Governing AI in Malaysian Enterprises: Data, Not Algorithms, Is the Real Battleground
TL;DR
Many organisations sit on “data swamps”: large volumes of structured and unstructured data that are underutilised and inconsistently managed.
Sensitive data extends beyond traditional identifiers, requiring evolving controls, zero-trust principles, and proactive risk management.
Generative AI amplifies visibility and control challenges, demanding integration with existing security and compliance frameworks.
AI governance must be horizontal, involving legal, procurement, risk, and compliance functions, not just IT or data teams.
Adaptable frameworks and enterprise feedback are essential to balance innovation and compliance.
Across Southeast Asia, artificial intelligence is moving from experiment to expectation. According to AIBP’s 2025–26 ASEAN Enterprise Innovation Market Overview, more than 80% of enterprises in the region are planning to invest in AI to remain competitive. Yet in Malaysia, as in much of the region, progress is uneven. Legacy systems, fragmented organisations and siloed data have turned what should be an acceleration into a prolonged game of catch-up.
Across banking, telecommunications, media, infrastructure and the public sector, AI is advancing faster than the institutions designed to govern it. The result is strain: leaders juggling overlapping mandates, governance models built for slower technologies, and risk frameworks struggling to keep pace with systems that learn as they operate. Enterprises find themselves walking a narrowing line between innovation and control.
Against this backdrop, AIBP, together with Concentric AI, convened a work discussion in Kuala Lumpur, bringing together Malaysian enterprises to examine a deceptively simple question: how can organisations embed responsible AI practices while scaling adoption across the enterprise?
The swamp beneath the surface
Most large organisations now possess what might generously be called “rich” data environments. In practice, many are closer to a swamp. Vast volumes of structured and unstructured data are collected, stored and duplicated across business units, yet only a fraction is reliably usable. The result is analysis paralysis: plenty of information, little clarity, and governance that struggles to keep up.
At Astro, Malaysia’s largest media group, the data estate spans content libraries, live broadcast feeds, digital engagement signals and audio streams. AI is already embedded in functions such as marketing, procurement, HR and content generation. With this breadth of adoption, Astro is now prioritising governance as a strategic enabler, ensuring these initiatives are coordinated, trusted and governed for the long term.
“So in order to do the data governance itself, I think it's the culture and the buy-in from every single department. Now, when we put data governance policies across the different departments, it's about how they actually use the data, right, from different perspectives,” says Eva Poovan, Head Group Data at Astro.
Eva shared that data governance is more about culture than process. Each department interprets and uses data differently, applying its own metrics and assumptions.
As in many organisations, AI governance builds on strong data governance, strengthening accountability, security, and risk management. Responsibility is shared across project management, security, and data protection, with Astro coordinating these efforts through its project management office.
Chris Farrelly, VP for APAC at Concentric AI, underlines this point:
“Accountability and ownership are critical, and everyone must work together to protect data. From a technical perspective, visibility and knowing where data resides are equally essential. The culture of collaboration ensures the entire organization contributes to safeguarding sensitive information.”
In practice, this means that organisations need to create a collaborative culture where every team understands its role in securing data and guiding AI responsibly.
Sensitive data, amplified risk
Financial institutions hold some of the economy’s most sensitive data and operate under intense regulatory scrutiny. AI offers efficiency and productivity—but it also broadens the attack surface.
At AmBank, Group CISO Malini Kanesamoorthy describes governance as a progressive, collaborative journey rather than a fixed destination. Data governance, cybersecurity, technology risk, and operations jointly review policies, incidents, and gaps, reflecting the reality that AI risk cannot be confined to a single function.
The definition of “sensitive data” has evolved. Five years ago, it focused on identity numbers and credit cards; today, business registration data, transactional context, and even seemingly benign metadata can carry regulatory and reputational consequences. Many users assume that the absence of obvious identifiers implies safety. As AI adoption grows, baseline controls must also evolve. Zero-trust principles, reducing reliance on individual discretion and centralising control, are increasingly essential, though not yet universal.
“There’s no one-size-fits-all. It’s a work in progress. At any audit, there will be gaps, and we need to remind auditors that governance is an evolving process. As AI interest grows, our baseline data controls must strengthen accordingly,” Malini explains.
This perspective is reinforced by discussions at the 49th AIBP Conference in 2025, particularly during the panel “AI Knows Too Much – Why Data Governance Matters More” (Session 3, Strengthening Data Governance for AI-Driven Enterprises). Dr. Hon Hock Woon, Head of AI, AmBank Group, highlighted that effective AI governance is inherently multi-layered. Each model is assigned clear ownership, supported by mandatory documentation, and governed by defined procedures to manage failures and exceptions. These practices are anchored to national AI principles, ensuring that data is handled responsibly while maintaining transparency and explainability as AI systems scale across the enterprise.
From a technology standpoint, visibility is the first challenge. Generative AI continuously ingests data, often through unmonitored or unsanctioned channels. “Before you can govern AI, you must know what data you have, where it resides, and what is sensitive,” says Chris Farrelly, VP for APAC at Concentric AI.
Visibility precedes control. Only then can masking, redaction, or blocking be applied effectively. Strong data hygiene, including retention policies, classification, and a clear sense of what should never leave the enterprise, is critical. Most organisations already have security ecosystems; the challenge lies in integrating AI into them rather than adding controls after the fact.
Governance goes horizontal
The rapid adoption of AI and technologies like Generative AI has significantly widened the scope of governance. Data governance has traditionally sat within a defined function, drawing on others as needed. AI governance does not afford that luxury.
At CelcomDigi, Stephanie Menggu, Head of Data Quality and Master Data Management, noted that AI governance requires far deeper collaboration across the enterprise. Legal, procurement, risk, and compliance teams need to play active roles. Procurement must assess not just cost and capability, but also the AI embedded in third-party solutions. Legal teams must anticipate liability, intellectual property, and disclosure risks. Risk frameworks must be redesigned to account for probabilistic outputs and model drift.
Policy, meanwhile, is racing to keep up. Across jurisdictions, including Malaysia, regulations such as the Personal Data Protection Act are evolving towards risk-based approaches that differentiate obligations based on use case and impact. Models evolve, data shifts, and oversight must adapt in tandem.
Fazlan, Head of the Technology Research & Strategy Department at Cybersecurity Malaysia, highlights the tension: regulators are aware of global developments and of industry resistance to over-regulation. Too much control risks stifling innovation; too little invites harm.
Malaysia’s response has been consultative. The National AI Office has established industry-led working groups to inform guidelines and incentives, incorporating enterprise feedback at the highest levels. Effective AI governance, Fazlan argues, must be co-designed.
Data as Destiny
In the end, intelligence is only as trustworthy as the foundations on which it is built. Data, its quality, classification, ownership, and flow through increasingly autonomous systems, must be carefully arranged and governed.
Success will depend not on the novelty of AI tools, but on the discipline, culture, and collaboration that ensure the enterprise’s data, and by extension its intelligence, is reliable, compliant, and safe.
—————————————-
About ASEAN Innovation Business Platform (AIBP)
Since its inception in 2012, ASEAN Innovation Business Platform (AIBP) has been an initiative focused on enabling innovation and strategic partnerships across public and private organisations in Southeast Asia. Through curated engagement activities, AIBP supports the growth of regional government agencies, enterprises and solution providers in navigating key themes such as innovation, digital transformation, and sustainability.
Learn more at www.aibp.sg