By Vince Chew, CEO of Evvo Labs | 2026-06-11 | Pillar: AI Strategy & Governance
The 2026 Reality
If you operate an enterprise in 2026 that builds, buys, or deploys AI in any meaningful sense, you are now subject to at least three distinct AI governance regimes — whether or not you have a single AI policy on the books. Singapore published the world’s first Agentic AI governance framework in January 2026. The European Union’s AI Act is now law, with full high-risk conformity obligations taking effect on 2 August 2026. The United States, despite having no single federal AI law, has produced a stack of frameworks — NIST AI RMF 1.0, the White House OMB AI memoranda (M-24-10 and its 2025 successor M-25-21), sector-specific SEC and FTC guidance, and procurement-grade requirements from the GSA — that have collectively become the de facto baseline that regulators, insurers, and M&A lawyers expect to see.
The problem is no longer whether AI governance exists. It is that the frameworks are complementary, overlapping, jurisdictionally specific, and increasingly mandatory in different ways. Boards and C-suites are being asked to make strategic AI commitments without a clear map of which framework applies to which line of business, which requires which kind of audit, and which produces which kind of customer or regulatory expectation.
This is a practitioner’s comparison, not a policy essay. It is written for executives who need to make capital allocation, build-vs-buy, and audit-readiness decisions in the next two quarters.
The Five Frameworks That Define the Field
There are five frameworks that any multinational AI operator in 2026 must understand. Three are regulatory or quasi-regulatory, one is an international standard, and one is a model framework. They are not in competition — they are in conversation. Most enterprises end up running more than one at the same time.
| Framework | Issuing Body | Status | Focus | Certifiable? |
|---|---|---|---|---|
| EU AI Act (Regulation (EU) 2024/1689) | European Parliament and Council | Binding regulation; in force 1 Aug 2024, high-risk obligations from 2 Aug 2026 | Risk-tiered regulation of AI systems placed on or used in the EU market | No (conformity assessment instead) |
| NIST AI RMF 1.0 | NIST (US) | Voluntary framework, January 2023 | Organising AI risk management: Govern, Map, Measure, Manage | No |
| ISO/IEC 42001:2023 | ISO/IEC | International standard, December 2023 | AI management system (Plan-Do-Check-Act) | Yes (third-party certification) |
| Singapore MGAF for Agentic AI | PDPC / IMDA | Voluntary model framework, January 2026 | Governance of autonomous AI agents | No |
| OMB M-24-10 | US Office of Management and Budget | Federal mandate for executive agencies, March 2024 (superseded by M-25-21 in April 2025) | CAIOs, impact assessments, minimum practices for rights- and safety-impacting AI | No |
Two more warrant attention for context. The OECD AI Principles (updated 2024, adopted by 46+ countries) provide the value-level vocabulary that all five frameworks draw on. IEEE 7000-2021 and the wider IEEE 7000 series address ethical system design and show up in supply-chain requirements in some regulated industries.
1. The EU AI Act: The Only Binding One
The EU AI Act is the only one of the five that is law with teeth. It entered into force on 1 August 2024, with prohibited-practice provisions applying from 2 February 2025 and full high-risk obligations from 2 August 2026. Non-compliance carries fines of up to 7% of global annual turnover or €35 million, whichever is higher.
The Act is extraterritorial. It applies to any organisation that places an AI system on the EU market, regardless of where the organisation is headquartered, and to any output used in the EU — meaning a Singapore-based company with European customers, employees, or beneficiaries is in scope. This is the same reach model as GDPR, and it has the same forcing function.
The Act uses a four-tier risk classification:
- **Unacceptable risk (prohibited)** — social scoring, real-time remote biometric identification in publicly accessible spaces for law enforcement (subject to narrow exceptions), exploitation of the vulnerabilities of specific groups, and emotion inference in the workplace and in education.
- **High risk (strict requirements)** — AI in employment, education, critical infrastructure, law enforcement, essential services, and any safety component of regulated products. Requires conformity assessment, a risk management system, data governance, technical documentation, record-keeping (automatic logging), accuracy, robustness and cybersecurity requirements, post-market monitoring, and human oversight.
- **Limited risk (transparency obligations)** — chatbots, emotion recognition outside the prohibited settings, deepfakes. Must disclose AI involvement to users.
- **Minimal risk** — spam filters, AI-powered games, inventory management. No specific obligations.
What this means in practice: if you build or deploy an AI system that touches hiring, credit, healthcare triage, biometric identity, or critical infrastructure, you need a conformity assessment, a quality management system, registration of the system in the EU database for high-risk AI (for the Annex III use cases), a post-market monitoring plan, and a serious-incident reporting process, all in place by 2 August 2026. Enforcement is not theoretical: the EU AI Office is operational and the first investigations are underway.
What this costs: the price tag for a serious EU AI Act compliance programme runs from €250,000 for a small high-risk use case to several million euros for a complex, multi-product, multi-jurisdictional deployment. Most enterprises underestimate the documentation and post-market monitoring requirements — those are where the budget overruns come from.
2. NIST AI RMF: The De Facto Global Baseline
The NIST AI Risk Management Framework (AI RMF 1.0), published in January 2023, is technically a voluntary framework: NIST produced it under a Congressional mandate, but no US law requires any organisation to adopt it. In practice, it is the most-cited governance vocabulary in the world. UK and EU organisations — particularly in financial services and critical infrastructure — reference it as the structured language for AI risk management. The four-function structure (Govern, Map, Measure, Manage) has become common shorthand in governance documentation across the G7.
NIST’s strength is that it is principle-based and adaptable. It does not tell you what counts as a “high-risk” system — that comes from your regulatory context. It tells you how to organise the work of identifying, assessing, and managing whatever risks you face. For a US company that does not yet have EU exposure, NIST AI RMF is the right starting point. For a multinational, it is the internal operating layer that you map onto more specific regulatory requirements.
NIST is also the framework most likely to be demanded by counterparties without any law requiring it. The US GSA Schedule contracts increasingly require RMF alignment. Major US insurers are starting to require it for cyber liability coverage. M&A due-diligence questionnaires routinely ask for RMF documentation. Outside the US, the equivalent “show me your AI governance programme” question typically expects to see RMF-style artefacts.
NIST released several companion documents in 2024 and 2025, most notably the Generative AI Profile (NIST AI 600-1, July 2024) and a workstream on agentic AI, that extend the core framework to the specific risk surfaces of modern AI deployments.
3. ISO/IEC 42001:2023: The Certifiable One
ISO/IEC 42001, published in December 2023, is the world’s first AI management system standard. It is the AI counterpart to ISO 27001 (information security) and ISO 9001 (quality). It applies the Plan-Do-Check-Act methodology through 10 structured clauses, and — critically — it is certifiable. A qualified third-party auditor can issue an ISO 42001 certificate that you can show to customers, regulators, and acquirers.
The critical distinction for organisations navigating the EU AI Act is this: ISO 42001 certification does not constitute EU AI Act compliance. What ISO 42001 provides is the management system infrastructure — documented processes, governance structures, audit mechanisms, and controls — that makes EU AI Act compliance demonstrable and sustainable. If you are an EU high-risk AI provider, ISO 42001 is the right foundation; you then layer the EU’s specific conformity requirements on top.
For non-EU organisations, ISO 42001 is increasingly appearing as a supply-chain requirement — particularly in regulated industries where third-party AI suppliers must demonstrate governance maturity. Several major financial-services and pharmaceutical companies now require ISO 42001 certification (or a credible roadmap to it) from any AI vendor they procure.
Adoption signal: as of Q2 2026, Singapore has adopted ISO 42001 as a national standard, published through the AITC as SS ISO/IEC 42001:2024, the first international AI standard that Singapore has republished as a Singapore Standard. This is a strong signal that ISO 42001 will become the de facto certification standard across Southeast Asia.
4. Singapore MGAF for Agentic AI: The First of Its Kind
The Model AI Governance Framework for Agentic AI, launched in January 2026 by Singapore’s Personal Data Protection Commission (PDPC) in collaboration with IMDA, is the world’s first comprehensive governance guidance specifically designed for autonomous AI agents. This matters because the existing frameworks — EU AI Act, NIST AI RMF, ISO 42001 — were not designed for agentic systems. Singapore has filled a gap that the rest of the world is now scrambling to close.
The framework addresses four core dimensions:
- **Assessing and bounding risks upfront.** Organisations must conduct thorough risk assessments before deploying agentic AI, defining clear boundaries for agent behaviour, tool access, and decision-making authority. This includes establishing risk thresholds that trigger human review.
- **Ensuring meaningful human accountability.** The framework calls for clear chains of responsibility for agentic AI actions. Organisations must designate accountable parties for agent behaviour and maintain governance structures that can respond to agent failures or unexpected behaviours.
- **Implementing technical controls.** Technical safeguards must be embedded within agentic systems — access controls, audit logging, behavioural monitoring, and automated policy enforcement mechanisms.
- **Enabling end-user responsibility.** Where agentic AI interfaces with external users or customers, appropriate transparency and control mechanisms must ensure users understand they are interacting with autonomous systems.
The framework is voluntary. But Singapore has a track record of voluntary frameworks becoming procurement-grade requirements (the Singapore Cyber Trust Mark is the most recent example: voluntary at launch, de facto mandatory for many government and enterprise tenders within 18 months). The PDPC’s MGAF for Agentic AI is likely to follow the same arc.
The strategic reading: if you deploy AI agents in any jurisdiction, the Singapore MGAF is the most directly relevant governance document currently in existence. It is also the document most likely to be cross-referenced by MAS, CSA, and IMDA in their supervisory guidance over the next 12 months. Aligning with it now is cheap; retrofitting in 2027 will be expensive.
5. OMB M-24-10: The US Federal Mandate
OMB Memorandum M-24-10 (March 2024) was the US federal government’s first AI governance mandate for executive agencies. It required agencies to designate a Chief AI Officer (CAIO), conduct AI impact assessments, implement minimum practices for rights- and safety-impacting AI, and report AI use cases annually. One caveat practitioners should know: OMB rescinded M-24-10 in April 2025 and replaced it with M-25-21, which keeps the CAIO role, the annual use-case inventory, and the minimum risk-management practices (now framed around “high-impact AI”), so read the requirements described here against the current memo. Neither memo applies directly to private-sector organisations, but both apply directly to any private-sector company that sells AI to the US federal government, which is a much larger set of companies than most executives realise.
The practical effect is that the OMB requirements have become a procurement-grade baseline for federal contracting. If your AI product cannot meet CAIO-style impact-assessment and minimum-practices requirements, you cannot sell into the US federal market — a market that, even excluding defence and intelligence, runs to tens of billions of dollars in annual AI procurement.
The Strategic Sequencing Question
The most common question we get from C-suite clients is: “Which one do I start with?” The answer depends on your footprint, but the pattern is consistent.
| Profile | Start with | Layer next | Certify when |
|---|---|---|---|
| US footprint, no EU exposure yet | NIST AI RMF as the internal operating layer | EU AI Act high-risk requirements if EU exposure arises | ISO 42001 when a customer, acquirer, or regulator asks for it |
| Multinational with EU high-risk exposure | NIST AI RMF as the internal operating layer | EU AI Act conformity, in place by 2 August 2026 | ISO 42001 as the management-system foundation, targeted within 18–24 months |
| Builder or deployer of autonomous agents (any jurisdiction) | Singapore MGAF for Agentic AI as the design specification, with NIST AI RMF | EU AI Act if the agent touches a high-risk use case | ISO 42001 when a counterparty asks for it |
| Seller into the US federal market | OMB minimum practices and CAIO-style impact assessments | NIST AI RMF | ISO 42001 when a counterparty asks for it |
The “optimal sequence” question has a defensible default answer: start with NIST AI RMF for internal alignment, layer EU AI Act compliance on top of the high-risk requirements if you have EU exposure, and pursue ISO 42001 certification when a customer, acquirer, or regulator asks for it. Singapore MGAF is the add-on for any organisation building or deploying autonomous agents.
The Investment Case for Governance
A common board-level question is: what does good AI governance actually buy us? The honest answer is four things, in descending order of CFO-friendliness:
- **Reduced regulatory fine exposure.** EU AI Act fines scale to 7% of global revenue. The math on AI governance investment versus avoided fines favours the investment by several orders of magnitude.
- **Procurement and customer-trust premium.** ISO 42001 certification, Singapore Cyber Trust Mark certification, and demonstrable RMF alignment are increasingly required to compete for enterprise and government contracts. The companies that have these move faster in the sales cycle.
- **Insurance and M&A positioning.** US cyber liability insurers are now asking for RMF documentation as a precondition for coverage. M&A due diligence on AI-enabled targets increasingly includes a governance review. Operating without an audit-ready governance programme is now a valuation drag.
- **Incident response speed.** The companies with mature AI governance recover from AI incidents 3–5× faster than those without, because the response process is documented, the accountable parties are pre-named, and the audit trail is already in place.
The investment case is not theoretical. The market is signalling: the companies that do not invest in audit-ready AI governance will find themselves locked out of the most attractive segments of the market within 24 months.
What This Means for Your 2026–2027 Plan
Three execution priorities for the next two quarters:
First, run a framework diagnostic against your actual AI footprint. Map every AI system you build, buy, or deploy against the five frameworks. Identify which systems are high-risk under the EU AI Act. Identify which are agentic and subject to the Singapore MGAF. Identify which counterparty relationships demand ISO 42001. This exercise is the foundation for everything else.
Second, appoint single-threaded ownership. The single biggest failure mode we see in client AI governance programmes is distributed ownership. The EU AI Act expects a single “provider” entity. NIST AI RMF expects a defined “AI risk function.” ISO 42001 expects a top-management-sponsored governance body. Without a named owner with budget and authority, the programme stalls.
Third, sequence certification deliberately. Most organisations should target ISO 42001 certification within 18–24 months and EU AI Act conformity by 2 August 2026 if they have high-risk exposure. The Singapore MGAF should be adopted as the design specification for any agentic AI system in development or production today. The NIST AI RMF should be the internal vocabulary and operating layer that ties it all together.
Closing
The 2026 AI governance landscape is dense, complementary, and increasingly mandatory in different ways. The frameworks are not in competition. The companies that will lead the next phase of enterprise AI deployment are the ones that stop treating governance as a compliance cost and start treating it as operational infrastructure — the foundation that lets them move faster, sell into harder markets, recover from incidents cleanly, and earn the trust of customers, regulators, and capital providers.
The frameworks exist. The certifications are achievable. The expertise to operationalise them is available in the market. The question is no longer whether to invest in AI governance — it is how fast you can build the muscle.
Vince Chew is CEO of Evvo Labs and an advisor to boards and CXOs across Southeast Asia on AI strategy, cybersecurity governance, and operational resilience. Infinite Value Ventures is Evvo Labs’ enterprise advisory practice. To discuss an AI governance diagnostic or framework-mapping engagement for your organisation, contact us.
Methodology note: This brief draws on the EU AI Act (Regulation (EU) 2024/1689), NIST AI RMF 1.0 and the Generative AI Profile, ISO/IEC 42001:2023 (and its Singapore Standard counterpart SS ISO/IEC 42001:2024), the Singapore PDPC MGAF for Agentic AI (January 2026), US OMB M-24-10 and its successor M-25-21, and the OECD AI Principles. Where market sizing or adoption data is cited, the source is listed in the references section below.
References
- European Parliament and Council of the European Union. (2024). *Regulation (EU) 2024/1689 (Artificial Intelligence Act)*. Official Journal of the European Union.
- NIST. (2023). *Artificial Intelligence Risk Management Framework (AI RMF 1.0)*. NIST AI 100-1.
- NIST. (2024). *Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile*. NIST AI 600-1.
- ISO/IEC. (2023). *ISO/IEC 42001:2023 — Information technology — Artificial intelligence — Management system*.
- PDPC Singapore & IMDA. (2026). *Model AI Governance Framework for Agentic AI*.
- US Office of Management and Budget. (2024). *M-24-10 — Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence*.
- US Office of Management and Budget. (2025). *M-25-21 — Accelerating Federal Use of AI through Innovation, Governance, and Public Trust*.
- OECD. (2024). *Recommendation of the Council on Artificial Intelligence (updated AI Principles)*.
- AITC Singapore. (2024). *SS ISO/IEC 42001:2024 — Singapore Standard adoption of ISO/IEC 42001*.
- Mordor Intelligence. (2026). *Singapore Cybersecurity Market — 2026–2031 Outlook*.
- Cloud Security Alliance. (2026). *Sub-4-Hour Weaponization of Agentic AI Frameworks* (CVE analysis).
