IMDA released MGF v1.5 at ATxSummit 2026. One case study shows what enforcement-layer governance actually requires. Read the analysis →

Model Governability Assessment

Does your control set actually hold, against every framework that applies to you, at the same time?

Most organisations assess their AI governance one framework at a time, if they assess it at all: a PDPA check here, an ISO 42001 review there. The Model Governability Assessment tests your control set against MAS AIRG, MGF v1.5, PDPA, ISO 42001, and the EU AI Act simultaneously, tests whether the controls that matter are technically enforced rather than procedurally described, and produces the evidence your board or a regulator will ask for. It is built to run annually, so governability becomes something you track, not something you re-litigate from zero each year.

What "governability" means

Most AI governance work happens one framework at a time. A PDPA check here, an ISO 42001 readiness review there, a MAS AIRG mapping exercise once the guidelines are close to issuance. Each exercise produces its own checklist, and none of them answers the harder question: does the underlying control set actually hold, is it technically enforced, and would it produce evidence under real scrutiny. The Model Governability Assessment treats governability as a single, testable property of your AI systems, assessed once, across every framework that applies to you.

The assessment is built around five dimensions.

Framework reconciliation. Your control set is mapped against MAS AIRG, the IMDA Model AI Governance Framework (MGF v1.5), PDPA, ISO 42001, and, where you have EU exposure, the EU AI Act, at the same time. The output is a single reconciled control set with overlaps and conflicts made explicit, not five separate compliance memos that each assume they are the only framework in the room.

Enforcement reliability. Each control identified in the reconciliation is tested for whether it is technically enforced or procedurally described. A control that depends entirely on a person following a process under pressure is not enforcement. This dimension is where the assessment separates governance that would survive an incident from governance that would only survive an audit.

Decision lineage. A narrower and harder question: if a specific AI decision were challenged tomorrow, could you reconstruct what data informed it, which model version made it, and what authority approved it. Most organisations can answer this for financial reporting. Few can answer it for their AI systems.

Authority loop closure. Override authority is only real if the loop closes: a defined trigger halts the system, a named human receives the request, and the system does not proceed until ratification is received or a fail-safe default takes effect. This dimension audits your Suspended Handoff State and Human Ratification Gate mechanisms, and, for autonomous agents, your Agentic Risk Boundary definitions, against whether they are designed only or actually closed end to end.

Evidence readiness. The final test is whether all of the above can be produced on demand, not reconstructed after an incident. This dimension checks whether the documentation a regulator, auditor, or board would ask for already exists, or would need to be assembled under pressure.

Framework reconciliation Does one control set satisfy every framework that applies to you, at once?
Enforcement reliability Are the controls technically real, or procedurally described?
Decision lineage Could you reconstruct what governed a specific decision, on demand?
Authority loop closure Does override authority close end to end, or stop at the design document?
Evidence readiness Does the proof already exist, or would it be assembled under pressure?
The rating is not pass or fail per framework. It is a single governability score across all five dimensions.

Why this runs annually

Frameworks change. MAS AIRG is not yet final. MGF versions update. Model versions and deployments change your systems even when the regulatory environment does not. A one-time assessment tells you whether your control set held on the day it was tested. The MGA is structured to run annually, or after a material system or framework change, specifically so governability becomes a tracked metric rather than a one-time diagnosis your board reviews once and files away. The baseline year establishes the full reconciliation and rating. Each annual reassessment re-tests the same five dimensions against whatever has changed, at a reduced scope and duration.

What you receive

  • A governability rating across all five dimensions, structured so next year's assessment is directly comparable to this one
  • A framework reconciliation map showing which controls satisfy which frameworks, and where they conflict
  • A decision lineage specification for your highest-consequence AI systems
  • An authority loop closure assessment covering every override mechanism in scope
  • An evidence pack organised for regulator, auditor, or board review
  • A prioritised remediation roadmap for any dimension that does not yet hold

How it works

The baseline assessment runs over six weeks: a discovery session to map every AI system and its authority to act, the structured five-dimension assessment, a reconciliation workshop to walk through conflicts and overlaps across frameworks, and a closing board presentation. The annual reassessment that follows runs over three weeks and re-tests the same five dimensions against what has changed since the previous assessment, whether that is a new framework version, a new AI system, or a materially changed deployment.

This is fixed-fee, agreed before the baseline assessment begins. As the flagship instrument in Aivance's practice, it is designed to be the engagement your enforcement layer is measured against every year, not a report that goes in a drawer.

A one-time compliance check tells you whether your controls held on the day someone looked. Governability is not a one-time property. It has to be measured the same way every year, or it is not a measurement at all.

If you can't evidence it, it isn't governance yet.

Start with the complimentary 30-Minute Enforcement Gap Review. We identify which of three assurance questions your organisation cannot currently answer: does your control set satisfy the frameworks that apply to you, is it technically reliable, and can you evidence it. Within 48 hours, you receive a written diagnosis mapped to your applicable frameworks.

Book Your Enforcement Gap Review