Agentic AI Governance — How Smartflow conforms, control-by-control, to Singapore IMDA's Model AI Governance Framework for Agentic AI. Browse all docs →
Agentic AI Governance

Governing Agentic AI, by Design

Singapore's IMDA published a Model AI Governance Framework for Agentic AI. Smartflow maps to all eight of its governance dimensions with concrete, enforced controls — verifiable agent identity, deterministic enforcement, a tamper-evident audit chain, a gateway kill switch, human-oversight analytics, and cross-boundary taint tracking.

Audience
CISO · Compliance · AI Governance
Framework
IMDA Agentic AI Governance
Aligns with
EU AI Act · NIST AI RMF · ISO 42001
Coverage
8 of 8 dimensions

Why Agentic Governance Is Different

For governance and risk leaders

A chatbot answers a question. An agent takes an action — it calls tools, moves money, edits records, and spins up other agents to do the same. The moment AI stops talking and starts acting, the governance question changes from "was the answer appropriate?" to "who authorised this action, could it be reversed, and can we prove what happened?"

Singapore's IMDA framework is the first major regulator-published rulebook written specifically for that shift. Smartflow was built as a deterministic governance gateway from day one, so the framework reads less like a gap list and more like a feature map. This page walks each of its eight dimensions and shows the exact Smartflow control that satisfies it.

The framework's core insight is that agentic risk is not primarily a model-quality problem — it is an identity, authority, and accountability problem. Three questions sit underneath every requirement:

  1. Is every agent action attributable to a uniquely identified, cryptographically verifiable agent — and to the human accountable for it?
  2. Are limits enforced deterministically, by design, rather than asked for politely in a prompt?
  3. When something goes wrong, can you interrupt it and prove the history afterward?
IMDA Agentic AI Framework EU AI Act Art. 12 & 14 NIST AI RMF ISO/IEC 42001 SOC 2 CC7

The Three Outcomes the Framework Is Driving Toward

IMDA organises agentic governance around three desired outcomes. Smartflow delivers each as a default property of the gateway, not as an add-on the customer has to assemble.

Make actions attributable
Every agent carries a verifiable identity tied to a human and a department; every action is stamped, scoped, and recorded.
Shipped
Make humans meaningfully accountable
Approvals at significant checkpoints, fail-closed defaults, and analytics that prove oversight is real rather than ceremonial.
Shipped
Keep control in human hands
Deterministic blocks, a gateway-wide emergency stop, and a tamper-evident record that survives the agents it governs.
Shipped

Conformance Scorecard

Eight governance dimensions, each mapped to the load-bearing Smartflow control that enforces it on the request path — not in a policy PDF, not in shadow mode, but as a default property of the gateway.

8/8
Dimensions enforced
100%
Mapped to shipping controls
T1–T3
Action-risk tiers on every call
3
Egress seams under one kill switch
# Governance dimension Smartflow control Status
1 Agent identity
Unique, cryptographically verifiable, accountable
AIDA agent credentials with Ed25519 verifiable identity, enforced inline on the proxy & MCP path; identities catalogued in AIBOM; issuance/revocation hash-chained. Shipped
2 Authorization scoping
Least-privilege, time-bound, non-transferable
Virtual-key allowlists, budgets & TTLs plus agent ⊂ human scope intersection and depth-capped, recorded recursive delegation chains. Shipped
3 Deterministic enforcement
Bound by design, not by prompt
System-level blocks (compliance, Maestro policy engine, Shield) on the request path with tier-aware fail-closed defaults. Shipped
4 MCP governance
Tool least-privilege, server whitelisting
MCP access control plus a trust-registry deterministic-deny gate; every tool call and every denial sealed into the audit chain. Shipped
5 Tamper-evident audit
Immutable record, incl. blocked actions
HMAC-chained VAS log (seq / prev_hash / key_id), blocked actions sealed, customer-runnable verify_chain. Shipped
6 Runtime & kill switch
Take agents offline, limit blast radius
Rate limits, circuit breakers, and a gateway-wide emergency stop (off / read-only / halt) across the proxy, MCP & A2A egress seams. Shipped
7 Human-oversight analytics
Audit the effectiveness of oversight
Override rate, median approval latency, and outlier-reviewer detection with rubber-stamping & automation-bias alerts. Shipped
8 Perimeter & A2A taint
Track data across trust boundaries
Perimeter egress classification and markers plus multi-hop taint-label propagation across agent-to-agent chains. Shipped
How to read this

Every control above runs on the default request path. The shared thread is determinism: Smartflow does not ask an agent to behave — it constrains what the agent is structurally able to do, records the attempt either way, and gives a human a single switch to stop everything.

The Eight Dimensions, in Detail

1 · Verifiable Agent Identity

The framework requires that each agent be uniquely identified, cryptographically verifiable, and accountable to the human or system on whose behalf it acts. Smartflow's AIDA (Agent Identity & Delegated Authority) layer issues each agent a credential bound to a principal — human, department, or supervising agent — and validates it inline on the proxy and MCP request path before any upstream call. Identity is verifiable by third parties via Ed25519 asymmetric signatures, and every issuance and revocation is written into the tamper-evident chain.

2 · Authorization Scoping

Authority must be scoped, least-privilege, time-bound and non-transferable — and, critically, an agent must never be granted more than the human authorising it actually holds. Smartflow computes an effective scope = agent ∩ human-authorised scope at request time, denies any escalation beyond the human's own permissions, and binds credential use to the issuing session rather than a bare bearer token. When an agent spins up a sub-agent, the delegation chain is recorded, depth-capped, and carried through agent-to-agent calls.

3 · Deterministic Enforcement

IMDA explicitly prefers deterministic limits, bound by design over instructions embedded in a prompt that a model may ignore. Smartflow enforces compliance rules, the Maestro policy engine, and Shield decisions as structural blocks on the request path. High-risk and irreversible actions fail closed by tier, so a control failure denies the action rather than letting it through with a warning.

4 · MCP Governance

Agents reach tools and systems through the Model Context Protocol. The framework calls for tool least-privilege, server whitelisting, and complete logging of agent-to-system interactions. Smartflow applies per-tool access control and a trust-registry deterministic-deny gate that refuses untrusted or unapproved servers before dispatch — and seals every call and every denial into the audit chain, so blocked attempts are auditable rather than dropped.

5 · Tamper-Evident Audit

The "Terminal 3" bar is an immutable record that includes blocked actions. Every request produces an HMAC-chained VAS log entry (seq, prev_hash, key_id); blocked actions are sealed too; and a customer-runnable verify_chain endpoint re-walks and cryptographically checks any range on demand. See the dedicated Tamper-Evident Audit Logs brief for the full design and an independent vendor comparison.

6 · Runtime Controls & the Kill Switch

When an agent misbehaves, an operator must be able to take it offline and limit the blast radius. Smartflow ships a gateway-wide emergency stop — "the red button" — with three modes (off / read-only / halt) enforced uniformly across the LLM, MCP, and agent-to-agent egress seams. The stop is scoped by action-risk tier (read-only allows reversible reads while blocking partially- or irreversible actions), propagates fleet-wide within a single request cycle, and each engage/disengage is itself sealed into the audit chain.

GET/api/admin/emergency-stopCurrent mode + who engaged it
POST/api/admin/emergency-stopEngage / disengage (off · read-only · halt)
GET/api/oversight/summaryHuman-oversight effectiveness metrics

7 · Human-Oversight Analytics

The framework asks organisations to audit the effectiveness of human oversight — because an approval queue where humans approve everything in two seconds is theatre, not control. Smartflow computes override rate (the rubber-stamping signal), median approval latency (the automation-bias signal), and flags outlier reviewers whose patterns deviate from their peers, raising alerts when oversight stops being meaningful.

8 · Perimeter & Cross-Boundary Taint

Data that crosses a trust or organisational boundary must be tracked. Smartflow classifies and marks every egress at the perimeter, and propagates multi-hop taint labels across agent-to-agent chains so that sensitive data carried through a sequence of agents remains traceable to its origin.

The Foundation: an Action-Risk Taxonomy

Underneath all eight dimensions is a single shared vocabulary. Smartflow classifies every action into one of three deterministic risk tiers, scored by severity × reversibility × oversight-feasibility:

T1 · Reversible
Read-only or trivially undone. Flows freely; still recorded. Permitted under a read-only emergency stop.
T2 · Partially reversible
Recoverable with effort. Subject to approval checkpoints and fail-closed defaults; blocked under read-only/halt.
T3 · Irreversible
Cannot be undone. Strongest controls — fails closed by default; emergency-stop events are themselves T3.

Because every call carries its tier, the same taxonomy drives fail-closed defaults, the kill switch's read-only scoping, and the agent-⊂-human binding — one classifier, consistently applied across the whole gateway.

Beyond IMDA: One Control Set, Many Frameworks

The same controls that satisfy the IMDA dimensions map directly onto the agentic-relevant clauses of the other major frameworks regulated buyers care about. Governance is not eight separate projects — it is one enforced control plane, evidenced many ways.

FrameworkAgentic-relevant expectationSmartflow evidence
IMDA Agentic AIIdentity, accountability, human control across 8 dimensionsThis scorecard — 8 of 8 enforced
EU AI Act Art. 12 / 14Record-keeping & human oversightHMAC audit chain + oversight analytics + kill switch
NIST AI RMFMap / Measure / Manage agent riskAction-risk tiering + measured oversight + deterministic manage controls
ISO/IEC 42001AI management-system controls & traceabilityPolicy engine, AIBOM identity catalogue, tamper-evident trail
SOC 2 CC7Detect & respond to anomaliesVerifier endpoint, oversight alerts, sealed denials

Questions to Ask Any Agentic Platform

If agent governance is on your evaluation scorecard, these are the questions worth asking every vendor — including us:

  1. Is each agent's identity cryptographically verifiable by a third party, or just an opaque API key?
  2. Can an agent ever be granted more authority than the human who authorised it?
  3. Are high-risk and irreversible actions enforced deterministically, or merely discouraged in a prompt?
  4. Is there one switch that halts all agent egress — LLM, tools, and agent-to-agent — and is using it itself audited?
  5. Can you prove the audit log was not altered, including records of blocked actions?
  6. Do you measure whether human approval is meaningful, or just that it happened?
  7. When data flows through a chain of agents, can you trace where it originated?
Want the control-by-control walkthrough?

This page is the executive view. The engineering teams behind procurement and audit can request the full requirement-by-requirement mapping with code evidence. Reach the team via aperion.ai.

SA
Scott Ancheta
CTO, Aperion
25 years in enterprise software architecture, advanced networking, and AI infrastructure. Scott leads product and engineering at Aperion, where the focus is making agentic AI safe, accountable, and auditable for regulated industries without sacrificing developer velocity.