Malaysia is about to do something most jurisdictions have avoided: legislate AI and copyright in the same instrument. The country's first dedicated AI Governance Bill, drafted through the National AI Office (NAIO) under Digital Minister Gobind Singh Deo, is being finalised for submission to Cabinet in June 2026 (U.S. International Trade Administration). It takes a risk-based approach and, unusually, folds copyright directly into its scope — covering both the copyrighted input used to train models and the AI-generated output — rather than amending the Copyright Act 1987. Prime Minister Anwar Ibrahim has said the law will span the full AI lifecycle, including intellectual property, deepfakes, and data sovereignty.
Why The 1987 Act Was Never Going To Cope
The choice to route around the Copyright Act 1987 is defensible on the merits. That Act is silent on machine authorship. Peer-reviewed analysis of Malaysian law notes it "is silent on the legal status of works generated without human intervention" and "excludes the possibility of AI being recognized as an author," in contrast to the UK, whose Copyright, Designs and Patents Act 1988 (s.178) expressly protects computer-generated works by attributing authorship to "the person who made the arrangements" (IJRISS). A statute built around a human author cannot be patched into an output-ownership regime with a few amendments. Bolting AI onto it would produce decades of litigation over definitions the drafters never contemplated.
So the steelman for Malaysia's approach is strong. A purpose-built Bill with an explicit risk classification framework, harm assessment, and incident reporting obligations on both developers and deployers (Marketing-Interactive) gives businesses something the patchwork cannot: a single place to look for the rules. NAIO frames this as the final stage of a deliberate three-phase pathway — standards, then compliance, then legislation — rather than a reflexive crackdown (KPMG Malaysia). That sequencing is more disciplined than the rush we have criticised elsewhere.
The Input Problem Is Where Good Intentions Go To Die
The danger lies in the input half. Regulating the copyrighted material used to train a model sounds like basic fairness to creators — and it is the strongest argument for the provision. But the practical record is sobering. California's AB 412, which would force AI developers to identify and disclose every copyrighted work in their training data, has been described by the Electronic Frontier Foundation as demanding developers "do the impossible," because frontier models are trained on billions of items whose provenance cannot be reconstructed after the fact (EFF). A disclosure or licensing mandate that is technically uncompliable does not protect creators; it simply makes lawful model-building in Malaysia infeasible and hands the market to firms that train offshore and serve in.
Malaysia's stated ambition — AI-nation status by 2030, an RM2 billion Budget 2026 allocation for sovereign AI cloud infrastructure, and a national standards platform indexing more than 80 ISO/IEC AI standards (KPMG Malaysia) — is a domestic-development play. That ambition is in direct tension with an input rule that punishes anyone who actually trains a model on Malaysian soil. The proportionate design is a transparency-and-remedy regime (documented data sources where feasible, a workable opt-out, and a clear infringement remedy for identifiable harm) — not a pre-clearance mandate that presumes every training run is a licensing event.
Output Rules And The Deepfake Pull
The output side is more tractable, and here the Bill's instincts are reasonable. The Intellectual Property Corporation of Malaysia (MyIPO) is slated to strengthen enforcement on AI-generated works, and the Bill ties output rules to concrete harms — most visibly deepfakes (Marketing-Interactive). The political energy is real: regulators temporarily blocked Grok's image tool after it generated non-consensual manipulated images. Targeting non-consensual and fraudulent synthetic media is legitimate and overdue.
The risk is scope creep — letting the deepfake panic justify a labelling or provenance mandate on all AI output, including the lawful, creative, and trivial. Output ownership (can an AI-assisted work be copyrighted, and by whom?) and output abuse (is this a fraudulent deepfake?) are different problems. Collapsing them into one provision because both involve "AI output" would chill ordinary generative tooling to chase a narrow class of bad actors.
What Good Drafting Looks Like
Malaysia has made the right structural call: a dedicated, risk-tiered Bill beats mutilating a 1987 statute. The execution risk is entirely in the granularity. Three tests should decide whether this Bill helps or hurts the open, innovative internet Malaysia says it wants:
- Compliability — input obligations must be ones a real developer can actually meet, not AB 412-style impossibilities.
- Harm-tethering — output rules should bite on demonstrable harm (fraud, non-consensual imagery, passing-off), not on the mere fact that a machine was involved.
- Interoperability — aligning with ISO/IEC standards and ASEAN guidance lowers compliance cost and keeps Malaysian developers globally competitive.
Get those right and Malaysia ships a model the rest of ASEAN can borrow. Get the input rule wrong and it exports its own AI industry before that industry is born.