ASEAN AI Governance: The Regional Framework and Country-by-Country Landscape

The ASEAN framework: voluntary but influential

ASEAN's AI Governance Framework, first published in 2019 and updated in 2023, establishes voluntary principles for responsible AI across the ten-member bloc. The framework covers transparency, fairness, security and robustness, human oversight, and accountability — closely mirroring Singapore's IMDA Model AI Governance Framework, which served as a key input. The ASEAN framework is not binding on member states, but it has shaped national AI governance approaches across the region and provides a common reference point for organisations operating multi-country ASEAN operations.

Thailand

Thailand's Personal Data Protection Act (PDPA), fully effective from June 2022, includes automated decision-making provisions that apply to AI systems making significant decisions about individuals. The Personal Data Protection Committee (PDPC) has issued guidance on AI and PDPA compliance. The National AI Strategy published in 2022 covers healthcare, agriculture, manufacturing, and smart city applications with governance principles. AI in financial services is subject to Bank of Thailand oversight, with guidance on model risk and algorithmic systems.

Indonesia

Indonesia's Personal Data Protection Law (PDP Law), enacted September 2022 and effective October 2024, creates obligations for automated decision-making with significant effects on data subjects — requiring human intervention mechanisms. The Ministry of Communication and Information Technology (Kominfo) has issued AI governance guidelines. Indonesia's strategic importance as the world's fourth most populous country makes it a significant market for AI-related compliance frameworks, and regulatory development is accelerating.

Vietnam

Vietnam's National Strategy on Research, Development and Application of AI through 2030 establishes governance principles. The Cybersecurity Law and Decree 13/2023 on Personal Data Protection create specific obligations for AI platforms, content moderation AI, and recommendation systems. Organisations operating AI services in Vietnam must comply with cybersecurity requirements including data localisation provisions for certain categories of data.

Malaysia

Malaysia's Responsible AI Roadmap 2021-2025 and National AI Strategy provide the governance framework. Bank Negara Malaysia (BNM) has issued AI governance expectations for financial institutions through its Risk Management in Technology policy document. The Personal Data Protection Act (PDPA) amendments create enhanced obligations for automated processing. Malaysia's approach is broadly aligned with Singapore's IMDA framework, making regional compliance programs generally transferable.