Building a Sovereign AI Strategy for AI in Malaysia

Key Takeaways:

• Capability must match infrastructure. Hardware investment without a corresponding investment in data, engineering, and institutions creates dependency, not sovereignty.

• Risk classification comes first. Organisations that start with a clear view of AI workloads by risk tier make better infrastructure decisions. The classification drives the choice, not the other way around.

• The data middle ground is missing. Where the only options are publish or withhold, the dataset is not in a usable state. Discovery, licensing, and conditional sharing are infrastructure decisions in their own right.

• Profit and loss accountability changes behaviour. The value is not in the metrics, but rather the accountability it creates. The question is whether that discipline spreads beyond the organisations that have already adopted it.

• Talent development is a three-part commitment.Workforce reskilling, university pipelines, and K-12 teacher capability require different approaches. Organisations that address all three together are the ones that build lasting capability.

Two-thirds of Southeast Asia's entire data centre capacity currently under construction is committed to Malaysia. Johor alone is set to hold 60% of Malaysia's total capacity by 2030. 

But data centres employ fewer than 200 people at full operation. Infrastructure, by itself, does not build a sovereign nation. Capability does. 

The standard the conversation settled on was not resilience but antifragility: systems that grow stronger under stress rather than merely surviving it.

That was the thread running through the Red Hat Executive Exchange in Kuala Lumpur on 21 May 2026. AIBP brought together senior leaders from Malaysia's public sector to examine what sovereign AI demands in practice.

The session featured Sam Majid, CEO of the National AI Office (NAIO); Ts. Shaharuddin Hamid Mustapha, CEO of Petronas Digital; Ahmad Fadhlul Irham Yusoff, Director of the Centre for Knowledge, Communication and Technology at Universiti Sains Malaysia (USM); Chris Butler, Chief Architect from the CTO Office at Red Hat APAC and Yue Yeng Fong, Vice President of AIBP, with the session moderated by Tammy Tan, Country Manager of Red Hat Malaysia.

The investment vs. capability trade-off in Malaysia's AI Roadmap 

The distinction between resilience and antifragility is not semantic. Resilient systems survive stress and return to where they were. Antifragile systems use that same stress to grow. 

What separates the two approaches is between investment-led growth and capability-led growth. 

Investment-led growth attracts foreign capital, builds infrastructure, and lets the ecosystem follow. Capability-led growth anchors every investment to local talent, institutions, and knowledge.

The first produces faster visible results, while the latter produces results that compound.

The standard worth aiming for is not resilience but antifragility: systems that do not merely survive stress, but grow stronger because of it.

For a sovereign AI ecosystem, that means investing in what outlasts the hardware: the governance, talent, and data infrastructure that allows a country to act with genuine autonomy.

Building an antifragile ecosystem means every infrastructure investment is matched by an equal investment in what runs on top of it: data, governance, talent, and institutional capacity. 

Without that balance, hardware becomes a dependency rather than a foundation.

Sovereign AI Cloud and the Risk Decision

Geopolitical risk is no longer an abstract concern for the public sector in Malaysia's AI landscape. Subsea cable disruptions, cyber breaches with national economic consequences, and supply chains concentrated in a handful of countries have made sovereignty a practical decision rather than a doctrinal one.

"AI is an accelerator for all of that. It decreases the cost for adverse actors to take effect on us." — Chris Butler, Chief Architect, CTO Office APAC, Red Hat

Sovereign AI is a question of risk classification, not infrastructure ownership. 

Organisations need to classify which AI projects are high risk before deciding what level of sovereign infrastructure they require. This includes knowing what your systems are doing, who has access, and whether you can prove it at any point in time.

Malaysia’s forthcoming AI Governance Bill, which will mandate sector-by-sector risk classification across the country's 28 government sectors, sets a floor for these questions. 

Open source AI platforms play a specific role here in keeping the risk decision tractable. Open models run roughly six months behind frontier models at a fraction of the cost.

For middle powers, like Malaysia, that gap is a strategic opportunity. It means capability without dependency and the geopolitical strings that come attached to proprietary platforms.

"Open source and open models become a great geopolitical equaliser. A country like Malaysia can access the greatest capability while maintaining control of the ecosystem." — Chris Butler, Chief Architect, CTO Office APAC, Red Hat

Antifragility, in governance terms, looks like a system whose risk posture improves with each incident logged, each classification refined, and each access trail closed.

The data problem hiding in plain sight

The infrastructure challenge is visible. The data challenge is not, and it may matter more.

Malaysia currently has only two states of public data: fully open or fully closed. There is almost nothing in between. No mechanism to discover, license, or purchase datasets. No data economy to speak of.

Sam Majid, CEO, National AI Office (NAIO), puts it plainly: Malaysia does not yet have a data economy, and a national conversation about a data commission and a Freedom of Information Act is overdue.

The structural consequence is already visible in the models. The Bahasa Melayu AI training corpus is severely underrepresented in global training sets.

AI responses in Malay are shaped by data from elsewhere: social media, informal usage, sources that do not reflect the language or the country as it is.

"If you are an owner of a national data set and the culture is still not a sharing culture, then the response will come from somebody or somewhere else." — Sam Majid, CEO, National AI Office (NAIO)

Data owners, whether government agencies or private sector organisations, carry the responsibility. Withholding data is not a neutral act. 

An antifragile ecosystem treats national datasets as public assets: shared, improved, and built upon over time. When they are withheld, AI does not go without. 

It simply learns from somewhere else, and gets better at understanding Malaysia from sources that are not Malaysian.

How Petronas Digital's AI Transformation Is Setting the Accountability Standard

For enterprises, the most practical starting point for any AI initiative is financial accountability. Ts. Shaharuddin Hamid Mustapha, Chief Executive of Petronas Digital, advocated for putting a profit-and-loss (P&L) against every digital and AI initiative.

Within two years, that approach reduced operating costs at Petronas Digital by 30 to 40 per cent, and the savings were reinvested into capability and innovation.

"AI is beyond the utility of tools and systems. It's about culture, behaviour, maturity, and responsibility." — Ts. Shaharuddin Hamid Mustapha, CEO, Petronas Digital

AI talent development is the second pressure point. The challenge spans three layers: reskilling for AI in today's workforce, shaping university graduates entering the job market, and influencing the K-12 generation whose teachers are being shaped now. 

Each requires a different intervention. Producing graduates who genuinely understand sovereignty, as Ahmad Fadhlul Irham Yusoff noted, requires sustained collaboration between industry, government, and academia, not curriculum reform alone.

Majid added an observation that cuts against a common assumption. Successful AI projects in the public sector are overwhelmingly business-driven, not IT-driven. 

In practice, sovereign capability cannot be delegated to a technology function. It is a leadership posture, and the accountability for it sits accordingly.

What Outlasts the Hardware: The Future of AI in Malaysia

Malaysia has the investment and the policy intent behind its national AI office and governance framework.

What determines the outcome is whether capability compounds at the same pace as infrastructure. That is the antifragility test.

Because AI sovereignty that lives only in hardware can be switched off. 

What cannot be switched off is capability: the people, the data, and the institutions built to last.

The conversation on sovereign AI, data governance, and Malaysia's digital future continues at the AIBP Conference and Exhibition Malaysia 2026, 8 to 9 July at the W Hotel, Kuala Lumpur. Register your interest here.