Free Tool

SAFR Readiness Checklist — Gap Assessment for Agentic AI Governance

35 questions built from the MAS BuildFin.ai white paper. Scored in your browser. Ungated.

Safeguards for Agentic Finance at Runtime (SAFR) is the white paper MAS's BuildFin.ai initiative published in July 2026, written with Ant International, Circle, HSBC, J.P. Morgan Chase, Manulife, Mastercard, OCBC, and Visa. It describes a runtime governance layer that sits between an AI agent and the systems it acts on, and it sets one standard for every proposed action: "no agentic action reaches execution without having been declared, authorised, and assessed."

This checklist converts that standard into 35 questions across eight sections, following the paper's four runtime components — Agent Identity, Controls Repository, Disposition Engine, Audit Log — and its treatment of mandates, governance envelopes, escalation, and deployment. Each question names the evidence an assessor would request, so an answer of Yes means you can produce the artifact this week.

Answer Yes, Partial, or No. Scores compute in your browser, per section and overall. The full question set is on this page; the email gate applies to the editable spreadsheet download only. If the framework is new to you, start with SAFR, explained. Once your score is in, the SAFR implementation guide covers how to close each gap, and the SAFR implementation page shows how KLA Control Plane maps to the framework.

SAFR readiness: 0%

Assessed 0/35 · 0 gaps

Agent inventory and identity

SAFR's Agent Identity component binds each proposed action to a recognized, registered agent, verified against a registry entry before any other evaluation proceeds.

Evidence: An export of the inventory listing each agent, the systems it acts on, and its current release state.

SAFR A1

Evidence: The registry records showing an owner field populated with a named individual for each agent.

SAFR A2

Evidence: The version history for one agent, and a sample action record referencing the version that acted.

SAFR A3

Evidence: A written designation of the authoritative registry per agent class, or confirmation that all agents operate in a closed-loop environment against a single internal registry.

SAFR A4

Evidence: A log entry for a rejected action showing failed identity verification as the recorded basis.

SAFR A5

Mandates and authorization

The paper defines a mandate as "the mechanism through which a user defines the bounds of the authority delegated to an agent" — explicit, structured, and machine-readable.

Evidence: One production mandate in the machine-readable form the runtime actually consumes, with the issuing principal identified.

SAFR B1

Evidence: The mandate's permitted action-type list, plus a test or log showing an out-of-scope action rejected at the checkpoint.

SAFR B2

Evidence: The authorization rules covering delegation, with the maximum chain depth stated.

SAFR B3

Evidence: A mandate showing its validity window, and the outcome recorded for an action proposed after expiry.

SAFR B4

Evidence: The revocation procedure, and a test record showing an action under a revoked mandate rejected.

SAFR B5

Controls repository

The Controls Repository is the institution's configurable rulebook, drawn from organizational policies, regulatory requirements, product rules, and user-provided mandates.

Evidence: The repository location, and a configuration or trace showing the evaluation path retrieves controls from it.

SAFR C1

Evidence: The version history for one control, and a decision record citing the version applied.

SAFR C2

Evidence: The approval record for the most recent control change, showing author and approver as different people.

SAFR C3

Evidence: One example control per source, mapped to its origin in the repository.

SAFR C4

Disposition engine

The Disposition Engine evaluates each in-scope action against the retrieved controls, producing "a defined, binding outcome for every proposed action calibrated to the specific risk it presents."

Evidence: An execution trace showing the checkpoint positioned ahead of the action with no bypass route, plus a repeat-evaluation test confirming determinism.

SAFR D1

Evidence: One logged decision of each type, or configuration showing all four outcomes reachable.

SAFR D2

Evidence: A decision record showing rule identifiers and reason codes alongside the outcome.

SAFR D3

Evidence: The calibration parameters for one agent workflow, with the rationale recorded for each threshold.

SAFR D4

Evidence: A failover or chaos test record showing an action held or rejected while evaluation was unavailable.

SAFR D5

Governance envelope and lineage

Before an action executes it is packaged in a Governance Envelope — the action, the trace of how the agent arrived at it, and the context needed to assess it — "treated as a document to be authenticated against its origin."

Evidence: A captured action trace for one production or pilot action, showing the ordered tool-call sequence.

SAFR E1

Evidence: A sample envelope with all four metadata fields populated.

SAFR E2

Evidence: A description of the authentication mechanism — for example, envelope assembly at an interception point in the execution path — and the adversarial test that exercised it.

SAFR E3

Evidence: A lineage reconstruction for one past action, produced without reference to application logs or to the agent itself.

SAFR E4

Escalation operations

SAFR names three operational dimensions for escalation — volume, turnaround, and reviewer authority — and warns that ad hoc escalation yields "the appearance of human oversight without the substance of it."

Evidence: One escalation record showing the held action, the assigned reviewer, and the context packaged with the request.

SAFR F1

Evidence: A role definition granting reviewers that authority, with their decisions binding on the workflow.

SAFR F2

Evidence: A test record showing a self-approval attempt rejected by the platform.

SAFR F3

Evidence: The timeout and default outcome configured per decision class, with coverage rules for overnight and weekend hours.

SAFR F4

Evidence: A volume forecast at expected traffic set beside the reviewer roster, with turnaround data from a pilot or production period.

SAFR F5

Audit and evidence

The Audit Log is the record every other component feeds — "the authoritative record, independent of any party with an interest in how events are characterised after the fact."

Evidence: The log design (hash chaining or equivalent) and one sample entry per outcome type.

SAFR G1

Evidence: One complete log entry showing all six elements.

SAFR G2

Evidence: One export produced end to end, with the elapsed time to produce it.

SAFR G3

Evidence: An offline verification run against an exported bundle, with the verifier's output attached.

SAFR G4

Deployment pattern

SAFR defines two integration patterns — native instrumentation and gateway interception — and requires per-action authorization across multi-step work.

Evidence: The pattern decision recorded per agent class, with the rationale for each.

SAFR H1

Evidence: The rollout plan listing every currently ungoverned agent and its target coverage date.

SAFR H2

Evidence: A multi-step run record showing a separate evaluation and outcome at every step.

SAFR H3

Prioritised gaps
35 item(s) to address
  • Do you maintain a complete inventory of every AI agent able to initiate actions against production systems — payments, trading orders, credit approvals, regulatory filings, claims? Not assessed
  • Does every agent in that inventory have a named human owner accountable for its behavior? Not assessed
  • Is every agent versioned, so any past action can be traced to the specific agent version that produced it? Not assessed
  • Where an agent could appear in more than one registry — an internal registry, a payment network's agent registry, an inter-institutional directory — have you determined which registry is authoritative? Not assessed
  • Is agent identity verified against the registry at runtime, before each proposed action is evaluated, with verification failures rejected and logged? Not assessed
  • Is the authority delegated to each agent recorded as an explicit, machine-readable mandate stating what the agent may do, within what limits, and under what conditions? Not assessed
  • Are the action types each agent may initiate enumerated in its mandate, with a scope the agent cannot extend through its own reasoning or inference? Not assessed
  • Is delegation depth defined — who may delegate authority to whom, and how many links a delegation chain may carry? Not assessed
  • Does every mandate carry a validity period, with actions proposed after expiry rejected until the mandate is renewed? Not assessed
  • Can a mandate be revoked or suspended with immediate effect, applying from the next proposed action? Not assessed
  • Are the controls governing agent actions held in one designated repository, and does the runtime evaluation read from it? Not assessed
  • Is every control versioned, so any past decision can be traced to the exact control version in force when it was made? Not assessed
  • + 23 more in the export.

Export your scored assessment and prioritised gap list. Everything stays in your browser — nothing is uploaded.

How to read your score

Yes = 2, Partial = 1, No = 0. Scores are percentages of available points, per section and overall.

Foundational gaps
0–39%

Scores in this band point to missing structures: an agent inventory with named owners, machine-readable mandates, and a checkpoint that evaluates actions before they execute. Until those exist, disposition calibration and evidence tooling have nothing to attach to. Start with Sections A and B — inventory every agent that can initiate an action, name an owner for each, and write its delegated authority down as a mandate. The SAFR implementation guide sequences the work.

Partial coverage
40–75%

The core structures exist, with gaps an assessor would find in the first hour: controls scattered through agent code, escalations without timeout defaults, an audit record no outside party can verify. Close the lowest-scoring section first; each section maps to one workstream in the implementation guide. Re-score after each workstream.

Pilot-ready
76–100%

The structures SAFR describes are substantially in place. The remaining work is calibration: disposition thresholds tuned against live traffic, escalation volume sized to reviewer capacity, evidence exports tested with the auditors who will consume them. A four-week governed pilot on one agent workflow is a realistic next step; the SAFR implementation page outlines one, week by week.

Take the score into a working session

A 30-minute gap review walks your lowest-scoring sections against KLA Control Plane, which implements the SAFR pattern and is shipping today. The review takes your section scores and maps each gap to a specific control.

Book a 30-minute SAFR gap review

Download the editable checklist

The same 35 questions as a spreadsheet: one row per question with its evidence note, plus Status, Owner, and Notes columns and per-section scoring. Built for internal gap reviews.

Used to send the file and for one follow-up at most.

About the framework

SAFR — Safeguards for Agentic Finance at Runtime — was published in July 2026 by MAS's BuildFin.ai initiative, written with eight industry members including HSBC, J.P. Morgan Chase, Mastercard, and Visa. It is a reference approach for institutions to implement within their own infrastructure. The paper states it "does not constitute regulatory guidance or supervisory expectations."

SAFR, explained — the full framework

What a passing score produces

An implementation that scores well here can hand an assessor four artifacts on demand: a decision record with machine-readable reasons, a reconstructable trace of the steps the agent actually took, an approval record naming the reviewer and their rationale, and an evidence export a third party can verify offline. Sections D through G test for each.

SAFR implementation, component by component

Closing the gaps

KLA Control Plane implements the SAFR pattern, shipping today: Agent Registry for identity, Policy Builder for the controls repository, KLA Policy Engine for dispositions, Audit Trail for the evidence record. A thirty-minute session covers one governed run end to end: policy, decision, escalation, sealed evidence.

FAQ

Frequently asked questions

Is this an official MAS assessment?

No. This is a self-assessment built from the structures the SAFR white paper defines, and it carries no official status. SAFR itself is an industry reference — the paper states it "does not constitute regulatory guidance or supervisory expectations" — and each institution remains responsible for determining how its deployment aligns with applicable supervisory expectations and internal governance requirements. KLA is independent of MAS and BuildFin.ai.

When should we answer Partial?

Answer Partial when the capability covers part of the agent estate, runs only in a pilot, or exists without the evidence named under the question. The evidence note is the test: Yes means you could hand the artifact to an assessor this week.

Who should complete the checklist?

Three roles cover it: whoever owns the agent platform, whoever owns the relevant compliance controls, and whoever runs the review operation. Each question is answered Yes, Partial, or No, so a first pass is quick; the evidence notes are where the real review time goes. Scores compute in your browser; the email gate applies to the spreadsheet download only.

What should we do with the gaps the score surfaces?

Take the lowest-scoring section first. Each section maps to one workstream in the SAFR implementation guide; re-score after each workstream and the per-section breakdown shows where the score moved. A gap counts as closed when you can produce the evidence artifact named under its question.

Disclaimer: Self-assessment against Safeguards for Agentic Finance at Runtime, white paper v1.0 (July 2026), MAS BuildFin.ai. Quoted passages are copyright the Monetary Authority of Singapore. SAFR is an industry reference and does not constitute regulatory guidance or supervisory expectations. KLA is independent of and not affiliated with, endorsed by, or certified by MAS or BuildFin.ai.

SAFR Readiness Checklist (MAS): Free Agentic AI Gap Assessment | KLA