Why Agentic Governance Is Different
A chatbot answers a question. An agent takes an action — it calls tools, moves money, edits records, and spins up other agents to do the same. The moment AI stops talking and starts acting, the governance question changes from "was the answer appropriate?" to "who authorised this action, could it be reversed, and can we prove what happened?"
Singapore's IMDA framework is the first major regulator-published rulebook written specifically for that shift. Smartflow was built as a deterministic governance gateway from day one, so the framework reads less like a gap list and more like a feature map. This page walks each of its eight dimensions and shows the exact Smartflow control that satisfies it.
The framework's core insight is that agentic risk is not primarily a model-quality problem — it is an identity, authority, and accountability problem. Three questions sit underneath every requirement:
- Is every agent action attributable to a uniquely identified, cryptographically verifiable agent — and to the human accountable for it?
- Are limits enforced deterministically, by design, rather than asked for politely in a prompt?
- When something goes wrong, can you interrupt it and prove the history afterward?
The Three Outcomes the Framework Is Driving Toward
IMDA organises agentic governance around three desired outcomes. Smartflow delivers each as a default property of the gateway, not as an add-on the customer has to assemble.
Conformance Scorecard
Eight governance dimensions, each mapped to the load-bearing Smartflow control that enforces it on the request path — not in a policy PDF, not in shadow mode, but as a default property of the gateway.
| # | Governance dimension | Smartflow control | Status |
|---|---|---|---|
| 1 | Agent identity Unique, cryptographically verifiable, accountable |
AIDA agent credentials with Ed25519 verifiable identity, enforced inline on the proxy & MCP path; identities catalogued in AIBOM; issuance/revocation hash-chained. | Shipped |
| 2 | Authorization scoping Least-privilege, time-bound, non-transferable |
Virtual-key allowlists, budgets & TTLs plus agent ⊂ human scope intersection and depth-capped, recorded recursive delegation chains. | Shipped |
| 3 | Deterministic enforcement Bound by design, not by prompt |
System-level blocks (compliance, Maestro policy engine, Shield) on the request path with tier-aware fail-closed defaults. | Shipped |
| 4 | MCP governance Tool least-privilege, server whitelisting |
MCP access control plus a trust-registry deterministic-deny gate; every tool call and every denial sealed into the audit chain. | Shipped |
| 5 | Tamper-evident audit Immutable record, incl. blocked actions |
HMAC-chained VAS log (seq / prev_hash / key_id), blocked actions sealed, customer-runnable verify_chain. |
Shipped |
| 6 | Runtime & kill switch Take agents offline, limit blast radius |
Rate limits, circuit breakers, and a gateway-wide emergency stop (off / read-only / halt) across the proxy, MCP & A2A egress seams. | Shipped |
| 7 | Human-oversight analytics Audit the effectiveness of oversight |
Override rate, median approval latency, and outlier-reviewer detection with rubber-stamping & automation-bias alerts. | Shipped |
| 8 | Perimeter & A2A taint Track data across trust boundaries |
Perimeter egress classification and markers plus multi-hop taint-label propagation across agent-to-agent chains. | Shipped |
Every control above runs on the default request path. The shared thread is determinism: Smartflow does not ask an agent to behave — it constrains what the agent is structurally able to do, records the attempt either way, and gives a human a single switch to stop everything.
The Eight Dimensions, in Detail
1 · Verifiable Agent Identity
The framework requires that each agent be uniquely identified, cryptographically verifiable, and accountable to the human or system on whose behalf it acts. Smartflow's AIDA (Agent Identity & Delegated Authority) layer issues each agent a credential bound to a principal — human, department, or supervising agent — and validates it inline on the proxy and MCP request path before any upstream call. Identity is verifiable by third parties via Ed25519 asymmetric signatures, and every issuance and revocation is written into the tamper-evident chain.
2 · Authorization Scoping
Authority must be scoped, least-privilege, time-bound and non-transferable — and, critically, an agent must never be granted more than the human authorising it actually holds. Smartflow computes an effective scope = agent ∩ human-authorised scope at request time, denies any escalation beyond the human's own permissions, and binds credential use to the issuing session rather than a bare bearer token. When an agent spins up a sub-agent, the delegation chain is recorded, depth-capped, and carried through agent-to-agent calls.
3 · Deterministic Enforcement
IMDA explicitly prefers deterministic limits, bound by design over instructions embedded in a prompt that a model may ignore. Smartflow enforces compliance rules, the Maestro policy engine, and Shield decisions as structural blocks on the request path. High-risk and irreversible actions fail closed by tier, so a control failure denies the action rather than letting it through with a warning.
4 · MCP Governance
Agents reach tools and systems through the Model Context Protocol. The framework calls for tool least-privilege, server whitelisting, and complete logging of agent-to-system interactions. Smartflow applies per-tool access control and a trust-registry deterministic-deny gate that refuses untrusted or unapproved servers before dispatch — and seals every call and every denial into the audit chain, so blocked attempts are auditable rather than dropped.
5 · Tamper-Evident Audit
The "Terminal 3" bar is an immutable record that includes blocked actions. Every request produces an HMAC-chained VAS log entry (seq, prev_hash, key_id); blocked actions are sealed too; and a customer-runnable verify_chain endpoint re-walks and cryptographically checks any range on demand. See the dedicated Tamper-Evident Audit Logs brief for the full design and an independent vendor comparison.
6 · Runtime Controls & the Kill Switch
When an agent misbehaves, an operator must be able to take it offline and limit the blast radius. Smartflow ships a gateway-wide emergency stop — "the red button" — with three modes (off / read-only / halt) enforced uniformly across the LLM, MCP, and agent-to-agent egress seams. The stop is scoped by action-risk tier (read-only allows reversible reads while blocking partially- or irreversible actions), propagates fleet-wide within a single request cycle, and each engage/disengage is itself sealed into the audit chain.
7 · Human-Oversight Analytics
The framework asks organisations to audit the effectiveness of human oversight — because an approval queue where humans approve everything in two seconds is theatre, not control. Smartflow computes override rate (the rubber-stamping signal), median approval latency (the automation-bias signal), and flags outlier reviewers whose patterns deviate from their peers, raising alerts when oversight stops being meaningful.
8 · Perimeter & Cross-Boundary Taint
Data that crosses a trust or organisational boundary must be tracked. Smartflow classifies and marks every egress at the perimeter, and propagates multi-hop taint labels across agent-to-agent chains so that sensitive data carried through a sequence of agents remains traceable to its origin.
The Foundation: an Action-Risk Taxonomy
Underneath all eight dimensions is a single shared vocabulary. Smartflow classifies every action into one of three deterministic risk tiers, scored by severity × reversibility × oversight-feasibility:
Because every call carries its tier, the same taxonomy drives fail-closed defaults, the kill switch's read-only scoping, and the agent-⊂-human binding — one classifier, consistently applied across the whole gateway.
Beyond IMDA: One Control Set, Many Frameworks
The same controls that satisfy the IMDA dimensions map directly onto the agentic-relevant clauses of the other major frameworks regulated buyers care about. Governance is not eight separate projects — it is one enforced control plane, evidenced many ways.
| Framework | Agentic-relevant expectation | Smartflow evidence |
|---|---|---|
| IMDA Agentic AI | Identity, accountability, human control across 8 dimensions | This scorecard — 8 of 8 enforced |
| EU AI Act Art. 12 / 14 | Record-keeping & human oversight | HMAC audit chain + oversight analytics + kill switch |
| NIST AI RMF | Map / Measure / Manage agent risk | Action-risk tiering + measured oversight + deterministic manage controls |
| ISO/IEC 42001 | AI management-system controls & traceability | Policy engine, AIBOM identity catalogue, tamper-evident trail |
| SOC 2 CC7 | Detect & respond to anomalies | Verifier endpoint, oversight alerts, sealed denials |
Questions to Ask Any Agentic Platform
If agent governance is on your evaluation scorecard, these are the questions worth asking every vendor — including us:
- Is each agent's identity cryptographically verifiable by a third party, or just an opaque API key?
- Can an agent ever be granted more authority than the human who authorised it?
- Are high-risk and irreversible actions enforced deterministically, or merely discouraged in a prompt?
- Is there one switch that halts all agent egress — LLM, tools, and agent-to-agent — and is using it itself audited?
- Can you prove the audit log was not altered, including records of blocked actions?
- Do you measure whether human approval is meaningful, or just that it happened?
- When data flows through a chain of agents, can you trace where it originated?
This page is the executive view. The engineering teams behind procurement and audit can request the full requirement-by-requirement mapping with code evidence. Reach the team via aperion.ai.