airmap.my
REVIEW
rev 2026-06

AI Governance & the Coming Law

Malaysia governs AI through guidelines, not yet law — the voluntary AIGE today, and the risk-based statute expected next.

Guidelines: AIGE (2024)
Status: voluntary
Law expected: Cabinet 2026

Malaysia governs AI today through guidelines, not law — but that is changing. This page tracks the governance framework as it stands: the voluntary AIGE guidelines built on seven principles, the supporting laws already in force, and the risk-based AI bill expected to give the principles teeth.

It is the regulatory companion to the Action Plan and the institutional story of NAIO.

Where it stands

The AIGE guidelines (2024)

On 20 September 2024, MOSTI launched the National Guidelines on AI Governance & Ethics (AIGE) under the theme “AI for Malaysia, AI for All.” The AIGE is structured for three audiences — end users, policymakers, and developers/providers — and is built on the same seven Responsible-AI principles the roadmap introduced: fairness; reliability, safety & human control; privacy & security; inclusiveness; transparency; accountability; and the pursuit of human benefit. It is inspired by UNESCO, OECD and EU frameworks, and Malaysia was among the first in ASEAN to publish national-level AI guidelines.

The crucial limitation: AIGE is voluntary. It urges best practice but creates no binding obligations and no penalties.

The laws already in force around AI

Cybersecurity Act 2024: Gazetted and enforced from August 2024 — duties for national critical information infrastructure.
PDPA amendments (2025): Updates to the Personal Data Protection Act, with new rules being prepared on profiling and automated decision-making.
Data Sharing Bill: Tabled to enable cross-government data sharing — an enabler the roadmap had called for.
Existing instruments: The Communications & Multimedia Act 1998 and the Penal Code, which ministers say need updating for AI.

The coming AI law

The clear direction of travel is from voluntary guidance toward binding, risk-based regulation. The Ministry of Digital, through NAIO, is developing an AI governance framework that takes a risk-based approach to AI harm, incident reporting and ethical principles; a complete AI legislative framework is expected to reach Cabinet in 2026. Officials have been candid that the voluntary AIGE was only ever a first step, that generative AI is straining voluntary guidance, and that it will take time for guidelines to mature into law.

For now, Malaysia sits in a familiar transitional posture: principles published, enabling laws in place, and the substantive AI statute still ahead. We track each step as it lands.

Sources & method

Based on the public record: the AIGE launch (20 Sep 2024, MOSTI), its seven principles and three-audience structure; the Cybersecurity Act 2024; PDPA amendments (2025); the Data Sharing Bill; and statements that a risk-based AI legislative framework is expected at Cabinet in 2026.

This is not legal advice. Full sources: airmap.my/sources. Independent of MOSTI, the Ministry of Digital and NAIO.
