Singapore AI Verify in 2026: Implementation Notes for ASEAN Buyers

Singapore's AI Verify is an open-source AI governance testing framework released in May 2022 by the Infocomm Media Development Authority (IMDA) and Personal Data Protection Commission (PDPC), then transferred to the AI Verify Foundation in June 2023. The 2024-2026 evolution added a Generative AI Evaluation Sandbox (Project Moonshot), the Model AI Governance Framework for GenAI (May 2024), and explicit crosswalks to NIST AI RMF, ISO/IEC 42001, and the EU AI Act. ASEAN enterprise buyers now treat AI Verify alignment as procurement table stakes. Source: AI Verify Foundation, May 2024. Updated 2026-05-20.

AI Verify is two things that are often conflated: a governance framework and a testing toolkit. Both matter, and both are now required when ASEAN enterprises evaluate AI vendors. The framework defines 11 internationally accepted AI ethics principles organised under five pillars (transparency, explainability, repeatability and reproducibility, safety and resilience, fairness, data governance, accountability and human agency, inclusive growth and societal wellbeing, environmental sustainability, robustness, security). The toolkit converts those principles into automated technical tests plus structured process checks.

The history matters because it explains the trajectory. AI Verify launched at the World Economic Forum 2022 as a pilot. In June 2023, Singapore transferred AI Verify to the AI Verify Foundation, a non-profit jointly governed by industry and government with founding members including Google, Microsoft, IBM, Salesforce, IMDA, and the Monetary Authority of Singapore. The transfer signalled that AI Verify is now a multi-stakeholder international initiative rather than a purely national programme. Per the AI Verify Foundation's 2024 annual report, the foundation has grown to over 100 corporate members across 20 countries.

The strategic takeaway is that AI Verify is the most likely template for ASEAN-wide AI governance practice, has the strongest crosswalks to other major frameworks (NIST AI RMF, ISO/IEC 42001, EU AI Act, OECD AI Principles), and is genuinely open source, which makes it the most procurement-friendly framework currently available. Companies selling into Singapore, Malaysia, Indonesia, the Philippines, Thailand, and Vietnam are increasingly being asked for AI Verify test reports alongside the usual SOC 2 and ISO certifications. See our Singapore agentic AI governance guide for the deeper context.

The AI Verify framework is structured to be readable by lawyers and operable by engineers, which is unusual and is why it has traction.

In May 2024, the AI Verify Foundation and IMDA published the Model AI Governance Framework for Generative AI (MGF-GenAI), a major evolution of the original 2019 Model Framework. The MGF-GenAI is structured around nine dimensions: accountability, data, trusted development and deployment, incident reporting, testing and assurance, security, content provenance, safety and alignment research, and AI for public good. It is the most explicit ASEAN guidance on generative AI to date and is referenced in MAS (Monetary Authority of Singapore) AI guidance, MoH (Ministry of Health) clinical AI guidance, and the Singapore government's own internal AI use policies.

The practical implementation pattern: treat MGF-GenAI as the GenAI-specific overlay on AI Verify. Process checks expand to include content provenance evidence (e.g. C2PA-style watermarking, model output labelling), generative-specific incident reporting workflows (hallucination tracking, prompt injection detection), and supply-chain controls on model providers. Technical tests expand to include the Project Moonshot evaluation harness for prompt injection, bias, jailbreak resistance, and hallucination rate.

Per IMDA's 2024 MGF-GenAI launch documentation, the framework was developed in consultation with major model providers (OpenAI, Anthropic, Google, Meta) and is intentionally aligned with the NIST AI 600-1 Generative AI Profile (July 2024) and the EU AI Act GPAI rules. This is the alignment story buyers should expect their vendors to be able to articulate.

The single best argument for AI Verify is that one programme satisfies most of the documentation and testing obligations of the other major frameworks simultaneously. The crosswalks below are based on the AI Verify Foundation's published mapping documents plus our implementation experience.

The strategic implication: an enterprise that adopts AI Verify as its operational framework can produce evidence for NIST AI RMF, ISO/IEC 42001 certification, and EU AI Act high-risk system documentation with marginal additional effort. The Areebi NIST AI RMF and EU AI Act compliance hubs walk through the platform mappings that make this practical.

For ASEAN enterprises adopting AI Verify in 2026, the rollout that consistently lands inside 12 weeks looks like this.

Weeks 1-2 - Governance setup. Charter an AI Governance Committee with representation from Legal, Privacy, Security, Data Science, and the business unit owners of the highest-impact AI use cases. Name an accountable executive (typically the CISO or Chief Data Officer in ASEAN structures). Adopt the 11 AI Verify principles formally and publish an AI Acceptable Use Policy that names AI Verify as the governing framework.

Weeks 3-4 - System inventory and risk tiering. Inventory all AI systems in scope. Tier each system by impact (high, medium, low) using the MGF-GenAI risk dimensions. For each high-impact system, identify the named risk owner, the dataset provenance, the model lineage, and the affected stakeholder groups. Our AI vendor list guide covers the vendor side of this inventory.

Weeks 5-7 - Process check evidence. Assemble the AI Verify process check evidence pack: governance documents, model documentation (model cards), dataset documentation (datasheets for datasets), change logs, training and competency records, incident response procedures, and stakeholder engagement records. The Areebi audit log and policy engine automate the majority of this evidence; manual evidence is concentrated in governance and stakeholder records.

Weeks 8-10 - Technical testing. Run the AI Verify Testing Framework Toolkit against high-impact models. For GenAI systems, run Project Moonshot evaluations covering prompt injection, hallucination rate, bias, and jailbreak resistance. Document baseline scores, target thresholds, and remediation plans for any failures. The technical test layer feeds the MEASURE function of NIST AI RMF and the residual risk evidence required by Article 9 of the EU AI Act.

Weeks 11-12 - Internal report and external attestation. Compile the AI Verify report. Where the company is selling into MAS-regulated, MoH-regulated, or Singapore government markets, prepare the report in the format expected by the regulator. Optional: submit the report for AI Verify Foundation peer review or community validation. At Areebi, we publish a quarterly summary of our own AI Verify-aligned controls so enterprise buyers can include it in their procurement evidence packs.

Between 2024 and 2026, ASEAN procurement questionnaires shifted from generic security questions to a specific set of AI Verify-aligned questions. The five that show up most often are below; vendors that cannot answer them in writing now lose competitive deals in Singapore, Indonesia, Malaysia, and the Philippines.

1. Which of the 11 AI Verify principles does your product address, and what is your evidence? Expect a principle-by-principle mapping with citations to internal controls and test results.
2. What process checks have you completed against the AI Verify Foundation toolkit? Expect either a self-attestation pack or, ideally, peer-reviewed validation.
3. For your GenAI features, what technical evaluations have you run from Project Moonshot or equivalent harnesses? Expect prompt-injection, hallucination, bias, and jailbreak scores with date stamps and target thresholds.
4. How does your AI Verify evidence crosswalk to NIST AI RMF, ISO/IEC 42001, and the EU AI Act? Expect a crosswalk table similar to the one above, ideally aligned with the AI Verify Foundation published mappings.
5. What is your incident reporting commitment under MGF-GenAI? Expect a written commitment to notify customers of AI-specific incidents (hallucination at scale, prompt injection exploits, bias drift) within a defined window.

Vendors that pass these questions consistently win ASEAN enterprise deals at premium prices. Vendors that ignore them are increasingly excluded from RFP shortlists in Singapore and Malaysia in particular.

Three implementation patterns to avoid.

Pitfall 1: Treating AI Verify as a one-off certification rather than an operating discipline. AI Verify is designed for continuous evidence generation. Teams that run it as a one-time exercise produce a static report that ages out within months, then have to rebuild from scratch at the next procurement event. Avoid this by tying AI Verify process checks to the operational workflows that already exist (incident management, change control, model release, vendor onboarding) so the evidence is generated as a byproduct.

Pitfall 2: Skipping the process checks and running only the technical tests. Engineering teams gravitate to the toolkit because it is automatable. Process checks are then deferred and never completed. Auditors and procurement teams asking for AI Verify reports expect both. Avoid this by assigning process check ownership to the AI Governance Committee with a defined evidence pipeline.

Pitfall 3: Confusing AI Verify with PDPC Personal Data Protection Act (PDPA) compliance. They are related but distinct. PDPA is Singapore's privacy law and is mandatory; AI Verify is a voluntary AI governance framework that addresses AI-specific concerns beyond personal data. ASEAN compliance programmes need both. Per PDPC's 2024 Advisory Guidelines on the Use of Personal Data in AI Recommendation and Decision Systems, AI systems processing personal data have explicit PDPA obligations layered on top of any AI Verify alignment.

To complete an ASEAN AI governance reading set, work through these in order.

• Singapore agentic AI governance - the deeper analysis of Singapore's emerging agentic AI guidance and how it intersects with AI Verify.
• NIST AI RMF hub - the canonical Areebi reference for the framework that AI Verify maps most cleanly to.
• ISO/IEC 42001 certification guide - the management system standard that pairs with AI Verify for evidence depth.
• EU AI Act compliance hub - the regulatory framework with the strongest interoperability story with AI Verify in 2026.
• AI vendor list for CFOs - the procurement-side artefact that pairs with the AI Verify evidence pack.

• AI Verify Foundation - Official AI Verify framework, toolkit, and Project Moonshot documentation. aiverifyfoundation.sg
• IMDA Model AI Governance Framework for Generative AI - May 2024 release, including the nine dimensions. imda.gov.sg
• PDPC Advisory Guidelines on Use of Personal Data in AI Recommendation and Decision Systems - March 2024 release covering PDPA obligations for AI systems. pdpc.gov.sg
• OECD AI Policy Observatory - Singapore profile - Cross-jurisdiction view of Singapore's AI governance approach. oecd.ai/en/dashboards/countries/Singapore
• NIST AI 600-1 Generative AI Profile - July 2024, the US reference profile that AI Verify aligns with on GenAI. airc.nist.gov