Five ways that GovTech Singapore is derisking AI development for the public sector

By Si Ying Thian

At the STACKx Cybersecurity event, GovTech Singapore’s Chief Executive Goh Wei Boon called on government, industry and academia to work together to innovate and stay ahead of emerging threats.

GovTech Singapore's CE Goh Wei Boon delivered a keynote titled “Rising flames: Trust in the line of fire” at the STACKx Cybersecurity event on April 17. Image: GovTech Singapore

Not using artificial intelligence (AI) is no longer an option, said Goh Wei Boon, Chief Executive at the Government Technology Agency of Singapore (GovTech Singapore) and Government Chief Digital Technology Officer at the Ministry of Digital Development and Information (MDDI).

 

He was speaking in the keynote titled “Rising flames: Trust in the line of fire” at the STACKx Cybersecurity event on April 17, highlighting AI as a key enabler for addressing the emerging cybersecurity challenges. 

 

Attended by more than 1,000 public and private sector professionals, the event is currently in its second edition, and the sessions focus on actionable strategies to use AI for cyber defence. 

 

Still referencing the “flames” in his keynote title, Goh highlighted GovTech Singapore’s response to emerging AI-driven cybersecurity challenges.

 

The response has three parts: taming the flame (by empowering the whole of government to build more secure AI systems), harnessing the flame (by using AI to give defenders an edge), and mastering the flame (by equipping public officers to secure and use AI effectively).

 

GovInsider highlights five ways that the agency is making it more secure for public officers to develop and use digital systems.  

1. Policy reforms that engender ownership, and clear guidelines 

 

To move from “ticking checkboxes” to greater ownership in one’s security posture, GovTech Singapore has revamped the IM8 policy to give digital system owners more autonomy to customise their security plans based on unique business needs. 

 

IM8 is the core policy governing information and communications technology (ICT) and smart systems (SS) in the Singapore public sector. 

 

“Instead of a one-size-fits-all approach, the new IM8 contains different levels of controls which can be clearly mapped to a system’s risk level,” Goh explained. 

 

To reduce the manual toil of compliance, GovTech Singapore also launched the whole-of-government (WOG) IM8 portal in 2024, which allows agencies to customise their system controls and automate checking.

 

The digital portal can translate human-readable compliance information into machine-readable code (known as OSCAL), which is then fed into GovTech Singapore’s platforms like CloudSCAPE and CodeSCAPE.

 

These platforms allow system owners to run checks daily, so that they can quickly check if their code is in line with the policy. 

 

By streamlining these processes, the government is ensuring that security is a continuous, tailored priority rather than just a yearly compliance exercise, he says. 

 

“AI-specific security guidance helps our people build with confidence,” Goh adds, sharing about the WOG agentic AI standard released by his agency to provide guidance to public officers on common threats and security best practices for AI agents. 

2. Bake security into centralised WOG platforms 

 

Security by design is “baking security in rather than patching it in as an afterthought,” says Goh, highlighting the importance of secure-by-design centralised platforms. 

 

He shared a range of such platforms built by GovTech Singapore that cover the entire development lifecycle, from securing the development environment (SEED and TechPass) and the code repositories (SHIP-HATS and CodeSCAPE) to the deployment environment (Government on Commercial Cloud, Container Stack, and CloudSCAPE).

 

He also shared about PlatformAI as a one-stop shop to help Singapore government agencies build, test, and deploy AI applications, such as audio-to-text transcription and document classification, in a secure and compliant environment. 

 

PlatformAI also provides API access to pre-approved commercial large language models (LLMs) that have Sentinel guardrails built in. 

 

While the Sentinel guardrails focus on protecting prompts, GovTech Singapore has developed Litmus, a testing-as-a-service (TaaS) tool to protect GenAI applications. 

 

Aside from creating platforms for experimentation and adoption, GovTech Singapore is also looking to provide an agentic AI assistant for every public officer to support daily tasks, enable vibe coding among officers to rapidly prototype useful applications, and use AI coding agents and agentic engineering to enhance their developers’ productivity. 

3. Test, test and test 

 

With more than 2,000 digital systems across the Singapore government, GovTech Singapore has adopted a multi-layered testing strategy that leverages industry expertise. 

 

Through the Cybersecurity and Audit Services (CSAS) bulk tender, agencies could easily procure professional testing services from the private sector. 

 

“We’ve recently introduced a capability-based tiering system to make sure our most critical services get the highest quality [or level] of testing. 

 

“The idea is not just to go for the lowest quote. Certain systems require more advanced testing that might require a higher degree of expertise, which could potentially cost more,” he explained. 

 

Additionally, the Government Bug Bounty Program (GBBP) invites hackers to uncover vulnerabilities in government systems, and has identified over 1,000 vulnerabilities since 2018.

 

Goh also shared about the evolution of the Government Cyber Security Operation Centre (GCSOC), a central hub for monitoring WOG cyber threats.

 

Following internal tests that revealed gaps, GovTech Singapore developed GCSOC 2.0 to reduce false positives and to make sure that its tools actually detect attacks.

 

“To reduce false positives, we’ve adopted detection engineering best practices. We now test and tune our rules based on the alerts iteratively before deployment. We’ve also begun incorporating threat intelligence to prioritise specific tactics, techniques, and procedures. 

 

“To validate our detection rules, we’ve adopted automated Breach Attack Simulation tools. This means that we regularly simulate the latest attacks on our networks to see if we detect them,” he explained.

 

The next step is an agentic SOC, which Goh said GovTech Singapore is exploring together with industry partners.  

 

“An agentic SOC could empower us to deeply investigate all generated alerts instead of having to prioritise only a few,” he noted.

4. Experiment with AI for defence 

 

GovTech Singapore is exploring the use of AI agents to scale security testing, which could potentially unlock continuous testing for more than 2,000 government systems.  

 

The agency will soon launch a multi-agent system that mirrors how experienced penetration testers (ethical hackers) work. 

 

To catch vulnerabilities before they make it to production – what Goh called “our push to shift left” – GovTech Singapore has integrated an AI-powered reviewer with their GitLab instance.

 

“Think of it as an always-on, digital code reviewer that examines code changes on every merge-request to catch bugs, find vulnerabilities, and detect bad coding practices,” he said. 

5. Upskill both public officers and CISOs 

 

Goh shared that GovTech Singapore has established an AI security foundation course for every officer in the Cyber Security Group to ensure that they have the skills to secure new systems. 

 

This upskilling push extends to the leadership level, ensuring that CISOs are equally equipped to navigate rapidly evolving cyber threats. 

 

“We need knowledgeable and skilled people to design the right security controls for their organisations.  

 

“Our cyber leaders also need to keep up with the rapidly changing technology, to close the knowledge gap and empower sound decision making,” he explained, highlighting the importance of continued investment in the next generation of cyber practitioners.

 

“Tech alone is not the answer. New technology like AI may help with our execution, but ultimately it is people who must define the ‘why’ and the ‘what’,” he added.

 
