MGF Implementation Architecture
How SwarmCitadel implements Singapore's Model AI Governance Framework for Agentic AI, dimension by dimension.
Last updated: July 2026
About the MGF for Agentic AI
The Model AI Governance Framework for Agentic AI was published by Singapore's IMDA and the AI Verify Foundation in January 2026 and substantially updated in May 2026. It is the first national governance framework written specifically for AI agents that plan, reason, and act autonomously.
Read the official frameworkThe Four MGF Dimensions
Assessing and Bounding Risk
What the framework asks
Identify and quantify risks of agent actions before and during execution. Bound agent autonomy. Account for multi-agent interaction and system complexity.
What an architecture must provide
Pre-execution evaluation of every proposed action against deterministic policy. Risk tiers that map to different handling (execute, require approval, block). Fleet-level visibility for correlated failures across agents.
How SwarmCitadel implements it
- Deterministic policy engine evaluates every action pre-execution (<100ms)
- Composable rules with defined conflict-resolution strategies
- Fail-closed enforcement for high-risk action classes
- Fleet-level crisis detection and policy-defined containment (roadmap)
Meaningful Human Accountability
What the framework asks
A human must own agent decisions in a way that is real rather than ceremonial. The accountability chain must be auditable. Monitor for automation bias.
What an architecture must provide
Approval gates calibrated to risk. Override channels that work mid-flight. Per-action decision trail linking each action to its policy evaluation and approver. Measurement of approval latencies and override rates.
How SwarmCitadel implements it
- Risk-calibrated approval gates and human-override channels
- Every action generates an audit record binding action, policy, and approver
- Override rates and approval response times queryable in the ledger
- Human-equivalent-work measurement for labor attribution (patent filed)
Technical Controls and Processes
What the framework asks
Pre-deployment testing, access boundaries, system-level safeguards. Select control types appropriate to each lifecycle stage. Maintain change-management discipline.
What an architecture must provide
Structural and rule-based controls in the execution path, not prompt-layer measures. Deterministic controls that hold regardless of what the model does. Versioned policies so historical actions can be interpreted against the exact policy that governed them.
How SwarmCitadel implements it
- Layered access control (authenticated identities, role-based access, workspace scoping)
- Decision-level authorization, not just network-level
- Declarative, versioned, human-readable policies
- Policy changes are themselves recorded and attributable events
End-User Responsibility and Transparency
What the framework asks
Agent behaviour and constraints must be visible to people affected by them and to regulators. Consider skill degradation and business continuity when agents absorb tasks.
What an architecture must provide
Offline verifiability: an auditor should be able to verify integrity on their own hardware, with no network connection to the vendor. Tamper-evident records anchored to external commitments.
How SwarmCitadel implements it
- Tamper-evident records hash-linked in sequence
- Periodic anchoring to external commitment store (configurable backend)
- Regulator-grade export bundles verify offline on commodity hardware
- Zero-knowledge policy proofs (compiler built, production roadmap)
Three Properties That Separate Aligned Architectures
The May 2026 update moved the MGF from governing individual agents to governing systems of agents. These three properties are the practical test of alignment.
Cross-Agent Telemetry Correlation
Telemetry joinable across agents. An architectural property designed in from the start, not bolted onto per-agent logs later.
Policy-Defined Graduated Containment
Options between 'ignore' and 'shut everything down.' Operators see exactly why the system recommended what it did.
Boundary-Level Enforcement
Gateway-style interception in front of agent egress. Third-party agents governable with no agent code changes.
Patent Notice: Five US provisional patent applications were filed in April 2026 covering tamper-evident action packets, zero-knowledge policy proofs, multi-agent crisis detection, human-equivalent-work attribution, and anchor integrity constructions.