Building AI for Regulated Industries: Sovereignty, RAG, and Evals — Shin Wee Chuang, Pand.ai
Shin Wee Chuang is the CEO of Pand.ai, a Singapore-based AI company building solutions for highly regulated industries. He presented at apidays Singapore 2026 as part of the AI & Data Strategy track. This article is based on his conference presentation.
The three questions that kill AI projects in regulated industries are always the same. How do we ensure the data stays secure? How do we prevent the model from hallucinating? And how do we stay within the regulatory framework? In financial services and adjacent sectors across Asia-Pacific, these are not hypothetical objections — they are the conditions that any deployment must satisfy before it goes anywhere near production.
Shin Wee Chuang, CEO of Singapore AI company Pand.ai, has built his business around answering all three. The case study he presented at apidays Singapore 2026 — an on-premises GenAI deployment for one of Singapore's largest law firms — is a precise illustration of what satisfying those conditions actually looks like in practice, and why the lessons transfer directly to finance.
The case study: Allen & Gledhill's on-premises AI brain
Pand.ai's name is a Bahasa word — pandai, meaning clever. The company builds AI solutions for clients in financial services, law, insurance, and healthcare: sectors where the standard playbook of deploying a frontier model via API simply does not apply.
Their engagement with Allen & Gledhill (A&G) is the clearest demonstration of that. A&G is one of Singapore's most prominent law firms, and when Pand.ai began the conversation, the firm's requirements were unambiguous. Data confidentiality meant that sensitive client information could not be exposed to any third-party cloud provider, even a private instance. Hallucination risk was treated as a hard constraint — in a legal context, an AI that fabricates or misrepresents carries professional and reputational consequences that cannot simply be corrected after the fact. And the firm had to operate within MAS regulatory frameworks governing data handling and automated decision support.
For most enterprise AI deployments, a private cloud instance resolves the data question. For A&G, it did not. The firm's position was that data must not leave the building — literally. The system had to be on-premises, within the physical walls of the office, with no connection path to the internet.
Pand.ai took that constraint at face value. They went to Sim Lim Square — Singapore's electronics mall — purchased a six-figure machine, assembled it, and carried it into A&G's office. That was the proof of concept.
One hundred use cases, narrowed to four
Before writing a line of code, Pand.ai spent two months scoping potential applications with A&G, identifying over a hundred possible use cases before filtering down to four that met the combined bar of technical feasibility, data availability, and governance readiness:
- Contract review — automated analysis of agreements against defined legal standards and risk criteria
- Contract translation — A&G operates across multiple jurisdictions, requiring translation that respects the precise legal terminology of each
- Document generation — producing full contracts from structured prompts, fine-tuned to Singapore's legal context
- Advisory summaries — condensing complex case materials for efficient review by senior partners
The filtering process is itself instructive. One hundred potential use cases is a realistic count for a large professional services firm — and arriving at four is not about limiting AI's role, but about identifying where AI capability, available data, and governance requirements can actually converge into something measurable and trustworthy.
That measurability matters. As Aki Ranin argued in his keynote at the same conference — and as the evals practitioner guide on this site explains in detail — no regulated-sector deployment can proceed without a quantified performance baseline. A&G's four use cases were chosen precisely because their success criteria could be defined, tested, and verified. The lawyers needed to know the error rate before any agent touched client work.
The architecture decision: RAG over fine-tuning
When the project began in 2024, enterprise AI practitioners were debating whether to fine-tune models on proprietary data or build retrieval-augmented generation (RAG) architectures. Pand.ai chose RAG — and their reasoning has since been validated by events in the wider market.
BloombergGPT is the cautionary tale Shin Wee cited. In 2023, Bloomberg released a large language model trained on its proprietary financial data. Nine months later, GPT-4 rendered it largely obsolete — whatever BloombergGPT could do, the new general model did better. The investment in fine-tuning was overtaken before it could be amortised.
"We decided that eventually all LLMs are going to get better and better," Shin Wee explained. "For most companies, it would be a complete waste of time and resources to fine-tune an LLM."
RAG preserved optionality. Rather than encoding A&G's knowledge into a specific model, the architecture kept the firm's data in a separate, swappable retrieval layer. As models improved, A&G could capture those improvements without rebuilding anything. The knowledge base remained constant; the model underneath was a replaceable component.
Cycling through models: sovereignty in practice
That optionality proved immediately valuable. Over twelve months of production deployment, Pand.ai cycled through four models — a sequence that maps closely onto the open-source LLM landscape of the period.
They started with Llama 2 from Meta, at the time the best available open model. Its performance was insufficient for the legal workload. They moved to Phi-4 from Microsoft — a small language model that, despite its modest parameter count, performed well in the structured, precision-demanding context of contract review. When DeepSeek arrived, the lawyers were significantly happier with output quality, though the model's computational weight made it slow. Qwen 2.5 addressed the speed problem. No transition required an architectural change: the RAG layer held, and the model was swapped out.
Shin Wee declined to disclose which model is currently in production. The point he was making does not depend on the specific answer: "Whichever model is made available on the market, we will be able to take advantage of all the investment, all the effort, all the engineering ingenuity that the big techs have put in place."
This is exactly the model-independence argument Aki Ranin makes for data sovereignty at the organisational level — discussed in depth in his Loop Asia interview. A&G's air-gapped, open-model deployment is a working instance of that principle: the firm controls its own agents, its own data, and its own model selection. No vendor has a red button.
Data sovereignty as architecture, not aspiration
The A&G deployment is a concrete answer to the question Aki Ranin poses when discussing sovereign AI: who controls the infrastructure your business depends on? In this case, A&G controls all of it. The hardware is theirs. The data never moves. The model can be changed without vendor negotiation. If a better open model appears next month, the firm can evaluate and deploy it on its own schedule.
This architecture also handles the hallucination problem structurally, not just operationally. RAG grounds every model output in the firm's actual documents — contracts, precedents, case materials — rather than in the model's general training data. Outputs are traceable to source documents. When a partner asks what a clause means in a specific context, the answer comes from that context, not from a statistical approximation of what legal language usually means.
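The sketch below is an added example, not Pand.ai's or A&G's code. It shows how traceability can be enforced mechanically and reused as the acceptance gate when the model behind the retrieval layer is swapped. The document ids, the `[doc-id: "quote"]` citation format, the keyword retriever and both stub models are assumptions constructed for illustration.

```python
import re
from typing import Callable

# Constructed stand-in for the firm's document store (not real client data).
DOCS = {
    "nda-2024-07": "Either party may terminate this Agreement on thirty (30) days written notice.",
    "msa-2023-11": "Liability of the Supplier is capped at the fees paid in the preceding twelve months.",
}
QUESTIONS = ["What notice is needed to terminate?", "How is supplier liability capped?"]
CITE = re.compile(r'\[(?P<doc>[\w-]+): "(?P<quote>[^"]+)"\]')  # assumed citation format

def tokens(text: str) -> set[str]:
    return set(re.findall(r"[a-z]+", text.lower()))

def retrieve(question: str, k: int = 1) -> dict[str, str]:
    """Toy keyword-overlap retriever; a real deployment would use a vector index."""
    ranked = sorted(DOCS, key=lambda d: len(tokens(question) & tokens(DOCS[d])), reverse=True)
    return {d: DOCS[d] for d in ranked[:k]}

def ungrounded(answer: str, context: dict[str, str]) -> list[str]:
    """Reasons the answer cannot be traced to retrieved text (empty list = grounded)."""
    cites = list(CITE.finditer(answer))
    if not cites:
        return ["no citation"]
    problems = []
    for m in cites:
        if m["doc"] not in context:
            problems.append(f"{m['doc']}: not in retrieved set")
        elif m["quote"] not in context[m["doc"]]:
            problems.append(f"{m['doc']}: quote not found in source")
    return problems

def error_rate(model: Callable[[str, dict[str, str]], str], questions: list[str]) -> float:
    """Fraction of answers failing the grounding check; the harness is model-agnostic."""
    failed = 0
    for q in questions:
        context = retrieve(q)
        failed += bool(ungrounded(model(q, context), context))
    return failed / len(questions)

def model_a(question: str, context: dict[str, str]) -> str:
    """Hypothetical model that quotes the retrieved clause verbatim."""
    doc, text = next(iter(context.items()))
    return f'See [{doc}: "{text}"]'

def model_b(question: str, context: dict[str, str]) -> str:
    """Hypothetical model that cites the right document but fabricates the wording."""
    return f'See [{next(iter(context))}: "terminate on ninety (90) days notice"]'

if __name__ == "__main__":
    for name, model in (("model_a", model_a), ("model_b", model_b)):
        print(name, error_rate(model, QUESTIONS))
```

A verbatim-quote check catches fabricated wording and citations to documents that were never retrieved; it does not judge whether a correctly quoted clause actually supports the conclusion drawn from it, which still needs expert review or a labelled ground-truth set.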
The senior partner at A&G, Tham Kok Leong, articulated the governing principle: "In implementing any sort of GenAI solutions, we want to let the subject matter experts be subject matter experts." AI augments the expert. It does not replace the lawyer.
What this means for finance
The translation from legal to financial services is direct. Contract review maps to trade finance document processing. Contract translation maps to multi-jurisdiction regulatory documentation — a daily reality for any bank or insurer operating across APAC. Document generation maps to compliance reporting and board paper submissions. Advisory summaries map to the synthesis that investment committees and risk functions require on tight timelines.
The constraints are the same. Financial services organisations face MAS requirements on data residency and model governance. They cannot afford agents that fabricate interest rates, misquote product terms, or hallucinate regulatory citations. And like A&G, they hold data — proprietary risk models, client portfolios, transaction records — that should not sit in a hyperscaler's cloud if the institution takes its own data sovereignty seriously.
The A&G deployment demonstrates that the technical barriers to deploying AI under these constraints are solvable. The harder work is the discipline: scoping use cases tightly, building ground truth against which outputs can be evaluated, and committing to measuring performance rather than assuming it. For financial services teams watching the regulated professional services sector work through these problems first, the playbook is now available.
Connect with Shin Wee Chuang on LinkedIn and learn more about Pand.ai at pand.ai.
The Loop Asia: www.theloop.asia
apidays Singapore 2026: apidays.co/singapore