Agentic Risk & Capability Framework

The ARC Framework is a technical governance framework for identifying, assessing, and mitigating safety and security risks in agentic AI systems. The framework provides:

• A hierarchical capability taxonomy for classifying agentic system capabilities
• A structured risk mapping distinguishing component, design, and capability-specific risks
• Technical control specifications with risk-to-control mappings
• An implementation methodology for organisational adoption and per-system assessment

Major Update

We have significantly updated the ARC Framework since our initial release in August. The main changes include:

• Updated theoretical foundations: Added a comprehensive introduction with design rationale, literature review, real-world case studies (Replit, Antigravity incidents), as well as detailed justifications for the capability-based approach
• Restructured documentation: Consolidated Components and Design elements together with the Capabilities element into a unified Elements reference page with clearer taxonomy and detailed definitions
• Interactive Risk Register: Introduced a filterable, searchable risk register consolidating all 46 risks and 88 controls with risk-to-control mappings in a single interactive interface
• Framework positioning: Added a comparison table benchmarking ARC against NIST AI RMF, EU AI Act, Dimensional Governance, OWASP Agentic AI, Google SAIF 2.0, CSA MAESTRO, and other governance frameworks
• Enhanced implementation guidance: Updated implementation guides with more detailed methodologies for both organizational adoption and per-system assessment
• ARCvisor tool: Launched ARCvisor, an AI-powered risk assessment assistant achieving 50%+ time savings with live demo and open-source repository
• Research publications: Published two technical papers available in Resources — the ARC Framework paper (accepted at IASEAI 2026) and the ARCvisor preprint

Navigation

On this website, you'll find all the resources you need to get started with understanding and applying the ARC Framework in your organisation.

📚 Reference Documentation

• Framework Introduction — Design rationale, literature review, and theoretical foundation
• Agentic System Elements — Detailed examination of components, design, and capabilities
• Capability Taxonomy — Cognitive, interaction, and operational capability categories with definitions
• Risk Register — Component, design, and capability-specific risks with impact/likelihood assessment
• Comparison Table — Comparison to NIST AI RMF, EU AI Act, Dimensional Governance, OWASP Agentic AI, Google SAIF 2.0, and CSA MAESTRO

🛠️ Implementation Guides

• Implementation Overview — Macro and micro implementation levels, timelines, and resources
• Organisational Adoption — Multi-phase rollout methodology for governance teams
• System Assessment — Per-system risk assessment process for developers

🧰 Tools & Resources

• ARCvisor Tool — Open-source web application for automated risk assessment
• Resources — Slide deck, paper, and code for implementing the ARC Framework for your organisation

Referenced By

The ARC framework has been mentioned in:

• Cybersecurity Agency of Singapore's draft Addendum on Securing Agentic AI
• Opening Address by Minister Josephine Teo at HLP (AI) on 22 Oct 2025
• AI Agents and Global Governance: Analyzing Foundational Legal, Policy, and Accountability Tools by Talita Dias (Partnership on AI)
• Engineering responsible AI: How Singapore builds trust in emerging technologies by GovTech Singapore

About the Authors

The ARC Framework is developed by the Responsible AI team in GovTech Singapore's AI Practice. We develop deep technical capabilities in Responsible AI to improve how the Singapore government develops, evaluates, deploys, and monitors AI systems in a safe, trustworthy, and ethical manner.

In developing this framework, we work closely with other teams in the Singapore government, such as the Ministry for Digital Development and Information, the Cybersecurity Agency of Singapore, and the Infocomm Media Development Authority. We are grateful for their feedback and contributions, which have helped to make this framework more effective, robust, and thorough.

To reach out to us, please fill out the Google form here.

Citation

To cite this work, please use the following BibTeX citation:

@article{agentic_risk_capability_framework,
    title   = {Agentic Risk & Capability Framework},
    author  = {GovTech Singapore},
    year    = {2025},
    month   = {December},
    url     = {https://govtech-responsibleai.github.io/agentic-risk-capability-framework/}
}

Alternatively, you may use the APA-formatted citation below:

GovTech Singapore (2025) Agentic Risk & Capability Framework. URL https://govtech-responsibleai.github.io/agentic-risk-capability-framework/

This page was last updated on 29 Dec 2025