Malaysia: From Guidelines to Legislation

Malaysia is transitioning rapidly from voluntary AI governance to a comprehensive legislative framework. The National Guidelines on AI Governance and Ethics (AIGE), published by the Ministry of Science, Technology, and Innovation in September 2024, established seven core principles for responsible AI. In December 2024, the government launched the National AI Office (NAIO) under MyDIGITAL Corporation to centralise AI policy, adoption strategy, and regulatory development. NAIO is now leading the drafting of Malaysia's first dedicated AI legislation, expected to be submitted to Cabinet by June 2026. The approach is risk-based, covering the full AI lifecycle from development through deployment and monitoring. Malaysia is also hosting the ASEAN AI Safety Network secretariat in Kuala Lumpur, reinforcing its ambition to serve as a regional governance standard-setter alongside Singapore. The MY-AI Standards platform, launched in March 2026 with access to 80+ international AI standards, provides organisations with practical compliance tools ahead of the legislation.

Malaysia's AI governance landscape is shifting from soft-law instruments to binding regulation. The voluntary AIGE guidelines of September 2024 established seven principles (fairness, reliability and safety, privacy and security, inclusiveness, transparency, accountability, and human-centricity) but carried no enforcement mechanism. NAIO's seven first-year deliverables include a code of ethics, an AI regulatory framework, the AI Technology Action Plan 2026-2030, a risk-based governance framework, incident reporting mechanisms, sector-specific guidelines, and stakeholder engagement initiatives. The forthcoming AI legislation will introduce a risk classification system for AI applications, mandatory harm assessments for high-risk systems, a central incident reporting portal, cross-sector market surveillance, and administrative enforcement pathways. Digital Minister Gobind Singh Deo confirmed in February 2026 that the bill will address deepfakes, synthetic media, and non-consensual content, alongside broader obligations covering the full AI lifecycle. The government is simultaneously developing the National Digital Trust and Data Security Strategy 2026-2030 through CyberSecurity Malaysia, and a proposed independent Data Commission is under planning to safeguard national data sovereignty.

Government agencies across all ministries face new obligations as NAIO coordinates AI implementation through a multi-ministry approach. Financial institutions are directly impacted through existing requirements and the forthcoming risk-based regulation, particularly in areas like credit scoring, anti-money laundering, and automated decision-making. Technology companies developing or deploying AI systems in Malaysia will need to comply with risk classification, incident reporting, and transparency requirements once legislation takes effect. Small and medium enterprises, which comprise the bulk of Malaysia's 2.4 million businesses now using AI tools, face the challenge of navigating compliance with limited resources, though 73% remain at basic adoption levels. The healthcare sector is increasingly affected as AI diagnostic tools expand, with initiatives like the DR. MATA diabetic retinopathy screening tool signalling government appetite for sector-specific guidance. Educational institutions are targeted through the National AI Education Blueprint and professional upskilling programmes. Foreign investors benefit from Malaysia's positioning as a regional AI hub, with significant data centre investments and AI-ready infrastructure. Platform operators face heightened scrutiny following the January 2026 blocking of Grok in Malaysia and Indonesia over non-consensual deepfake content, which demonstrated the government's willingness to act decisively on AI harms.

Malaysia's AI governance framework is anchored in seven principles established by the AIGE guidelines and carried forward into the legislative drafting process. Fairness requires equitable treatment across populations and guards against algorithmic bias. Reliability, safety, and human control mandate that AI systems remain dependable with meaningful human oversight. Privacy and security protect personal data and information integrity, reinforced by Malaysia's Personal Data Protection Act 2010 and the forthcoming Digital Trust Strategy. Inclusiveness ensures broad accessibility and benefit distribution, with NAIO explicitly championing equitable AI development for marginalised communities and developing nations. Transparency demands clear communication about AI decision-making processes. Accountability establishes defined responsibility chains for AI outcomes, with the proposed legislation introducing mandatory impact assessments and designated responsible officers for high-risk deployments. Human-centricity ensures technology serves human interests above commercial imperatives. The legislative framework draws from the EU AI Act's risk-based classification model, Singapore's AI Verify testing framework, and the OECD AI Principles, while maintaining alignment with the ASEAN Guide on AI Governance and Ethics. NAIO CEO Sam Majid has emphasised creating a 'structured yet flexible regulatory environment' through 'continuous dialogue with stakeholders.'

Businesses operating in Malaysia should prepare for a structured transition from voluntary guidelines to mandatory compliance. Organisations already processing personal data through AI systems must comply with the Personal Data Protection Act 2010, and the forthcoming AI legislation will layer additional obligations including risk assessments, transparency notices, and incident reporting for higher-risk applications. The MY-AI Standards platform at aistandards.my provides a practical starting point, offering access to 80+ international AI standards developed with ISO, CyberSecurity Malaysia, and the Department of Standards Malaysia. The AI Technology Action Plan 2026-2030 identifies healthcare, finance, transportation, agriculture, education, and public services as priority sectors, with the government targeting AI contribution of over RM60 billion to GDP. The 2025 budget committed MYR 600 million for AI R&D and MYR 50 million for AI-related education, creating grant and partnership opportunities for businesses aligned with national priorities. Foreign investors should note Malaysia's growing data centre ecosystem and its role hosting the ASEAN AI Safety Network secretariat, which positions KL as a regional governance hub. Early engagement with NAIO on standards development and pilot programmes can position businesses favourably ahead of binding regulation. Companies should also track the proposed Data Commission, which will establish independent oversight of data sovereignty.

The most critical milestone is the submission of the comprehensive AI bill to Cabinet, targeted for June 2026. Prime Minister Anwar Ibrahim confirmed in February 2026 that the legislation will cover the full AI lifecycle, though the bill is 'still taking shape.' NAIO's first full year of operations through 2025-2026 will set the agenda for code of ethics development, sector-specific guidelines, and the AI Technology Action Plan 2026-2030. The MY-AI Standards platform will expand with additional implementation guidance and compliance tools. The ASEAN AI Safety Network, with its KL-based secretariat, is expected to intensify regional cooperation through policy harmonisation and joint safety efforts in 2026. CyberSecurity Malaysia's National Digital Trust and Data Security Strategy 2026-2030 will introduce complementary security frameworks. The proposed independent Data Commission represents a significant institutional development for data sovereignty oversight. The government's response to the Grok deepfake crisis demonstrated willingness to act before legislation is in place, suggesting interim enforcement measures may emerge. AI adoption rates are accelerating (27% of companies in 2024, up from 20% in 2023), but 52% of businesses cite lack of digital skills as a primary barrier, making the success of national upskilling programmes essential to the overall governance trajectory.