What happened
On July 10, 2026, Malaysia's National AI Office (NAIO) released a public consultation paper on a proposed AI Governance Bill, with the consultation window open until July 31, 2026 (multiple law-firm analyses, including Baker McKenzie and Hogan Lovells, published detailed summaries on July 14, 2026). The proposal establishes a principles-based, harm-anchored risk framework classifying AI systems into three risk tiers, creates a new Central AI Authority with safety, investigation/enforcement, and enablement functions, distinguishes accountability between 'Developers' and 'Deployers' across the AI lifecycle, and proposes an AI Incident Reporting Framework and a supervised AI Sandbox. Scope is broad — covering AI systems placed on the market, designed/developed, or used in Malaysia, or used by a Malaysia-established deployer regardless of hosting location — with exemptions for personal/household use and national security systems.
Why it matters
This would be Malaysia's first comprehensive, dedicated AI statute, extending regulatory reach to both domestic and foreign organizations whose AI systems touch Malaysia in any meaningful way. It signals a broader ASEAN regional trend toward structured, risk-tiered AI governance modeled partly on the EU AI Act's risk categories but with a distinct harm-anchored and principles-based architecture. Multinational developers and deployers with Malaysian operations or users should begin assessing lifecycle governance, incident-reporting readiness, and accountability allocation now, ahead of the Bill's eventual introduction.
Action needed
Organizations developing or deploying AI systems that touch Malaysia should submit feedback before the July 31, 2026 consultation deadline and begin gap-assessing existing AI governance frameworks against the proposed Developer/Deployer accountability model, risk-tier classification, and incident-reporting obligations.