The rapid adoption of generative AI tools across Southeast Asian workplaces has created an urgent governance gap. Employees are already using ChatGPT, Claude, Copilot, and other AI tools — often without their employer's knowledge or approval. Without a formal AI policy, companies face uncontrolled risk exposure in data privacy, intellectual property, regulatory compliance, and output quality.
A well-crafted AI policy does not restrict innovation. It channels it safely. Companies with clear AI policies adopt AI faster, with fewer incidents, than those relying on informal guidelines or no guidance at all.
This template is designed specifically for companies operating in Malaysia and Singapore, incorporating the regulatory requirements of both jurisdictions.
Below is a comprehensive template you can adapt for your organisation. Sections marked with [COMPANY] should be replaced with your company name.
This policy establishes guidelines for the responsible use of artificial intelligence tools and systems at [COMPANY]. It applies to all employees, contractors, and third-party service providers who use AI tools in the course of their work for [COMPANY].
Objectives:
| Term | Definition |
|---|---|
| AI Tool | Any software that uses artificial intelligence or machine learning to generate text, images, code, analysis, or other outputs |
| Generative AI | AI systems that create new content (text, images, code) based on prompts |
| Prompt | The input or instruction given to an AI tool |
| AI Output | Any content, analysis, or recommendation generated by an AI tool |
| Personal Data | Any data that can identify a living individual, as defined under PDPA |
| Confidential Data | Information classified as confidential under [COMPANY]'s data classification policy |
[COMPANY] has approved the following AI tools for business use:
| Tool | Approved Use | Data Classification Allowed | Licence Type |
|---|---|---|---|
| [e.g. ChatGPT Enterprise] | General writing, research, analysis | Internal, Public | Enterprise |
| [e.g. Microsoft Copilot] | Office 365 integration | Internal, Public | Enterprise |
| [e.g. GitHub Copilot] | Code generation and review | Internal code only | Enterprise |
Unapproved tools: Employees must not use AI tools that have not been approved by [COMPANY]'s IT department. If you wish to request approval for a new tool, submit a request through the [AI Tool Approval Process].
Free/consumer versions: The free or consumer versions of AI tools (e.g. free ChatGPT, free Claude) are not approved for work use, as they may use your inputs for model training and lack enterprise data protection.
This is the most critical section of the policy. Data mishandling is the primary risk of AI use in the workplace.
Never input into any AI tool:
Permitted inputs:
When in doubt: Do not input the data. Consult your manager or the [COMPANY] Data Protection Officer.
AI outputs must be reviewed before use in any business context:
Singapore:
Malaysia:
Employees must report AI-related incidents immediately to [designated contact]:
Replace all [COMPANY] placeholders, fill in the approved tools table, and add any industry-specific requirements.
Have your legal team or external counsel review the policy for compliance with your specific regulatory obligations.
The policy should be endorsed by the CEO or Managing Director, not just IT or HR. This signals that AI governance is a company-wide priority.
Distribute the policy with a mandatory training session — not just an email. Employees need to understand the "why" behind each rule.
Review the policy quarterly. AI tools and regulations evolve rapidly, and your policy must keep pace.
Singapore's IMDA Model AI Governance Framework is principles-based, emphasising transparency, fairness, and accountability. While not legally binding, it is considered best practice and is increasingly referenced by regulators including MAS and the PDPC.
Malaysia's PDPA governs the processing of personal data in commercial transactions. Companies using AI tools that process personal data must ensure compliance with the seven data protection principles, particularly the General Principle, Notice and Choice Principle, and Disclosure Principle.
Generic AI policy templates provide a starting framework but require significant customization to address organization-specific risk profiles, regulatory environments, and operational realities. Before adopting a template, organizations should conduct a gap analysis comparing the template's provisions against their existing policies, industry regulations, and identified AI risk areas. Sections addressing data handling should reference the organization's existing data governance framework and privacy policies. Sections covering acceptable use should reflect the specific AI tools deployed within the organization and the business contexts in which they are used. Legal counsel should review all customized policies before adoption to ensure alignment with applicable employment law, intellectual property protections, and industry-specific regulatory requirements.
Policy adoption requires more than distributing a document through email. Effective rollout strategies include mandatory training sessions that walk employees through the policy using scenario-based examples relevant to their specific roles and departments. Department managers should lead follow-up discussions applying the policy to their team's most common AI use cases, identifying any ambiguities or gaps that require policy clarification. Organizations should establish a dedicated communication channel where employees can ask questions about policy interpretation and report potential policy violations without fear of punitive consequences during the initial adoption period.
AI capabilities evolve rapidly, making policy currency an ongoing challenge. Organizations should establish a formal policy review cycle of at least every six months, triggered additionally by significant events such as the release of major new AI models, changes in regulatory requirements, or internal AI incidents that expose policy gaps. The review process should include feedback collection from employees about policy provisions that are unclear, impractical, or overly restrictive. Version control and change tracking ensure that all employees are working from the current policy version, and policy update communications should highlight specific changes and their rationale rather than simply redistributing the entire document.
AI policies should include measurable success criteria that enable organizations to evaluate whether the policy achieves its intended objectives. Track metrics including employee awareness rates measured through periodic assessments, reported policy violations and their resolution outcomes, shadow AI usage rates detected through IT monitoring, and employee satisfaction with AI tool access and policy clarity. Organizations should set annual improvement targets for each metric and use the results to guide policy refinements during scheduled review cycles. Declining awareness scores or rising violation rates signal that the policy requires updated training materials, clearer language, or revised provisions that better match actual workplace AI usage patterns.
Yes. While there is no specific law requiring an AI policy, both Malaysia's PDPA and Singapore's PDPA impose obligations on how personal data is handled — including when processed through AI tools. An AI policy is the practical mechanism for ensuring compliance and managing risk.
At minimum, an AI policy should cover: approved AI tools, data handling rules (what can and cannot be input), quality assurance requirements for AI outputs, disclosure guidelines, compliance with local data protection laws, and an incident reporting process.
AI policies should be reviewed quarterly and updated whenever there are significant changes to AI tools, regulations, or company operations. Major updates such as new tool approvals or regulatory changes should trigger immediate policy revisions.
