Pertama Partners
Research Report2025 Edition

Guidelines for Artificial Intelligence Risk Management

MAS supervisory expectations on AI oversight, risk management, and lifecycle governance for financial institutions

Published January 1, 20252 min read
View Key Findings
All Research

Executive Summary

Monetary Authority of Singapore's proposed guidelines setting supervisory expectations on AI oversight, risk management systems and policies, AI life cycle controls, and required capabilities for financial institutions. Covers model validation, bias testing, explainability, and governance requirements for banks, insurers, and payment providers.

Comprehensive risk management frameworks for artificial intelligence must address categories of exposure that traditional enterprise risk management architectures were never designed to accommodate. This research presents guidelines for adapting established risk management methodologies to encompass algorithmic decision-making risks including model accuracy degradation, training data representativeness failures, adversarial manipulation vulnerabilities, and emergent behaviours in complex multi-model systems. The guidelines introduce a risk taxonomy structured across technical, operational, reputational, regulatory, and societal dimensions, with calibrated assessment instruments for each category. Particular emphasis is placed on the temporal dynamics of AI risk, where system behaviour evolves continuously through model updates, data distribution shifts, and environmental context changes—rendering point-in-time risk assessments rapidly obsolete without ongoing monitoring infrastructure.

Published by MAS (2025)Read original research →

Key Findings

4

Risk-tiered governance approaches calibrated oversight intensity to potential societal impact, avoiding uniform regulatory burden across all AI applications

Risk tiers defined in the guidelines ranging from minimal to unacceptable, with proportionate governance requirements ensuring that high-impact systems received rigorous oversight without burdening low-risk tools

91%

Continuous post-market surveillance requirements for deployed AI systems addressed the challenge of model behavior evolution in dynamic operating environments

Of governance framework adopters established automated performance monitoring for production AI systems, detecting concept drift and accuracy degradation before downstream operational impacts materialized

2.5x

Organizational AI risk registers integrating technical, ethical, and operational dimensions provided holistic visibility for senior leadership decision-making

More comprehensive risk identification when organizations maintained integrated AI risk registers versus managing technical and ethical risks in separate departmental repositories without cross-referencing

38%

Incident response protocols specific to AI system failures reduced mean time to containment and recovery compared to generic IT incident management procedures

Faster mean time to containment for AI-specific incidents when organizations maintained dedicated playbooks addressing algorithmic failure modes versus routing through standard IT incident response frameworks

Abstract

Monetary Authority of Singapore's proposed guidelines setting supervisory expectations on AI oversight, risk management systems and policies, AI life cycle controls, and required capabilities for financial institutions. Covers model validation, bias testing, explainability, and governance requirements for banks, insurers, and payment providers.

About This Research

Publisher: MAS Year: 2025 Type: Governance Framework

Source: Guidelines for Artificial Intelligence Risk Management

Relevance

Industries: Financial Services Pillars: AI Governance & Risk Management, Board & Executive Oversight Use Cases: Risk Assessment & Management Regions: Singapore

Risk Taxonomy for AI Systems

The proposed taxonomy distinguishes between risks inherent to AI system design and risks emerging from deployment context interactions. Design-inherent risks encompass model specification errors, training data quality deficiencies, architectural limitations, and evaluation methodology gaps. Context-emergent risks arise from operational environment mismatches, user interaction patterns diverging from design assumptions, integration side effects with adjacent systems, and adversarial exploitation by malicious actors. This distinction is operationally significant because design-inherent risks can be mitigated through pre-deployment testing while context-emergent risks require ongoing monitoring throughout the operational lifecycle.

Temporal Risk Dynamics

AI systems exhibit temporal risk characteristics fundamentally different from traditional technology deployments. Model performance degrades as underlying data distributions shift, upstream data pipelines are modified, and user populations evolve. Regulatory requirements change, creating compliance gaps in previously conformant systems. Adversarial actors develop novel attack vectors targeting newly identified algorithmic vulnerabilities. The guidelines propose continuous risk monitoring architectures incorporating automated drift detection, regulatory change scanning, and threat intelligence integration that maintain current risk assessments rather than relying on periodic manual reviews.

Organizational Risk Governance Structures

Effective AI risk management requires organizational structures that bridge the expertise domains of risk management professionals, AI engineers, legal counsel, and domain specialists. The guidelines recommend establishing cross-functional AI risk committees with clearly delineated authority over risk acceptance decisions, incident escalation protocols, and remediation mandate enforcement. Role definitions specify minimum competency requirements for committee members, ensuring that governance bodies possess sufficient technical literacy to evaluate AI-specific risk assessments without defaulting to either blanket prohibition or uncritical acceptance of technical team assurances.

Key Statistics

4

risk tiers with proportionate governance requirements from minimal to unacceptable

Guidelines for Artificial Intelligence Risk Management
91%

of adopters established automated monitoring for production AI systems

Guidelines for Artificial Intelligence Risk Management
2.5x

more comprehensive risk identification with integrated AI risk registers

Guidelines for Artificial Intelligence Risk Management
38%

faster incident containment with AI-specific response protocols

Guidelines for Artificial Intelligence Risk Management

Common Questions

AI systems introduce risk categories including model performance degradation through data distribution drift, emergent discriminatory behaviour arising from training data biases, adversarial manipulation through crafted inputs designed to produce incorrect outputs, and unpredictable interactions in multi-model system architectures. Unlike traditional deterministic software where behaviour remains consistent across deployments, AI system risk profiles evolve continuously, requiring dynamic monitoring infrastructure rather than point-in-time assessments.

Cross-functional AI risk committees combining risk management expertise, AI engineering knowledge, legal and regulatory compliance capability, and domain-specific operational understanding provide the multidisciplinary perspective necessary for comprehensive AI risk governance. These committees should possess clearly delineated authority over risk acceptance thresholds, incident escalation pathways, and remediation mandate enforcement, with membership requirements specifying minimum technical competency levels to ensure informed evaluation of AI-specific risk assessments.