Back to Resources
AI Readiness13 min read

AI Governance for Singapore SMEs: NIST AI RMF, ISO 42001 & IMDA's Framework, Explained

You don't need a compliance team to run a governance programme. Here's how a 10–50 person Singapore business maps enterprise AI governance standards down to a one-page policy.

Haojun See
Haojun See

Founder & Director, On The Ground

Updated 11 July 2026

Why "we'll deal with governance later" is the wrong call

Governance sounds like a big-company problem — the kind of thing a 200-person bank needs and a 15-person firm can defer. That instinct is understandable and, per the frameworks below, wrong. The trigger for AI governance isn't headcount. It's the moment someone on your team pastes a client contract, a patient record, a CV, or a financial statement into a chatbot to save time. That moment already happened at most SMEs we talk to, usually months before anyone thought to write a policy about it. Singapore's PDPA doesn't care how large your company is; it cares what you did with personal data and whether you can show you thought about the risk before, not after. The good news: you don't need a compliance department to run a credible governance programme. You need four decisions, documented once, revisited yearly. This guide walks through where those four decisions come from — NIST's AI RMF, ISO/IEC 42001, and Singapore's own Model AI Governance Framework and AI Verify — and turns each into something you can act on this week.

NIST's AI RMF in four questions your business can actually answer

NIST's AI Risk Management Framework organises AI governance into four functions. Translated out of enterprise language: Govern — Who in your business actually decides which AI tools get used, and for what? If the honest answer is "nobody, people just download what they want," that's your Govern gap. Fix: name one person (often the founder, at SME scale) as the approver for any new AI tool that will touch client or staff data. Map — What could actually go wrong, and where? For most SMEs this is short: data leakage to a third party, a hallucinated fact reaching a client, biased screening of CVs or applications, or over-reliance on AI output nobody checked. Fix: write these four risks down once, per use case, before rolling a tool out team-wide. Measure — How would you know if one of those things happened? For a small business this doesn't need dashboards — it needs a habit: spot-checking AI-drafted client communications before they exist, and encouraging staff to flag when an AI tool got something wrong. Manage — What do you do when it does happen? Fix: a one-line escalation path — who gets told, and whether the client needs to be informed — decided in advance rather than improvised during an incident. That's the whole framework, scaled down. NIST built it to be voluntary and sector-agnostic precisely so it would translate this way.

ISO/IEC 42001 without the certification budget

ISO/IEC 42001 is the world's first certifiable AI management system standard — "certifiable" being the operative word. Certification means an accredited external auditor reviews your documented processes against the standard's clauses and issues a certificate, the same way ISO 9001 works for quality management. For most SMEs, that cost isn't justified unless a client, tender, or partner specifically requires it. What's worth borrowing without paying for certification is the standard's structure: AI risk is managed as an ongoing management system, not a one-time checklist. In practice that means three things any SME can do without a consultant: (1) write down your AI risk process once, rather than relying on memory, (2) name who owns it, and (3) put a date in the calendar to review it — quarterly is plenty at this scale. If a client or tender does ask for ISO 42001 alignment specifically, that's the point at which a proper gap assessment against the standard's clauses becomes worth commissioning.

Singapore's Model AI Governance Framework and AI Verify, translated

Singapore's own reference point — issued by IMDA and the PDPC — rests on two tenets: AI decision-making should be explainable, transparent, and fair; and AI solutions should be human-centric in design. The AI Verify testing framework, built by IMDA and the AI Verify Foundation, operationalises this into 11 principles: transparency, explainability, repeatability/reproducibility, safety, security, robustness, fairness, data governance, accountability, human agency and oversight, and inclusive growth. You don't need to run AI Verify's technical test toolboxes to benefit from the thinking behind it. For an SME, the practical translation of those 11 principles is closer to five habits: 1. Explainability — if AI drafted it, someone who understands why can explain the reasoning, not just repeat the output. 2. Fairness — if AI is used in hiring, credit, or customer screening, someone has checked it isn't systematically favouring or excluding a group. 3. Human oversight — no AI output reaches a client or a decision without a human able to override it. 4. Data governance — you know what data went in, where it came from, and whether you were allowed to use it. 5. Accountability — one named person owns each AI use case, so "the AI did it" is never the end of the conversation internally. These five habits, done consistently, get you most of the practical benefit of the full 11-principle framework at SME scale.

PDPA and AI: the part that actually bites SMEs

The Personal Data Protection Act doesn't mention "AI" as a special category — it governs personal data, regardless of what processes it. That's precisely why it's the governance issue most SMEs actually run into, usually the first week someone starts using an AI tool for real client work. Three PDPA-relevant questions to settle before (not after) your team adopts an AI tool broadly: Consent and purpose — was the personal data you're about to feed into an AI tool collected with a purpose that covers this use? Client data collected for "delivering the engagement" may not cover "training a third-party AI model," depending on the tool's terms. Data minimisation — does the AI tool need the client's full name, NRIC, or account number to do the task, or would a redacted or anonymised version work just as well? Most drafting, summarisation, and analysis tasks don't actually need identifiers. Where the data goes — does your AI vendor's terms of service let you opt out of your inputs being used to train their models, and have you actually turned that setting on? This is a five-minute check that most teams never do. None of this requires a lawyer for day-to-day use — it requires a written answer to these three questions, once, that new hires get shown on day one.

A one-page AI usage policy you can adopt this week

Here's a minimum-viable policy structure, in plain language, that a founder or ops lead can adapt in an afternoon: 1. Approved tools — name the AI tools your team is allowed to use for work (e.g., Claude, ChatGPT Enterprise). Anything else requires the approver's sign-off first. 2. Who approves new tools — one named person, not a committee. 3. What never goes in — a short list: unredacted NRIC numbers, financial account details, health records, anything covered by a client NDA that specifically restricts third-party processing. 4. What needs redaction first — names and identifying details in documents used for drafting, analysis, or summarisation, unless the task specifically requires them. 5. Human check before it goes out — any AI-drafted content reaching a client, regulator, or the public gets read by a human before it's sent. 6. What to do if something goes wrong — who gets told, and within what timeframe, if AI output turns out to be wrong, biased, or a data handling mistake is discovered. 7. Review date — put a recurring calendar reminder, at minimum yearly, to reread this document and update it. That's a governance programme a 10-person company can run without a single new hire — and it directly covers the Governance & Risk dimension of our AI Readiness Audit.

When you actually need a full ISO 42001 or AI Verify programme

The one-page policy above covers the large majority of SME risk. It stops being enough when: a client's procurement or legal team specifically asks for ISO/IEC 42001 alignment or an AI Verify report as a condition of the contract; you're bidding for a government tender that names either framework; you're building AI-enabled software you plan to sell into regulated buyers (financial services, healthcare, government); or you've had an actual data incident and need to demonstrate a remediated process to a regulator or client. At that point, the right move is a proper gap assessment against the specific framework being asked for — not a bigger version of the one-page policy.

Frequently asked questions

Do Singapore SMEs need to comply with the EU AI Act?

Only if you place an AI system on the EU market, offer it to users in the EU, or your AI system's output is used in the EU — extraterritorial reach is a real feature of the Act. Most Singapore SMEs serving only local or regional clients aren't in scope. But if you build or resell software that EU customers use, check the Act's risk-tiering (unacceptable/high-risk/limited/minimal risk) with a lawyer rather than assuming you're exempt.

Is ISO/IEC 42001 certification worth it for a small business?

Usually not on its own merits — certification costs (external audit, documentation, ongoing surveillance audits) rarely pencil out for a 10–50 person company with no external mandate. It becomes worth pursuing when a client, government tender, or partner explicitly requires it, or when you're selling AI-enabled software into enterprise or regulated buyers who ask for it during procurement. Short of that, borrow the standard's structure (documented AI risk process, defined roles, review cadence) without paying for certification.

What's the difference between IMDA's Model AI Governance Framework and AI Verify?

The Model AI Governance Framework is the policy document — principles and guidance for how organisations should think about AI governance (explainability, transparency, fairness, human-centricity). AI Verify is the operational testing framework that turns those principles into 11 measurable governance principles, roughly 85 testable criteria, and technical test toolboxes that produce an actual governance report. Think of the Model Framework as the 'what' and AI Verify as the 'how you'd prove it.'

Can our team paste client data into ChatGPT or Claude?

Only with a policy that answers three questions first: what counts as personal or confidential data at your firm, whether your AI tool's terms of service allow you to opt out of your inputs being used for model training, and whether you're redacting identifiers before anything sensitive goes in. PDPA doesn't ban using AI tools — it requires you to have thought this through and be able to show you have, which is exactly what a one-page policy is for.

What should a minimum AI usage policy cover?

At minimum: what data categories are off-limits or require redaction first, which AI tools are approved for use, who owns the decision to approve a new tool, what staff must check before trusting AI output (especially for anything client-facing or numeric), and who to tell if something goes wrong. See the one-page template in this guide.

Want to Apply This to Your Business?

We're a Singapore AI development and automation agency. Let's discuss how we can help solve your specific challenges.