Cyberkiz

Malaysia's New AI Governance Legislation — What Businesses Should Expect


The Regulatory Shift

Malaysia has announced plans to tighten AI governance with sweeping new legislation and enhanced enforcement mechanisms. This follows a global trend — the EU's AI Act, Singapore's AI governance framework, and China's AI regulations have all established precedents that Malaysia is now following.

The move reflects growing concern about AI-related risks: deepfake scams, AI-generated misinformation, automated discrimination in hiring and lending, and privacy violations through AI-powered surveillance and data collection.

What to Watch For

While detailed provisions are still being finalised, Malaysian businesses using AI should prepare for:

  • Transparency requirements — You may need to disclose when AI is used in decision-making that affects customers (loan approvals, hiring, pricing).
  • Risk assessments — High-risk AI applications may require documented risk assessments and mitigation measures.
  • Data governance — AI systems trained on personal data will face stricter requirements under the intersection of AI legislation and the PDPA.
  • Accountability frameworks — Businesses will need to demonstrate human oversight of AI systems, particularly in sensitive domains.

Practical Steps for SMEs

  1. Inventory your AI usage — Document every tool, platform, or system in your business that uses AI. This includes chatbots, recommendation engines, automated email tools, and analytics platforms.
  2. Assess risk levels — Which of your AI applications affect customer decisions? These will likely face the strictest scrutiny.
  3. Review vendor contracts — If you use third-party AI services, understand their data handling practices and ensure your contracts address compliance responsibilities.
  4. Build human oversight — Ensure a human reviews AI-driven decisions before they are acted upon, especially in hiring, lending, and customer service.

Key Takeaway

AI governance legislation is coming to Malaysia — start inventorying your AI usage now so you are not scrambling when regulations take effect.

Frequently Asked Questions

Does Malaysia have an AI regulation law?

Malaysia has announced plans for sweeping AI governance legislation, but detailed provisions are still being finalised as of 2026. In the meantime, businesses using AI are already subject to the PDPA for personal data used in AI systems and should prepare for transparency, risk assessment, and accountability requirements.

How does AI regulation affect SMEs in Malaysia?

If your business uses any AI tools, including chatbots, recommendation engines, automated email marketing, or analytics platforms, you may need to disclose AI-driven decision-making to customers, conduct risk assessments for high-risk applications, and ensure human oversight of automated decisions, particularly in hiring, lending, and customer service.

What should Malaysian businesses do to prepare for AI governance?

Start by inventorying every tool, platform, or system in your business that uses AI, then assess which applications affect customer decisions and review vendor contracts for data handling and compliance responsibilities. Building human oversight into AI-driven decisions now will put you ahead of requirements when regulations take effect.
