MindXO Insight | Policy Engagement
Our Response to the MAS Consultation on AI Risk Management Guidelines
In January 2026, MindXO submitted a formal response to the Monetary Authority of Singapore's Consultation Paper on Guidelines on Artificial Intelligence Risk Management. Our submission supports the proportionate, risk-based approach and proposes concrete mechanisms to strengthen implementation: criteria for self-assessing AI adoption level, a sandbox carve-out for experimental AI, organisational materiality thresholds, shadow AI discovery, and a structured impact taxonomy.
By Myriam Ayada · MindXO · January 2026
Key takeaways
- Proportionality needs criteria. We support proportionate application, but FIs need guidance to self-assess their AI adoption level and know when enhanced governance is triggered.
- Sandbox carve-out. Controlled experimental AI should be governable as a special case within basic policies, with a defined governance checkpoint at the transition to production.
- Shadow AI is a tiering risk. FIs in the "basic policies" tier need a proportionate discovery expectation, or they may inadvertently remain under-governed.
- Materiality needs structure. A 13-domain impact taxonomy and explicit organisational thresholds make AI risk materiality assessment consistent and aggregable.
Question 1: Proportionate Application
MAS seeks comments on the proposed proportionate application of the Guidelines to all FIs and the guidance set out in paragraph 1.5 and the Annex.
We strongly support the proposed proportionate application of the Guidelines. The principle that governance intensity should scale with risk materiality is both pragmatic and aligned with international best practice. We offer the following observations to strengthen implementation.
1. Criteria for assessing AI adoption level
The Guidelines establish that "All FIs should minimally institute basic policies for the use of AI commensurate with the FI's level of AI adoption" (para 1.5) while FIs with AI integrated into business processes require fuller governance. However, the criteria for assessing an FI's level of AI adoption are not specified.
We suggest that the AI Risk Management Operationalisation Handbook provide guidance on how FIs may self-assess their AI adoption level. Such guidance would help FIs determine when their AI adoption has progressed beyond "minimal" and triggers the expectation for enhanced governance structures. This would also provide MAS with a more consistent basis for understanding AI adoption patterns across the financial sector over time.
2. Sandbox exception for experimental AI use
The Guidelines apply to AI whether or not used as an integrated part of business processes. However, there is a third category not explicitly addressed: controlled experimental use of AI in sandbox or pilot environments.
We recommend the Guidelines clarify that FIs may include provisions for sandbox or pilot AI use as a special case within their basic policies. Such provisions would govern AI systems that:
- Are deployed in a controlled test environment, segregated from production systems
- Are not used for actual business decisions affecting customers or operations
- Are limited to a defined pilot population or synthetic data
- Are subject to a defined time limit for experimentation
- Are not connected to critical business processes or customer-facing channels
This clarification would provide FIs confidence that carving out experimental use within their basic policies is an acceptable approach, while ensuring appropriate safeguards remain in place. The transition from sandbox to production deployment should be a defined governance checkpoint, at which point the Guidelines would apply based on the AI system's risk materiality.
3. Guidance for smaller FIs
While proportionality inherently accommodates smaller FIs, explicit guidance would assist implementation. FIs with minimal AI use might satisfy requirements through: a single AI policy covering all use cases, simplified intake and approval processes, combined roles (e.g., one individual serving as both Model Owner and Risk Owner for low-risk AI), and reliance on vendor documentation for third-party AI with appropriate due diligence.
4. Supporting implementation through standard templates
To facilitate consistent implementation across the industry, we recommend MAS consider providing standard templates for key artefacts at a later stage, for example through the AI Risk Management Operationalisation Handbook: AI policies, intake forms, risk assessment frameworks, and evidence documentation.
Question 3: Board and Senior Management Oversight
MAS seeks comments on the proposed responsibilities of board and senior management for AI oversight.
We support the proposed Board and senior management responsibilities. The allocation reflects appropriate separation between strategic oversight and operational implementation.
The Guidelines appropriately require that the AI inventory capture "key roles and responsibilities (e.g., owners, developers)" (paragraph 3.5) and that clear roles be assigned for AI risk materiality assessment, including a control function to ensure consistent application (paragraph 3.11). While these requirements establish sound foundations, FIs would benefit from additional guidance on the types of roles to be defined and the distinction between them, particularly between risk management and governance functions. For example, clarity on the respective responsibilities of an AI Risk Owner (accountable for risk assessment and monitoring) versus an AI Governance Owner (accountable for policy compliance and approval processes) would support consistent implementation across the industry.
The Guidelines could also clarify how role assignments and approval mechanisms should scale with risk materiality, both at the individual AI system level and at the organisational level. For FIs with lower risk materiality, a single individual may appropriately cover multiple roles. As risk materiality increases, roles should be separated and approval mechanisms strengthened to ensure adequate oversight and avoid conflicts of interest.
Question 4: Cross-Functional Committee and Organisational Risk Materiality
MAS seeks comments on the proposed expectation for FIs to establish a dedicated cross-functional committee where the FI's overall AI risk exposure is assessed to be material, and how FIs should assess the materiality of their AI risk exposure at an organisational level.
We strongly support the expectation for a dedicated cross-functional committee where organisational AI risk exposure is material. We recommend the Guidelines clarify that the committee should operate at two levels: Strategic Oversight (AI strategy, risk appetite, policy approval, escalation to Board and senior management) and Operational Implementation (reviewing and approving individual AI use cases, monitoring ongoing compliance, coordinating across business and control functions). The two functions may be discharged by the same committee for FIs with lower AI risk exposure, but should be clearly distinguished as risk exposure increases.
On assessing organisational-level AI risk materiality, the presence of at least one high-risk AI system deployed in critical business lines or regulated activities should generally warrant establishment of such a committee. Beyond individual high-risk systems, FIs could consider: aggregation across use cases (with thresholds determined by the FI's size and risk profile), concentration risk (correlated failure and single points of failure across vendors or underlying models), customer exposure metrics, dependency and reversibility (including kill-switch capability), and velocity of AI adoption.
Question 5: Shadow AI Discovery for FIs with Minimal AI Adoption
The Guidelines establish robust AI identification requirements for FIs with AI integrated into business processes (Section 3), including "systems, policies and procedures to ensure the consistent identification of AI usage across all relevant business and functional areas." This addresses shadow AI risk for FIs at that adoption level only.
However, for FIs with minimal or no known AI adoption, that is, those applying only basic policies (Annex, paragraph 5), there is no equivalent requirement to proactively discover unreported AI usage. The basic policies require periodic compliance checks, but these assume the FI already has visibility over where AI is being used.
This creates a gap: an FI that believes it has no AI integrated into business processes may have shadow AI that, if discovered, would reclassify the FI as having AI integrated into business processes, triggering fuller governance requirements. We recommend the basic policies requirement include an explicit expectation for periodic discovery of AI usage, proportionate to the FI's size and complexity.
Question 7: Risk Materiality Dimensions
MAS seeks comments on the proposed dimensions for assessing AI risk materiality, including impact, complexity and reliance, and whether there are any other relevant dimensions FIs should consider.
We support the proposed three-dimensional framework of Impact, Complexity, and Reliance. To support consistent and comprehensive assessment of the Impact dimension, we propose a structured taxonomy of impact domains: Strategic & Alignment; Commercial & Customer; Operational & Business; Regulatory & Legal; Health, Safety & Environment; Reputational & Brand; Financial; Confidentiality & IP; Technical Performance & Reliability; Security & Resilience; Data & Privacy; Algorithmic Ethics, Fairness & Society; Transparency & Traceability.
For the Complexity dimension, we recommend FIs additionally consider: model opacity, integration complexity, novelty within the FI, and change velocity. For the Reliance dimension: override practicality, kill-switch capability, and expertise degradation.
To ensure consistent application, we recommend FIs develop scoring methodologies for each dimension, with explicit criteria for each score level and defined aggregation across dimensions. This prevents inconsistent materiality assessments across similar AI applications and enables portfolio-level risk aggregation.
Question 9: Additional Observations
MAS seeks comments on any other aspects of AI risk management not covered in the consultation paper.
We recommend the Guidelines or Handbook address AI-specific incident classification. Traditional incident management may not adequately capture AI failure modes such as gradual drift, emergent bias, or adversarial exploitation. A classification framework distinguishing AI-specific incident types would support more effective root cause analysis and industry learning. Over time, such classification could also support anonymised industry-level learning and supervisory dialogue on emerging AI risk patterns.
About MindXO
MindXO is a UAE-based research and advisory firm specializing in AI governance and risk management. Its frameworks are aligned with ISO 42001, NIST AI RMF, and GCC regulatory requirements.