Updated Model AI Governance Framework for Agentic AI

Dayos

An enterprise AI automation company headquartered in Singapore with operations in the US.

Dayos used tiered risk levels to guide and bound the actions taken by its agent.

Every type of IT ticket was assessed for severity of impact, reversibility and feasibility of human oversight.

Depending on this, the agent would have a different autonomy level. For example:

• For Tier 1 actions (low severity, fully reversible) such as password resets, this is fully automated by the agent but its actions are audited biweekly.
• For Tier 2 actions (moderate severity, partially reversible), the agent diagnoses and proposes the fixes but can only act with a human’s approval.
• For Tier 3 actions (high severity, limited reversibility) such as permissions modifications, the agent cannot act at all in relation to these.

Tencent

Multinational technology company headquartered in China, responsible for gaming, messaging app WeChat and AI models such as Hy.

To enable meaningful human oversight, CodeBuddy employs a mix of preset secure defaults and configurable permissions to allow for meaningful human oversight without overly fatiguing the user.

• Defining significant checkpoints for human intervention: For example, the system defines by default which actions need human approval, such as editing files, running shell commands, making network requests, or using external tools.
• Enabling humans to effectively evaluate requests for approval: Complex commands are explained in plain English to the user, aiding the user to make informed decisions.
• Complement with automated monitoring: As an additional safety net, suspicious commands will still require human approval, even if the command had been pre-approved previously.

GovTech

A statutory board in Singapore that develops digital government services and drives public sector transformation.

Govtech Singapore’s phased approach to rollouts of coding assistants allowed them to incrementally monitor risks while preparing controls for new features.

First phase – limited to internal employees, no external tools, low-risk systems: In the first phase, the tool was limited to GovTech Singapore’s employees, external tools (MCP servers) were not allowed, and only for low-risk systems. This kept the potential damage small if anything went wrong.

During this time, GovTech Singapore was able to build the necessary safeguards for a wider rollout – such as central logging, monitoring, and a framework to safely connect to approved external tools. They were also able to test the system against potential attacks to ensure effectiveness of guardrails.

Lessons from phase one also helped improve the rollout – for example, fixing early technical issues, reducing cognitive load of human approvers, and making the overall setup easier to adopt.

Workday

Global enterprise AI platform for managing people, money and AI agents.

Workday implemented AI agents to streamline its internal financial and human resources operations. The use cases for HR agents include:

• Recruiter Agent which supports screening and evaluation of candidates for job roles.
• Conversational Scheduling Agent which manages the full interview, orientation, and event session scheduling lifecycle.

To enable end-user responsibility, Workday informed users of:

• The agent’s identity and range of actions: Workday’s interface ensures that users who interact with Workday's AI agents through platforms like Slack or Microsoft Teams, are informed upfront that they are engaging with an AI-powered tool.
• Agent’s reasoning: Workday ensured that the agent’s reasoning was visible to users so that they are equipped with relevant information to review and use the results in a responsible manner.