
ARC Framework: Singapore's Agentic Governance Milestone and the Next Architectural Step

Arjen Hendrikse · 6 min read

Aivance Analysis | Agentic AI Governance

Why ARC Matters for Regulated Sector Leaders Now

Singapore’s Agentic Risk and Capability (ARC) Framework is likely to become an important reference point for organisations building or governing agentic AI systems. Developed by GovTech Singapore in collaboration with CSA and IMDA, ARC has already begun appearing in Singapore’s broader governance ecosystem. It is cited in CSA’s Addendum on Securing Agentic AI and has been referenced in ministerial discussions around AI governance. For regulated sector organisations, that places it firmly in the category of frameworks that will shape architecture reviews and are likely to feature in structured conversations around agentic AI risk as sector-specific guidance continues to mature.

ARC answers an important set of governance questions. It also surfaces the next question organisations will need to solve.

What ARC Actually Does

ARC evaluates risk through three lenses: the components that make up an agent, the way agentic systems are designed, and the capabilities those systems are given. Of the three, the capability taxonomy is the framework’s most original contribution.

Capabilities in ARC are what a system can autonomously execute using its available tools and resources. They are organised across three categories. Cognitive capabilities cover planning and goal management, agent delegation, and tool use. Interaction capabilities span multimodal communication, official communications, business transactions, internet access, computer use, and programmatic interfaces. Operational capabilities cover code execution, file and data management, and system management.

This capability-based approach may prove to be the framework’s most enduring contribution. Governing internet search access as a capability, rather than policing individual search APIs, produces a governance surface that survives tool-level change. Dozens of different search APIs can all enable the same underlying capability, while a single tool can simultaneously enable multiple distinct capabilities. As MCP tooling evolves rapidly, capability-level governance scales in ways that tool inventories cannot.

ARC maps those capabilities to failure modes across three categories: agent failure through misalignment, poor performance, or unreliability; external manipulation through deliberate attacks that cause the agent to deviate; and tool or resource malfunction through failures, compromise, or inadequacy. Controls are tiered into Cardinal requirements that cannot be waived, Standard controls to be adopted or adapted meaningfully, and Best Practice considerations for high-risk systems. The full risk register covers 46 risks and 88 controls.

The architecture ARC describes moves through a clear chain: Capabilities to Risks to Controls. That chain is a substantial contribution to the Singapore governance landscape and the right starting point for any organisation seeking to govern agentic systems with rigour.

Where the Framework Is Intentionally Scoped

ARC is transparent about its own limits. The framework’s residual risk section acknowledges that no control list can anticipate every operational condition, that composite risks emerge from the interaction of two or more capabilities, and that continuous monitoring is needed to identify unexpected behaviours in production. These are not admissions of weakness. A well-constructed governance framework should say exactly this when being honest about what lies beyond specification.

The key distinction the framework itself creates, without attempting to resolve, is between specifying a control and verifying that it remains active. ARC is intentionally scoped to address the former. That scoping is appropriate. Frameworks do their best work when they define what governance requires. The question of how those requirements remain continuously true in production is an architectural question of a different kind.

The Enforcement and Evidence Layer

The practical consequence is that governance transitions from a design problem into an operational one.

Consider ARC’s hardest category. A Cardinal control is non-waivable. It specifies, for example, that input guardrails must be implemented to detect prompt injection in an internet-search-capable agent. That specification is precise and consequential.

A Cardinal control defines what must exist. It does not prove that it remains true.

What the specification does not do is continuously verify that the control remains active, correctly configured, and observable in production.

The specification and the verification are different artifacts requiring different infrastructure. Producing a signed-off Cardinal control checklist answers the design-time question. Answering the operational question, whether the resulting system behaves consistently with that assessment at scale and across edge cases, requires architecture that lives in the deployment pipeline rather than the risk register.

For organisations operating under MAS AIRG or comparable frameworks, this distinction is material. The enforcement layer determines what the system actually does. The evidence layer produces the continuous record that those constraints remain correctly configured. Stated as a chain: Principles → Capabilities → Risks → Controls → Enforcement → Evidence. ARC delivers the first four layers with genuine rigour. The question those layers raise, rather than settle, is what architecture operationalises the last two.
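A sketch of what the last two links of that chain can look like as a deployment-pipeline check, added here as an illustration and not taken from ARC or from Aivance. The tool names, the capability map, the control identifiers and the `sandboxed_execution` control are constructed assumptions; only the prompt-injection input guardrail for internet-capable agents comes from the article.

```python
import hashlib
import json

# Constructed tool-to-capability map: many tools can enable one capability,
# and one tool can enable several.
TOOL_CAPABILITIES = {
    "search_api_a": {"internet_access"},
    "search_api_b": {"internet_access"},
    "headless_browser": {"internet_access", "computer_use"},
    "python_runner": {"code_execution"},
}

# Controls required per capability. The first is the article's example; the
# second is a hypothetical placeholder, not an entry from ARC's register.
REQUIRED_CONTROLS = {
    "internet_access": {"input_guardrail_prompt_injection"},
    "code_execution": {"sandboxed_execution"},
}


def derive_capabilities(tools):
    """Union of capabilities the tools enable; unclassified tools fail closed."""
    unknown = [t for t in tools if t not in TOOL_CAPABILITIES]
    if unknown:
        raise ValueError(f"unclassified tools: {unknown}")
    return set().union(*(TOOL_CAPABILITIES[t] for t in tools))


def find_gaps(tools, active_controls):
    """Return sorted (capability, control) pairs that are required but not active."""
    gaps = []
    for cap in derive_capabilities(tools):
        for control in REQUIRED_CONTROLS.get(cap, set()):
            if not active_controls.get(control, False):
                gaps.append((cap, control))
    return sorted(gaps)


def evidence_record(agent, gaps, prev_hash, timestamp):
    """Hash-chained record, so later edits to the evidence log are detectable."""
    body = {"agent": agent, "gaps": gaps, "compliant": not gaps,
            "prev": prev_hash, "ts": timestamp}
    digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    return {**body, "hash": digest}
```

Swapping `search_api_a` for `search_api_b` leaves the required controls unchanged, while a tool that has not been classified stops the check instead of passing unexamined.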

What This Means for Organisations in Singapore’s Regulated Sectors

Organisations navigating agentic AI deployment in Singapore’s regulated sectors should work through an ARC assessment. The framework provides the most structured and Singapore-contextualised approach currently available for mapping capability risk in agentic systems, and it is likely to feature increasingly in structured conversations around agentic AI risk as sector guidance continues to develop.

Completing that assessment answers the design-time question rigorously. It produces a documented capability profile, a grounded risk register, and a set of tiered control specifications that represent a meaningful governance baseline.

The organisations positioned ahead of regulatory evolution are those treating that risk register as an input into enforcement architecture rather than as a terminal artifact.

MAS AIRG and IMDA’s governance guidance both point toward governance that is increasingly operational, measurable, and demonstrable rather than purely documentation-driven. ARC provides the structured foundation that enforcement architectures need to know what to enforce. The capability taxonomy names what the system can do. The control specifications define what must constrain it. Those are precisely the inputs that runtime governance infrastructure requires.

ARC as Input Layer

ARC may prove to be something more significant than a governance framework: the input layer for the next generation of agentic governance architectures. The capability taxonomy, the risk register, and the tiered control specifications are structured outputs that enforcement and monitoring systems can consume directly. The question of whether Cardinal controls are active in production is only answerable if you know what those controls are and what they are designed to enforce. ARC provides exactly that foundation.

The ARC Framework represents a serious piece of work at the right moment. The field has been working through the first four layers of the governance chain for the better part of two years: Principles → Capabilities → Risks → Controls → Enforcement → Evidence. ARC closes the middle section with more rigour than anything currently available in the Singapore governance landscape.

The organisations that complete an ARC assessment have documented what their agentic systems should do and what controls should govern them. The organisations that move fastest over the next two years may not be those with the most governance documentation, but those that can continuously demonstrate that their governance assumptions remain enforced in production.


Aivance is a boutique AI governance consultancy based in Singapore. We work with CROs, CISOs, and Enterprise Architects in APAC enterprises to design governance that functions as an enforcement layer rather than a documentation exercise.

Arjen Hendrikse
Founder of Aivance Consulting. ISO/IEC 42001:2023 Lead Auditor. Thirty years working at the edge of what technology can do.
This article was drafted with AI assistance and reviewed for accuracy by Arjen Hendrikse before publication.
