MAS AI Risk Management Guidelines: Solving the Data Governance Challenge

Key takeaways

• The MAS AI Risk Management Guidelines (AIRG) formally extend the same data governance obligations from the 2024 paper into the AI domain; institutions with strong CDE governance already have the foundation.

• Para 4.5 makes data governance a standalone AI risk control across seven dimensions: quality, lineage, representativeness, classification, privacy, security, and auditability.

• Bias, explainability, and fairness are data problems before they are model problems; the AIRG expects controls at the data layer, not only at model validation.

• Since 2024, Alation has launched five agentic capabilities — CDE Manager, Data Quality Agent, Bulk Curation, Data Products Marketplace, and Agent Studio — that directly address each AIRG requirement, so institutions can move from periodic audits to continuous, automated governance.

• Together, these capabilities shift governance from a manual compliance exercise to a continuous, automated, and auditable practice.

The Monetary Authority of Singapore (MAS) has raised the bar. The November 2025 consultation paper on AI Risk Management (the AIRG) extends those same expectations into the AI domain and adds new requirements that a data catalog alone cannot address at the speed or scale regulators now expect.

For institutions already managing critical data elements, the AIRG is not a new discipline — it is an expansion of one you know. Your existing data governance foundations are the starting point. What has changed is scope and pace: AI systems require governance that operates continuously, at scale, and with a documented audit trail. Alation has evolved to meet that — now an agentic data intelligence platform built for exactly these regulatory demands.

What the AIRG actually requires

The AIRG covers a lot of ground, including model inventories, risk materiality assessments, lifecycle controls, human oversight, and third-party AI due diligence. But its most immediate and broadly applicable requirement sits in Para 4.5, and it is not about AI at all. It is about data governance.

"An FI should put in place data management controls to ensure data used across the AI life cycle is fit for purpose and representative, of high quality, and subject to robust data governance." — AIRG Para 4.5

Seven dimensions: fitness for purpose, representativeness, quality, classification, security, privacy, auditability, and lineage. These are the same disciplines MAS called out in 2024, now applied to training datasets, inference pipelines, and the data feeding every AI system in production.

This post maps those new capabilities to the AIRG requirements they address, with advice on how to navigate each need.

The seven data governance dimensions under AIRG para 4.5

The AIRG also adds new requirements relevant to AI governance across the full lifecycle:

• Training data must be representative of the conditions under which AI will operate, including stressed ones; gaps here are the most common origin of model bias.

• Fairness controls must operate at the data layer because training data that encodes historical patterns of discrimination will produce discriminatory outputs regardless of model quality.

• Explainability requires documentation created during development and maintained through deployment, not reconstructed when an examiner asks.

• Post-deployment monitoring must detect shifts in input data distribution before they degrade model performance.

• Accountability for third-party AI data stays with the FI, not the vendor.

What was previously a manual, periodic effort to satisfy these requirements is now a continuous, agent-powered operation. That shift is what the new Alation capabilities make possible. The sections below map each capability to the specific AIRG requirements it addresses, and note where complementary tooling may be needed for requirements outside Alation's scope.

CDE Manager: Translating AIRG policy into enforceable data standards

When MAS inspectors examined D-SIBs in 2022 and 2023, one of the most consistent findings was that policies existed but were not operationalised. Institutions had data governance frameworks on paper that did not translate into consistent standards applied to individual data elements. The consequence was not just a compliance gap — it was that the data feeding business decisions and, increasingly, AI systems could not be relied upon.

CDE Manager addresses this directly. Its Policy-as-Code agents read regulatory requirements and institutional risk policies and automatically translate them into measurable data management standards. They then semantically map those standards to CDEs across the data ecosystem, link them to lineage, quality signals, and glossary terms, and continuously monitor for compliance. When a CDE falls out of standard, the system surfaces the exception in real time.

For AIRG Para 4.5, this means the seven data management dimensions — quality thresholds, lineage documentation, fitness-for-purpose assessments, and classification — can be defined once against the regulatory standard and enforced continuously across the AI data estate, not checked periodically in manual audits.

For AI use cases, fitness for purpose and representativeness are the dimensions most likely to require attention — and most likely to be where examiners look first.

The audit-ready view CDE Manager provides — consolidating each element's definition, ownership, policy linkages, compliance status, and lineage — is precisely what MAS examiners will look for as evidence that governance is operational, not aspirational. For the commercial case alongside the regulatory one, see Alation's analysis of Gartner's findings on AI-ready data.

For institutions subject to BCBS 239, the same framework governs risk reporting CDEs and AI training data CDEs within a single system. The discipline is the same. The asset class is broader.

Data Quality Agent: Continuous monitoring where the AIRG requires it most

The AIRG's Para 4.5c requires robust data quality controls, calibrated to element criticality, with regular monitoring for anomalies, drifts, and potential bias:

Data Quality: Adequacy of the quality of data used in an AI use case, system or model, including assessing data relevance, accuracy, completeness, and recency; as well as regular monitoring of data quality and checks for anomalies, drifts, and potential bias.

Para 4.23a requires ongoing checks for data drift across all deployed AI. These are continuous monitoring requirements, not point-in-time ones.

Meeting that standard manually — writing rules for hundreds of data assets, tracking freshness, checking for distributional shifts — is not realistic at the pace of modern AI deployment. The Data Quality Agent changes the economics of this.

It learns from usage patterns and behavioural metadata to identify the data assets that matter most, then automatically generates tailored quality rules for those assets: anomaly detection, freshness checks, and completeness validation, without manual rule-writing. When rules are breached, alerts surface in context — in the catalogue, in Slack, in Teams, in BI tools — so issues are caught and resolved at the point of consumption rather than discovered in the next audit cycle.

For AI-specific requirements, the Data Quality Agent operates on the data pipelines feeding production models. When input data distributions shift — the leading indicator of model drift — the agent detects that change at the data layer before it reaches model performance. This is upstream visibility that model monitoring tools cannot provide. By the time a model performance metric drops, Alation has already flagged the cause at the data layer — giving teams time to act before decisions or customers are affected.

The AIRG's Para 4.23a requirement to monitor for data drifts is satisfied at the source, not after the fact.

Bulk Curation: Making the documentation requirement achievable at scale

Most institutions running AI in production face the same problem: models are deployed faster than documentation can follow. The AIRG closes that gap by making documentation a compliance obligation, not a best-effort practice.

Para 4.17 requires that AI development be documented in sufficient detail for an independent party to understand and replicate it:

4.17 An FI should document the AI development process to enable reproducibility and auditability. Documentation should be sufficiently detailed for an independent party, such as a reviewer or auditor, to understand and potentially replicate the implementation of the AI system or model and its results. Documentation standards should cover the entire development process and may include information such as: a. data sources, processing, and quality checks; b. selection rationale; c. training procedures including code versions, environments, and hyperparameters; d. evaluation measures and performance thresholds, testing approaches, and results; e. explainability analysis, fairness assessments; and f. key assumptions, limitations and mitigants.

For institutions with dozens of AI models in production, meeting this standard manually is not a realistic programme. Documentation that lags deployment by months is one of the most common findings in model risk reviews — the blank-page problem that Bulk Curation eliminates. Agents generate draft descriptions from catalog context and metadata, apply consistent standards, and queue items for steward review and approval. The human reviewer retains judgment; the agent removes the friction that causes documentation to fall behind.

In the context of AIRG compliance, this means the training data, feature stores, and inference pipelines connected to AI model records in the catalogue can be documented consistently, at the speed of deployment, with governance built into the workflow.

Data Products Marketplace: Governing what AI consumes in production

AI systems consume data throughout the lifecycle: as inputs at training, as live feeds during inference, and — in some architectures — as context feeding downstream models and decisions. The AIRG's data governance obligations cover all of it. Para 4.5 applies across the AI lifecycle, which means the quality, provenance, and fitness of data matters not only at training time but every time an AI system uses it.

Without a governed mechanism for data access, teams make case-by-case judgements about which datasets are appropriate for AI use. That creates inconsistency, audit risk, and the undocumented lineage that MAS examiners will flag.

Deploying AI at scale while maintaining defensible governance requires data that has been explicitly assessed, documented, and certified before it reaches a model.

The Data Products Marketplace makes that possible at the point of consumption. Data products are curated, governed packages of data assets with clear ownership, defined quality standards, embedded lineage, and certification against organisational compliance requirements. Only certified products are published. AI systems that consume data from the Marketplace — by design — use data that has been assessed for quality, documented for provenance, and approved for use.

For AIRG compliance, the Marketplace provides a practical mechanism to ensure that AI systems operate on governed data. As one enterprise data architect quoted in Alation's research put it: "We'll let humans use data assets, but AI is only going to use data products." That instinct maps directly to what the AIRG requires: AI consuming data that has been explicitly assessed as fit for purpose, with the governance record to prove it.

The Marketplace also addresses the AIRG's representativeness requirement. Data products built for AI use cases can be assessed against coverage requirements, with gaps surfaced before the product is certified for use in training or inference.

Agent Studio: Building the AI governance agents FIs need today

The AIRG's scope is broad: it covers any AI system an FI uses, including AI agents operating with greater autonomy. Para 4.23a notes that for agentic workflows, information flow and decision-making paths should be monitored:

4.23 An FI should develop and implement comprehensive and robust controls for the ongoing monitoring of all deployed AI (including third-party AI used in the FI)... Key areas that the FI should consider include: a. Monitoring Measures: Based on the risks of the AI use case, system or model, define key metrics to be monitored and acceptable performance thresholds for each metric... Appropriate checks for data drifts (changes in input data distributions), concept drifts (changes in relationships between inputs and outputs), and overall model drifts should be implemented. Where relevant, information flow and decision-making paths across workflows that use AI, such as reasoning processes, actions taken, tools used should also be monitored.

Agent Studio gives FIs the tools to build governed AI agents grounded in the Agentic Knowledge Layer — the catalogue, data products, and governance metadata. Agents built in Agent Studio inherit the access controls, policies, and lineage of the underlying data products they use. Every response is transparent, showing the datasets, joins, and definitions behind it. The Evaluations feature, built into every agent, defines structured test cases representing the gold standard for agent behaviour, runs them continuously post-deployment, and surfaces changes for human review and approval before they take effect.

For the AIRG, this addresses two requirements simultaneously. First, for FIs building AI agents on governed data, Agent Studio ensures those agents operate on data whose quality, lineage, and provenance have already been established through the catalogue. Second, the Evaluations feature creates the structured monitoring and human oversight framework Para 4.10 and Para 4.23 expect: human-in-the-loop governance of agent behaviour, with documented review decisions and continuous performance tracking.

It is worth being direct about scope: this applies specifically to AI agents built within Alation. FIs with broader AI estates — third-party models, externally developed agents, or models operating outside the Alation environment — will need complementary tooling for external model oversight. Alation addresses the data and agent governance layer; model risk management platforms address the model lifecycle layer.

A platform that keeps pace with AI innovation

The institutions that will demonstrate credible AIRG compliance are not those that document their existing practices better. They are those that can show governance operating continuously and at scale: policies translated into standards automatically, quality monitored in real time, documentation kept current through the model lifecycle, and AI systems consuming only certified, governed data.

CDE Manager, the Data Quality Agent, Curation Automation, the Data Products Marketplace, and Agent Studio are what make that possible. None of them existed when MAS published the 2024 guidance. All of them are relevant to what MAS will examine under the AIRG.

The 12-month transition window is not a planning period. It is a build period. The institutions that start now have an advantage that compounds.

To see how Alation's agentic capabilities address the AIRG's requirements, visit alation.com/solutions/financial-services or book a demo.