MGF Implementation Architecture

How SwarmCitadel implements Singapore's Model AI Governance Framework for Agentic AI, dimension by dimension.

Last updated: July 2026

About the MGF for Agentic AI

The Model AI Governance Framework for Agentic AI was published by Singapore's IMDA and the AI Verify Foundation in January 2026 and substantially updated in May 2026. It is the first national governance framework written specifically for AI agents that plan, reason, and act autonomously.

Read the official framework

The Four MGF Dimensions

Dimension 1In Production

Assessing and Bounding Risk

What the framework asks

Identify and quantify risks of agent actions before and during execution. Bound agent autonomy. Account for multi-agent interaction and system complexity.

What an architecture must provide

Pre-execution evaluation of every proposed action against deterministic policy. Risk tiers that map to different handling (execute, require approval, block). Fleet-level visibility for correlated failures across agents.

How SwarmCitadel implements it

  • Deterministic policy engine evaluates every action pre-execution (<100ms)
  • Composable rules with defined conflict-resolution strategies
  • Fail-closed enforcement for high-risk action classes
  • Fleet-level crisis detection and policy-defined containment (roadmap)
Dimension 2In Production

Meaningful Human Accountability

What the framework asks

A human must own agent decisions in a way that is real rather than ceremonial. The accountability chain must be auditable. Monitor for automation bias.

What an architecture must provide

Approval gates calibrated to risk. Override channels that work mid-flight. Per-action decision trail linking each action to its policy evaluation and approver. Measurement of approval latencies and override rates.

How SwarmCitadel implements it

  • Risk-calibrated approval gates and human-override channels
  • Every action generates an audit record binding action, policy, and approver
  • Override rates and approval response times queryable in the ledger
  • Human-equivalent-work measurement for labor attribution (patent filed)
Dimension 3In Production

Technical Controls and Processes

What the framework asks

Pre-deployment testing, access boundaries, system-level safeguards. Select control types appropriate to each lifecycle stage. Maintain change-management discipline.

What an architecture must provide

Structural and rule-based controls in the execution path, not prompt-layer measures. Deterministic controls that hold regardless of what the model does. Versioned policies so historical actions can be interpreted against the exact policy that governed them.

How SwarmCitadel implements it

  • Layered access control (authenticated identities, role-based access, workspace scoping)
  • Decision-level authorization, not just network-level
  • Declarative, versioned, human-readable policies
  • Policy changes are themselves recorded and attributable events
Dimension 4In Production

End-User Responsibility and Transparency

What the framework asks

Agent behaviour and constraints must be visible to people affected by them and to regulators. Consider skill degradation and business continuity when agents absorb tasks.

What an architecture must provide

Offline verifiability: an auditor should be able to verify integrity on their own hardware, with no network connection to the vendor. Tamper-evident records anchored to external commitments.

How SwarmCitadel implements it

  • Tamper-evident records hash-linked in sequence
  • Periodic anchoring to external commitment store (configurable backend)
  • Regulator-grade export bundles verify offline on commodity hardware
  • Zero-knowledge policy proofs (compiler built, production roadmap)

Three Properties That Separate Aligned Architectures

The May 2026 update moved the MGF from governing individual agents to governing systems of agents. These three properties are the practical test of alignment.

1

Cross-Agent Telemetry Correlation

Telemetry joinable across agents. An architectural property designed in from the start, not bolted onto per-agent logs later.

2

Policy-Defined Graduated Containment

Options between 'ignore' and 'shut everything down.' Operators see exactly why the system recommended what it did.

3

Boundary-Level Enforcement

Gateway-style interception in front of agent egress. Third-party agents governable with no agent code changes.

Patent Notice: Five US provisional patent applications were filed in April 2026 covering tamper-evident action packets, zero-knowledge policy proofs, multi-agent crisis detection, human-equivalent-work attribution, and anchor integrity constructions.

Questions for your governance vendor?

The whitepaper includes specific questions to ask any vendor, including us. Get the complete paper.

Quick Contact

We'll respond within 24 hours