Thursday, May 21, 2026

Singapore’s agentic AI framework gives government a practical path forward

Singapore’s Infocomm Media Development Authority has released version 1.5 of its Model AI Governance Framework for Agentic AI, and it deserves close attention from Australian public sector agencies.

The framework recognises a shift already underway. AI systems are moving from content generation into task execution. IMDA describes agentic AI as systems that can take actions, adapt to new information and interact with other agents and systems to complete tasks on behalf of people. Current uses include coding assistants, customer service agents and enterprise workflow automation.

That makes agentic AI highly relevant to government.

Agencies are full of multi-step work. Checking documents. Finding policy. Testing forms. Preparing correspondence. Routing requests. Summarising submissions. Comparing supplier responses. Supporting call centre staff. Helping people find services. Moving information between systems.

Many of these tasks are repetitive and fragmented. They also require context and a working knowledge of how government operates.

Agentic AI could help public servants spend less time navigating systems and more time solving problems. It could improve digital service testing, support better service navigation, reduce manual rework and make internal knowledge easier to use.

The opportunity is real. It needs serious treatment.

A practical framework

The strongest feature of Singapore’s framework is its practicality.

It looks at how agentic systems are built and operated. It identifies core components such as models, instructions, memory, planning and reasoning, tools, protocols, controls, logging and monitoring.

That gives agencies a useful checklist.

Sometimes government technology governance starts with broad principles, then jumps to procurement and compliance. Delivery teams are left to fill in the operational detail themselves. This framework helps close that gap.

It prompts agencies to ask: what tools does the agent use, what systems does it touch, what data can it access, what does it remember, how is activity logged and what controls are built in?

Those questions matter as much for delivery teams as they do for executives approving wider use.

Action-space and autonomy

The framework’s use of action-space and autonomy is particularly useful.

Action-space is the range of actions an agent can take, including transactions it can execute, based on its tools and permissions. Autonomy is the degree to which the agent can decide how to act towards a goal.

This gives agencies a better way to assess agentic AI use cases.

An internal research agent with access to approved public information has a small action-space. A coding agent that can edit files, run commands and connect to repositories has a larger one. A workflow agent connected to business systems, records and external APIs has a broader operational footprint again.

The same applies to autonomy. An agent following a fixed process creates a different profile from one given a broad goal and wide freedom to determine the steps.

This distinction can help agencies avoid treating all agents the same. Some will be simple assistants. Others will sit inside operational workflows. They need different levels of governance rather than a one-size-fits-all approach (which I've seen all too many times).

Controls need to be built in

The framework is also strong on bounding risks early.

IMDA recommends limiting access to tools and systems, using identity and access controls, making agent actions traceable and controllable, and assessing whether a use case is suitable before deployment.

Public sector agencies already operate with delegations, approvals, permissions, information classifications, privacy obligations, cyber controls and audit requirements. Agentic AI makes these controls even more important, and can be used to support their implementation equitably.

It also recommends stronger system-level controls for higher-risk actions, such as preventing certain tools from being called, limiting tools to read-only access, or building required steps into the workflow. This helps agencies right-size controls to the actions they govern, which is essential in risk management processes.

Prompts, training and guidance can all help with this. However, access permissions, whitelists, sandboxes, logs, approval gates, rate limits and monitoring carry more weight in production environments.
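As an added illustration (not code from the IMDA framework or from this post), the system-level controls listed above can sit in one enforcement point between the agent and its tools. The tool names, agent identity and policy table here are hypothetical.

```python
import json
import time
from dataclasses import dataclass, field

# Hypothetical policy table: tool name -> constraints. Unlisted tools are denied.
POLICY = {
    "search_policy_docs": {"mode": "read", "approval": False, "max_per_min": 30},
    "update_case_record": {"mode": "write", "approval": True, "max_per_min": 5},
}

@dataclass
class ToolGate:
    agent_id: str
    read_only: bool = False  # deployment-wide switch that blocks every write tool
    audit: list = field(default_factory=list)
    _calls: dict = field(default_factory=dict)

    def authorize(self, tool, args, approved_by=None, now=None):
        """Return (allowed, reason); append one audit record per decision."""
        now = time.time() if now is None else now
        rule = POLICY.get(tool)
        if rule is None:
            decision = (False, "tool_not_allowlisted")
        elif self.read_only and rule["mode"] != "read":
            decision = (False, "read_only_deployment")
        elif rule["approval"] and not approved_by:
            decision = (False, "human_approval_required")
        else:
            recent = [t for t in self._calls.get(tool, []) if now - t < 60]
            if len(recent) >= rule["max_per_min"]:
                decision = (False, "rate_limited")
            else:
                self._calls[tool] = recent + [now]
                decision = (True, "ok")
        self.audit.append(json.dumps({
            "ts": now, "agent": self.agent_id, "tool": tool,
            "args": sorted(args),  # argument names only, never values
            "approved_by": approved_by,
            "allowed": decision[0], "reason": decision[1],
        }))
        return decision

def demo():
    gate = ToolGate(agent_id="svc-agent-01")  # constructed identity
    results = [
        gate.authorize("search_policy_docs", {"q": "leave policy"}, now=0.0),
        gate.authorize("delete_records", {"id": 7}, now=1.0),
        gate.authorize("update_case_record", {"id": 7}, now=2.0),
        gate.authorize("update_case_record", {"id": 7}, approved_by="officer-a", now=3.0),
    ]
    return results, gate.audit
```

Denied calls are logged as well as allowed ones, so the audit trail shows what the agent attempted, not only what it did.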

Testing and monitoring

The framework provides a sensible approach leading into deployment.

It recommends testing agents for task execution, policy adherence and tool-use accuracy before release, then rolling them out gradually with continuous monitoring. It also highlights change management and version control, recognising that changes in one part of an agentic system can have wider impacts across connected workflows.

It suggests that agencies should start their agentic journeys by looking at bounded internal uses such as coding support, service testing, content checking, knowledge search and workflow assistance. These can deliver value while helping agencies learn how these agents behave in their own environments within highly controlled and regulated scopes.

The Google and Singapore Government sandbox is a useful example. It tested computer-use agents for public sector use cases including automated quality assurance for government digital services, AI safety testing and helping citizens navigate social assistance applications. It also surfaced practical issues around testing data, reasoning logs, prompt injection and the breadth of actions available to computer-use agents.

End-user responsibility

The section on end users is another strength of the framework. It distinguishes between people who interact with agents and people who integrate agents into work processes.

It suggests that users should understand what an agent can do, what data it can access, how data is handled, where to escalate issues and what responsibilities they hold. For staff integrating agents into workflows, it recommends training on use cases, prompting, failure modes, feedback loops and tradecraft.

This recognises that staff will need differentiated training during AI adoption, and this doesn't necessarily break down along traditional IT/business lines. Increasingly agents may be created within business teams by an individual (or small team) and used by the other members of that team, or other teams - rather than coming from an IT team out to business teams.

This makes agentic AI adoption a workforce issue as much as a technology issue. IT teams have a role, though ownership needs to sit with the business areas using the agents.

Where the framework could improve

While the framework is strong on risk and system controls (all positives), it is lighter on public value.

For government, a framework should ask agencies to clearly define the benefit of the agents. Faster service testing. Reduced backlog. Better consistency. Less manual rework. Improved accessibility. Faster policy analysis. Better reuse of corporate knowledge.

These should be measured and assessed. Otherwise agentic AI risks becoming another technology wave with impressive pilots and uneven outcomes - particularly as AI models update and agentic capabilities change, so that outcomes may degrade or improve without regular adjustments.

Procurement also needs more attention.

Most agencies will buy agentic capability - including by accident - through platforms, cloud services, vendors and integrators. Contracts will shape how much control agencies retain over logs, data, tool access, model changes, monitoring, testing, records, exit rights and incident response. Standard software clauses struggle to manage some of the newer needs.

Government contracts for agentic AI should cover tool permissions, audit logs, model and prompt changes, data residency, subcontractors, security testing, accessibility, performance reporting, fallback processes and the ability to disable specific agent functions quickly and roll back or roll onto a manual process in extremis.

The third area is shared government patterns.

Agencies should not each invent their own approach to logging tool calls, managing agent identity, approving MCP servers or testing common failure modes. IMDA notes that protocols such as MCP and Agent2Agent are developing quickly, and that controls, logging and monitoring are core components of agentic systems.

For government, that points to common patterns: standard logging schemas, approved integration models, reusable evaluation datasets, shared sandbox environments and procurement clauses that smaller agencies can use.

Where this comes in for Australia

Australia already has useful foundations in place for AI use, and has been approaching the area pragmatically and in a measured way, with a strong central group helping to establish standards and practices that are effective and manage risks.

In particular the Commonwealth’s Policy for the responsible use of AI in government (v2.0) took effect on 15 December 2025. It applies to non-corporate Commonwealth entities, with exceptions, and includes mandatory requirements for accountable officials, transparency statements, strategic AI adoption, operational responsible use, use case accountability, internal registers, staff training and impact assessment.

The transparency statement standard also requires agencies to explain why they use AI, classify their use, describe monitoring measures, outline compliance and provide public contact points in plain language.

Singapore’s framework adds a more operational layer. It gives agencies practical language for tools, permissions, autonomy, testing, monitoring and end-user capability.

That is the next layer Australian agencies will need.


Agencies should begin with practical uses where agentic AI can help staff do useful work now.

Internal knowledge support. Digital service testing. Coding assistance. Policy research. Records classification support. Procurement response analysis. Content checking. Call centre guidance. Service navigation.

These uses are valuable, testable and easier to bound. They also build confidence and capability before agents move into more sensitive operational environments.

The approach should be relatively straightforward. Pick a real problem. Bound the agent’s permissions. Test it properly. Train the users. Measure the result. Improve the controls. Scale what works.


Singapore’s framework is a strong contribution because it moves the conversation into the practical mechanics of agentic AI. Its next stage should go deeper on public value, procurement, workforce change and shared government operating patterns.

For Australian agencies, it is well worth reviewing now. Agentic AI has the potential to help government work faster, more consistently and with less friction. The agencies that benefit most will be those that treat it as an operational capability from the start.
