From AI Principles to Audit Evidence: What MAS Project MindForge Means for Financial Firms

Published: at 12:00 AM

For years, financial firms have been comfortable saying the right things about responsible AI.

Fairness. Ethics. Accountability. Transparency. Human oversight. Explainability. Strong words, usually presented in polished governance decks. The problem is that supervisors do not audit adjectives. They audit evidence.

That is why MAS Project MindForge matters.

On 20 March 2026, the Monetary Authority of Singapore announced the conclusion of phase two of Project MindForge and the publication of an AI Risk Management Toolkit for the financial services sector. The toolkit was developed with a consortium of 24 banks, insurers, capital market firms, and other industry partners. It covers traditional AI, generative AI, and emerging agentic AI technologies.

The hard truth is that this is not just another thought-leadership document. It is a bridge between principle and proof.

Why MindForge Is Different

The financial sector does not lack AI principles. Singapore has long had the FEAT principles: fairness, ethics, accountability, and transparency. Many banks already have model risk policies, technology risk controls, outsourcing governance, data policies, and risk committees. The gap is not language. The gap is operationalisation.

The MindForge toolkit is important because it pushes financial institutions to show how AI risk management works in practice. Its centrepiece is the AI Risk Management Operationalisation Handbook, supported by a supplement of AI case studies documenting lessons from financial institutions.

MAS says the handbook is organised into four sections aligned with its proposed Guidelines on AI Risk Management: scope and oversight, AI risk management, AI lifecycle management, and enablers. That structure is useful because it forces leaders to connect the boardroom, the risk function, technology delivery, and frontline business use.

I once advised a regional bank where AI governance looked mature until we asked for evidence. The policy existed. The committee existed. The use-case register was incomplete. The validation reports sat in different folders. Some vendor AI features had entered production through SaaS upgrades rather than formal model onboarding. Nobody was reckless. The control model simply did not match the speed of AI adoption.

MindForge speaks directly to that problem.

The Four Pillars That Matter

The first pillar, scope and oversight, is about who owns AI risk. This is where boards and senior management need more than passive awareness. They need clear roles, reporting lines, approval rights, escalation paths, and evidence that AI risk is integrated into normal governance.

The second pillar, AI risk management, is where many firms will feel the operational pain. MAS points to identification of AI usage, risk materiality assessment, and AI inventorisation through systems, policies, and procedures. In plain English: know where AI is used, classify how risky it is, and keep that inventory current.

The third pillar, AI lifecycle management, turns governance into delivery discipline. Controls must cover the AI lifecycle, from use-case approval and data preparation to testing, deployment, monitoring, change management, and retirement. A chatbot, credit model, fraud tool, document summariser, and agentic workflow should not all receive the same control intensity, but each needs a lifecycle.

The fourth pillar, enablers, is the one executives often underestimate. Responsible AI needs people, infrastructure, tooling, documentation, and training. A policy without capability is a museum exhibit.

Frankly, this is where the P&L conversation becomes real. Compliance uplift costs money. But the alternative is worse: fragmented AI, duplicated controls, slow approvals, audit surprises, and business teams quietly using unmanaged AI because the official process is too slow.

Inventory Is the New Control Point

Every serious AI governance programme starts with a boring question: what AI do we actually use?

Most firms struggle to answer it. Some use cases are formal models. Some are embedded inside vendor platforms. Some are spreadsheet macros with machine learning logic. Some are generative AI pilots in business units. Some are customer-facing systems. Some are internal productivity tools. Some are agentic workflows that can take action across systems.

That is why AI inventory is not clerical work. It is the control point.

The proposed MAS AI Risk Management Guidelines, issued for consultation in November 2025, are intended to apply to all financial institutions and set supervisory expectations around oversight, risk management systems, lifecycle controls, and organisational capabilities. The practical requirement is clear: firms need a structured view of AI usage and risk materiality.

I have seen the inventory problem in insurance, banking, and wealth management. The first pass always misses things. Marketing has a segmentation model. Operations has an automation that scores exception cases. HR has an AI screening tool. A SaaS provider quietly adds AI-assisted drafting. The risk team is not blind. The enterprise is simply more AI-enabled than its governance map admits.

The bottom line: if the inventory is weak, everything downstream is theatre.

Risk Tiers Should Drive the Work

Not every AI system deserves the same controls. A low-risk internal meeting summariser should not go through the same review as a credit decisioning system. But the reverse mistake is more dangerous: treating all AI as harmless productivity tooling until it touches customers, money, or regulated decisions.

Risk tiers should be based on business impact, customer harm, operational criticality, complexity, reliance, data sensitivity, explainability needs, third-party dependency, and autonomy. Agentic AI deserves special attention because the system can act, not merely advise.

MAS explicitly says the toolkit covers traditional AI, generative AI, and emerging agentic AI technologies. That matters. Agentic systems create a different control problem because they may chain steps, call tools, use live data, and trigger actions across systems.

For a CIO, this changes the funding model. The firm does not need one giant AI approval queue. It needs a risk-tiered operating model. Low-risk use cases move quickly with standard controls. Medium-risk use cases need documented review and monitoring. High-risk use cases need independent validation, stronger explainability, named owners, incident playbooks, and board-visible reporting.

Lifecycle Evidence Beats Policy Statements

The phrase “AI lifecycle management” sounds technical, but it is really about evidence.

Can the firm prove why the use case was approved? Can it show what data was used? Can it document testing and validation? Can it explain the human oversight model? Can it show monitoring results? Can it prove when the model, prompt, vendor configuration, or agent workflow changed? Can it retire or roll back the system if performance deteriorates?

That is the difference between an AI principle and an audit-ready control.

In one financial services programme, the breakthrough came when we stopped writing policy prose and started building evidence packs. Each high-risk AI use case had an owner, purpose statement, data lineage note, risk tier, test summary, approval record, monitoring dashboard, known limitations, and incident path. It was not glamorous. It made governance real.

MindForge should push firms in that direction. The handbook and case studies are useful precisely because they help teams convert abstract expectations into implementation artefacts.

The Board Needs a Different AI Report

Boards do not need every model detail. They do need a clear view of AI risk posture.

A useful board report should show the AI inventory by risk tier, material use cases, high-risk changes, incidents and near misses, third-party AI dependencies, unresolved exceptions, validation status, customer-impacting systems, and gaps in capability. It should also show whether the firm is using AI to create business value, not merely adding compliance overhead.

This is where financial firms need discipline. AI risk reporting should not become a monthly parade of pilot announcements. It should answer three questions.

The smartest CIOs and CROs will treat MindForge as a board-education opportunity. It gives them a regulator-aligned vocabulary for explaining why AI governance needs investment in inventory tooling, monitoring, validation, third-party review, and staff capability.

The APAC Signal

Singapore often sets a practical tone for financial technology governance in APAC. MindForge is another example of that style: collaborative, industry-informed, and focused on implementation rather than grandstanding.

The toolkit is guidance rather than a finalised rulebook, but financial institutions should not confuse that with a lack of supervisory significance. MAS says it is reviewing responses to its earlier consultation on AI Risk Management Guidelines. It also says the Operationalisation Handbook will be periodically updated as industry AI use matures and to reflect MAS’ supervisory expectations. MAS will establish an AI risk management workgroup under BuildFin.ai to develop implementation resources, facilitate knowledge sharing, and build capabilities for newer AI technologies such as agentic AI.

That is a clear direction of travel. Supervisory expectations are moving from “do you have AI principles?” to “show me how AI risk is managed”.

For regional firms, the lesson is broader than Singapore compliance. AI governance fragmentation is becoming a strategic cost. Different markets, regulators, and business units will not wait for perfect global harmonisation. APAC leaders need a baseline they can standardise now.

What Financial Firms Should Do Now

The immediate priority is not to create another AI committee. It is to connect governance to evidence.

Start by refreshing the AI inventory. Include traditional models, generative AI tools, embedded vendor AI, pilots, agentic workflows, and material third-party dependencies. Then assign risk tiers using consistent criteria. Next, map lifecycle evidence for high-risk and customer-impacting use cases. Identify missing validation, weak monitoring, unclear ownership, and undocumented third-party controls.

After that, build the management rhythm. Review high-risk AI monthly. Report board-level AI risk quarterly. Track incidents, near misses, overrides, model drift, vendor changes, and unresolved exceptions. Train business owners to understand that AI governance is not a technology tax. It is the licence to scale AI safely.

The firms that move early will not be the slow, cautious ones. They will be the ones that can approve good AI faster because they know what evidence is needed. The firms that wait will find themselves stuck between business pressure to adopt AI and supervisory pressure to prove control.

MindForge is a warning and an opportunity. It warns financial firms that AI governance by slogan is finished. It offers them a practical path to turn responsible AI into auditable execution. In finance, that is where trust is built: not in the principle, but in the proof.

