[Feature Article] The Star Newspaper: Banks Must Rethink Fraud Controls as AI Risks Rise

Banks Must Rethink Fraud Controls as AI Risks Rise

Published by The Star on 20 May 2026

By Thulasy Suppiah, Managing Partner of Suppiah & Partners

The recent Sessions Court ruling ordering a local bank to pay RM166,000 for failing to monitor anomalous transactions represents a critical inflection point for corporate governance in Malaysia. By holding the institution liable for ignoring sudden, uncharacteristic account activity, the court effectively dismantled the legacy defence that merely having a secure system—such as sending automated SMS alerts—absolves an organisation of its duty of care.

The ruling sets a clear legal baseline: financial institutions cannot remain passive when faced with glaring transactional anomalies. It reinforces the expectation that financial compliance requires active, intelligent monitoring of escalation triggers, particularly when a transaction drastically deviates from established customer behaviour.

However, if our institutions are currently facing legal liability for missing traditional, rudimentary anomalies, they are alarmingly exposed to the incoming wave of AI-driven financial manipulation. What used to be neatly divided into IT risk versus finance risk is now one combined problem. Cybersecurity and financial compliance can no longer sit in separate rooms.

AI does not necessarily create new categories of fraud; it amplifies existing ones with devastating precision. The 2024 Arup incident, where a multinational engineering firm lost US$25mil after an employee transferred funds based on a deepfake video call with fabricated “senior management,” serves as the global anchor case. It proves an uncomfortable reality: we can no longer trust the channel. Relying on email authenticity, or even live video confirmation, is now an outdated assumption.

Furthermore, AI enables virtually undetectable fraud at scale. Instead of a single large, suspicious transfer, malicious actors can execute hundreds of micro-transactions over time. In this modern “One Cent Thief” scenario, each transaction sits comfortably below automated detection limits and approval thresholds, yet aggregates into significant corporate losses.

This is where our current regulatory frameworks face a critical gap. The Cybersecurity Act 2024 provides a strong foundation for strengthening system resilience and reporting breaches. However, AI introduces a fundamentally different risk. It does not necessarily hack the system; rather, it manipulates how human decisions are made. While current cybersecurity laws protect the infrastructure, they do not fully address the deception embedded within the financial workflow itself.

To survive this shift, corporate boards and audit committees must recognise that the answer is not simply telling employees to “be careful.” Financial approval systems must be actively redesigned to withstand deception. High-risk actions—such as large payments, urgent transfers, or changes to vendor bank details—must trigger mandatory, independent, out-of-band verification using pre-approved contact channels.
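As an added illustration (not code from the article or from Suppiah & Partners), the Python below sketches the three controls the article argues for: holding a transfer that is far outside a customer's established pattern, judging many small transfers to one payee together so a "One Cent Thief" pattern is caught even though each payment sits under the per-transaction limit, and refusing to execute a high-risk action (a vendor bank-detail change, an urgent transfer, a large payment) until staff have confirmed it through a channel registered before the request arrived. The threshold values, account and payee names, the callback number and all sample transactions are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass
class Transaction:
    ts: datetime
    customer: str
    payee: str
    amount: float  # RM
    kind: str      # "transfer", "urgent_transfer" or "vendor_detail_change"


@dataclass
class Verification:
    """Result of an out-of-band check made by the bank's own staff."""
    channel: str   # the channel actually used, e.g. "callback:<number on file>"
    confirmed: bool


# Policy values: all assumptions chosen for this example, not figures from the article.
DEVIATION_FACTOR = 5.0            # hold if amount > 5x the customer's median transfer
AGGREGATE_LIMIT = 10_000.0        # hold if one payee receives more than this in the window
AGGREGATE_WINDOW = timedelta(days=7)
HIGH_VALUE_LIMIT = 50_000.0       # single payments at or above this need out-of-band checks
HIGH_RISK_KINDS = {"urgent_transfer", "vendor_detail_change"}


class FraudControls:
    def __init__(self, baseline, approved_channels):
        self.baseline = baseline                # customer -> historic transfer amounts
        self.approved = approved_channels       # customer -> channels registered in advance
        self.history = defaultdict(list)        # (customer, payee) -> [(ts, amount)]

    def deviates_from_baseline(self, tx):
        """Sudden, uncharacteristic activity: far above what this customer normally sends."""
        hist = self.baseline.get(tx.customer, [])
        if len(hist) < 5:
            return False  # not enough history to call anything 'uncharacteristic'
        return tx.amount > DEVIATION_FACTOR * median(hist)

    def aggregate_exceeds(self, tx):
        """'One Cent Thief' check: sum everything sent to this payee in the window,
        so many small transfers are judged together rather than one at a time."""
        key = (tx.customer, tx.payee)
        self.history[key].append((tx.ts, tx.amount))
        cutoff = tx.ts - AGGREGATE_WINDOW
        return sum(a for t, a in self.history[key] if t >= cutoff) > AGGREGATE_LIMIT

    def requires_out_of_band(self, tx):
        return tx.kind in HIGH_RISK_KINDS or tx.amount >= HIGH_VALUE_LIMIT

    def evaluate(self, tx, verification=None):
        """Return ("ALLOW" | "HOLD", reasons). Only a confirmation obtained through a
        channel registered before the request counts; a number supplied by the
        requester is exactly what a deepfake caller would hand over."""
        reasons = []
        if self.deviates_from_baseline(tx):
            reasons.append("deviates_from_baseline")
        if self.aggregate_exceeds(tx):
            reasons.append("payee_aggregate_exceeded")
        if self.requires_out_of_band(tx):
            ok = (verification is not None and verification.confirmed
                  and verification.channel in self.approved.get(tx.customer, set()))
            if not ok:
                reasons.append("out_of_band_verification_missing")
        return ("HOLD" if reasons else "ALLOW", reasons)


def run_demo():
    """Constructed sample data; returns the decision for each scenario."""
    baseline = {"acct-001": [120.0, 95.0, 150.0, 110.0, 130.0]}   # median RM120
    approved = {"acct-001": {"callback:+60-12-000-0000"}}         # placeholder number
    fc = FraudControls(baseline, approved)
    t0 = datetime(2026, 5, 1, 9, 0)
    out = {}
    out["normal"] = fc.evaluate(Transaction(t0, "acct-001", "payee-a", 200.0, "transfer"))
    out["sudden_large"] = fc.evaluate(Transaction(t0, "acct-001", "payee-b", 5_000.0, "transfer"))
    # 120 transfers of RM99 to one payee over 60 hours: each is tiny, the total is not
    micro = [fc.evaluate(Transaction(t0 + timedelta(minutes=30 * i), "acct-001",
                                     "payee-c", 99.0, "transfer")) for i in range(120)]
    out["first_micro"] = micro[0]
    out["micro_flag_index"] = next(i for i, d in enumerate(micro) if d[0] == "HOLD")
    out["micro_over_limit"] = micro[out["micro_flag_index"]]
    change = Transaction(t0, "acct-001", "payee-d", 0.0, "vendor_detail_change")
    out["change_unverified"] = fc.evaluate(change)
    out["change_attacker_channel"] = fc.evaluate(
        change, Verification("callback:+60-99-999-9999", True))   # number not on file
    out["change_verified"] = fc.evaluate(change, Verification("callback:+60-12-000-0000", True))
    return out


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name:24s} {decision}")
```

The aggregate check is the one most systems lack: the 102nd RM99 transfer is held not because it is unusual on its own but because the running total to that payee has crossed the limit. The vendor-detail change shows the other half of the article's point: a confirmation is worthless unless it came through a channel the bank already had on file.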

Equally critical is the human factor. Fraud often succeeds not because a policy does not exist, but because an employee is pressured by urgency or perceived authority into bypassing it. Corporate culture must empower people to pause, question, and escalate suspicious, time-sensitive instructions. Crucially, no employee should ever be penalised for slowing down a transaction to exercise independent judgment.

The future of financial security is not just building stronger firewalls. It is disciplined human decision-making, better audit trails, and structured verification built directly into financial processes. As the recent court ruling demonstrates, the expectation of accountability is not new. The law is simply evolving to demand that our internal controls are robust enough to manage exactly how decisions are made and acted upon.

© 2025 Suppiah & Partners. All rights reserved. The contents of this newsletter are intended for informational purposes only and do not constitute legal advice.

[Feature Article] The Star Newspaper: AI Adoption Cannot Justify Dismissal

AI ADOPTION CANNOT JUSTIFY DISMISSAL

Published by The Star on 13 May 2026

By Thulasy Suppiah, Managing Partner of Suppiah & Partners

A recent Chinese court ruling—declaring that replacing a worker with AI to cut costs does not legally justify termination—serves as a stark warning: rapid technological adoption cannot bypass established labour protections.

For Malaysia, where TalentCorp projects nearly 700,000 workers will face disruption from AI, digitalisation and the green economy within three to five years, this is a legal reality we must urgently confront.

Under the Industrial Relations Act 1967, terminations require “just cause or excuse.” While companies will inevitably claim “redundancy” to justify AI-driven layoffs, procuring an enterprise AI license is not a legal blank cheque. The burden remains on employers to prove a role has genuinely ceased to exist.

If a company dismisses junior staff but uses algorithms to produce the exact same volume of work—still requiring human prompting, editing, and supervision—the role has simply evolved, not disappeared. Claiming redundancy here could be successfully challenged in the Industrial Court as a sham.

However, the most profound threat to our workforce is not the legally actionable layoff; it is “invisible displacement.” This silent attrition occurs when departing employees are simply not replaced because AI absorbs their workload. No termination letter is issued, and no legal claim arises, but entry-level opportunities permanently evaporate.

We must acknowledge the employer’s reality: in a hyper-competitive global landscape, it is economically irrational to artificially sustain obsolete roles. The law can punish unfair dismissals, but it cannot compel companies to create new jobs.

While TalentCorp anticipates the emergence of 120 new high-value roles, placing the burden entirely on workers to aggressively upskill is a flawed strategy. We cannot rely on 20th-century labour laws to manage 21st-century technological disruption. We urgently need a new “digital social contract” bridging statutory reform and corporate governance.

First, the Human Resources Ministry must establish modernised guidelines explicitly defining “technological redundancy.” The Industrial Court should not be left to interpret AI displacement using decades-old precedents designed for factory closures. We need clear statutory definitions that distinguish genuine business restructuring from opportunistic AI cost-cutting.

Second, corporate governance must evolve. Adopting enterprise AI is a profound human resources event, not merely an IT procurement. Environmental, Social, and Governance (ESG) standards should encourage internal workforce impact audits. Before defaulting to silent attrition or redundancy, employers hold a duty of care to explore how at-risk workers can be transitioned to manage the very AI systems replacing their tasks.

AI will undoubtedly alter existing roles, but more importantly, it will dictate the jobs companies choose not to create tomorrow. True job security in the algorithmic age requires not just an agile workforce, but modernised labour laws and a corporate sector willing to take responsibility for its technological upgrades.

[Feature Article] The Star & The Sun Newspaper: A Balanced Blueprint For Youth Online Safety

A BALANCED BLUEPRINT FOR YOUTH ONLINE SAFETY

Published by The Star & The Sun on 28 Apr 2026

By Thulasy Suppiah, Managing Partner of Suppiah & Partners

The government’s plan to restrict children under 16 from accessing social media by June, using the framework of the Online Safety Act (ONSA), signals a strong commitment to youth protection. However, a “total lockout” approach and the proposed MyKad-based age verification raise critical practical and cybersecurity concerns.

A sweeping ban is a blunt regulatory tool that is notoriously difficult to enforce. Banning youths will inevitably drive them to use Virtual Private Networks (VPNs) or migrate to encrypted messaging apps like Telegram, rendering them entirely invisible to parents and regulators. What we need is to foster digital literacy alongside these restrictions.

In this context, Meta’s recent rollout of revamped “Teen Accounts” offers a highly instructive case study. By placing younger users under strict default settings for privacy, disabling recommendations for sensitive content, and embedding mandatory parental controls, Meta has provided a tangible blueprint for what “safety by design” looks like in practice, rather than relying on reactive moderation after the fact.

From a regulatory standpoint, this is a significant and welcome shift. By mandating safe, highly restricted environments, we give youths a secure “training ground” to develop digital resilience.

Rather than pursuing an unenforceable blanket ban, policymakers should use this model to establish an industry-wide baseline. The Malaysian Communications and Multimedia Commission (MCMC) regulatory sandbox should pivot from testing how to block youths entirely, to testing how to protect them. The upcoming ONSA subsidiary instruments should make these strict default privacy settings and restricted algorithmic feeds a mandatory licensing condition for all platforms operating in Malaysia.

This brings us to a major cybersecurity concern. The Communications Minister recently suggested standardising “age verification” using official government documents like the MyKad. If this verification requires platforms to directly collect and store MyKad, we are facing a massive risk.

Social media platforms suffer massive data breaches. The 2021 Facebook data leak exposed details of 533 million users, and in 2023, hackers posted email addresses linked to 200 million Twitter accounts. If social media giants cannot guarantee the absolute security of user data based on these past incidents, trusting them to directly verify and store our MyKad could expose millions to severe identity theft. Trading one potential harm for another, more severe one is a deeply flawed policy.

Furthermore, if age verification requires platforms to collect and store MyKad, it does not meet the spirit of data minimisation under Section 6 of Malaysia’s Personal Data Protection Act (PDPA). The General Principle of the PDPA dictates that personal data processed must be “adequate but not excessive” in relation to its purpose. We cannot create a system where ONSA requirements actively conflict with the spirit of the PDPA.

If age verification is deemed absolutely necessary, we must look to privacy-preserving global best practices. Rather than submitting MyKad to tech companies, Malaysia should adopt the “double-blind tokenised approach” recommended by Australia’s eSafety Commissioner.

This approach involves an independent, regulated third party that verifies a user’s age. This verifier then provides a secure token to the social media platform, confirming only that the user meets the age requirement. Crucially, the platform never receives or handles the user’s personal identification documents, thereby protecting their privacy.
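The exchange described above, as an added example that is not part of the article or of any eSafety Commissioner specification: a verifier that holds the identity records issues a short-lived token carrying only an "over 16" claim, a nonce and an expiry, and a platform that accepts the token can check it without ever seeing an identity number or date of birth. The identity numbers, dates of birth and timestamps are constructed placeholders. One assumption to flag: the token is authenticated with an HMAC from the Python standard library so the example runs without third-party packages; a deployment would use a public-key signature so that platforms can verify tokens but cannot mint them.

```python
import base64
import hashlib
import hmac
import json
import secrets
from datetime import date, datetime, timedelta, timezone


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AgeVerifier:
    """The independent, regulated verifier. It holds the identity data and never
    learns which platform a token is presented to: issue_token takes no audience."""

    def __init__(self, key: bytes, registry: dict):
        self._key = key
        self._registry = registry   # identity number -> date of birth (constructed)

    def issue_token(self, id_number: str, min_age: int, now: datetime,
                    ttl: timedelta = timedelta(minutes=5)):
        dob = self._registry.get(id_number)
        if dob is None:
            return None
        today = now.date()
        age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
        if age < min_age:
            return None
        # Only the yes/no claim, a nonce against replay and an expiry: no ID number, no DOB.
        payload = {"claim": f"age_over_{min_age}", "nonce": secrets.token_hex(8),
                   "exp": (now + ttl).timestamp()}
        body = _b64(json.dumps(payload, separators=(",", ":")).encode())
        sig = _b64(hmac.new(self._key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"


class Platform:
    """The social media platform: verifies tokens, stores only the fact of verification."""

    def __init__(self, key: bytes):
        self._key = key
        self._seen_nonces = set()

    def accept(self, token: str, min_age: int, now: datetime):
        try:
            body, sig = token.split(".")
        except ValueError:
            return (False, "malformed")
        expected = _b64(hmac.new(self._key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):
            return (False, "bad_signature")
        payload = json.loads(_unb64(body))
        if payload.get("claim") != f"age_over_{min_age}":
            return (False, "wrong_claim")
        if now.timestamp() > payload["exp"]:
            return (False, "expired")
        if payload["nonce"] in self._seen_nonces:
            return (False, "replayed")
        self._seen_nonces.add(payload["nonce"])
        return (True, "age_verified")


def token_fields(token: str):
    """Everything a platform (or anyone who intercepts the token) can read from it."""
    return sorted(json.loads(_unb64(token.split(".")[0])).keys())


def run_demo():
    key = secrets.token_bytes(32)          # HMAC variant: key shared by verifier and platform
    registry = {"ID-PLACEHOLDER-ADULT": date(2000, 3, 15),
                "ID-PLACEHOLDER-MINOR": date(2012, 6, 1)}   # constructed records
    verifier, platform = AgeVerifier(key, registry), Platform(key)
    now = datetime(2026, 6, 1, tzinfo=timezone.utc)
    out = {}
    tok = verifier.issue_token("ID-PLACEHOLDER-ADULT", 16, now)
    out["token_fields"] = token_fields(tok)
    out["adult"] = platform.accept(tok, 16, now)
    out["replay"] = platform.accept(tok, 16, now)          # same token presented twice
    out["minor"] = verifier.issue_token("ID-PLACEHOLDER-MINOR", 16, now)
    forged_body = _b64(json.dumps({"claim": "age_over_16", "nonce": "x", "exp": 9e9}).encode())
    out["tampered"] = platform.accept(forged_body + "." + tok.split(".")[1], 16, now)
    tok2 = verifier.issue_token("ID-PLACEHOLDER-ADULT", 16, now)
    out["expired"] = platform.accept(tok2, 16, now + timedelta(hours=1))
    return out
```

The data-minimisation point from the PDPA discussion is visible in `token_fields`: the platform can read a claim, a nonce and an expiry, nothing else, so a breach of the platform's database exposes no identity documents. The nonce set and the short TTL are what stop one verified token being shared among many underage accounts.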

We must protect our youths, but not at the expense of their digital literacy or national data security. By pivoting towards mandated “safety by design” and privacy-preserving tokenisation, Malaysia can create a gold-standard regulatory framework that avoids the dangerous pitfalls of blunt bans and mass data collection.

[Feature Article] Navigating ONSA Through Safety by Design

Navigating ONSA Through Safety by Design

By Thulasy Suppiah, Managing Partner of Suppiah & Partners

The recent US$375mil verdict against Meta in a New Mexico court represents a watershed moment in digital governance. While the staggering financial penalty has dominated headlines, the true significance lies in the legal precedent it establishes for corporate risk and product liability in the tech sector.

Crucially, the jury did not penalise the platform merely for a failure in content moderation. The liability was rooted in the finding that the platform’s core recommendation algorithms actively steered underage users towards harmful material, violating unfair practices laws. This verdict effectively signals the death knell for the industry’s legacy playbook of reactive content moderation.

For multinational tech companies operating in Malaysia, this global legal shift arrives at a critical juncture. Under our Online Safety Act 2025 (ONSA), tech executives face personal liability for platform failures. However, the legislation provides a crucial defence clause, allowing leadership to avoid liability if they can demonstrate they took “reasonable steps” to prevent the offence.

The New Mexico verdict serves as a stark warning on how courts and regulators will interpret this threshold moving forward. Relying on after-the-fact measures, such as launching new parental controls or relying on human moderators only after a crisis has occurred, is no longer a viable legal strategy. As public scrutiny intensifies, this landmark verdict demonstrates that relying on reactive fixes is an increasingly perilous legal position when the underlying product design remains fundamentally flawed.

Instead of viewing legislation like ONSA as a hostile threat, the tech industry must embrace “safety by design” as its ultimate corporate shield. Implementing mandatory Algorithmic Impact Assessments before launching new features is no longer just red tape. It is the most effective way to transform unpredictable litigation risks into a predictable, manageable compliance framework.

By building architectural safety measures into their code from the outset, platforms provide a clear, auditable trail of these “reasonable steps”, thereby protecting their executives and ensuring regulatory certainty. Beyond mere legal compliance, there is a profound governance and reputational imperative. Tech giants play an undeniable role in shaping society, and the loss of parental trust is a devastating blow to long-term brand equity.

Ensuring the safety of children and making parents feel secure that their families are protected online is not just a moral obligation. It is foundational to maintaining a platform’s social license to operate.

Ultimately, robust digital governance is a competitive advantage. By proactively pivoting from reactive moderation to structural safety by design, tech platforms can simultaneously protect their leadership under ONSA, fulfill their societal responsibilities, and secure the enduring trust of their user base.

Just as we require safety certifications for physical infrastructure, we must now demand Algorithmic Impact Assessments from our digital landlords. The message is unequivocal: the future belongs to these algorithmic platforms, but their deployment requires a social license to operate.

[Feature Article] The Star: The End of Digital Exceptionalism

The End of Digital Exceptionalism

Published by The Star on 04 Mar 2026

The recent declaration by the government that overseas tech executives could face legal action under the new online safety law has predictably sparked dramatic headlines. The imagery of tech billionaires answering to a Malaysian court is certainly compelling political theatre. However, this spectacle risks obscuring the profound structural realignment actually taking place within our digital borders.

Malaysia is not acting as a rogue regulator; we are merely waking up to a hardened global reality. For too long, multinational platforms operated under a doctrine of digital exceptionalism, treating foreign jurisdictions as lucrative revenue streams free from sovereign oversight.

But with the introduction of frameworks like the UK’s Online Safety Act, and the watershed arrest of Telegram’s CEO in France, the illusion of Silicon Valley immunity has permanently shattered. We are witnessing the global collision between the “move fast and break things” ethos and the sovereign duty of nations to protect their citizens.

Beyond the headline-grabbing prospect of charging foreign executives, the operational spine of the Online Safety Act 2025 (ONSA) is far more pragmatic: the mandatory appointment of a local representative.

This provision bridges a critical jurisdictional gap. Where regulators previously grappled with the friction of enforcing domestic laws against entities domiciled abroad, a local presence ensures that accountability is no longer remote or theoretical, but actionable within our own courts.

Yet, the ultimate success of this framework hinges on a critical legal caveat. Executives can avoid liability if they demonstrate the offence occurred without their consent and that they took “reasonable steps” to prevent it. How our courts and regulators define this threshold will be the defining legal battleground of the next decade.

This is where the intersection of law and generative AI becomes inherently perilous. Consider the controversy where X (formerly Twitter) permitted its Grok AI to generate and manipulate user images without robust, market-ready guardrails.

If a platform deliberately designs and deploys a tool that inherently bypasses consent and facilitates the creation of explicit material, can its leadership legitimately claim they took “reasonable steps” to protect the public?

Relying on after-the-fact user reporting for foreseeable harms is no longer an acceptable defence; it is an abdication of duty.

For global tech entities, this legislation should not be viewed as a death knell for innovation, but as a demand for regulatory certainty. To maintain market access in Malaysia, platforms must pivot from relying on flawed, reactive content moderation to a proactive “safety by design” framework.

Just as we require safety certifications for physical infrastructure, we must now demand Algorithmic Impact Assessments from our digital landlords. The message is unequivocal: the future belongs to digital innovation, but that innovation requires a local license to operate.

[Feature Article] The Star & New Straits Times Newspaper: The Hidden Privacy Cost of Viral AI Trends

The Hidden Privacy Cost of Viral AI Trends

Published by The Star and New Straits Times on 07 Feb 2026

As a society, we are currently grappling with a profound sense of violation. Recent global reports surrounding certain generative AI platforms, highlighting their capacity to generate non-consensual, sexually explicit deepfakes of women and children, have rightly sparked widespread outrage. It forces us to confront a reality many find difficult to process: the troubling potential for automated exploitation.

The strong global reaction to these non-consensual deepfakes—a clear violation of human dignity and online safety—stems from a collective understanding that our image, our body, and our identity are intrinsically our own.

Yet, almost simultaneously, we witness a jarring paradox. While we recoil from the potential theft and misuse of our digital identity, we often voluntarily surrender intimate details for the sake of a viral trend.

This is evident in phenomena like recent AI caricature trends, where users upload selfies and provide detailed personal prompts—or simply instruct the AI to generate portraits based on ‘everything it knows.’ Whether actively describing their jobs and home environments or passively granting permission to scour their cumulative chat history, the result is the same. Users are allowing the AI to aggregate scattered data points into a cohesive, high-resolution psychographic profile linked to their biometric data.

This cognitive dissonance is alarming. On one hand, there is a global call for stricter measures against AI misuse. On the other, we treat our sensitive personal data as currency to purchase a fleeting moment of social media engagement.

From a legal and data privacy perspective, this normalization of “data surrender” carries inherent risks. When individuals participate in these trends, they are not merely “playing” with AI; they are actively training it. Algorithms learn to recognise faces, understand contexts, and map lives with increasing precision. Every piece of data fed into these models contributes to a digital profile that renders individuals increasingly identifiable and vulnerable to targeting.

The implications for the vulnerable—particularly children—are profound. While children cannot legally provide consent, the long-term privacy implications of their digital footprints, established by well-meaning adults uploading their images for AI-generated content, are significant. Such actions contribute to an ever-expanding digital dossier for a child, established without their future agency or understanding.

This is not to suggest that technology is inherently malicious, nor that progress should be halted. Innovation offers immense benefits and is crucial for societal advancement. However, it is imperative to critically assess the terms of our engagement with these powerful tools.

We cannot effectively advocate for robust protections against the non-consensual weaponization of AI if we simultaneously cultivate a culture of uncritical over-sharing. Responsible digital citizenship requires a clear understanding that privacy is not merely a passive right to be enforced, but an active discipline that individuals must exercise.

To foster a digital ecosystem that genuinely respects human dignity and drives responsible innovation, we must shift our collective mindset. We must recognise that in the age of AI, our identity—our face, our history, our context—is our most valuable asset. Protecting it demands not just robust legal frameworks against exploitation, but also a conscious cultivation of data hygiene and digital discernment.

[Feature Article] The Star Newspaper: AI Bill to Iron Out Usage

AI Bill to Iron Out Usage

Published by The Star on 29 Jan 2026

PETALING JAYA: The Artificial Intelligence (AI) Governance Bill is a necessary and timely step toward responsible AI deployment in Malaysia, and clearer laws give confidence and certainty to investors and developers as more users adopt AI in their daily lives, say experts on the matter.

Lawyer Thulasy Suppiah, who specialises in cybersecurity, AI, data centres and emerging technologies, said that clear rules can help reduce regulatory ambiguity, allowing companies to design, deploy and invest in AI without fear of sudden bans, inconsistent enforcement or reputational risk.

“A legal framework signals that Malaysia welcomes AI-driven investment responsibly, with accountability across the AI lifecycle. Without clear rules, trust erodes and trust is essential for sustainable AI growth and foreign investment.

“It ensures innovation grows with safeguards, not at the expense of women, children and vulnerable groups who are often the first to be victims of misuse of AI.

“Embedding accountability across the AI lifecycle also strengthens protection against misuse, including exploitation, harassment and deception,” she said in response to Malaysia’s first AI Governance Bill.

Asked about the challenges in coordinating with other agencies and laws on AI and threats such as deepfakes and AI-enabled scams, Thulasy said AI risks cut across multiple domains, including data protection, cybersecurity, content safety, fraud and consumer protection, requiring close coordination.

As such, she said aligning enforcement while avoiding overlap or gaps between agencies is complex, but necessary to ensure real-world protection, especially for women and children.

“The challenge is balancing speed, clarity, and proportionality without stifling legitimate innovation,” she said.

Cybersecurity expert Fong Choong Fook said the Bill should include risk classifications when it comes to AI systems alongside mandating impact assessments for high-risk AI.

Independent audits and conformity assessments are needed to ensure compliance alongside constant monitoring.

Fong said the Bill should enhance coordination efforts with existing enforcement regulations.

“It should supplement instead of duplicate. The key is ensuring accountability across the entire AI lifecycle.”

Malaysia, he said, should adopt a hybrid model when it comes to regulating AI.

This would comprise the formation of a central AI authority to set standards and coordinate oversight while sector regulators, such as those in the finance and telecommunication industries, carry out enforcement through their own domains.

“This provides consistency without losing on expertise,” he said. On deepfake content, Fong said watermarks must be made mandatory for high-risk and high-reach content.

“We also need stronger platform takedown obligations, where platforms must comply with local regulations and will take swift action to remove non-compliant content, upon request,” he said.

Universiti Putra Malaysia (UPM) AI specialist Azree Nazri said the Bill should mandate security-by-design standards to mitigate risks such as automated scams, system abuse and AI-enabled attacks.

“High-risk AI systems should undergo mandatory adversarial testing, strict model access controls and continuous monitoring with incident reporting,” he said.

On AI-enabled scams, Azree said telecom-style deterrents could form part of new measures to curb this.

He also stressed avoiding regulatory overlap to ensure aligned enforcement, prevent duplicate investigations, and deliver consistent oversight.

[Feature Article] The Star Newspaper: AI Grok Controversy a Case Study in Product Liability

AI Grok Controversy a Case Study in Product Liability

Published by The Star on 15 Jan 2026

By Thulasy Suppiah, Managing Partner

THE decision by the Malaysian Communications and Multimedia Commission (MCMC) to block access to the AI chatbot Grok is a decisive, albeit reactive, measure. This action, taken to prevent content that creates liability under Malaysian laws including Section 233 of the Communications and Multimedia Act 1998, serves as a necessary firebreak against the unchecked proliferation of non-consensual, sexually explicit deepfakes.

However, this incident also underscores the timeliness of the Online Safety Act 2025 (ONSA), which came into force on Jan 1. ONSA fundamentally reshapes the liability landscape by designating social media platforms as Licensed Service Providers. It explicitly classifies child sexual abuse material and financial fraud as ‘priority harmful content’ which must be blocked as swiftly as possible.

While the ban addresses the immediate symptom, we must recognise that the threat is no longer theoretical or confined to foreign platforms. It is local, and it is already in our classrooms.

The case in Johor Bahru last year, where a teenager allegedly used AI to create explicit deepfake images of his schoolmates, was an early warning. More recently, in December 2025, a school in Muar expelled three students for similar conduct, where manipulated images of female classmates were circulated online.

These incidents demonstrate that the technology is accessible, easy to use, and weaponisable by anyone. This highlights the limitations of reactive bans. Even if we block commercial platforms like Grok, open-source models remain accessible to the tech-savvy.

Therefore, for the legal and business fraternity, the Grok controversy is a case study in product liability.

The developers of Grok deployed a tool with known vulnerabilities—specifically, the capability to “digitally undress” subjects, including minors—without adequate safeguards. From a legal standpoint, relying on after-the-fact reporting for foreseeable harms is no longer an acceptable defense. We are witnessing the collision between the Silicon Valley ethos of “move fast and break things” and the sovereign duty of nations to protect human dignity.

Critics often argue that strict regulation will stifle innovation and deter foreign direct investment (FDI). This is a false dichotomy.

High-value, institutional investors and serious technology majors do not seek a regulatory “Wild West.” They seek regulatory certainty. An ecosystem where AI tools can be weaponized to generate pornography or harass citizens is inherently unstable and fraught with legal risk. By enforcing clear standards, Malaysia is not repelling investment; it is filtering out high-risk actors and creating a safe harbour for responsible AI development.

Thus, we must pivot from reactive bans to a proactive “Safety by Design” framework.

Any AI entity seeking market access in Malaysia should be compelled to demonstrate that safety guardrails are intrinsic to the code, not an afterthought. Just as we require safety certifications for imported vehicles or pharmaceuticals, we must require Algorithmic Impact Assessments for generative AI tools. If a platform cannot technically guarantee that it will not generate child sexual abuse material (CSAM) upon a simple prompt, it is not “market-ready.”

Our legal response moving forward must be two-pronged.

First, on the supply side, we must enforce corporate accountability. Tech giants can no longer claim neutrality; if their product design facilitates abuse, they must share the liability.

Second, on the demand side, we need urgent digital legal literacy. The public, especially the youth, must understand that using AI to generate non-consensual explicit imagery is not a “prank” or a technological experiment. It is a potential criminal offence with severe consequences under our Penal Code and the Sexual Offences Against Children Act.

The Grok ban is a necessary firebreak, but it is not a permanent solution. The future belongs to AI, but sustainable innovation requires a social license to operate. Malaysia has the opportunity to lead ASEAN not just in digital adoption, but in crafting a governance framework where technology respects the law, and the law understands technology.
