Introduction

Artificial Intelligence (AI) has emerged as one of the most transformative technologies in the financial services industry, offering unprecedented opportunities for efficiency, innovation, and enhanced customer experiences. However, the rapid adoption of AI—particularly Generative AI (Gen AI) and emerging Agentic AI—introduces complex risks that require robust governance and risk management frameworks.

Project MindForge, led by the Monetary Authority of Singapore (MAS), represents a continuation of multi-year industry collaboration to address responsible AI use. Building upon the FEAT (Fairness, Ethics, Accountability, Transparency) Principles established in 2018 and the Veritas Initiative (2020-2023), MindForge Phase 2 focuses on enabling financial institutions to scale AI with trust through comprehensive governance and risk management practices.

This paper synthesizes insights from the MindForge AI Risk Management Handbook, drawing on implementation experiences from four financial institutions: DBS, Julius Baer, Prudential, and an Investment Firm. These case studies illustrate practical approaches to AI governance across different organizational maturity levels.

The MindForge AI Risk Management Framework

The MindForge framework provides a structured approach to AI governance and risk management, organized into four key sections:

1. Scope & AI Oversight

Effective AI governance begins with clear definition of scope and responsibilities. The framework distinguishes between three fundamental elements:

• AI Model: A mathematical or logical representation mapping inputs to outputs
• AI System: An AI model plus other software components enabling real-world application
• AI Use Case: The specific, real-world context in which an AI system is intentionally used

The framework emphasizes that AI use cases serve as the basic unit of governance, reflecting the increased importance of considering factors beyond the model alone—particularly for Gen AI and Agentic AI where risks are highly contingent on use case parameters and system guardrails.

Governance Structure: The Board and Senior Management bear ultimate responsibility for AI governance, with operational governance organized through the traditional three lines of defense:

1. Business units responsible for daily risk management
2. Independent corporate risk management providing oversight and support
3. Independent assurance functions including internal audit

2. AI Risk Management

AI risk management operates at two levels:

Organization-Level Risk Management

Financial institutions must enhance their enterprise risk frameworks to incorporate AI-specific risks. Three approaches are identified:

• Distributed Approach: AI risks integrated into existing enterprise risk categories (cybersecurity, compliance, etc.)
• Concentrated Approach: AI risks grouped under an existing category, typically Model Risk
• AI-Specific Approach: Creation of a dedicated AI risk category

Key practices include:

• Identifying AI-specific risks relevant to the institution
• Incorporating these risks into the enterprise risk taxonomy
• Assessing and managing based on likelihood and materiality
• Developing portfolio-level views for senior leadership
• Periodic review to address emerging risks

Use Case-Level Risk Management

Each AI use case requires individual risk assessment through:

• Inherent Risk Materiality Assessment: Evaluating potential adverse impact and autonomy
• Residual Risk Assessment: Determining risk after controls are applied
• Calibrated Governance Requirements: Applying baseline or enhanced requirements based on risk materiality

3. AI Lifecycle Management

The framework identifies five stages of the AI lifecycle, each requiring specific risk management considerations:

3.1 Use Case Context & Design

• Clear identification of use case and model owners for end-to-end accountability
• Preliminary risk materiality assessment approved by senior management
• Documentation of use case and model details in central repository
• Human-in-the-loop design requiring active user review and approval

3.2 Data Acquisition & Processing

• Robust data management controls ensuring ethical and lawful data handling
• Security controls including stateless processing for LLMs
• Retrieval Augmented Generation (RAG) to ground outputs in verified sources
• Clear accountability for data verification and suitability

3.3 Onboarding, Build & Review

• Third-party risk profiling for external AI technologies
• Approved LLM lists with secured proxy services
• Rigorous performance testing to assess capabilities and mitigate risks
• Transparency measures including prominent disclaimers

3.4 Deployment

• Comprehensive monitoring plans with defined metrics and thresholds
• Contingency measures allowing feature disablement
• Cross-functional committee review and approval
• Progressive, phased rollout strategies
• User training for responsible use

3.5 Usage, Monitoring & Change Management

• Continuous monitoring of performance metrics and adoption rates
• User feedback collection for proactive interventions
• Change management processes with thorough testing before deployment
• Documentation, review, and approval for traceability
• Peer review for major changes

4. Enablers

Two foundational capabilities support effective AI risk management:

4.1 Skills, Knowledge & Culture

• AI literacy programs across the organization
• Role-specific training for governance and risk management personnel
• Continuous learning culture to keep pace with evolving technology
• Multidisciplinary collaboration across business, analytics, risk, compliance, technology, and HR

4.2 AI Infrastructure

• Centralized data and AI platforms with modern architecture
• Standardized processes and best practices (e.g., AI protocols)
• AI inventory capabilities for tracking all use cases and models
• Security and data access control mechanisms

Implementation Examples

DBS: Responsible Data Use (RDU) Framework

DBS has implemented a comprehensive RDU framework addressing three core questions:

1. Data Foundation: "Can we use it?" – Robust data policy framework covering security, privacy, access, and quality
2. DBS PURE Framework: "Should we use it?" – Ethical compass emphasizing Purposeful, Unsurprising, Respectful, and Explainable data use
3. AI Governance: "How we use it?" – Risk-based approach ensuring fairness, transparency, interpretability, and accountability

CodeBuddy Case Study: DBS developed an in-house Gen AI-powered programming assistant that:

• Integrates LLM capabilities with internal knowledge base via RAG
• Provides code completion, generation, explanation, and debugging
• Achieved 80% adoption among target data professionals
• Reduced AI project timelines from 15 months to under 3 months

Key Challenges Overcome:

• Employee education: 126,000+ training modules completed since 2019
• Legacy system integration: Leveraged centralized platform for modular integrations
• Incremental Gen AI risks: Cross-functional RAI taskforce with elevated clearance

Julius Baer: Tiered Governance Approach

Julius Baer implements AI through a three-stage governance process:

1. Business prioritization assessing business value
2. Review against AI regulations
3. Risk assessment including validation

The institution employs a two-stage toll gate process for AI use case governance, with tiered approaches to AI literacy and risk awareness based on use case complexity.

Prudential: Risk-Based Governance

Prudential applies a risk materiality assessment framework that:

• Evaluates use cases against materiality rubrics
• Applies calibrated governance requirements based on risk level
• Maintains central AI repository for all use cases and models
• Ensures clear roles and responsibilities across units

Investment Firm: Independent Validation

The investment firm emphasizes independent validation frameworks aligned with regulatory expectations, ensuring innovation proceeds safely particularly when handling sensitive data.

Key Risk Considerations

AI-Specific Risks

The MindForge consortium identified several categories of AI-specific risks:

• Reputational Risk: Public-facing use case failures reducing trust
• Legal Risk: Intellectual property concerns, copyright infringement
• Regulatory Risk: Breaches of financial services regulations
• Operational Risk: Dependence on accurate AI outputs
• Model Risk: Hallucinations, bias, performance degradation
• Data Risk: Exfiltration, leakage, quality issues

Key Risk Indicators (KRIs)

Effective monitoring requires appropriate KRIs:

Accountability & Governance:

• Proportion of use cases not in AI inventory
• Number of use cases without approval/ethics review

Transparency & Explainability:

• Number of "black box" AI systems

Legal & Regulatory:

• Process exceptions indicating governance breaches
• Copyright infringement claims
• Customer-facing use cases contravening regulations

Monitoring & Stability:

• Anomalies, error rates, performance degradation
• Model drift metrics
• Overall data quality

Risk Exposure:

• Aggregate use case KPI breaches
• Aggregate financial exposure
• Number of risk events or incidents

Implementation Challenges & Lessons Learned

Common Challenges

1. Cultural Transformation: Fostering a culture of responsible AI through extensive employee education
2. Legacy Integration: Incorporating AI into existing banking operations and workflows
3. Talent Scarcity: Optimizing scarce data science and analyst resources
4. Rapid Evolution: Addressing incremental risks from emerging AI technologies

Key Lessons

1. Multidisciplinary Collaboration: Success requires extensive collaboration across business, analytics, risk, compliance, technology, and HR functions
2. Adaptive Governance: Rapid AI evolution necessitates adaptive governance approaches with regular review and enhancement
3. Proportionate Approach: Risk-based, proportionate governance is crucial for efficient risk management without stifling innovation
4. Continuous Learning: A continuous learning culture enables organizations to keep pace with evolving technology, regulations, and societal norms
5. Industry Collaboration: Engagement with regulators and industry bodies drives collective progress

Future Perspectives

Generative AI and Agentic AI

The framework addresses emerging technologies:

• Gen AI: Requires additional guardrails for hallucinations, data leakage, and copyright concerns
• Agentic AI: Introduces complexity beyond traditional AI with multiple orchestrated agents

Horizon Scanning

Financial institutions should:

• Periodically perform horizon scanning for new AI-specific risks
• Monitor regulatory developments in AI governance
• Review and adapt risk management approaches regularly

Conclusion

Effective AI risk management in financial services requires a comprehensive, structured approach that addresses both organization-level and use case-specific risks. The MindForge framework provides practical guidance built on industry collaboration and real-world implementation experiences.

Key success factors include:

• Clear governance structures with Board and Senior Management accountability
• Risk-based, proportionate approaches calibrated to use case materiality
• Comprehensive lifecycle management from design through deployment and monitoring
• Strong enabling capabilities in skills, culture, and infrastructure
• Continuous adaptation to evolving technologies and risks

Financial institutions that implement robust AI governance and risk management will be better positioned to leverage AI benefits while managing risks appropriately, building trust with customers, regulators, and stakeholders, and accelerating innovation through measures that support observability, controllability, and oversight.

Governance and adoption are not in tension—widespread, rapid, and useful innovation in AI requires robust risk management and good governance.

References

1. MindForge Consortium (2026). "AI Risk Management Operationalisation Handbook". Monetary Authority of Singapore.
2. MindForge Consortium (2026). "AI Risk Management Implementation Examples". Monetary Authority of Singapore.
3. Monetary Authority of Singapore (2018). "FEAT Principles".
4. Veritas Initiative (2020-2023). "Methodology and Toolkit".