Key takeaways

On 22 October 2025, the Cyber Security Agency of Singapore (CSA) released Securing Agentic AI, an Addendum to its Guidelines and Companion Guide on Securing AI Systems, for public consultation that ran through 31 December 2025. If you run a Singapore business and you are thinking about securing agentic AI before you switch on your first AI agent, this is the document to know about. It explains, in plain practical terms, how an AI agent that can take actions and call tools creates a new kind of risk most SMEs have never had to think about, and what to do about it at the design stage.

This is not abstract policy. The Addendum is illustrated with use cases that look a lot like things Singapore SMEs are already trying: coding assistants, automated client onboarding, and automated fraud detection. The message is direct. Bound your agents before you deploy them, not after something goes wrong.

What did CSA release on 22 October 2025?

The Addendum is a companion resource that supplements CSA's existing AI security guidance, focused specifically on agentic AI. CSA describes agentic systems as software with the ability to understand context, formulate plans, and take independent actions to achieve specified objectives. That autonomy is exactly what makes them useful, and exactly what makes them riskier than a chatbot that only answers questions.

According to the CSA press release, the Addendum does two things that matter for owners. First, it recommends mapping out agentic workflows to identify where threat actors could potentially exploit vulnerabilities. Second, it provides practical controls to mitigate those risks across the development lifecycle, illustrated with worked examples at different levels of system autonomy. The public consultation ran from 22 October to 31 December 2025, with feedback invited to CSA directly; as of June 2026, a finalised version is expected to fold in that feedback, so treat the current text as guidance still being refined.

It helps to see where this sits. The CSA Addendum is the security counterpart to Singapore's broader governance push. On 22 January 2026, IMDA launched the Model AI Governance Framework for Agentic AI, which centres on assessing and bounding risks upfront, keeping humans meaningfully accountable, and implementing technical controls. We unpack that side in our IMDA agentic AI governance framework SME guide and the companion agentic AI governance checklist for 2026. CSA handles the security half; IMDA handles the governance half. Together they point to the same conclusion: design safety in early.

Why an AI agent creates a new attack surface

A traditional chatbot gives you words. An agent gives you actions. It might read your CRM, send emails, update records, call a payment API, or merge code. Each of those abilities is a tool, and each tool is a door an attacker can try to push through. That is the shift CSA is asking owners to take seriously, and it is why securing agentic AI is a different exercise from securing an ordinary chatbot.

Three risks come up repeatedly when we look at how SMEs are deploying agents:

For a Singapore SME, the consequences are concrete. An agent breach that exposes customer details is a potential PDPA matter, with reporting obligations and reputational fallout. Client trust, once broken by an automated system acting on its own, is hard to rebuild. This is the same lesson emerging from the wider vibe coding security reckoning of 2026: speed without guardrails creates liabilities that surface later, usually at the worst time.

What CSA recommends you do before deploying

The Addendum's practical thrust is about bounding agents at the design stage. Two ideas do most of the work here.

Map the workflow first. Before building, lay out every step the agent takes, every tool it can call, and every data source it can read or write. Mapping the workflow is how you spot where a threat actor could slip in, exactly as CSA recommends. If you cannot draw the agent's reach on a single diagram, it is probably too broad.

Restrict tools and data to the minimum necessary. This is the long-standing security principle of least privilege, applied to agents, and it follows naturally once you have mapped the workflow. An onboarding agent that verifies a new client does not need write access to your finance system. A coding assistant does not need production database credentials. By scoping each agent down to only what its job requires, and putting access controls around the sensitive parts, you shrink the blast radius before an attacker ever shows up. Pair that with human approval steps for high-stakes actions, such as releasing funds or deleting records, and most of the alarming scenarios lose their teeth.

None of this is exotic. It is disciplined engineering applied to a new category of software. The hard part is that it has to happen during design. Retrofitting permissions onto a live agent that already touches everything is painful and error-prone. That is why CSA, like IMDA, keeps returning to the same idea: bound risks upfront.

Why securing agentic AI matters for SMEs adopting now

Singapore SMEs are not waiting. AI adoption is climbing fast, helped along by grants and a maturing local ecosystem, as we cover in our piece on SME AI adoption and Budget 2026 grants. The danger is a gap opening between how quickly businesses deploy agents and how carefully they secure them. There is also a parallel problem of agent washing, where a vendor labels a simple workflow as an autonomous agent, which muddies both what you are buying and how it should be secured.

The honest framing as of June 2026 is this: CSA's guidance is voluntary, and the Addendum is still being finalised following its consultation period. But voluntary does not mean optional in spirit. If your agent mishandles personal data, your PDPA obligations are real regardless of whether you followed a guideline. Treating the CSA Addendum as a free, practical checklist for design-stage security is simply good business, and it costs far less than cleaning up after an incident. Agentic coding has gone mainstream too, as we explore in agentic coding in 2026, which means even your internal development tools now deserve the same scrutiny.

How Outsourced SG can help

At Outsourced SG, we build agentic systems the way CSA describes: on the principle of least privilege from the very first design conversation. We start by mapping the workflow, exactly as the Addendum recommends, then scope each agent to only the tools and data it genuinely needs. Access controls go around sensitive resources, and human approval steps are wired in for anything that moves money, touches customer records, or changes production. That mirrors the Addendum's design-stage bounding guidance, rather than bolting security on after launch.

We are a small, founder-led Singapore studio. Joshua Lim personally leads a vetted team of AI-trained developers, and he hands every project over in person, walking you through exactly how the safeguards work and where the human approval gates sit. Our developers are trained on Cursor, Claude Code, and agentic workflows, so they understand both how to build agents and how to constrain them. Over 60 projects delivered, with recognition including NES Ground Zero 2019 Champion and Carousell 2025 Buyer's Choice for Professional Skills.

On commercials, our pricing is simple and always in SGD: Starter Squad at S$400/mth per developer (1 to 2 developers) and Product Team at S$550/mth per developer (3 to 5 developers). See full pricing here. There is no CPF and no foreign-worker levy. Every engagement comes with an NDA and 100% IP assignment, so the agent and its code are entirely yours, plus a 30-day replacement guarantee, and teams typically go live in under two weeks. If you are weighing the build decision, our guides on whether outsourcing is worth it and the cost to hire a developer in Singapore lay out the numbers honestly.

Security and ownership are not afterthoughts here. They are baked into how we design every agent. If you are planning to launch an AI agent and want it bounded properly before it touches a single customer record, message us on WhatsApp at +65 9456 2307 for a free, no-pressure consultation.

Frequently asked questions

What is CSA's Securing Agentic AI Addendum?

It is a document the Cyber Security Agency of Singapore (CSA) released on 22 October 2025 as an Addendum to its existing Guidelines and Companion Guide on Securing AI Systems. It gives system owners practical guidance for securing agentic AI, including mapping agentic workflows to identify where threat actors could exploit vulnerabilities, and applying practical controls across the development lifecycle. It went out for public consultation that ran through 31 December 2025.

Is the CSA Securing Agentic AI guidance mandatory for my business?

As of June 2026 the guidance is voluntary, and the Addendum is still being finalised following a consultation period that closed on 31 December 2025. However, your existing legal obligations still apply. If an AI agent mishandles personal data, your PDPA responsibilities do not disappear just because the guidance was voluntary, so following the design-stage advice is sensible regardless.

What are the main security risks of an AI agent?

Three come up most often: prompt injection, where an attacker hides instructions in content the agent reads; over-permissioned agents that can access far more data or tools than their task requires; and unintended actions, where an agent is steered into making a transaction, change, or deletion it should not. CSA recommends mapping the agentic workflow to find where these risks live, then applying controls across the development lifecycle.

How is securing agentic AI different from securing a normal chatbot?

A normal chatbot only produces words, so the main risks are around the content it generates. An agent can take actions, calling tools, reading and writing data, and triggering transactions, which means each ability is a new attack surface. That is why securing agentic AI in Singapore involves bounding what the agent can touch, not just reviewing what it says.

How does Outsourced SG secure the agentic AI it builds?

We map the workflow first, then design agents on the principle of least privilege, mirroring CSA's design-stage guidance. Each agent gets only the tools and data it needs, with access controls on sensitive resources and human approval steps for high-stakes actions like payments or data deletion. Founder Joshua Lim hands the project over in person and walks you through how the safeguards work.

How much does it cost to build a secure agentic AI system with Outsourced SG?

Pricing is in SGD: S$400/month per developer on the Starter Squad plan (1 to 2 developers) and S$550/month per developer on the Product Team plan (3 to 5 developers). There is no CPF and no foreign-worker levy. Every engagement includes an NDA, full IP assignment, and a 30-day replacement guarantee, with most teams live in under two weeks. Message +65 9456 2307 on WhatsApp to start.

Want to build with agentic AI — the right way?

I'm Joshua. I'll personally scope your project and lead a vetted team to build it — from S$400/month per developer, with governance and IP assignment baked in.

WhatsApp me →

Sources

Related guides