Singapore’s financial services watchdog is making a clear argument to banks rolling out artificial intelligence: responsible AI will not be judged by policy statements alone, but by whether firms can prove, test and operationalise their controls in practice.
That is the significance of the Monetary Authority of Singapore’s new MindForge AI Risk Management Toolkit, a regulator-backed framework developed with 24 banks and financial institutions, as well as a range of industry partners, including HSBC, Citi, UBS, BlackRock, DBS, Standard Chartered, UOB and Prudential.
At a time when banks are racing to test, trial and deploy generative AI and explore more autonomous systems, MAS is trying to pin governance directly to execution, embedding expectations around oversight, risk classification, lifecycle controls and infrastructure into something far more practical.
For QA and software testing teams in financial services, that matters, because the toolkit is not just another set of principles.
MAS’ initiative should be seen as a clear attempt to bring AI assurance closer to the heart of software testing and delivery, model validation and operational resilience, in a market where regulators increasingly want evidence that systems are behaving as intended, that risks are understood, and that controls work outside slide decks and policy documents.

MAS itself described the release of the toolkit as a milestone in ensuring the “responsible adoption of AI in finance”, with Chief FinTech Officer Kenneth Gay saying the regulator wanted to strengthen “AI governance and risk management practices across the industry”.
That direction is reinforced by Alan Lim, Director in MAS’ Financial Infrastructure & AI Office, who explained on LinkedIn that the package is built to help firms move “from theory to practice”, combining an Operationalisation Handbook with real-world case studies from across the sector.
That practical turn is what makes the initiative especially relevant for banks. The handbook is structured around four areas aligned to MAS’ proposed AI guidelines: scope and oversight, AI risk management, AI lifecycle management and enablers.
In plain terms, that means firms are being pushed to define who owns AI, identify where it is being used, assess how material the risks are, and put controls around the full lifecycle of deployment and monitoring.
For testing teams, this pushes AI assurance far beyond functional checks. It brings governance, traceability, monitoring and control validation into the quality remit.
Big-name backing
The names involved tell their own story. This is not a niche sandbox exercise. HSBC, Citi, UBS and BlackRock sit alongside DBS, UOB, Standard Chartered and other major regional and global players, suggesting that MAS is trying to create something closer to a market-wide operating model for AI controls in finance.
BlackRock’s Marko Milek captured that shift neatly, saying MindForge helps the industry translate “responsible AI principles into actionable risk management”.

He pointed out that BlackRock had already built strong foundations in information security, third-party risk and model management, but had augmented them for new AI risks, while the framework also supports “AI cataloguing, vendor and enterprise risk integration, and use-case based risk management as organisations scale.”
That point about cataloguing and use-case risk is especially important for banks now introducing AI into sprawling technology estates.
As institutions such as HSBC, Citi and UBS expand their use of vendor models, internal copilots and generative AI tools, the challenge is no longer just whether a model works in isolation.
It is whether firms know where AI sits across the enterprise, how its risks differ across business lines, and what testing or assurance evidence is needed at each stage.
MAS is effectively telling banks that AI inventory, risk materiality and lifecycle controls can no longer be treated as optional governance extras.
DBS, which has become one of the clearest examples of Singapore’s AI push in banking, used its contribution to MindForge to underline exactly that.
Sameer Gupta, the bank’s Chief Analytics Officer, said that “to fully realise AI’s value, governance must be treated as a strategic imperative”.
He added that the handbook and implementation examples would help firms turn “responsible AI principles into practical action”, enabling innovation while sustaining trust and confidence in the system.
The wording is telling. Governance is not being framed as a brake on deployment, but as the mechanism that makes deployment credible.

Broader strategy
That line fits with the broader direction of travel in Singapore. Over the last two years, MAS has steadily tightened the connection between innovation and assurance.
In late 2025, it announced a collaboration with the UK’s Financial Conduct Authority focused specifically on advancing AI testing, regulatory QA and joint experimentation.
That partnership was designed to support the testing of AI solutions under supervised conditions and reflects a wider regulatory push to build shared validation environments rather than rely on firms to self-certify.

For banks operating across multiple jurisdictions, the significance is obvious: regulators are no longer just setting expectations for AI governance, they are beginning to shape the testing conditions around it.
The same pattern is visible in MAS’ wider approach to resilience. In 2025, the regulator called for stronger oversight of third-party and open-source software, warning that financial institutions needed a detailed and dynamic inventory of IT components and dependencies.
That may sound like a separate cyber issue, but it is highly relevant to AI risk. Many GenAI and agentic systems are stitched together from external models, APIs, orchestration layers and open-source components.
For QA teams, the challenge is not simply validating the model output. It is understanding the wider dependency chain, testing how those components behave under stress, and identifying where risk enters through vendors, integrations or opaque upstream services.

That is one reason the MindForge framework lands at an important moment. Sam Burrett, a Sydney-based AI Lead and director at law firm MinterEllison, highlighted on LinkedIn the AI risk taxonomy aligned to lifecycle stages and ethics concepts, the steps for uplifting existing governance “to avoid duplication”, and the sections showing how to assess use-case level risks through decision flows.
His broader point is probably the most relevant for banks under pressure to industrialise AI safely: “Most organisations we work with have an AI policy. Very few have actually operationalised AI governance. This is a great resource to help your team close that gap.”
That gap between policy and operational evidence is exactly where QA and software testing teams are being drawn more deeply into regulatory work.
In many banks, AI governance still sits largely with risk, compliance or data teams. But once regulators start expecting firms to classify use cases, validate controls across the lifecycle, monitor outcomes continuously and prove that governance is embedded in practice, the work quickly becomes inseparable from software delivery and assurance.
Testing teams become central not just to validating outputs, but to generating the evidence that governance is actually functioning.
Lifecycle management
The report’s emphasis on lifecycle management sharpens that further. MAS says firms need controls “covering the entire lifecycle of AI use”, not just model development or approval.
That puts a spotlight on pre-deployment validation, data and model change management, post-deployment monitoring, retraining decisions, incident response and oversight of evolving systems.
In practice, banks will need stronger forms of continuous testing, better observability, more formal control points in CI/CD workflows and clearer escalation paths when AI behaves unexpectedly.
That is already visible in Singapore’s digital banking market, where regulatory pressure has pushed testing, resilience and compliance closer together.
The city-state’s digital banks have had to show from the outset that cloud-native delivery can coexist with regulator-grade assurance. That has elevated non-functional testing, failover validation, policy-as-code, resilience testing and continuous control checks.

The same logic now applies to AI. As banks bring AI into customer service, fraud, operations, compliance and decision-support workflows, they will be expected to show not only that models are accurate enough, but that they are governed, monitored and recoverable under supervisory scrutiny.
The contribution from BlackRock hints at how that may evolve in practice. Milek’s reference to integrating AI risk with information security, third-party risk and model management suggests banks are being pushed towards more unified control environments rather than standalone AI governance programmes.
Burrett’s observation that one of the most useful elements is the guidance on uplifting existing governance “to avoid duplication” reinforces the same point.

In other words, MAS is not asking banks to build a parallel universe of AI controls. It is pushing them to extend existing risk, resilience and control frameworks so AI can be managed as part of the wider enterprise.
That is also why big-bank participation matters. When institutions such as HSBC, Citi, UBS, BlackRock and DBS help shape the framework, it gives the final product more weight than a conventional consultation paper.
It suggests the industry’s largest players accept that AI risk management must become more granular, more operational and more testable. For multinational firms, that matters beyond Singapore.
Prudential’s Group Chief Technology Risk Officer, Ravindaran Nair, argued MindForge sets “a strong foundation for responsible AI in financial services” and described it as “a benchmark not only for Singapore, but for markets across the region.”
That feels plausible. Regulators elsewhere are converging on similar themes around resilience, third-party risk, explainability and evidence-based governance, even if the precise rules differ.
Standard Chartered’s role in the enterprise governance workstream underlines the same idea. Alvaro Garrido said that as AI becomes more deeply embedded across financial services, “strong and practical enterprise level governance is essential” to ensure innovation is deployed responsibly and at scale.
Crucially, he said MindForge shows the power of cross-industry collaboration in turning principles into “actionable guidance that organisations can operationalise.”

That is the line running through the whole project: operationalise, not just endorse.
UOB’s Frankie Phua put it similarly, describing MindForge as a “strong, MAS-led initiative” that brings the industry together to co-create AI risk governance guidelines that are practical, proportionate and risk-sensitive.
He said effective governance underpins successful AI adoption by giving firms the “confidence to innovate at pace.”
In a banking context, that matters because one of the biggest tensions in AI adoption is speed. Boards want faster deployment, business units want value, and regulators want assurance. MAS is trying to resolve that tension by giving firms a structure that makes fast deployment more defensible.
Insurers and wealth managers
The inclusion of insurers and wealth players broadens the relevance further. David Tan of Income Insurance said Project MindForge shows how risks can be mitigated and opportunities in AI and GenAI realised “through close regulatory and industry collaboration”, with guidance applied proportionately across institutions of different scale and maturity.
Julius Baer’s Andreas Zingg stressed the importance of an “internationally aligned AI risk management framework” that allows AI to support innovation without compromising client trust.
Taken together, those remarks show that the toolkit is not confined to one banking niche. It is trying to create common language for AI oversight across multiple parts of financial services.

What makes Singapore particularly notable is that this is happening alongside a broader state-backed push to build financial-sector capabilities in AI, testing and resilience.
MAS has already committed major funding to AI innovation, model deployment and governance in finance, while also launching initiatives around quantum security, cross-industry infrastructure and stronger software resilience.
The regulator has made no secret of its belief that Singapore can become a centre of excellence not just for AI development, but for the testing and deployment of AI in financial services. MindForge is one of the clearest signs yet of what that ambition looks like in practice.
For QA and software testing teams, the implications are significant. The future workload is not just about model validation in the narrow sense.
It includes validating governance workflows, testing the quality of inventories and classifications, stress-testing integration points, checking whether monitoring thresholds work in practice, and ensuring incidents involving AI can be detected, escalated and explained. In a world of GenAI and agentic systems, those tasks are fast becoming part of digital resilience.
That is why the MAS toolkit matters beyond Singapore. It offers one of the clearest recent examples of a regulator, working alongside major banks and asset managers, trying to define what AI governance looks like when it reaches engineering reality.
It also shows where the compliance burden is heading. The banks involved, from HSBC and Citi to UBS, BlackRock and DBS, are effectively acknowledging that AI in finance will have to be inventorised, classified, tested, monitored and governed with the same seriousness now applied to other critical technology risks.