The guidelines are draft.
The transition window is not.
The MAS AI Risk Management Guidelines closed for consultation on 31 January 2026 and finals are expected in the second half of the year. The MindForge Operationalisation Handbook published 20 March 2026 already tells you what an audited AI governance posture looks like. ISO 42001 is in the market and US-EU buyers are asking for it on procurement questionnaires today.
The institutional response is to wait for the guideline finals. That answer is wrong arithmetically: the proposed transition window is how long you get, not when you start, and a six-month transition is not enough time to stand up a material-risk AI governance posture from cold.
The right answer is to build against the Handbook now. The control set is observable, the structure is published, and an AIMS built against the Handbook today carries over when the guidelines land. Where a buyer or counterparty demands the ISO 42001 certificate specifically, the same control set delivers the AIMS in parallel.
MAS-first. Certificate where needed.
One programme. One evidence layer.
The MAS-first framing matters because the supervisor reads for institutional judgement on material risk, not for a generic compliance posture. We build against the Handbook because the Handbook is what the supervisor will use to assess your posture when the finals land.
The ISO 42001 certificate is the buyer leg. A US enterprise asking for AI governance evidence does not read MAS guidelines; they read a certificate. We map the same control set into the AIMS structure so one programme delivers both outputs and the two evidence packs stay aligned over time.
Four weeks.
One AI governance posture, two evidence outputs.
- Week 1
Inventory and material-risk mapping.
We inventory every AI system in scope: in-production models, vendor-supplied AI features, agentic workflows, and the procurement pipeline of AI tools the team has not surfaced yet. Each is mapped against the MAS material-risk test and the MindForge Handbook's risk taxonomy.
- Weeks 2 to 3
Governance build.
AI risk policy, model lifecycle controls, human-oversight model, third-party AI vendor controls, incident response for AI-specific failure modes. Authored against the draft MAS AI Risk Management Guidelines, the MindForge Operationalisation Handbook, and IMDA's agentic AI framework so the posture carries when finals land.
- Week 4
ISO 42001 certificate leg.
Where a customer or counterparty demands ISO 42001 specifically, we map the same control set into the AIMS structure so the certificate path runs from the same evidence layer. One programme, two outputs; the supervisor pack and the buyer evidence pack do not diverge.
- Throughout
Senior partner presence.
The partner who scoped is the partner who delivers. No analyst handoffs on the AI risk register, no junior-led correspondence with the audit committee.
A posture that carries to finals.
A certificate path that runs from the same evidence.
An AI risk register and governance posture aligned to the Operationalisation Handbook today. When the MAS AI Risk Management Guidelines finalise in H2 2026, the work is the format change, not the content rebuild.
An AIMS that earns the ISO 42001 certificate on the timeline an enterprise buyer expects. One audit, one evidence package, one renewal cycle.
A control set you can defend in front of an audit committee and a procurement reviewer in the same week, without writing two different documents.
MAS-regulated entities with material AI risk, and SG platforms whose buyers are asking.
Banks and payment institutions with model-driven decisions on credit, fraud, or AML. Capital markets services firms with AI-augmented research, trading, or surveillance. SaaS platforms selling AI features into MAS-regulated counterparties or US-EU enterprises that have added ISO 42001 to procurement questionnaires.
The buyer is the Head of Model Risk, the CISO, the Head of AI, or the founder whose AI feature is sitting in a procurement review.
Three things this is not.
This is not a model audit. We work alongside model risk teams; the sprint covers governance posture, not statistical validation.
This is not a certificate-only project. If you want an ISO 42001 paper with no MAS-defensible posture behind it, hire someone else.
This is not a finals-watching exercise. The Handbook is the authority we build against now; the guidelines finalising will confirm the structure, not invalidate the work.
Part of our Singapore practice. See the regulatory map →