As part of a series of public consultations, the National AI Office (NAIO) invites stakeholders to provide feedback on the proposed AI Governance Bill, which aims to establish a comprehensive, coherent, and future-ready AI governance framework for Malaysia. The proposed framework is intended to support the responsible development, deployment, and use of Artificial Intelligence (AI) while keeping pace with rapid technological advancements and increasing AI adoption across all sectors.
The proposed Bill seeks to establish central institutional oversight, introduce principle-based national governance requirements, and implement a risk-based regulatory framework to ensure proportionate regulation. By clearly defining the roles and responsibilities of AI actors, the framework aims to promote a safe, responsible, and trustworthy AI ecosystem that balances innovation with the protection of individuals, society, and national interests.
Your feedback is essential in ensuring that the proposed framework is practical, effective, and responsive to the needs of industry, developers, deployers, researchers, civil society, government, and the wider public.
Have Your Say
AN
Anonymous
AN
Anonymous
AN
Anonymous
AN
Anonymous
Share your thoughts and feedback
Engage with stakeholders and provide administrative oversight on feedback.
July 11, 2026
I am concerned about government or ministry having central authority to levers and weights of AI being used in Malaysia because people should be free to pick their technology
July 10, 2026
Good job NAIO. The proposed AI Governance Bill provides a strong and timely foundation for Malaysiaâs AI governance. Several aspects are particularly positive:
It adopts a principle-based and risk-proportionate approach, allowing higher-risk systems to be subject to stronger safeguards without unnecessarily burdening lower-risk innovation.
- It recognises accountability across the AI lifecycle, including the distinct roles of Developers and Deployers.
- It proposes incident reporting, testing and sandboxes, which can support continuous learning, safer deployment and responsible experimentation.
- It also seeks to balance central coordination with sectoral expertise, which is appropriate given the different risks in areas such as healthcare, finance, transport and public services.
The following seven areas may merit further consideration as the Bill is refined:
Central and sectoral roles
1. Further clarity may be useful on how the Central AI Authority and Sectoral Leads will divide responsibilities, particularly for supervision, investigation and enforcement.
Breadth of the Central AI Authorityâs mandate
2. The proposed Authority covers safety, enablement, investigation, enforcement and sandbox functions. Consideration may be given to whether sufficient functional separation, oversight and review mechanisms are needed to manage potential conflicts between these roles.
3. Regulatory interoperability
The Bill could further explain how it will interact with existing regulators and laws, and how conflicting or overlapping requirements will be resolved.
4. Definition of harm and unacceptable risk
Consideration may be given to whether the framework should more explicitly cover material economic, discriminatory, reputational, societal and systemic harm, beyond physical harm or breaches of existing law.
5. Foundation models and the wider AI value chain
The DeveloperâDeployer model is useful, but further guidance may be needed for foundation-model providers, fine-tuners, system integrators and other intermediaries.
6. Pathways from compliance to adoption
The standards, certification and sandbox mechanisms could be further developed as practical pathways to help organisations move safely from experimentation to deployment, especially for SMEs and Made-by-Malaysia AI solutions.
7. Adaptive review mechanisms
The Bill may benefit from clear periodic review arrangements so that incident data, sandbox experience, technology developments and international standards can inform future updates.
July 10, 2026
The key risk in this Bill, once enacted, is that it will lower the tort standard applicable to AI Systems rather than raise it.
AI Systems, by virtue of their capacity to produce unanticipated outcomes even from fully deterministic processes, coupled with emergent properties of systems integration, warrant a higher standard of care under ordinary negligence than conventional software â yet the Bill's undefined, self-assessed "due regard" and "proportionate" language, combined with a harm taxonomy narrower than negligence's own recoverable damage categories, functions as a statutory carve-out that would hold Developers and Deployers to a weaker standard than they already face under existing Malaysian common law.
The "AI System" gate tests behavioural resemblance to human cognition rather than the mechanism that determines actual risk, and this produces gaming in both directions: a high-stakes, opaque scoring model can argue it doesn't "resemble cognition" and escape the gate entirely, while a low-stakes, fully deterministic system can be swept in on the strength of a conversational interface alone. This asymmetry favours sophisticated, well-resourced actors with the most at stake in being exempted from a statutory scheme that, properly designed, should be tightening their liability rather than loosening it.
This carve-out runs through the Bill's remaining structure as well. The five AI Governance Principles should not sit in primary legislation at all â taken at face value, they award a self-defined duty of care to Developers/Deployers, and the consultation paper's own justification for principle-based drafting (flexibility to issue guidance without amending the Act) concedes that the principles carry no operational content in the statute itself, meaning their only function there is symbolic. They belong in a Central AI Authority code of practice the Authority can revise on a short cycle, not in an Act Parliament must reopen.
In their place, the Bill's most useful role is elucidating how existing tort doctrine â foreseeability, proximity, causation, duty of care â applies specifically to AI Systems, rather than inventing a parallel statutory standard. The clearest example is liability attribution across complex, multi-actor systems integration. Even accepting the Developer/Deployer distinction as drafted, the Bill never states how liability apportions when a foundation model provider, a system integrator, and a Deployer each contribute to a single harmful outcome â the "degree of control" test allocates regulatory compliance duties, but not which actor bears responsibility for a specific harm once several actors' contributions interact. Singapore's IMDA is working through exactly this question for agentic AI, treating value-chain allocation by control, access to information, and proximity as an open private-law problem requiring deliberate resolution, and Malaysia's Bill would benefit from the same treatment rather than leaving the question implicit. No provision anywhere allows a binding, pre-deployment classification ruling on this or any other point of scope; self-assessment stands unreviewed until an incident occurs. The AI Sandbox is well placed to serve this function if the Bill gives it binding legal effect on exit.
Full response has been communicated in the Google Form.
July 10, 2026
1. As an academician in AI and engineering, I welcome the proposed AI Governance Bill as a step towards responsible and trustworthy AI adoption in Malaysia.
2. I support the risk-based and principle-based approach.
3. The roles of the Central AI Authority and Sectoral Leads should be clearly defined to avoid overlapping responsibilities, inconsistent requirements and additional administrative burden.
4. Universities, researchers, professional bodies, industry, SMEs and civil society should remain actively involved in developing technical standards, implementation guidance and capacity-building programmes.
5. Accountability should reflect the actual control of each party, including developers, deployers, model providers, system integrators & organisations that modify/operate AI systems.
6. Practical guidance is needed on risk assessment, human oversight, documentation, data governance, cybersecurity, bias testing & redress mechanisms.
7. I support the AI Sandbox and incident-reporting mechanism, provided that they encourage learning.
8. Finally, the gov should publish a transparent summary showing how stakeholder feedback has influenced the final Bill.
No Surveys Available