Consultation Paper on Guidelines on AI Risk Management
Aliases: AIRG Consultation · MAS AI RMG Consultation 2025
Consultation paper proposing formal AI Risk Management Guidelines for FIs; will replace the 2024 Information Paper.
Document relationships
- precedes-in-force: sg-mas-airg-guideline-2027
- references: sg-mas-airg-2024
Atomic clauses (179)
FIs should assess the key areas for relevance to the AI model, system or use case, and apply in a proportionate manner.
MAS invites comments from FIs and other interested parties on the Guidelines.
All FIs should adhere to a set of high-level expectations as they deploy AI and AI technologies, including Generative AI and newer developments such as AI agents.
FIs should implement these Guidelines in a manner commensurate with the size and nature of their activities, and the extent to which their use of AI could lead to material risks to them.
Please submit your written comments to the consultation paper by 31 January 2026 via this link: https://form.gov.sg/690b2a3b024ee5eebbfcf7f1
FIs using AI as an integrated part of their business processes should minimally establish frameworks, policies and procedures to oversee their use of AI; apply clear identification and robust risk materiality assessments of AI use cases, systems or models; and have an adequate AI inventory in place.
All FIs should minimally institute basic policies for the use of AI commensurate with the FI’s level of AI adoption.
These basic policies should address who is responsible for overseeing AI use, guidelines on allowed and disallowed uses of AI, as well as the communication, checks and reviews of such guidelines.
MAS would expect an FI using AI in a manner that has a material impact on customer or risk management outcomes to have more robust AI life cycle standards and controls, as well as stronger capabilities and technology infrastructure.
AI life cycle standards and controls relating to data management, safety and cybersecurity would be relevant and should be applied in a proportionate manner.
MAS expects FIs to regularly review the adequacy of their AI risk management efforts against AI developments and address new or accentuated AI risks that may arise due to such developments.
FIs should address third-party risks arising from over-reliance on a few dominant Generative AI providers for mission critical areas, or using open-source models with poor security controls.
FIs should address legal and intellectual property risks arising from the use of Generative AI trained on data that infringes existing copyrights or patents.
FIs should address privacy risks arising from the leakage of confidential or customer data due to the use of third-party Generative AI products or services, or the inappropriate use of customer data in Generative AI without proper consent.
FIs should address human-factor risks arising from poor human oversight over Generative AI used in mission critical areas, or skill degradation due to over-reliance on Generative AI.
FIs should address security risks arising from adversarial attacks on Generative AI systems via prompt injection or data poisoning.
FIs should address operational risks arising from potential service disruptions due to Generative AI outages and problems arising from inadequate pre-deployment testing.
The Board and senior management should establish and implement robust frameworks, structures, policies, and processes to develop the capabilities and capacity needed for the development and deployment of AI use cases, systems, or models in the FI.
The Board and senior management should establish and implement robust frameworks, structures, policies, and processes to manage an AI use case, system or model throughout its entire lifecycle.
The Board and senior management should establish and implement robust frameworks, structures, policies, and processes to identify AI use cases, systems or models (both internally developed and third-party AI).
The Board and senior management should establish and implement robust frameworks, structures, policies, and processes to maintain an inventory of AI use cases, systems or models and govern their use according to a predefined risk appetite.
The Board and senior management should establish and implement robust frameworks, structures, policies, and processes to assess the materiality of AI-related risks.
The Board and senior management should maintain effective oversight of AI-related risks, foster the appropriate risk culture for the use of AI, and ensure that its use of AI would not conflict with its ability to meet other supervisory expectations.
The Board and senior management should ensure that existing risk management frameworks, policies, and practices across the organisation adequately identify, assess, and address risks posed by AI.
Identify and assess all relevant AI risks.
Update relevant policies and procedures to address such risks.
Institute appropriate strategies and controls to mitigate such risks.
Define the FI’s risk appetite in relation to such risks.
Establish relevant indicators and appropriate risk appetite thresholds for such risks.
Monitor such indicators and the adherence to risk appetite thresholds.
Articulate clear roles and responsibilities for managing AI risks across different business lines and functions.
Set out clear policies and procedures for updating the Board and senior management on breaches of such risk appetite thresholds and AI-related incidents.
Perform regular reviews to take into account newer AI developments, changes in the FI’s risk profile and business strategies, and AI regulatory developments.
The Board and senior management should ensure consistent standards, clear accountability, and robust coordination across the FI to manage AI risks.
The Board and senior management must also ensure that the FI continues to comply with all existing regulatory requirements relevant to these risk areas, even when AI is adopted.
Where overall AI risk exposure of the FI is deemed material, the FI should establish a dedicated cross-functional committee to ensure adequate oversight and to proactively address potential gaps in risk management coverage.
The Board, or a committee delegated by it, is responsible for setting clear roles and responsibilities for the Board and senior management concerning AI risk management oversight.
The Board, or a committee delegated by it, is responsible for approving the overall governance approach for AI risk management, including key frameworks, structures, policies and procedures designed to assess and manage the FI’s AI risk on an ongoing basis.
The Board, or a committee delegated by it, is responsible for ensuring that the FI’s approach, risk appetite framework, roles and responsibilities, capabilities and culture for risk management of AI use are regularly reviewed to keep pace with newer AI developments, as well as changes in the FI's risk profile and business strategies.
The Board, or a committee delegated by it, is responsible for ensuring that AI risks, where material, are explicitly addressed within the FI’s risk appetite framework, including the setting of appropriate qualitative statements and quantitative measures or limits.
The Board, or a committee delegated by it, is responsible for ensuring it has an adequate understanding of AI to provide effective oversight and challenge.
MAS proposes to apply the Guidelines to all FIs.
The FI should apply consistent and robust approaches to identify, inventorise and determine the risk materiality of AI, and apply controls proportionate to the assessed risk materiality.
FIs in Singapore that are branches or subsidiaries with parent entities in other jurisdictions may leverage the AI risk management frameworks of their parent entities, as long as such frameworks meet the expectations set out in these Guidelines.
An FI should ensure that its AI risk management framework encompasses key systems, policies and procedures for the identification, inventorisation, and risk materiality assessment of AI.
The risk materiality assessments should consider various risk dimensions relevant to the FI’s context, minimally covering: Impact, Complexity, and Reliance.
An FI should assign clear roles and responsibilities for AI risk materiality assessment. A control function should be assigned to ensure the consistent application of the assessment process across the FI, setting up attestation processes, ensuring clear documentation is maintained, and acting as the final arbiter in determining the risk materiality of an AI use case, system or model.
Clear definitions, criteria and processes, supported by robust systems, should be implemented to facilitate this identification process.
An FI should establish systems, policies and procedures to ensure the consistent identification of AI usage across all relevant business and functional areas.
FIs may implement these Guidelines in a proportionate manner, i.e., commensurate with the size and nature of their activities, use of AI, and their risk profiles, as well as the relevance of these Guidelines to the specific AI model, system or use case.
An FI should assign clear roles and responsibilities for AI identification, including the designation of a control function to be responsible for AI identification systems and processes.
The designated control function should also ensure that clear documentation of the identification process and outcomes is maintained, and that identification systems and processes are regularly reviewed and updated to take into account newer AI technologies.
All FIs should institute basic policies for the use of AI commensurate with the FI’s level of AI adoption.
These policies should address who is responsible for overseeing AI use, guidelines on allowed and disallowed uses of AI, as well as the communication, checks and reviews of such guidelines.
The FI can enhance existing inventories to include AI use cases, systems or models, or establish a dedicated inventory for AI use cases.
There should be clear linkages between the AI inventory and other relevant inventories in the FI.
There should be clear policies and procedures on the maintenance of the inventory, with new, updated or decommissioned AI use cases, systems or models reflected accurately.
An FI should establish and maintain an accurate and up-to-date inventory of AI use cases, systems or models across the FI to support governance and oversight, as well as risk management, throughout the AI lifecycle.
The AI inventory should capture key attributes to enable effective governance and oversight, as well as risk management.
The design of the inventory should be regularly reviewed to ensure that the attributes captured take into account newer AI technologies where there may be additional relevant attributes or guardrails needed, or additional information relating to third-party AI.
The FI should assign clear roles and responsibilities for the inventorisation of AI, including the designation of a control function to be responsible for the AI inventory, in areas such as policies and procedures relating to the inventory, maintenance and update of the inventory, attestation process, and regular reviews of the scope of the inventory.
An FI should establish an assessment methodology to evaluate the risk materiality of an AI use case, system or model based on the nature of its business.
The assessment methodology should be applied consistently to perform risk materiality assessments for each AI use case, system or model used by the FI.
The assessment should take into account both the inherent risk materiality of an AI use case, system or model before the appropriate risk management controls are applied, as well as the residual risk materiality after risk management controls are applied.
The FI should ensure that the residual risk materiality of the AI use case, system or model meets the FI’s risk appetite before deployment.
The risk materiality assessment methodology and risk materiality assessments for each AI use case, system or model should also be regularly reviewed to ensure their continued relevance and appropriateness.
FIs with AI use cases similar to any of the following examples would be regarded as using AI as an integrated part of their business processes
AI life cycle controls should be regularly reviewed to take into account the use of newer AI technologies.
Where the overall AI risk exposure of an FI is deemed material, MAS proposes that the FI establish a dedicated cross-functional committee to ensure adequate oversight and to proactively address potential gaps in risk management.
The Board and senior management should foster the appropriate risk culture for the use of AI, and ensure that existing organisation-wide risk management is updated to address risks introduced by the use of AI.
An FI should plan for and implement robust controls covering the entire life cycle of an AI use case, system or model and assign clear roles and responsibilities for such controls.
An FI should put in place and regularly review controls to ensure appropriate human oversight over an AI use case, system or model across its life cycle.
Clear assignment of roles and responsibilities for human oversight, including escalation and decision-making processes relating to human oversight.
Equip competent personnel assigned to monitor AI use with the necessary capabilities, including the necessary authority and ability to intervene.
Designing and developing AI systems or models from the outset to enable and facilitate appropriate human oversight.
Establishing processes to document and regularly review human oversight decisions and interventions (including incidents as well as near misses) to assess the effectiveness of human oversight.
This would include testing third-party AI products and services in the context of the FI’s use cases (including using the FI’s own data), and performing compensatory testing to address informational gaps arising from inadequate disclosures by third-party AI providers.
An FI should ensure that onboarding, development and deployment controls for third-party AI are adequate for the risk materiality of the use case, system or model which uses or depends on third-party AI.
The FI should also ensure that AI developed by third parties is subject to appropriate reviews, as well as establish processes to receive notifications of updates or changes to third-party AI and manage and assess the impact of such updates or changes.
Assessing the level of transparency from third-party AI providers on how key risks, such as those relating to data, model, technology and cybersecurity risks, are addressed during the development and deployment of such third-party AI; and setting out clear and consistent expectations on the level of transparency needed from third-party AI providers across the FI.
Where transparency and explainability are required but not available for third-party AI, the FI should consider employing compensatory measures, such as additional testing to understand the behaviour of third-party AI.
The FI should require developers to justify and document their selection process, particularly when selecting more complex algorithms or less understood features over simpler or conventional alternatives.
The selection should be supported by theory, research, or accepted industry practice where possible.
The FI should also consider incorporating reviews by domain experts or users, to ensure that the selection of algorithms or features aligns with the context of the AI use.
When selecting AI algorithms or features in data to use, an FI should consider the objectives and risks of the AI use case, system or model.
Where newer and more complex AI algorithms which are less understood are selected, an FI should carefully weigh the benefits of deploying such AI algorithms against new or heightened risks to the FI, such as hallucination, opaqueness, security risks, and the FI’s capabilities to mitigate such risks.
Each AI use case, system or model should be evaluated and tested to meet an appropriate level of reliability and safety based on the assessed risk materiality before deployment.
An FI should identify key AI risks and set clear, measurable thresholds.
An FI should conduct relevant evaluation and testing that is proportionate to the assessed risk materiality of the AI use case, system or model.
Evaluation and testing should assess performance of the AI use case, system or model under a range of plausible conditions, from real-world scenarios to edge cases.
Identification of AI risks and reliability and safety assessments should take into account the context of AI use, and assessments should take reference from best practices.
Performance thresholds should be clearly defined, documented, and mutually agreed upon by business owners, developers and reviewers.
Define appropriate evaluation measures aligned with the AI’s objectives and establish acceptable performance thresholds for these evaluation measures.
Employ relevant testing methods, such as out-of-sample or out-of-time testing, sensitivity analysis, stability analysis across different data distributions or time periods, sub-population analysis, stress testing (including edge cases and adversarial testing where appropriate), error analysis, and benchmarking against alternatives.
Datasets used for testing should be representative of the context of use in the FI.
This may involve favouring simpler models unless higher complexity is justified by a clear performance uplift, constraining complexity (e.g., via regularisation of AI models), appropriate feature selection, and using robust validation techniques like cross-validation.
Where possible, implement techniques to prevent overfitting, especially for more complex AI.
Where there are risks and limitations associated with AI identified during development, an FI should put in place appropriate controls and guardrails to mitigate these risks and limitations before deployment.
Evaluation and testing of newer AI developments such as Generative AI and AI agents should cover their key failure modes.
An FI should ensure that the AI system is secure, well-governed, and supported by appropriate controls to manage technology and cybersecurity risks.