What does a Singapore SME actually have to do, and by when, to comply with MAS AIRG, IMDA MGF for Generative AI, the EU AI Act, the PDPC AI Advisory Guidelines and the CSA-MAS Joint Advisory?

The Answer in 60 Seconds

Five Singapore-relevant AI governance instruments have hardened from principles into supervisory expectations between March 2024 and November 2025, and three of them now carry compliance deadlines that fall in 2026 and 2027.

  1. MAS Information Paper on AI Model Risk Management dated 5 December 2024 (Circular ID 18/24) sets out three pillars — governance & oversight, key risk management systems, development & validation controls — that MAS expects all banks, licensed insurers, capital markets intermediaries, payment institutions and Lloyd's Asia Scheme members to be able to evidence in their next supervisory review.
  2. MAS Consultation Paper P017-2025, Guidelines on AI Risk Management (the "AIRG"), was issued on 13 November 2025; consultation closed 31 January 2026; once finalised, financial institutions get a 12-month transition period from issuance.
  3. IMDA Model AI Governance Framework for Generative AI (May 2024) and AI Verify 2.0 (forthcoming) set the testing and assurance baseline that all AI deployers in Singapore — financial or not — should now align to.
  4. PDPC Advisory Guidelines on Use of Personal Data in AI Recommendation and Decision Systems (1 March 2024) clarifies the Business Improvement, Research and Legitimate Interests Exceptions, and is operative now.
  5. The EU AI Act (Regulation 2024/1689) entered into force on 1 August 2024 and bites Singapore SMEs extraterritorially — prohibited practices since 2 February 2025, GPAI obligations since 2 August 2025, high-risk obligations from 2 August 2026 (subject to Digital Omnibus extension proposals), embedded high-risk from 2 August 2027. Maximum EU fine: €35 million or 7% of global turnover, whichever is higher.

The CSA-MAS-SPF Joint Advisory on Scams Involving Digital Manipulation (12 March 2025) and the MAS Information Paper on Cyber Risks Associated with Generative AI (30 July 2024) supply the cyber-risk overlay. The ASEAN Guide on AI Governance and Ethics (February 2024, expanded January 2025) supplies the regional baseline. None of this is optional for an SME serving regulated counterparties, EU customers, or relying on personal data inputs to AI systems.

The Sourced Detail

Singapore's AI governance architecture has shifted from principle-setting to supervisory-expectation-setting in the eighteen months between March 2024 and the close of the AIRG consultation on 31 January 2026. The five instruments below, plus the EU AI Act's extraterritorial reach, now define the operational baseline for Singapore SMEs. Treating any of them as voluntary is no longer defensible against the PDPC, MAS, IMDA or — for SMEs serving EU customers — the European Commission's AI Office.

1. MAS Information Paper on AI Model Risk Management — 5 December 2024

The MAS Information Paper on AI Model Risk Management was issued on 5 December 2024 under Circular ID 18/24, addressed to chief executives of all banks, finance companies, licensed insurers, capital markets intermediaries, payment institutions, designated financial holding companies and Lloyd's Asia Scheme members.

The paper sets out three pillars:

Pillar 1 — Oversight and governance. Cross-functional AI oversight forums; AI policies and standards; training programmes; senior management accountability for material AI systems.

Pillar 2 — Key risk management systems and processes. AI inventory; materiality assessment frameworks calibrated by impact, complexity and reliance; third-party AI vendor governance; data lineage and quality controls.

Pillar 3 — Development, validation and deployment. Pre-deployment testing; ongoing monitoring; model drift detection; human-in-the-loop checkpoints; explainability; documentation.

MAS's stated intent in the paper is that "the good practices observed should generally apply to other financial institutions" — meaning the document functions as a de facto baseline for every MAS-regulated entity, not only the surveyed banks. SMEs that are MAS-regulated should expect their next thematic supervisory review to test against these three pillars.

2. MAS Consultation Paper P017-2025 — Guidelines on AI Risk Management

On 13 November 2025, MAS issued Consultation Paper P017-2025, Consultation Paper on Guidelines on Artificial Intelligence Risk Management. The consultation closed on 31 January 2026; the final guidelines (the "AIRG") are expected during 2026, with a stated 12-month transition period from issuance.

The AIRG hardens the December 2024 Information Paper into formal Guidelines under the Banking Act, Financial Services and Markets Act, Insurance Act, Securities and Futures Act, and Payment Services Act — meaning compliance becomes part of MAS's supervisory toolkit and a foundation for enforcement action under section 27 FSMA and the equivalent provisions of the other Acts.

Per the MAS consultation paper on Guidelines on Artificial Intelligence Risk Management (P017-2025, 13 November 2025), the AIRG covers:

  • AI inventory for all systems used by the FI, including third-party AI embedded in vendor products. Materiality dimensions: impact (severity if AI fails), complexity (interpretability of the model), reliance (degree of human-in-the-loop oversight).
  • Board-level oversight with documented accountability for AI risk at senior management and board level.
  • Three lines of defence for AI: business ownership; independent risk and compliance; internal audit. Each line has explicit AI-specific responsibilities.
  • Full lifecycle controls from data acquisition through development, testing, deployment, monitoring and decommissioning.
  • Third-party AI governance including vendor due diligence, contractual indemnities, incident-reporting clauses, and exit provisions.
  • Generative AI and AI agents receive express treatment, drawing on MAS's Project MindForge (the industry sandbox programme run with major Singapore-incorporated banks) and the FEAT principles (Fairness, Ethics, Accountability, Transparency) issued by the Veritas Initiative.

MAS has also signalled that an AI Risk Management Handbook will follow during 2026 — providing illustrative practices and worked examples to accompany the formal Guidelines.

3. IMDA Model AI Governance Framework for Generative AI — 30 May 2024

The Model AI Governance Framework for Generative AI, released by the Infocomm Media Development Authority and the AI Verify Foundation on 30 May 2024 after consultation on a January 2024 draft, applies to all AI deployers in Singapore — not only MAS-regulated FIs. The MGF for Generative AI is structured around nine governance dimensions:

  1. Accountability — clear allocation of responsibility across the AI value chain.
  2. Data — provenance, quality, bias, copyright and privacy of training and inference data.
  3. Trusted development and deployment — model cards, system cards, robust evaluation.
  4. Incident reporting — structured process for detecting, escalating and remediating AI incidents.
  5. Testing and assurance — pre-deployment and continuous testing aligned to AI Verify.
  6. Security — adversarial robustness, prompt injection defences, model and weight protection.
  7. Content provenance — watermarking, C2PA-style provenance tagging, deepfake disclosure.
  8. Safety and alignment R&D — investment in research into model alignment with developer/deployer intent.
  9. AI for public good — equitable access, bridging the digital divide, sustainable AI.

The MGF explicitly maps to the NIST AI Risk Management Framework, ISO/IEC 42001:2023 (the AI Management System standard), and the OECD AI Principles. SMEs aligning to MGF therefore satisfy a substantial portion of overseas regulator expectations as well.

The companion AI Verify open-source toolkit — administered by the AI Verify Foundation — provides 11 governance principles tested through 50+ technical and process tests, including hallucination/inaccuracy, bias detection, undesirable content classification, data leakage, adversarial vulnerability, transparency, explainability and human-AI configuration. The forthcoming AI Verify 2.0 (announced at the PDP Summit 2025) extends coverage to agentic AI archetypes and deeper LLM-specific testing.

4. PDPC Advisory Guidelines on Use of Personal Data in AI — 1 March 2024

The PDPC Advisory Guidelines on the Use of Personal Data in AI Recommendation and Decision Systems, issued on 1 March 2024, are operative now — they do not require enabling legislation because they interpret existing PDPA provisions.

The Advisory Guidelines clarify three exceptions to the consent requirement under the PDPA:

  • Business Improvement Exception (PDPA First Schedule Part 5 Division 2). Permits use of personal data for product/service improvement, subject to assessment that benefits are commensurate with privacy intrusion.
  • Research Exception (PDPA First Schedule Part 5 Division 3). Permits research use subject to safeguards.
  • Legitimate Interests Exception (PDPA First Schedule Part 5 Division 1). Permits use where the legitimate interest of the organisation outweighs the adverse effect on the individual, subject to a documented assessment.

For each exception, the PDPC sets transparency, accountability and Data Protection Impact Assessment (DPIA) expectations. SMEs feeding personal data into AI training pipelines or AI inference (e.g., HR analytics, lending decisions, customer recommendation engines) must run and document DPIAs before deployment.

The guidelines also articulate explainability expectations: the level of explainability provided to affected individuals should be calibrated to the impact of the AI decision on them. Higher-impact decisions (lending, hiring, insurance underwriting) attract higher explainability obligations.

5. CSA-MAS-SPF Joint Advisory on Scams Involving Digital Manipulation — 12 March 2025

The CSA-MAS-SPF Joint Advisory on Scams Involving Digital Manipulation of 12 March 2025 is the operational counterpart to the MAS Information Paper on Cyber Risks Associated with Generative AI issued on 30 July 2024.

The MAS July 2024 paper identifies four categories of GenAI-driven cyber risk:

  1. Deepfake-driven impersonation of executives, customers and counterparties.
  2. AI-enhanced phishing and social engineering — including voice cloning and personalised pretexting at scale.
  3. Model manipulation — prompt injection, training-data poisoning, jailbreaks.
  4. AI-enabled malware — autonomously generated payloads, evasive techniques.

The March 2025 Joint Advisory mandates specific operational defences against deepfake-driven funds-transfer fraud, including callback verification protocols and segregation-of-duties requirements for high-value transfers. The Singapore Police Force Annual Scams and Cybercrime Brief 2024 reported S$1.1 billion in scam losses in 2024 — a 70% year-on-year increase from S$651.8 million in 2023, driven significantly by AI-enabled techniques.

6. EU AI Act — extraterritorial reach for Singapore SMEs

The EU AI Act, Regulation (EU) 2024/1689, was published in the Official Journal of the European Union on 12 July 2024 and entered into force on 1 August 2024. Its phased commencement runs as follows:

  • 2 February 2025 — prohibited AI practices apply (social scoring, real-time remote biometric ID in public spaces, manipulative AI exploiting vulnerabilities, etc.).
  • 2 August 2025 — General Purpose AI (GPAI) obligations and the new EU AI Office's powers come into effect.
  • 2 August 2026 — high-risk AI obligations apply (the main compliance burden for most SMEs in scope).
  • 2 August 2027 — embedded high-risk obligations (AI in regulated products such as medical devices, machinery, toys).

The Digital Omnibus package proposed by the European Commission on 19 November 2025 may extend the 2 August 2026 high-risk deadline, but as at 7 May 2026 no extension has been adopted.

A Singapore SME falls within the AI Act's scope when any of the following apply:

  • It places an AI system on the EU market (sells, licenses, deploys, makes available — even free of charge);
  • The AI system's output is used in the EU (regardless of where the SME is based);
  • The SME acts as importer, distributor or authorised representative of an EU AI system;
  • The SME provides AI services to EU residents.

This is materially broader than the GDPR's territorial scope. A Singapore SaaS SME with EU customers — even one EU customer — falls within scope if the AI system's output is used by that customer in the EU, per the extraterritorial provisions of Article 2 of the EU AI Act (Regulation (EU) 2024/1689).

Maximum penalties under Article 99 of the AI Act:

  • €35 million or 7% of global turnover, whichever is higher, for prohibited AI practices.
  • €15 million or 3% of global turnover for high-risk AI obligations breaches.
  • €7.5 million or 1% of global turnover for incorrect or misleading information to authorities.

For a Singapore SME, Article 99(6) caps each fine at whichever of the two figures is the lower — so for an SME with S$50 million in global turnover, the prohibited-practice exposure is approximately S$3.5 million (7% of turnover), broadly comparable to the equivalent PDPA cap of S$5 million (10% of annual Singapore turnover).

7. ASEAN Guide on AI Governance and Ethics — regional baseline

The ASEAN Guide on AI Governance and Ethics was endorsed by ASEAN Digital Ministers on 2 February 2024. The expanded ASEAN Guide on AI Governance and Ethics — Generative AI was launched at the Singapore International Cyber Week 2024 and the ASEAN Digital Ministers' Meeting in January 2025.

The Guide does not have legal force but provides a regional baseline that ASEAN members (Singapore, Malaysia, Indonesia, Thailand, the Philippines, Vietnam, Brunei, Cambodia, Laos, Myanmar) can use to align national approaches. For Singapore SMEs operating cross-border in ASEAN, the Guide is a practical reference for vendor and partner due diligence in jurisdictions whose national AI frameworks are less mature.

The Compliance Timeline — Month-by-Month

The following calendar consolidates the hard dates Singapore SMEs must operationalise. Dates marked (LIVE) are already in force; dates marked (SCHEDULED) are formally announced; dates marked (EXPECTED) are reasonably foreseeable based on consultation timelines and government statements; a date marked (PASSED) is a milestone that has already occurred.

Already in force (action required now)

  • 1 March 2024 (LIVE) — PDPC Advisory Guidelines on Use of Personal Data in AI Recommendation and Decision Systems. Action: DPIA programme, transparency disclosures, explainability documentation, consent or exception assessment.
  • 30 May 2024 (LIVE) — IMDA Model AI Governance Framework for Generative AI. Action: align governance to nine dimensions; run AI Verify against customer-facing AI.
  • 30 July 2024 (LIVE) — MAS Information Paper on Cyber Risks Associated with Generative AI. Action: assess GenAI-specific cyber controls; deepfake training; prompt injection defences.
  • 1 August 2024 (LIVE) — EU AI Act enters into force. Action: scoping assessment for any EU touchpoint.
  • 5 December 2024 (LIVE) — MAS Information Paper on AI Model Risk Management (Circular ID 18/24). Action: align governance to three pillars; AI inventory; materiality assessment; FEAT integration.
  • 2 February 2025 (LIVE) — EU AI Act prohibited practices. Action: confirm no prohibited use cases (social scoring, real-time biometric ID, manipulative AI etc.).
  • 12 March 2025 (LIVE) — CSA-MAS-SPF Joint Advisory on Scams Involving Digital Manipulation. Action: callback verification; multi-channel approval; deepfake training.
  • 2 August 2025 (LIVE) — EU AI Act GPAI obligations. Action: if you place a GPAI model on the EU market, prepare technical documentation, copyright compliance and training-data summaries.

Currently scheduled or expected

  • 31 January 2026 (PASSED) — MAS AIRG consultation closed.
  • Mid-2026 (EXPECTED) — MAS issues final AIRG. 12-month transition begins.
  • 2 August 2026 (SCHEDULED, subject to Digital Omnibus extension) — EU AI Act high-risk obligations apply. Action for SMEs serving EU: CE-equivalent conformity assessment, technical documentation, registration, post-market monitoring.
  • End-2026 (EXPECTED) — MAS AI Risk Management Handbook (illustrative practices).
  • Mid-2027 (EXPECTED) — MAS AIRG transition period ends; full compliance required.
  • 2 August 2027 (SCHEDULED) — EU AI Act embedded high-risk obligations apply.
  • End-2027 (SCHEDULED) — Workplace Fairness Act 2025 + Workplace Fairness (Dispute Resolution) Act 2025 commence (relevant to AI hiring tools — see article on AI bias in hiring).

What Singapore SMEs Must Do Now — A 7-Step Operational Programme

The following programme is calibrated to a Singapore SME with 25-250 employees. Smaller SMEs may compress steps; larger SMEs may need additional resources but the structure remains.

Step 1 — Establish board-level AI oversight (next 30 days)

Singapore SMEs frequently delegate AI decisions to whoever happens to be running the deployment — an HR director picks Workday, a marketing lead picks Midjourney, a software lead picks GitHub Copilot. Under MAS AIRG and the IMDA MGF, this is no longer defensible.

The minimum structure: a designated AI risk owner at C-suite level (in MAS-regulated FIs, the Chief Risk Officer or equivalent; in non-regulated SMEs, typically the CFO or COO); a documented AI policy approved at board level; quarterly board reporting on AI risk.

For SMEs with fewer than 25 employees, the AI risk owner may be the founder/CEO; the documentation requirement remains.

Step 2 — Build the AI inventory (next 60 days)

The AI inventory is the foundation of every other control. The minimum data fields:

  • AI system name, vendor and version.
  • Business owner.
  • Use case description (what the AI does, who it affects, what decisions it informs or makes).
  • Data inputs (personal data flag; PDPA categorisation; cross-border flow flag).
  • Data outputs (downstream system; affected individuals).
  • Materiality dimensions per AIRG: impact (severity if AI fails — none / low / medium / high / critical); complexity (interpretability — fully transparent / partially interpretable / black-box); reliance (human oversight — full / sample / none).
  • Risk classification under EU AI Act if any EU touchpoint (prohibited / high-risk / limited risk / minimal risk).
  • Vendor warranties summary (training data IP, indemnification, breach notification, exit).
  • Last AI Verify or equivalent test date.
  • Last DPIA date.

Most Singapore SMEs discover during this exercise that they have between three and twenty-five distinct AI systems in use — far more than they thought. The inventory itself is often the most valuable artefact.

Step 3 — Run AI Verify on at least one customer-facing AI system (next 90 days)

The AI Verify open-source toolkit is free. Run it against your highest-impact customer-facing AI — typically a customer-service chatbot, a recommendation engine, or a content-generation tool. The output is a structured report covering hallucination/inaccuracy, bias, undesirable content, data leakage and adversarial vulnerability. It will surface concrete remediation items.

For SMEs serving the EU, AI Verify output is one of the building blocks of the technical documentation required under Annex IV of the EU AI Act — making this step also a head-start on EU compliance.

The Global AI Assurance Pilot (Feb-May 2025, with subsequent expansions) paired 17 deployers across 10 sectors with 16 specialist testers, producing an emerging pool of accredited testers SMEs can engage for assurance work.

Step 4 — Audit existing insurance for AI gaps (next 90 days)

Walk the existing tower:

  • Professional Indemnity / Tech E&O — does the wording expressly cover AI-driven errors? Or is AI silent? Are there AI sub-limits? Lockton's Preet Gill noted in the Financial Times that "a general policy that covers up to $5mn in losses might stipulate a $25,000 sublimit for AI-related liabilities." Identify any sub-limit and quantify the gap.
  • Cyber Liability — does the wording cover AI as an attack surface: deepfake-enabled funds-transfer fraud (FTF), AI-driven phishing and prompt injection? What is the FTF sub-limit? Is the social-engineering endorsement bought?
  • Media / Multimedia Liability — for content-generating SMEs, does the wording cover AI-output IP claims? "Intentional infringement" exclusions are a frequent friction point.
  • D&O — does the wording respond to a shareholder or regulator action arising from an AI governance failure? Singapore SMEs heading toward IPO or regulated counterparty relationships should review.
  • EPL (Employment Practices Liability) — does the wording cover algorithmic bias claims under the Workplace Fairness Act 2025 (WFA)? Retroactive date alignment with the WFA commencement (end-2027) is critical.

Step 5 — Build vendor warranty discipline (next 120 days)

Every AI procurement contract from this point should include:

  • Training-data IP provenance warranty — vendor confirms training data was lawfully obtained and does not infringe third-party IP.
  • Hallucination / error-rate warranty — vendor confirms tested error rates at deployment; obligation to report material increases.
  • Bias testing obligations — vendor commits to defined bias-testing cadence and disclosure (critical for HR / lending / insurance underwriting use cases under Singapore WFA 2025 and PDPC March 2024 guidelines).
  • Security and breach notification — aligned to PDPA section 26D 3-day notification.
  • Indemnification for IP and privacy claims — including third-party copyright, trademark, defamation arising from AI output.
  • Data residency for PDPA compliance — confirmation of where training and inference data are processed.
  • Exit and transition — data return, model deletion, runoff support.

Major vendor commitments to look for: Adobe Firefly indemnity (commercial-safe training); Microsoft Customer Copyright Commitment for Copilot output (announced September 2023); OpenAI Copyright Shield; Anthropic indemnification. These are useful starting points but each has carve-outs that SMEs should review with counsel.

Step 6 — Update incident-response playbook (next 120 days)

The MAS AIRG, IMDA MGF and CSA-MAS Joint Advisory each require AI-incident reporting. The minimum incident-response playbook:

  • AI-incident definition — error, hallucination, bias finding, data leakage via AI output, adversarial attack, agent rogue action, deepfake-driven fraud attempt.
  • Detection mechanisms — observability tooling, customer complaints, regulatory notice, third-party security researcher disclosure.
  • Triage — first-hour assessment of impact, scope, regulatory triggers (PDPC s.26D, MAS Notice 657 if FI, EU AI Act incident reporting if EU touchpoint).
  • Containment — kill-switch protocols, model rollback, public-facing advisory.
  • Notification — PDPC within 3 calendar days if PDPA breach; insurer within policy notification window; affected individuals; regulators.
  • Documentation — Annex B-style structured documentation for PDPC; AIRG-aligned root-cause analysis.

Step 7 — Plan for AIRG mid-2026 issuance and EU AI Act 2 August 2026 (next 12 months)

For MAS-regulated FIs: the 12-month transition begins from issuance of the final AIRG, expected mid-2026. SMEs should map current state against the consultation paper now, not wait for the final text.

For SMEs serving the EU: the 2 August 2026 high-risk deadline (subject to Digital Omnibus extension) requires a conformity-assessment-equivalent process for any high-risk AI system. Singapore's MGF and AI Verify alignment provides ~60-70% of the underlying technical documentation but does not substitute for the EU's specific conformity-assessment pathway.

Singapore Insurance Market Context

The Singapore commercial insurance market in late 2025 / early 2026 is in a soft phase: per the Marsh Global Insurance Market Index Q4 2025, Asia composite rates fell 5%; Singapore-specific cyber rates fell 13%; global cyber rates fell 7%. This is the sixth consecutive quarter of global rate decline.

Per Mordor Intelligence's Singapore Cyber Liability Insurance Market report (January 2026), the Singapore cyber market is projected to grow from USD 56.72 million in 2025 to USD 94.73 million by 2031 — an 8.93% CAGR. Standalone cyber covers held 53.65% market share in 2025; BFSI accounted for 29.55%.

The soft market presents Singapore SMEs with a time-limited window to negotiate affirmative AI wording into existing PI / Tech E&O / Cyber / Media policies before insurers harden their position. Lockton, Aon, Marsh, WTW and Howden Singapore all report probing AI usage at renewal but have not yet introduced AI exclusions in Singapore-marketed wordings as a market-wide norm.

For SMEs needing dedicated AI cover today, the Singapore-distribution status of named products is:

  • AXA XL CyberRiskConnect with Gen AI Endorsement — confirmed available in Asia per AXA XL's own 21 October 2024 press release. Targets SMEs developing their own Gen AI models. Note: AXA XL is the global commercial / specialty arm of AXA Group, separate from the former AXA Insurance Singapore retail business that was acquired by HSBC in 2022 and rebranded HSBC Life Singapore.
  • Munich Re aiSure / Mosaic-aiSure — global product launched 26 February 2026 with EUR/USD/CAD 15 million in initial capacity; distributed via Mosaic's cyber specialists worldwide.
  • Armilla AI Liability with Chaucer — standalone product launched 30 April 2025; up to US$25 million per organisation following Armilla's January 2026 capital raise; primary distribution through Lockton (US); accessible to Singapore SMEs through Lloyd's Asia syndicates via London-experienced brokers.
  • Coalition Active Cyber Policy with Affirmative AI Endorsement — US Surplus Lines and Canada only.
  • Coalition Deepfake Response Endorsement — US, UK, Canada (incl. Quebec), Australia, Germany, Denmark, Sweden, France only. Not Singapore.

What This Means for Your Business

Five practical points.

The MAS AIRG transition begins on issuance, not on the consultation paper date. SMEs that are MAS-regulated should treat mid-2026 to mid-2027 as the implementation window, not 2026 alone. Map current state to the consultation paper now to avoid a last-minute scramble.

The IMDA MGF and PDPC March 2024 guidelines apply to every Singapore SME using AI, not just FIs. A marketing agency using Midjourney, an HR consultancy using Workday, a software firm using GitHub Copilot — all are within scope of the IMDA MGF and the PDPC personal-data guidelines. Treating these as voluntary is no longer defensible.

The EU AI Act extraterritoriality is broader than GDPR. A Singapore SaaS SME with even one EU customer using AI output in the EU is in scope. The August 2026 high-risk deadline (subject to Digital Omnibus extension) requires conformity-assessment readiness; AI Verify output gets you part of the way but does not substitute.

Your existing PI / Tech E&O / Cyber / Media / D&O / EPL stack needs a deliberate AI gap audit. The soft market gives you negotiating room now; that window will close as insurers harden wordings.

A licensed IFA can match your current programme to an AI-aware programme. Singapore-licensed IFAs and brokers — Marsh, Aon, WTW, Howden, Lockton, Gallagher, Jardine Lloyd Thompson and the domestic broker community — have access to the Lloyd's Asia specialty market for AI-vendor risks and to the AXA XL Gen AI endorsement. COVA introduces SMEs to licensed IFAs who can match a current programme to an AI-aware programme without recommending a specific product.

Questions to Ask Your Adviser

  1. Does my current PI / Tech E&O wording expressly cover AI-driven errors, hallucinations, defamation arising from AI output, IP infringement from AI output, and bias claims — or is AI silent? What is the AI sub-limit?
  2. Does my cyber wording respond to deepfake-driven funds-transfer fraud, prompt injection, and AI-driven privacy breaches? What is the FTF sub-limit and is the social-engineering endorsement bought?
  3. Does my D&O wording respond to a shareholder or regulator action arising from an AI governance failure under MAS AIRG?
  4. Does my EPL wording respond to algorithmic bias claims under the Workplace Fairness Act 2025 / WFDRA 2025? What is the retroactive date and does it align with the WFA commencement (end-2027)?
  5. Is the AXA XL CyberRiskConnect Gen AI Endorsement available through my broker, and does my Singapore SME meet AXA XL's underwriting threshold?
  6. If I serve EU customers, does my current programme respond to EU AI Act regulatory defence costs and fines (where insurable)?
  7. Where my AI vendor offers indemnification (Adobe Firefly, Microsoft Copyright Commitment, OpenAI Copyright Shield, Anthropic indemnification), how does the indemnity interact with my own insurance — does my insurer require subrogation, and does the vendor's cap (typically fees paid in the prior 12 months) leave a residual gap I should insure?
