Malaysia's AI Governance Bill arrived at Cabinet in June 2026 bearing a provision its neighbours have not attempted: treating both sides of the AI value chain — the data fed into models during training, and the content those models generate — as intellectual property under a single legislative framework. When Digital Minister Gobind Singh Deo presented the bill's provisions to Dewan Rakyat on June 22, he described intellectual property as "the heaviest" of the three pillars the legislation rests on, ahead of ethics and civil rights. That ordering is a deliberate signal about where Malaysia thinks the real economic stakes lie.
What the Dual IP Framework Does
The framework works in two directions. On the input side, the bill confronts a long-running industry dispute: whether using copyrighted text, images, audio, and video as AI training data without a licence constitutes infringement. The Intellectual Property Corporation of Malaysia (MyIPO) would be the enforcement body, anchoring the provision in Malaysia's existing Copyright Act 1987 and extending it for the AI context. Developers and deployers of AI systems would be required to demonstrate that training datasets were lawfully assembled.
On the output side, the bill moves into territory that most jurisdictions still treat as legally unresolved. AI-generated content would be recognised as intellectual property, with ownership settled in advance through contracts and workflows between developers and clients. This gives Malaysian creative and technology businesses — design studios, media companies, software firms — a legal foundation to claim rights over AI-assisted output rather than treating it as ownerless.
The National Artificial Intelligence Office (NAIO), housed under the Ministry of Digital, drafted the framework and will administer it under a risk-based regime. That regime organises AI applications into four tiers: those requiring no dedicated law, those addressed by voluntary standards, those handled by sector regulations, and those demanding primary legislation. High-risk applications in finance, safety-critical systems, and biometric identification face strict controls; lower-risk tools are given room to innovate.
Deepfakes and the Two-Tier Enforcement Strategy
The bill pairs its IP provisions with a two-tiered approach to synthetic media. The first tier relies on existing statutes — the Communications and Multimedia Act, the Penal Code — to prosecute individuals who weaponise deepfakes for fraud, defamation, or identity theft. The second tier embeds the AI Governance Bill as a preventive layer: developers and deployers who fail to build governance safeguards against deepfake abuse at the design stage could face enforcement action, including mandatory incident reporting for AI-related harms.
Gobind confirmed at Dewan Rakyat that the legislation aims to establish "early preventative blocks rather than merely reacting after damage has occurred," with explicit protection for vulnerable groups including children. This framing positions the bill less as a punitive instrument and more as a duty-of-care framework imposed on the supply chain.
The Governance Gap the Bill Is Designed to Close
Proponents have a substantive case. Malaysia has absorbed a striking volume of AI investment for a country of 33 million: roughly MYR 144 billion in data-centre and cloud commitments since 2021, with Microsoft, Google, Oracle, and NVIDIA all making multi-billion dollar pledges. That capital runs on legal certainty. A framework that clarifies who owns training data and AI-generated outputs reduces commercial risk for firms building on Malaysian sovereign AI infrastructure — including ILMU, Malaysia's domestic AI model trained on licensed datasets.
The governance gap is also demonstrably real. A Trend Micro survey of 3,700 decision-makers across 23 countries found that 75 percent of Malaysian IT leaders felt pressure to approve risky AI deployments — the highest share globally, nine points above the global average — while local teams detected only about a third of malicious AI behaviour. Mandatory incident reporting and lifecycle accountability are a proportionate response to that combination of high deployment pressure and low threat detection.
Malaysia's MyDigital blueprint targets 30 percent of national GDP from the digital economy by 2030, up from approximately 23 percent in 2022. Regulatory clarity on AI ownership is a legitimate precondition for hitting that number — but only if the compliance architecture created is proportionate for the startups and SMEs that MyDigital has explicitly prioritised.
Where the Bill Creates Real Risks
The strongest concern is definitional imprecision at the IP layer. Treating all training data as subject to copyright-style protection without carving out a text-and-data mining exception — the path the EU chose in its AI Act and the DSM Directive — could make it structurally difficult for smaller players to build foundational models in Malaysia without licensing deals they cannot afford. The Copyright Act 1987 was not designed for the scale at which modern AI systems ingest data; extending it by interpretation risks creating a compliance minefield that well-resourced incumbents can navigate but startups cannot.
The bill also inherits Malaysia's regulatory-convergence problem. The Cybersecurity Act 2024 already mandates incident reporting for critical infrastructure. The Personal Data Protection Amendment Act 2024 adds breach notifications. Layering AI-specific reporting obligations on top, without harmonised timelines and thresholds, risks burdening the same compliance teams with overlapping duties from three separate regimes.
Finally, there is the interoperability question. Malaysia holds the secretariat of the ASEAN AI Safety Network, which has emphasised cross-border coherence. A bespoke dual-IP framework that diverges from Singapore's voluntary AI Verify approach and Vietnam's December 2025 standalone AI law — Southeast Asia's first — could fragment the legal environment for companies operating across the region.
Where Malaysia Stands in the Region
Vietnam passed Southeast Asia's first standalone AI law in December 2025. Singapore remains committed to voluntary frameworks. Malaysia's bill, if enacted broadly as drafted, would be the first ASEAN instrument to place both input and output IP rights at the legislative centre — a meaningful distinction that could shape how the rest of the region thinks about the ownership question.
The MY-AI Standards Platform, launched on March 10, 2026 with centralised access to more than 80 global ISO/IEC AI standards, shows Malaysia understands that voluntary norms should precede enforceable rules. Whether the June 2026 bill strikes the right balance — offering enough legal certainty to attract investment without generating enough compliance overhead to suppress the local AI ecosystem it is designed to serve — will define whether this is a model for ASEAN or a cautionary tale.