
Singapore Published a Playbook, Not a Law: Reading the IMDA Agentic AI Framework Against the EU AI Act

Singapore's Model AI Governance Framework for Agentic AI is voluntary guidance, not regulation. Here is what its four dimensions actually ask you to build, why they match the EU AI Act's binding articles control for control, and how a C-suite should answer the only question that matters: do we have to comply?

By Siddharth Surana, Founder & CEO / 9 min read


Singapore did not regulate agentic AI. It published a playbook. The IMDA Model AI Governance Framework for Agentic AI, version 1.5, released 20 May 2026 and updated 5 June 2026, is voluntary best-practice guidance. It is a living document. It carries no penalties, it mandates nothing, and it is not industry-specific. It applies to any organisation deploying agentic AI, in-house or third-party. Calling it a "law" or "the world's first agentic AI regulation" gets the most important fact backwards. The European Union wrote the law. Singapore wrote the method. The non-obvious part, the part worth your time, is that the two documents ask you to build almost exactly the same thing.

This matters because the global map is pulling apart in 2026. The EU runs hard law, binding and penalty-backed. The United States is moving the other way, toward a minimally burdensome national framework and federal preemption of conflicting state rules. Singapore is betting on voluntary, principles-based guidance. If your business touches more than one of these regimes, and most growing businesses now do, you cannot pick a single rulebook and stop reading. So the practical question is not "which philosophy is right." It is "what do I actually implement, and will it hold up under whichever regime comes knocking." The answer is encouragingly boring. Four controls, built once.

01

What the four dimensions actually say

IMDA structures its guidance around four dimensions, and it frames them as iterative rather than fixed. This is a regulator teaching a method instead of decreeing a rule. Agentic AI is autonomous, multi-step and unpredictable, so any specific instruction written today is likely wrong by the next model release.

Dimension 1, assess and bound the risks upfront. Not every task suits an agent. Decide which use cases do, then constrain them by design: least-privilege access to tools and systems, robust agent identity, and threat modelling for the failure modes specific to agents, such as memory poisoning, tool misuse and privilege compromise. Risk here is likelihood times impact, where impact turns on the error-tolerance of the domain, access to sensitive data and external systems, whether the agent can only read or can also write, and the reversibility of its actions.

Dimension 2, make humans meaningfully accountable. Allocate responsibility inside the organisation and across the value chain, then design oversight that is real rather than decorative. IMDA describes an autonomy spectrum with four operating modes: agent proposes and human operates (approve everything), agent and human collaborate (approve at significant steps such as a database write or a payment), agent operates and human approves (approve only at critical steps such as deleting a database or a payment above a threshold), and agent operates and human observes (audited after the fact). The framework is unusually candid about how this fails. Monitor the human override rate, because a rate near zero signals rubber-stamping. Monitor the response time, because a near-instant decision signals review fatigue. When approval infrastructure fails, the system should deny by default.

Dimension 3, implement technical controls and processes. For higher-risk actions, prefer structural system-level rules over prompt-layer guardrails. Whitelist trusted MCP servers, sandbox code execution, use structured schemas for multi-agent communication, test whole workflows before deployment, then roll out gradually with continuous monitoring: immutable logs, alert thresholds, observability of the OpenTelemetry kind, and agents that monitor other agents. IMDA notes that MCP itself can act as a governance layer.

Dimension 4, enable end-user responsibility. Operators must be told the exact range of actions an agent can take, the data it can reach, and what they are personally responsible for. Train them. Guard against loss of tradecraft, the quiet risk that if the agent does all the work, the humans lose the ability to catch it when it drifts.

The framework backs these with real cases from its own pages. Dayos tiered IT tickets by risk and reported cutting legacy licensing cost by 121,000 dollars a year. Tencent CodeBuddy gates by permission tier: reads need no approval, while edit, bash, webfetch and MCP calls do. Terminal 3 wrapped a payroll agent in a Verifiable Credential of Intent, a Trusted Execution Environment boundary and an immutable ledger. These are engineering patterns, not policy slogans.
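As an added illustration (not code from IMDA, the article or any of the cited companies), here is a small Python confirm-step gate that encodes the four operating modes from Dimension 2 together with the permission-tier pattern from the CodeBuddy case: reads pass by policy, gated tiers need a human decision, a missing or failing approver denies by default, and every decision lands in an append-only log from which the override-rate and response-time signals can be read. The tier names, which tiers count as "significant" versus "critical", and the thresholds are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# IMDA's four operating modes mapped to the action tiers a human must approve.
# Tiers follow the CodeBuddy pattern on the page: reads are free; edit/bash/webfetch/MCP
# are gated. Which tiers count as "significant" vs "critical" is our assumption.
MODES = {
    "human_operates": {"read", "write", "exec", "network", "mcp"},  # approve everything
    "collaborate": {"write", "exec", "network", "mcp"},  # approve significant steps
    "human_approves": {"exec", "mcp"},  # approve only critical steps (assumed tiers)
    "human_observes": set(),  # no pre-approval; audited after the fact
}
ALL_TIERS = MODES["human_operates"]


@dataclass
class ConfirmGate:
    mode: str
    approver: Optional[Callable[[str], bool]]  # human confirm-step; None = infra down
    log: list = field(default_factory=list)  # append-only audit trail (in-memory here)

    def request(self, tier: str, action: str, elapsed_s: float = 0.0) -> bool:
        """Return True if the action may proceed; every decision is logged."""
        if tier not in ALL_TIERS:
            raise ValueError(f"unknown tier {tier!r}")
        needs_human = tier in MODES[self.mode]
        if not needs_human:
            allowed, by = True, "policy"
        elif self.approver is None:
            allowed, by = False, "deny-default"  # approval infrastructure missing
        else:
            try:
                allowed, by = bool(self.approver(action)), "human"
            except Exception:
                allowed, by = False, "deny-default"  # approver failed: deny, never allow
        self.log.append({"tier": tier, "action": action, "allowed": allowed,
                         "by": by, "elapsed_s": elapsed_s})
        return allowed

    def oversight_signals(self, min_override=0.05, min_seconds=2.0) -> dict:
        """Dimension 2 health checks: near-zero override rate suggests rubber-stamping,
        near-instant decisions suggest review fatigue. Thresholds are illustrative."""
        reviews = [e for e in self.log if e["by"] == "human"]
        if not reviews:
            return {"reviews": 0, "override_rate": None, "rubber_stamp": False, "fatigue": False}
        rate = sum(1 for e in reviews if not e["allowed"]) / len(reviews)
        median_s = sorted(e["elapsed_s"] for e in reviews)[len(reviews) // 2]
        return {"reviews": len(reviews), "override_rate": rate,
                "rubber_stamp": rate < min_override, "fatigue": median_s < min_seconds}
```

In production the approver would be a ticketing or chat prompt with a timeout, and the log would be written to append-only storage rather than a list; the deny-default branches are the part to keep unchanged.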

02

The EU wrote the opposite document, and asked for the same controls

The EU AI Act is everything the IMDA framework is not. It is binding, risk-tiered and penalty-backed, on a fixed statutory calendar. It entered into force on 1 August 2024. Prohibited practices and AI literacy obligations applied from 2 February 2025. Obligations for general-purpose AI and the penalty regime went live on 2 August 2025. Full application lands on 2 August 2026, with high-risk classification obligations under Article 6(1) from 2 August 2027. The penalties reach up to 35 million euros or 7 percent of worldwide annual turnover, whichever is higher, for prohibited-practice breaches, with lower tiers for other infringements. For SMEs and start-ups, the fine is the lower of the fixed amount or the percentage, which is relief, not exemption.

Here is the part the headlines miss. Strip away "voluntary playbook" versus "penalty-backed statute" and IMDA's four dimensions map one-to-one onto the EU's articles. Bound-the-risk is Article 15 (accuracy and security). Meaningful human accountability is Article 14 (human oversight). Technical controls and logging are Article 12 (record-keeping). End-user responsibility is Article 4 (AI literacy). Same four controls, two entirely different reasons to build them. Whether you fear EU fines or adopt Singapore guidance, you build bounded least-privilege access, a human confirm-step, an immutable audit trail and operator literacy. That is the editorial spine of the whole debate: same destination, different roads.

One honest footnote for the legal reader. The EU's own hard-law calendar is now slipping on precisely the agentic-relevant provisions. A Digital Omnibus provisional agreement reached on 7 May 2026 proposes deferring stand-alone high-risk obligations to roughly December 2027. As of today that is a proposal, not law. It is also the clearest illustration of the pacing problem: even the regime built on certainty is rewriting its timetable as the technology moves under it.

03

IMDA MGF for Agentic AI versus the EU AI Act

Dimension | IMDA MGF for Agentic AI | EU AI Act
Legal status | Voluntary guidance, living document, best practice | Binding regulation on a fixed statutory calendar
Scope | Any organisation deploying agentic AI; not industry-specific | All AI systems placed on or used in the EU market; extraterritorial reach
Mechanism | Four iterative dimensions; method, not mandate | Risk tiers plus penalties up to 35M euros or 7% of global turnover
Who it targets | Deployers, developers, tooling and platform providers, operators | Providers and deployers in scope of the Union market
Posture | Enabling: lower the cost of starting | Restricting: lower the ambiguity of arriving

04

Do we have to comply? The C-suite answer

Legally, no. Commercially, yes. That is the whole answer and it is not a dodge. Nothing forces you to adopt the IMDA framework. But voluntary guidance acquires teeth through three shadow mechanisms that need no statute. First, enterprise procurement: B2B buyers turn frameworks into mandatory vendor checklists, so no alignment can mean no contract. Second, cyber-liability insurance: underwriters increasingly demand these controls before they will cover an autonomous agent's actions. Third, tort standard-of-care: courts cite published frameworks to establish negligence, so an agent that causes financial harm with no meaningful human accountability hands the plaintiff their yardstick. Treating IMDA as optional because it is "only guidance" leaves you exposed on all three.

The separate calculation is EU reach. The Act is extraterritorial. A Singapore business whose agent output is used in the Union is in scope regardless of where it sits. The reframe that de-risks the whole decision: you build the same four controls either way, so build them now and let them double as commercial insurance and EU readiness.

The market is running ahead of all of this. Deloitte's State of AI in the Enterprise 2026 reports roughly 74 percent of enterprises planning agentic AI within two years, against only about 21 percent with a mature model for agent governance. Gartner predicts that over 40 percent of agentic AI projects will be cancelled by the end of 2027, citing escalating costs, unclear value and inadequate risk controls. The money rails are already live. OpenAI's Agentic Commerce Protocol shipped in September 2025, and Mastercard launched Agent Pay for Machines on 10 June 2026 for sub-cent machine-to-machine settlement. The governance gap between what the market is deploying and what it can control is not a footnote. It is the business problem.

05

Where Origin Pi stands

We read the IMDA framework as a vindication of governance-as-product, not governance-as-paperwork. A regulator wrote a document that names MCP, A2A and agentic commerce protocols by name. It reads like an engineering spec, not legal prose. That is the signal. A framework you can adopt beats a law you must fear, because adoption lowers the cost of starting while the controls protect you under either regime.

The three artefacts the agentic future actually needs are the same three both Singapore and the EU demand, and they are the same three we build into an agent-ready business layer. The confirm-step, which is Dimension 2 and Article 14, the moment a human authorises a consequential action. Bounded permissions, which are Dimension 1 and Article 15, least-privilege access so an agent can only touch what its task requires. The audit trail, which is Dimension 3 and Article 12, the immutable record of what was decided and why. This is the work of AI governance reduced to what ships to production.

We hold one claim deliberately loose. The durable advantage here is probably not the governance feature itself, which model providers will commoditise as native controls. It is the proprietary workflow data generated at every human confirm-step, the record of what your business actually chose to approve. And we will not bury the strongest counter-argument. A sceptic reasonably prefers hard law, because it offers certainty, a defined safe harbour and a level field that penalises reckless competitors, where soft law leaves you in permanent legal ambiguity. Both can be true. Soft law lowers the cost of starting. Hard law lowers the ambiguity of arriving. You need the controls regardless of which one you are answering to.

There is a deeper reason to govern the brain than either fines or checklists. In an agent-to-agent economy, an ungoverned agent is an untrusted agent. The confirm-step becomes proof of genuine human economic intent in a sea of synthetic actions. The audit trail becomes the counterparty-risk record other agents inspect before they transact with yours. Governance stops being a cost the lawyers demand and becomes the interoperability protocol that lets your agents do business at all. Govern the brain, and the rest of the stack becomes something you can trust enough to let off the leash.

Common questions

Is the IMDA Model AI Governance Framework for Agentic AI a law?
No. It is voluntary guidance and emerging best practice, published by Singapore's IMDA as a living document. Version 1.5 was released on 20 May 2026 and updated on 5 June 2026. It carries no penalties, mandates no compliance, and is not industry-specific. It applies to any organisation deploying agentic AI, whether built in-house or sourced from a third party.
How does the IMDA framework differ from the EU AI Act?
They take opposite approaches. The IMDA framework is voluntary, method-based guidance with no penalties. The EU AI Act is binding regulation on a fixed calendar, with penalties up to 35 million euros or 7 percent of global turnover. The EU AI Act entered into force on 1 August 2024 and reaches full application on 2 August 2026. Despite the philosophical gap, IMDA's four dimensions map directly onto EU Articles 4, 12, 14 and 15.
If the IMDA framework is voluntary, do we have to comply?
Legally no, commercially often yes. Voluntary guidance gains practical force through three channels that need no statute: enterprise procurement checklists that gate contracts, cyber-liability insurance underwriting that requires the controls, and tort standard-of-care, where courts cite published frameworks to establish negligence. A business that ignores the framework as 'only guidance' is exposed on all three.
What are the four dimensions of the IMDA framework?
One, assess and bound the risks upfront. Two, make humans meaningfully accountable through real oversight at defined checkpoints. Three, implement technical controls and processes such as least-privilege access, whitelisted MCP servers, sandboxing and immutable logs. Four, enable end-user responsibility by telling operators the agent's action range, its data access, and their own duties, while guarding against loss of tradecraft.
Does the EU AI Act apply to a business based in Singapore?
It can. The EU AI Act is extraterritorial. If an agent's output is used within the European Union, the business is in scope regardless of where it operates. For SMEs and start-ups, the penalty is the lower of the fixed amount or the percentage, which is relief rather than exemption. Building the framework's controls now serves as both commercial protection and EU readiness.
What should a business actually implement?
Build four controls once and satisfy both regimes: bounded least-privilege access for every agent, a human confirm-step at high-stakes, irreversible or outlier actions, an immutable audit trail with observability, and trained operators who know each agent's scope. These are exactly the artefacts an agent-ready business layer is built around.