AI Acceptable Use Policy (Singapore)
ARTIFICIAL INTELLIGENCE ACCEPTABLE USE POLICY
[Company Name]
UEN: [UEN]
Effective Date: [Effective Date]
Policy Owner: [Policy Owner]
1. INTRODUCTION AND SCOPE
1.1 [Company Name] ("Company") recognises the significant productivity and innovation benefits of artificial intelligence ("AI") tools, including large language models (LLMs) and generative AI platforms. The Company also acknowledges the associated risks to data protection, intellectual property, accuracy, and regulatory compliance.
1.2 This AI Acceptable Use Policy ("Policy") establishes rules for the responsible use of AI tools by all employees, directors, contractors, and interns ("Users") in connection with the Company's business.
1.3 This Policy is aligned with: the IMDA Model AI Governance Framework (Second Edition, 2020); the MAS Principles to Promote Fairness, Ethics, Accountability and Transparency (FEAT) in the Use of AI and Data Analytics in the Financial Sector; and the Personal Data Protection Act 2012 (PDPA).
2. APPROVED AND PROHIBITED AI TOOLS
2.1 Approved AI Tools: Users may use the following Company-approved AI tools for work purposes: [Approved Tools].
2.2 Prohibited / Restricted Tools: The following AI tools are prohibited or require prior written approval from [Policy Owner]: [Prohibited Tools].
2.3 Approval of New Tools: [Approval Process]. No AI tool may be used for work purposes until approved by the Company.
3. DATA PROTECTION AND PDPA COMPLIANCE
3.1 Prohibited Data Types: Users must NOT input the following into any AI tool: [Prohibited Data Types].
3.2 Anonymisation Requirement: [Anonymisation Required]. Where required, all personal and confidential data must be anonymised or de-identified before being input into any AI system.
3.3 Under the Personal Data Protection Act 2012, personal data of customers, employees, and other individuals must not be sent to external AI platforms without appropriate consent, data processing agreements, and transfer safeguards as required by the PDPA Transfer Limitation Obligation.
3.4 Any suspected breach of personal data through AI use must be reported to [DPO Name] ([Contact Email]) immediately, and to the Personal Data Protection Commission (PDPC) where required under section 26D of the PDPA.
4. USAGE RULES AND HUMAN OVERSIGHT
4.1 Human Review: [Human Review Required]. Consistent with the IMDA Model AI Governance Framework principle of human oversight, all AI-generated outputs must be reviewed and validated by a human User before being used, relied upon, or submitted to clients.
4.2 Disclosure: [Disclosure Required]. Where required, Users must disclose to clients or counterparties when AI tools have been used in preparing deliverables, reports, or communications.
4.3 Accuracy and Reliability: Users acknowledge that AI tools may generate inaccurate, biased, or misleading outputs ("hallucinations"). Users are responsible for verifying all AI outputs against reliable sources before reliance.
4.4 Intellectual Property: AI-generated content may not be protected by copyright under the Copyright Act 2021 (Cap. 63). Users must not use AI-generated content in a manner that infringes third-party intellectual property rights.
4.5 Additional Rules: [Additional Rules]
5. PROHIBITED USES
5.1 Users must NOT use AI tools to:
- Generate, spread, or distribute false, misleading, defamatory, or illegal content;
- Engage in any form of discrimination, harassment, or bias based on protected characteristics;
- Make fully automated decisions that materially affect individuals without human oversight;
- Circumvent security controls or gain unauthorised access to systems;
- Engage in deceptive practices including impersonation of humans without disclosure; or
- Violate any applicable Singapore law, including the Computer Misuse Act 1993, the PDPA 2012, or the Cybersecurity Act 2018.
6. ENFORCEMENT AND REVIEW
6.1 Violations of this Policy may result in disciplinary action up to and including termination of employment, and may be referred to relevant Singapore authorities.
6.2 This Policy will be reviewed at least annually, or more frequently as the AI regulatory landscape in Singapore evolves.
6.3 For queries or to report a concern, contact: [DPO Name] at [Contact Email].
7. GOVERNING LAW
7.1 This Policy is governed by the laws of the Republic of Singapore.
USER ACKNOWLEDGEMENT
I acknowledge that I have read, understood, and agree to comply with the AI Acceptable Use Policy of [Company Name].
User / Employee
________________
Signature
Authorised Signatory (Company)
________________
Signature
What Is an AI Acceptable Use Policy (Singapore)?
An AI Acceptable Use Policy in Singapore sets out the standards and procedures the organisation expects its people to follow.
Singapore's regulatory approach to AI governance operates through a principles-based framework rather than prescriptive legislation. The IMDA Model AI Governance Framework, developed in collaboration with the World Economic Forum's Centre for the Fourth Industrial Revolution, establishes four core principles: internal governance structures and measures, human involvement in AI-augmented decision-making, operations management covering risk and data management, and parties interaction and communication. Singapore's National AI Strategy 2.0, launched by the Smart Nation Group in December 2023, reinforces the government's commitment to responsible AI adoption across all sectors of the economy while maintaining Singapore's position as a global AI innovation hub.
The Personal Data Protection Commission (PDPC), operating under the PDPA 2012, has issued Advisory Guidelines on the Use of Personal Data in AI Recommendation and Decision Systems (2024) clarifying that organisations using AI tools to process personal data must comply with all PDPA obligations — including consent (Section 13), purpose limitation (Section 18), accuracy (Section 23), and protection (Section 24). Employees who input customer data, employee records, or other personal data into external AI tools without organisational authorisation risk creating a PDPA breach carrying financial penalties of up to S$1 million or 10% of annual turnover (whichever is higher) under Section 48J of the PDPA as amended by the Personal Data Protection (Amendment) Act 2020.
The Monetary Authority of Singapore (MAS) has established sector-specific AI governance requirements through the Fairness, Ethics, Accountability and Transparency (FEAT) Principles and the Veritas toolkit for financial institutions. Companies in the banking, insurance, and capital markets sectors must comply with MAS Notice on Technology Risk Management (MAS TRM) requirements when deploying AI systems that affect customer outcomes, credit scoring, or fraud detection. An AI Acceptable Use Policy for MAS-regulated entities must incorporate FEAT Principles assessments and document the human oversight mechanisms for AI-driven decisions affecting customers.
The Cyber Security Agency of Singapore (CSA) has published guidelines on securing AI systems against adversarial attacks, prompt injection, and data poisoning — risks that organisations must address when permitting employees to use AI tools connected to internal systems or databases. An AI Acceptable Use Policy serves as the primary governance instrument through which Singapore employers discharge their obligation to manage AI-related risks under the IMDA framework, PDPA requirements, and sector-specific regulations.
Singapore's AI Verify Foundation, launched by IMDA in June 2023, provides an open-source AI governance testing framework that organisations can use to validate the performance of AI systems against internationally recognised principles including fairness, robustness, and transparency. Companies developing or deploying AI tools internally may reference AI Verify test results in their AI Acceptable Use Policy to demonstrate due diligence in assessing AI tool capabilities and limitations before granting employee access.
When Do You Need an AI Acceptable Use Policy (Singapore)?
A Singapore AI Acceptable Use Policy is needed whenever an organisation permits, plans to permit, or discovers that employees are using AI tools in connection with workplace activities, regardless of whether the AI tools are company-provided or personally accessed by employees.
When a Singapore company deploys enterprise AI tools such as Microsoft 365 Copilot, GitHub Copilot, or Salesforce Einstein across its workforce, an AI Acceptable Use Policy defines which tools are approved for use, what data categories may be processed through AI systems, and the review obligations for AI-generated outputs before external distribution. Without a formal policy, individual employees make ad hoc decisions about AI tool usage, creating inconsistent data handling practices that expose the organisation to PDPA enforcement action by the Personal Data Protection Commission (PDPC).
When employees in financial services firms regulated by the Monetary Authority of Singapore (MAS) use AI tools for credit assessment, customer communications, or compliance reporting, an AI Acceptable Use Policy documenting human oversight mechanisms satisfies the MAS FEAT Principles requirement for accountability and transparency in AI-augmented decision-making. MAS inspection teams review AI governance documentation during supervisory examinations, and the absence of a formal policy may trigger regulatory findings.
When a technology company or startup develops proprietary AI models or fine-tunes open-source models using company data, an AI Acceptable Use Policy addresses intellectual property ownership of AI-generated code and content, restrictions on using copyrighted training data, and the obligation to review AI outputs for accuracy before deployment. The Intellectual Property Office of Singapore (IPOS) has not issued definitive guidance on copyright ownership of AI-generated works, making clear contractual and policy provisions essential for protecting the company's IP position.
When employees handle sensitive categories of personal data — including healthcare records subject to the Private Hospitals and Medical Clinics Act (Cap. 248), student records under the Ministry of Education's data governance framework, or financial records subject to MAS confidentiality requirements — an AI Acceptable Use Policy must prohibit the input of such data into external AI tools and define approved internal AI systems that meet the organisation's data protection standards.
When a company operating in Singapore engages remote workers, contractors, or offshore teams who may use AI tools on personal devices, an AI Acceptable Use Policy extends governance controls beyond the physical workplace. Organisations should consider pairing the AI Acceptable Use Policy with a BYOD Policy for Singapore and a Data Protection Policy for Singapore to create a layered governance framework addressing all vectors of AI-related data risk.
What to Include in Your AI Acceptable Use Policy (Singapore)
A Singapore AI Acceptable Use Policy must include several governance elements to satisfy the IMDA Model AI Governance Framework, PDPA 2012 requirements, and sector-specific regulations applicable to the organisation.
Policy scope and definitions must clearly identify which AI tools, systems, and technologies are covered — including generative AI (ChatGPT, Claude, Gemini), code generation tools (GitHub Copilot, Amazon CodeWhisperer), image generation tools, and any internally developed AI systems. The definition should encompass both company-provided tools accessed through enterprise licences and personal AI tools accessed by employees on company or personal devices during work activities.
Approved and prohibited AI tools must list specific tools that employees are authorised to use for work purposes, the approval process for requesting new AI tools, and a clear prohibition on using unapproved AI tools for processing company data. The policy should specify which tools have been assessed against the organisation's data processing requirements and PDPA obligations — the PDPC's Advisory Guidelines recommend that organisations conduct a Data Protection Impact Assessment (DPIA) before deploying AI tools that process personal data.
Data handling requirements must define categories of data that may and may not be input into AI tools. Personal data protected by the PDPA 2012 — including NRIC numbers, addresses, financial information, and health data — must not be entered into external AI tools unless the tool operator has been assessed as a data intermediary meeting the organisation's data protection standards under Section 4(2) of the PDPA. Confidential business information, trade secrets, source code, and client-privileged communications should be subject to similar restrictions.
Human oversight obligations must specify that AI-generated outputs — including reports, customer communications, code, legal documents, and financial analyses — must be reviewed by a qualified human before use, distribution, or publication. The IMDA Model AI Governance Framework's Principle 2 requires meaningful human involvement in AI-augmented decision-making, particularly for decisions that materially affect individuals.
The forms-legal.com Singapore AI Acceptable Use Policy template includes 13 sections covering company details, approved tools, data protection, usage rules, prohibited uses, and enforcement provisions aligned with IMDA, PDPC, and MAS governance requirements.
Intellectual property provisions must address ownership of AI-generated content created by employees during employment, restrictions on inputting the company's proprietary code or trade secrets into AI tools, and the company's position on using AI-generated code in production systems. Under the Copyright Act 2021 administered by IPOS, copyright subsists in original literary, dramatic, musical, and artistic works — the application of originality requirements to AI-generated content remains an evolving area of Singapore law.
Enforcement and compliance provisions must specify the consequences for policy violations — ranging from verbal warnings to termination of employment for serious breaches — the reporting mechanism for suspected violations, and the role of the Data Protection Officer (DPO) or policy owner in investigating incidents. Organisations should also address the Code of Conduct for Singapore expectations that employees will exercise professional judgment when using AI tools in client-facing or regulatory contexts.
Training and awareness requirements must mandate that all employees complete AI governance training before accessing approved AI tools, with periodic refresher training aligned with updates to the IMDA framework, PDPA amendments, or changes to approved tools. MAS-regulated entities must document AI training as part of their technology risk management programme under MAS TRM Notice requirements.
Incident response procedures must define the process for reporting and investigating AI-related security incidents — including data breaches resulting from AI tool misuse, adversarial manipulation of AI outputs, or unintended disclosure of confidential information through AI-generated content. The PDPC's Guide to Managing Data Breaches 2.0 requires organisations to notify the PDPC within 3 calendar days of assessing that a notifiable data breach has occurred, and AI-related data breaches must be escalated through the same notification framework under Section 26D of the PDPA.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). AI Acceptable Use Policy (Singapore) (Singapore) [Legal document template]. Forms Legal. https://forms-legal.com/singapore/business/policies/ai-acceptable-use-policy-singapore
"AI Acceptable Use Policy (Singapore) (Singapore)." Forms Legal, 2026, https://forms-legal.com/singapore/business/policies/ai-acceptable-use-policy-singapore.
@misc{formslegal-ai-acceptable-use-policy-singapore,
author = {{Forms Legal}},
title = {AI Acceptable Use Policy (Singapore) (Singapore)},
year = {2026},
howpublished = {\url{https://forms-legal.com/singapore/business/policies/ai-acceptable-use-policy-singapore}},
note = {Free legal document template. Based on Companies Act 1967 (Cap. 50)}
}
Frequently Asked Questions
Singapore does not currently mandate AI-specific legislation requiring organisations to adopt an AI Acceptable Use Policy. However, several regulatory frameworks create strong practical obligations that make a formal policy essential for compliance. The Personal Data Protection Act 2012 (PDPA) requires organisations to implement reasonable security arrangements to protect personal data under Section 24, and the Personal Data Protection Commission (PDPC) has issued Advisory Guidelines confirming that AI tools processing personal data trigger full PDPA compliance obligations. The IMDA Model AI Governance Framework (Second Edition, 2020) — while voluntary — is referenced by government agencies, industry regulators, and contractual counterparties as the baseline standard for responsible AI governance in Singapore. MAS-regulated financial institutions must comply with the FEAT Principles and MAS Technology Risk Management Notice, which require documented governance frameworks for AI systems affecting customer outcomes. Organisations operating without a formal AI Acceptable Use Policy face increased regulatory risk, particularly in sectors where AI tool usage intersects with personal data processing, financial services regulation, or healthcare data governance.
Unauthorised input of personal data into external AI tools may constitute a breach of the Personal Data Protection Act 2012 (PDPA) by the employing organisation, not merely a policy violation by the individual employee. Under the PDPA, the organisation — not the individual employee — bears primary responsibility for personal data protection against unauthorised disclosure and processing. The PDPC may impose financial penalties of up to S$1 million or 10% of annual turnover in Singapore (whichever is higher) under Section 48J of the PDPA as amended by the Personal Data Protection (Amendment) Act 2020. The PDPC has issued enforcement decisions against organisations whose employees transferred personal data to unauthorised cloud services, establishing that the employer's failure to implement adequate policies and training constitutes a breach of the protection obligation under Section 24. Criminal liability under Section 48B of the PDPA may apply to individuals who knowingly or recklessly misuse personal data obtained through their employment. Organisations should implement technical controls — such as data loss prevention (DLP) tools and network-level blocking of unapproved AI services — alongside the AI Acceptable Use Policy to prevent unauthorised data transfers.
The IMDA Model AI Governance Framework (Second Edition, 2020) provides the primary governance standard that Singapore organisations reference when developing AI Acceptable Use Policies. The framework establishes four pillars: internal governance structures requiring board-level or senior management accountability for AI decisions; human involvement in AI-augmented decision-making proportionate to the risk level of the AI application; operations management covering data quality, model testing, and risk assessment; and stakeholder interaction requiring transparency about how AI systems affect individuals. While the IMDA framework is voluntary, Singapore government agencies incorporate framework compliance into procurement requirements for vendors deploying AI systems in public sector projects. The Smart Nation Group's National AI Strategy 2.0, launched in December 2023, signals increased regulatory attention to AI governance across all sectors. Organisations that adopt AI Acceptable Use Policies aligned with the IMDA framework demonstrate responsible governance practices that satisfy contractual counterparties, international business partners, and regulatory expectations — particularly when operating across ASEAN markets where Singapore's AI governance standards are increasingly referenced as regional benchmarks.
The selection of approved AI tools for a Singapore workplace depends on the organisation's industry, data sensitivity, and regulatory obligations. Enterprise-grade tools with contractual data processing agreements — such as Microsoft 365 Copilot (with data residency in Singapore or approved regions), GitHub Copilot for Business (with organisational policy controls), and Google Workspace AI features — generally present lower risk because they offer enterprise data protection commitments, audit logging, and compliance certifications. Organisations should conduct a Data Protection Impact Assessment (DPIA) as recommended by the PDPC before approving any AI tool that processes personal data, evaluating the tool's data retention policies, server locations, subprocessor arrangements, and compliance with PDPA transfer restriction obligations under Section 26. MAS-regulated entities must additionally assess AI tools against FEAT Principles requirements for fairness, explainability, and accountability before deployment in customer-facing processes. Free-tier consumer AI tools that lack enterprise data protection agreements should generally be classified as prohibited for processing company data, as their terms of service may permit the AI provider to use input data for model training. The AI Acceptable Use Policy should establish a formal approval workflow — typically involving the Data Protection Officer (DPO), IT security team, and business unit head — for evaluating and onboarding new AI tools.
A Singapore employer may monitor employee AI tool usage within the boundaries established by the Personal Data Protection Act 2012 (PDPA) and employment law principles. The PDPA's business contact information exception (Section 4(5)) and the employee exception provisions permit employers to collect and use employee data for managing the employment relationship, including monitoring compliance with workplace policies. However, the PDPC has advised that monitoring should be proportionate, transparent, and conducted for legitimate business purposes — not for general surveillance of employee activities. The AI Acceptable Use Policy should clearly state that the employer reserves the right to monitor, log, and audit employee use of approved AI tools through enterprise administration consoles and network monitoring systems. Employees must be informed of the monitoring through the policy document, the employment contract, or a separate notice — the PDPC has indicated that notification satisfies the consent framework for employment-related monitoring. Technical monitoring controls may include reviewing AI tool audit logs, implementing data loss prevention (DLP) solutions that flag sensitive data transfers, and conducting periodic reviews of AI usage patterns. Monitoring of personal AI tool usage on employees' personal devices falls outside the employer's legitimate monitoring scope unless the employee has consented through a BYOD Policy for Singapore.
A Singapore AI Acceptable Use Policy should be reviewed at minimum annually and updated whenever material changes occur in the regulatory environment, the organisation's AI tool ecosystem, or the threat environment. The IMDA Model AI Governance Framework recommends that AI governance measures be reviewed periodically to reflect evolving AI capabilities and risks. Trigger events requiring immediate policy review include: new PDPC enforcement decisions or Advisory Guidelines affecting AI data processing; updates to the MAS FEAT Principles or Technology Risk Management Notice for financial institutions; deployment of new AI tools or significant upgrades to existing tools; security incidents involving AI systems (data breaches, prompt injection attacks, or model manipulation); and changes to the organisation's business operations that alter AI risk exposure. The Cyber Security Agency of Singapore (CSA) recommends that organisations conducting AI governance reviews assess emerging threats including adversarial AI attacks, supply chain risks from third-party AI model providers, and the evolving regulatory environment in Singapore's key trading partner jurisdictions. Policy updates should be communicated to all employees through mandatory acknowledgement, and refresher training should accompany material policy changes to maintain compliance awareness across the workforce.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
Related Documents
You may also find these documents useful:
BYOD Policy (Singapore)
A Bring Your Own Device (BYOD) policy establishing rules for employees using personal devices for work purposes in Singapore. Incorporates PDPA data protection obligations, MAS Technology Risk Management guidelines where applicable, and IT security standards. Defines acceptable use, data handling, and device management requirements.
Data Protection Policy (Singapore)
An internal PDPA 2012 compliance policy for Singapore organisations covering the nine data protection obligations, DPO appointment and responsibilities, data inventory, consent management, breach response, and staff training requirements. Demonstrates the organisation's accountability to the PDPC and provides the internal governance framework for handling personal data responsibly.
Code of Conduct (Singapore)
A comprehensive employee Code of Conduct establishing workplace behavioural standards, ethical obligations, and disciplinary procedures for Singapore companies. Aligned with the Employment Act (Cap. 91A), Workplace Safety and Health Act (Cap. 354A), and Tripartite Advisory on Managing Workplace Harassment.
Social Media Policy (Singapore)
An employee Social Media Policy governing the use of social networking platforms in relation to an organisation's business activities. Drafted to comply with Singapore's Protection from Harassment Act 2014, Personal Data Protection Act 2012, and the Broadcasting Act (Cap. 28) licensing framework for online content.