What is the ASEAN Guide on AI Governance and Ethics?
Global AI regulation
The ASEAN Guide on AI Governance and Ethics is a voluntary regional guide, endorsed by ASEAN in 2024, that helps organisations and governments design, develop and deploy AI responsibly across Southeast Asia. It is not a binding law. Instead, it sets a shared governance baseline, built around core ethical principles, risk-based human oversight, operational controls and stakeholder communication, so that AI practices are more interoperable across ASEAN's different legal systems.
What this means
The ASEAN Guide on AI Governance and Ethics is ASEAN's common reference point for responsible AI governance at organisational level. It was developed by ASEAN member states as practical guidance for people who build, buy, deploy or oversee AI, especially in a region where legal systems, regulatory maturity and business contexts differ from one country to another.
It is important to separate this guide from hard law. The guide itself says adoption is voluntary and that it does not replace or change legal duties under member state law. In practice, that means it is a governance playbook, not an ASEAN-wide AI Act.
The guide is also more practical than a short list of abstract principles. It combines ethical principles with a four-part governance framework, a risk impact assessment template, policy recommendations for governments and real use cases from organisations operating in ASEAN.
Why it matters
For organisations, the guide matters because AI risk in ASEAN is rarely a one-country issue. A business may build a model in one place, deploy it in another, process data across borders and sell into several markets at once. The guide gives boards, founders, procurement teams, compliance leads and public sector operators a shared structure for asking the right questions before AI is put into real use.
That structure is especially useful where formal law is still uneven or still developing. The guide helps organisations document who is responsible, how much human oversight is needed, what testing and monitoring should happen, how users should be informed and how complaints or review requests should be handled. Even where it is not mandatory, that kind of record can support internal approval, buyer due diligence, risk management, assurance work and conversations with regulators.
It also matters as a signal of regional direction. ASEAN has since used the guide as a foundation for follow-on work, including a working group on AI governance, a 2025 expansion for generative AI and a 2026 to 2030 plan to operationalise the guide through regional coordination and national adaptation. So while the guide is voluntary, it is also part of the architecture shaping how ASEAN expects responsible AI to mature.
How it works
Legal status and scope
The guide was published in February 2024 and endorsed at the 4th ASEAN Digital Ministers' Meeting in Singapore. It presents itself as an ASEAN-endorsed framework and a "living document" that should be reviewed over time as technology and regulation change. Its core audience is organisations in the region that design, develop and deploy traditional AI, and it also contains national and regional recommendations intended for policymakers.
Its legal status is the first thing to understand properly. The guide states that adoption is voluntary. It also says nothing in it replaces or supersedes existing or future law in ASEAN member states. So the guide can influence practice, procurement, policy and future regulation, but it does not itself create direct binding duties in the way a statute or regulation would.
That point matters because the guide is meant to improve interoperability, not impose legal uniformity. ASEAN is using it to reduce fragmentation in governance practice while leaving domestic law, sector supervision and national policy choices to member states.
The seven principles
The guide sets out seven principles that anchor responsible AI governance in the region. These are transparency and explainability, fairness and equity, security and safety, human-centricity, privacy and data governance, accountability and integrity, and robustness and reliability.
Taken together, they push organisations to do more than publish high-level ethics statements. Transparency and explainability ask whether people know when AI is being used and can get an understandable account of how important decisions are reached. Fairness and equity ask whether data and model design could disadvantage particular groups. Security and safety ask whether the system has been assessed for harmful failure, misuse or attack. Human-centricity asks whether the system serves people rather than manipulating or sidelining them.
Privacy and data governance are especially important in ASEAN because organisations often operate across several data protection regimes. Accountability and integrity require named responsibility, governance ownership and documented decision-making. Robustness and reliability push organisations to test systems properly, monitor them in operation and maintain performance when real-world conditions shift.
The organisational governance mechanics
The guide turns those principles into a four-part governance framework for organisations.
First, it covers internal governance structures and measures. Organisations are encouraged either to adapt existing governance arrangements or create new ones so that AI has clear oversight. The guide gives examples such as a multi-disciplinary AI ethics advisory board or committee with input from legal, technical, privacy, risk and business functions. The core point is not that every organisation needs a grand new committee. The point is that somebody must own AI governance, roles must be clear and decisions must be traceable.
Second, it covers the level of human involvement in AI-augmented decision-making. The guide proposes a risk-based method that looks at factors such as the severity and likelihood of harm and how many people could be affected. On that basis, organisations can decide whether a use case should be human-in-the-loop, human-over-the-loop or human-out-of-the-loop. That makes the guide practical for teams trying to decide when humans should review, override or simply monitor an AI system.
Third, it covers operations management. This is where the guide becomes operational rather than rhetorical. It addresses data collection and processing, dataset quality, representativeness, bias checks, documentation of data lineage, explainability techniques, testing before deployment, monitoring after deployment and ongoing model review or tuning where appropriate. It also recognises that AI systems change over time and that data drift, performance degradation and reinforcement of bias can appear after launch, not just before it.
Fourth, it covers stakeholder interaction and communication. The guide expects organisations to think about what users, affected individuals, employees and other stakeholders need to know. That can include telling users when AI is being used, giving fuller explanations where decisions materially affect them, providing channels for feedback or complaints, allowing decision review where appropriate and considering whether people should be able to opt out of an AI-enabled service in some contexts.
The guide also includes an annexed AI Risk Impact Assessment template, adapted from Singapore's implementation guidance. That matters because it shows the kind of evidence the guide is meant to generate: governance charters, risk assessments, approval records, test logs, data lineage records, user notices, complaint routes and human review trails. Those records are what make governance visible to audit, assurance and procurement teams.
What policymakers are invited to do
Although the guide is often discussed as an organisational framework, it also contains explicit recommendations for governments. At national level, it encourages member states to nurture AI talent, support the innovation ecosystem, invest in AI research and development, raise public awareness and promote practical tools businesses can use to implement AI governance.
At regional level, the guide proposed three notable next steps. One was the creation of an ASEAN working group on AI governance. Another was follow-on work to adapt the guide for generative AI. A third was to build a compendium of use cases showing how organisations in ASEAN apply the guide in practice.
ASEAN has since moved on each of those fronts. In 2024, ministers in the science and technology track described the guide as a foundational document for effective AI governance in the region and noted the establishment of a working group on AI governance under the ASEAN digital track. In 2025, ASEAN welcomed the Expanded ASEAN Guide on AI Governance and Ethics - Generative AI. In the ASEAN Digital Masterplan 2030, adopted for 2026 to 2030, ASEAN scheduled work to operationalise the guide, the generative AI expansion and the Responsible AI Roadmap, and it linked that work to regional coordination, risk oversight and member state adaptation into law, policy and sector rules.
How it relates to domestic law
The guide is intentionally interoperable, but it is not detached from domestic law. It tells organisations to consider the legal and regulatory requirements of the countries where an AI system will be deployed. It also points to privacy and data protection law across ASEAN member states as a live compliance layer that remains fully applicable.
That means a company cannot treat the guide as a compliance shield. A deployer still needs to ask ordinary legal questions country by country: is personal data being processed, is there a sector rule that applies, are there consumer protection duties, are there employment implications, is there a public procurement requirement, is there a product safety issue, and who is accountable if harm occurs?
The guide's real value here is as a cross-border baseline. It gives multinational and regional operators a common internal governance structure that can then be adjusted for local legal requirements. In that sense, it sits between global principles and national law.
How it compares with adjacent instruments
The guide did not appear in a vacuum. It expressly draws from Singapore's Model Artificial Intelligence Governance Framework, the OECD Recommendation on AI, UNESCO's Recommendation on the Ethics of Artificial Intelligence and the European Commission's ethics guidance. That matters because ASEAN is not trying to invent a wholly separate doctrine. It is trying to build a regional guide that can talk to other international frameworks.
Compared with the OECD AI Principles, the ASEAN guide is narrower geographically but more operational for organisations. The OECD instrument is a broader intergovernmental standard with values-based principles and recommendations to governments. The ASEAN guide keeps that spirit of trust and interoperability but adds more detail on governance structures, human oversight, testing, monitoring and communication inside organisations.
Compared with an AI management system standard such as ISO/IEC 42001, the ASEAN guide is less formal and not a certifiable management standard. ISO/IEC 42001 specifies requirements for establishing, implementing, maintaining and continually improving an AI management system across an organisation. The ASEAN guide is better understood as governance content that can be mapped into that kind of management system. If a team wants a practical route from principle to documented process, the guide can supply the substance and an AI management system can supply the operating discipline.
Examples
A Philippine conglomerate example in the guide shows what internal governance can look like in practice. Aboitiz describes a model governance framework with clear responsibilities for AI-related programmes, defined risk assessment protocols and a management committee that includes security, data protection, risk, technology, audit and business leaders. It also uses pre-development and pre-deployment AI risk assessments to decide risk appetite and the right level of human involvement in AI-driven decisions. That is a concrete example of the guide's "internal governance" and "human involvement" components being turned into approval machinery.
An Indonesian platform example shows the guide's operations discipline. Gojek tests machine learning models against predefined offline benchmarks before release, checks whether variation stays within acceptable thresholds and then continuously monitors models after deployment. In other words, the guide's ideas on pre-deployment testing, monitoring, repeatability and ongoing review are not abstract. They can be translated into a release process with gates, thresholds and post-launch observation.
A Singapore healthcare example shows how the guide connects privacy, data governance and transparency. UCARE.AI's hospital billing predictor is described as using consent-based personal data handling, encryption of sensitive data, anonymisation at source, central logging for data lineage and clear communication to clients and patients about the model's use. That reflects the guide's expectation that responsible AI is not just about model quality. It is also about lawful data handling, documentation and an understandable account of how AI affects people.
Common misunderstandings
"It is ASEAN law." No. The guide is voluntary regional guidance, not a binding ASEAN regulation.
"It is only for companies that build foundation models." No. It is written for developers and deployers across the AI value chain, including public bodies and organisations buying or operating AI.
"It is basically a privacy document." No. Privacy is only one part of it. The guide also covers fairness, safety, human oversight, governance ownership, robustness and stakeholder communication.
"It already fully settles generative AI governance." No. The 2024 guide focused on traditional AI and flagged generative AI as an area needing follow-on work. ASEAN later issued a separate expansion for generative AI.
"If we follow it, we are legally compliant everywhere in ASEAN." No. The guide itself says local law still applies and must be checked in each country and sector.
Risks and boundaries
The guide is useful precisely because it is broad and flexible, but that is also its limit. It does not tell every organisation exactly what control to apply in every sector, nor does it create a regional certification, a common regulator or a single ASEAN risk taxonomy with legal force. Two organisations can both say they "follow the guide" while producing very different levels of documentation and control.
Its original scope is another boundary. The 2024 text was framed around traditional AI, even though it already identified important generative AI risks and asked ASEAN to build follow-on guidance. ASEAN has since done that through the Expanded ASEAN Guide on AI Governance and Ethics - Generative AI, but organisations using large language models, synthetic media or other generative tools should not stop at the 2024 guide alone.
There is also a practical boundary around evidence. A principle-based guide only works if organisations translate it into records and routines. Without risk assessments, approval gates, testing logs, monitoring procedures, user notices and review channels, a business may have a policy document but little real governance.
Finally, the legal setting around the guide can still develop. The guide's voluntary status is clear, but member states may increasingly adapt its principles into domestic law, sector rules, procurement conditions or supervisory expectations. That means the guide is stable as a regional baseline, while the legal force around it may become stronger indirectly through national implementation.
What to do next
Start by identifying where AI is actually being used across the organisation, including models bought from vendors, internal analytics tools and customer-facing features. Then classify those uses by the guide's logic: what harm could occur, how severe would it be, how likely is it, how many people could be affected and what level of human review is justified.
Next, assign governance ownership. That does not always require a new committee, but it does require named accountability across legal, privacy, security, risk, technical and business teams. Leaders should make sure AI governance is connected to existing enterprise risk, data protection and internal control processes rather than left as a side project.
Then create an evidence pack. In practice that means an AI governance policy, role and responsibility records, risk impact assessments, data lineage and data quality controls, benchmark and monitoring records, user-facing disclosures, feedback routes and decision review procedures. If the organisation operates across several ASEAN markets, map that pack to local law in each jurisdiction.
Finally, treat the guide as a baseline, not the end state. For senior teams, the next step is usually to map the guide to adjacent frameworks, especially domestic regulation in the countries where they operate, the OECD principles for broader policy alignment and an AI management system if they need a more formal operating model.
FAQs
Is the ASEAN Guide on AI Governance and Ethics legally binding?
No. It is voluntary guidance endorsed by ASEAN. It does not replace or change legal duties under member state law.
Who is the guide for?
It is aimed at organisations and governments in the region, especially people who design, develop, deploy, buy or oversee AI systems.
Does it apply to generative AI?
The 2024 guide was mainly framed around traditional AI, but it flagged generative AI as a major area for follow-on work. ASEAN later issued a separate expansion for generative AI in 2025.
Can a company outside ASEAN use the guide?
Yes. Any organisation operating in ASEAN, selling into the region or looking for an interoperable governance baseline can use it. It is not limited to ASEAN-headquartered firms.
How is it different from the OECD AI Principles?
The OECD AI Principles are a broader intergovernmental benchmark. The ASEAN guide is more region-specific and more operational for organisations, especially on governance structures, human oversight and day-to-day controls.
Does following the guide prove compliance with local law?
No. It can help organise governance and create useful records, but organisations still need to comply with the laws and sector rules of each country where the AI system is used.
Does the guide require every company to create an AI ethics board?
No. It allows organisations to adapt existing governance structures where that is more proportionate. The key requirement in practice is clear ownership and traceable decision-making.
How does it relate to an AI management system?
The guide provides governance content and practical control areas. An AI management system standard gives a more formal organisation-wide structure for running those controls consistently and documenting them over time.