
4. Tool Call Governance
The IMDA framework emphasizes tool access governance as a core technical control. SWT3 provides two procedures for tool witnessing:
Per-Tool-Call Evidence
Every tool call executed by an AI agent generates a witness anchor recording: the tool name, the calling agent, the model used, the clearing level, and the verdict. If the tool call violates policy (e.g., accessing a restricted database, exceeding scope), the violation is recorded in the anchor's observations field.
Pre-Execution Authorization
Before a tool is executed, the permission verification procedure checks whether the agent has authorization for that tool at the current clearing level. The verification result is witnessed regardless of outcome -- both grants and denials create evidence.
The framework distinguishes between structural controls (architecture-level), rule-based controls (policy enforcement), and prompt-layer controls (instruction-level). SWT3 tool witnessing operates at the rule-based control layer -- it records what happened and whether it matched policy. Structural and prompt-layer controls are the deployer's responsibility; SWT3 witnesses the outcome.
5. Trust Mesh for Agent-to-Agent Verification
The IMDA framework identifies agent-to-agent trust as a key challenge in multi-agent systems. Trust Mesh is SWT3's mutual verification protocol: before two agents exchange data, each presents a cryptographic credential proving its compliance posture, clearing level, and jurisdiction.
How Trust Mesh Addresses IMDA Risks
| IMDA Risk | Trust Mesh Response |
|---|---|
| Agent sprawl | Every agent must present a valid credential. Unregistered agents cannot participate in the mesh. |
| Miscoordination | Policy requirements are declared before data flows. If requirements conflict, the exchange is blocked and the blocked attempt is witnessed. |
| Collusion | Every agent-to-agent exchange is independently witnessed. Coordinated behavior that violates policy produces detectable patterns in the audit trail. |
| Emergent behaviors | Chain witnessing captures the full interaction sequence. Unexpected behavior produces anomalous anchor patterns (drift detection). |
6. Clearing Levels for Cross-Border Compliance
Singapore's position as a cross-border data hub creates unique compliance requirements. The IMDA framework applies alongside PDPA (Personal Data Protection Act) and sector-specific regulations (MAS guidelines for financial institutions, HSA for healthcare).
SWT3 clearing levels control what metadata survives the witness process:
| Level | Content Retained | Singapore Use Case |
|---|---|---|
| L0 Analytics | Full context: hashes, factors, model ID, provider, guardrails | Internal R&D, pre-deployment testing |
| L1 Standard | Hashes and factors only. No raw prompts or responses. | Production deployments, MAS-regulated systems |
| L2 Sensitive | Hashes, factors, model ID only. No provider metadata. | Healthcare AI (HSA), PII-heavy workloads under PDPA |
| L3 Classified | Numeric factors only. Model ID hashed. Zero metadata. | Government systems (GovTech), defense applications |
Clearing levels are embedded in every witness anchor. Cross-border data transfers can use higher clearing levels to strip metadata before evidence leaves Singapore jurisdiction, while retaining the cryptographic proof that governance controls were active.
7. Implementation Path
The singapore-imda profile pre-configures clearing level defaults, jurisdiction metadata (SG), and enables chain witnessing for multi-agent deployments. All witness anchors include jurisdiction and legal basis fields that survive all clearing levels.
For organizations already using the SDK, IMDA compliance evidence is generated automatically. No code changes are required beyond setting the profile. The crosswalk mapping above shows which SWT3 procedures produce evidence for each IMDA dimension.
Every witness anchor can be independently verified at sovereign.tenova.io/verify using only the anchor string. No API keys, no vendor access. SHA-256 runs locally.