This Legal Update takes stock of Artificial Intelligence ("AI") regulation in Singapore and Hong Kong at the mid-point of 2026. Both jurisdictions continue to rely on existing laws, voluntary frameworks and sector-specific guidance, but the first half of the year has seen a sharper emphasis on practical controls: agentic AI governance, assurance and testing, financial-sector oversight and cyber resilience.
This reflects a broader global pattern. AI regulation remains fragmented, with jurisdictions choosing different tools—statutes, regulator guidance, voluntary standards and sector-specific supervision—but common themes are becoming clearer: risk-based controls, transparency, human accountability, incident management, safety testing, data governance, cybersecurity and assurance. Singapore and Hong Kong fit within that trend, while continuing to avoid a single horizontal AI statute for now.
Singapore entered 2026 without a standalone AI law. Its approach remained anchored in voluntary governance frameworks, AI Verify and sector-specific guidance. AI Verify is a testing framework and software toolkit, launched by Singapore's Infocomm Media Development Authority and Personal Data Protection Commission in 2022 in consultation with various industry partners. It is meant to help companies assess the responsible implementation of their AI system against 11 internationally recognised AI governance principles.
The developments in the first half of 2026 build on—rather than replace—that approach, translating it into more concrete expectations around assurance, testing and operational risk management.
For agentic AI specifically, MindForge identifies risks including unauthorised actions, cascading errors across connected systems, data breaches, tool-access risks and governance scalability challenges. Recommended controls include weighting "agenticness" in risk assessments, tracking all agents, tools and access rights, applying least-privilege design, logging and traceability, limited rollouts, and human-in-the-loop approvals for higher-risk actions.
Cybersecurity and Frontier AI Risks: The Cyber Security Agency of Singapore ("CSA") issued an advisory in April 2026 warning that frontier AI models can reportedly reduce the time required to identify vulnerabilities and develop exploits from months to hours. CSA recommends immediate actions—patching critical vulnerabilities on internet-facing systems, implementing multi-factor authentication, securing development environments and enforcing least-privilege access—alongside longer-term measures including network segmentation, AI-powered vulnerability detection, shortened patch cycles, and comprehensive asset visibility.
Similar to Singapore, Hong Kong began 2026 with no single AI statute. Hong Kong's governance position remained distributed across the Personal Data (Privacy) Ordinance ("PDPO"), guidance issued by the Office of the Privacy Commissioner for Personal Data ("PCPD") and the Digital Policy Office, and sectoral rules for financial services, healthcare and insurance. The developments in the first half of 2026 are therefore best read as an intensification of supervisory expectations under existing regimes, especially where AI use involves personal data, autonomous agents or cyber-risk exposure.
In late-May/early-June 2026, the HKMA and the Securities and Futures Commission ("SFC") issued circulars calling for enhanced cybersecurity measures in response to evolving risks from AI-enabled cyberattacks. The HKMA circular reminded authorised institutions to review the adequacy of their cyber risk management, incident response, recovery testing and third-party resilience arrangements. The SFC circular applies to licensed corporations, SFC-licensed virtual asset service providers and associated entities, and highlighted areas such as patching and vulnerability management, detection and monitoring, and incident response and recovery. Together, the circulars underline that financial institutions are expected to continuously reassess existing cyber controls to ensure they remain fit for purpose as frontier AI capabilities evolve.
Singapore and Hong Kong are taking different but converging paths: Singapore through frameworks and assurance infrastructure, Hong Kong through sectoral guidance and active privacy and financial-services supervision. The common expectation is that organisations must demonstrate, not merely assert, responsible AI governance.
Companies should not wait for comprehensive AI legislation. A practical governance framework—anchored in existing privacy, financial-services and cybersecurity obligations, and supplemented by current regulatory guidance—will put them in a stronger position as and when binding requirements emerge.
At this juncture, measures that companies implementing AI in Singapore or Hong Kong may consider implementing include the following:
Mayer Brown is a global legal services provider comprising associated legal practices that are separate entities, including Mayer Brown LLP (Illinois, USA), Mayer Brown International LLP (England & Wales), Mayer Brown Hong Kong LLP (a Hong Kong limited liability partnership) and Tauil & Chequer Advogados (a Brazilian law partnership) (collectively, the “Mayer Brown Practices”). The Mayer Brown Practices are established in various jurisdictions and may be a legal person or a partnership. PK Wong LLC (“PKW”) is the constituent Singapore law practice of our licensed joint law venture in Singapore, Mayer Brown PK Wong Pte. Ltd. More information about the individual Mayer Brown Practices and PKW can be found in the Legal Notices section of our website.
“Mayer Brown” and the Mayer Brown logo are the trademarks of Mayer Brown.
Attorney Advertising. Prior results do not guarantee a similar outcome.