Navigating APAC’s Mixed Approach to AI Regulation — Without Hitting Road Blocks

Asia-Pacific is emerging as a critical battleground in the global AI race. The region’s AI investments are projected to reach $175 billion by 2028, growing by more than 30% over the next few years, but this commercial momentum is building without the regulatory cohesion seen in Europe or North America.

For companies deploying AI across Asia-Pacific (APAC), expanding in the region often means navigating a regulatory environment that shifts from market to market, with few shared standards and scant coordination.

In China, companies must register their algorithms with authorities and label AI-generated content, imposing millions of dollars in fines for AI misuse, while in Singapore, firms are encouraged to self-regulate through voluntary toolkits and ethical guidelines. In South Korea, a sweeping AI law will soon impose strict oversight on high-impact systems, but in Japan, compliance with many AI principles remains optional. India is weighing transparency rules under broader tech reforms, while Australia is updating sector-specific laws without touching AI directly.

“There are no harmonized or established practices to address APAC’s highly fragmented AI regulatory environment,” Kensaku Takase, partner at law firm Baker McKenzie in Tokyo, told CCI. 

For compliance teams, the result is a network of rules that rarely connect. A green light in one country is a red light in another, creating uncertainty at every turn. The challenge is building an AI strategy that avoids fragmentation without slowing development or adding unnecessary risk. The question now is how compliance officers can navigate this shifting landscape while keeping innovation moving and staying within regulatory boundaries.

Adapting to the maze

Leesa Soulodre, founder and managing partner of deep tech venture capital firm R3i, and a founding board member of the AI Asia Pacific Institute, told CCI that most firms are stuck between two unworkable options: rebuilding governance for every jurisdiction or hoping regulators do not notice the gaps.

“The ones succeeding are taking a third approach: a global governance baseline with modular, jurisdiction-specific overlays. One compliance engine, multiple regulatory profiles,” said Soulodre, who stressed that what works in practice is centralized model registry and lineage tracking, automated risk classification and federated but auditable decision-making. “Winners invest in infrastructure that absorbs complexity, rather than throwing people at the problem.”

No one-size-fits-all approach is possible, and companies in different industries take different paths, Takase said. 

“What we are seeing, both in APAC and globally, is that companies deeply invested in AI, despite having governance frameworks in place, avoid anything that could slow innovation and therefore take a more business-friendly, less stringent approach.” In effect, this means anchoring their approach to the least restrictive regulatory regimes in the region. 

Achieving full compliance across all of APAC is a challenge, Takase said. 

“In light of these complexities, organizations should consider adopting a pragmatic, risk-based approach to AI governance, prioritizing transparency, accountability and adherence to local requirements while maintaining flexibility to adapt to emerging regulations,” he said.

Dhiraj Badgujar, senior research manager at research house IDC Asia-Pacific, specializing in AI developer strategies, told CCI that APAC businesses are dealing with the region’s fragmented AI standards by adding ongoing regulatory monitoring to their GenAI lifecycle and using Singapore’s model AI governance framework (MGF) as a regional reference point. The MGF has proved appealing given its early adoption, practical structure and alignment with risk-based regulatory thinking.

“Centralized compliance teams and regional working groups are standardizing key controls like logging, provenance and human-in-the-loop protections,” Badgujar said. “They are also making sure that regulations fit the risk profile of each market.”

Su Lian Jye, chief analyst at technology research and advisory group Omdia, told CCI that companies in APAC are taking a layered approach to AI compliance in which the global legal/compliance function establishes broad policies and local teams apply “country-specific documentation.” 

Ethics

Advice for the AI Boom: Use the Tools, Not Too Much, Stay in Charge

by Vera Cherepanova

November 19, 2025

How can ethics and compliance leaders call for prudence without being seen as resistant to progress?

Read moreDetails

Building smart defenses

For US and overseas firms deploying AI across Asia-Pacific, success increasingly hinges on the right internal safeguards, including governance measures that can flex across borders without falling short of local expectations. For example, Amazon Web Services has voiced its support for Singapore’s national AI strategy 2.0 (NAIS), while Microsoft partnered with Straits Interactive to ensure better AI compliance in the country.

Yuki Kondo, associate at Baker McKenzie in Tokyo, told CCI that for overseas firms operating in the region, key steps for building an effective governance framework include the designation of responsible officers, comprehensive assessment of AI usage and business needs and the development of internal policies and guidelines.

“Assigning dedicated officers or committees to oversee AI governance ensures accountability and facilitates consistent implementation of compliance measures,” Kondo said. “Clear, well-documented policies provide a foundation for responsible AI deployment. These should reflect both global standards and local regulatory nuances.”

Two areas that require particular attention when formulating internal policies are data handling, including safeguarding personal data and trade secrets in AI inputs, and intellectual property, addressing copyright and related IP considerations in AI outputs, Kondo said.

For Soulodre, this is where execution beats policy. Overseas firms will need “a governance platform, not a policy binder,” as manually tracking deployments and incidents can lead to failure under pressure.

“Automated provenance and transparency logs. Regulators want forensic detail: training data sources, validation tests, drift detection and benchmark history. Real-time incident response with evidence. Not ‘we think we fixed it’; instead, logged detection windows and remediation trails,” Soulodre said. “Vendor and supply-chain assurance. Most AI risk enters through third-party models. You need systematic evaluation, not ad-hoc diligence.”

Soulodre also recommends localized compliance without infrastructure duplication: “Five markets should not require five separate implementations.”

Singapore, South Korea and Australia are among the countries that are embracing “model governance” as an alternative discipline to application governance, Badgujar said. For instance, as rules change, GenAI-infused software development now routinely logs model definitions, data sources and validations to ensure compliance and traceability, he said.

For example, the Australian Prudential Regulation Authority (APRA) requires AI risk control integration in regulated businesses. This ensures that AI decision-making systems are developed in a responsible way.

Badgujar said that, to manage differing privacy and data localization requirements, overseas businesses operating across Asia-Pacific are putting in place robust data and model provenance controls, including lineage tracking, audit trails and safeguards for cross-border transfers. Formal impact and risk assessments, often based on Singapore’s framework, are also becoming standard practice.

“AI risk classification would be most important, as most AI laws or governance are risk-based,” Jye said. “Companies also need to establish clear data management and governance policies that meet the local data localization rules and data protection laws. We would also suggest that companies prepare clear documentation on model cards, lineage of datasets, versioning, test results, fairness and bias metrics and concise ‘explainability’ summaries for regulators and impacted users.”

What’s coming down the road

Looking ahead, which regulatory trends or policy developments should multinational companies be preparing for now? It’s anybody’s guess.

“This is actually an incredibly difficult question to answer,” Aya Takahashi, associate at Baker McKenzie in Tokyo, told CCI. “Unlike privacy law, where the GDPR was the clear trend setter and global gold standard, for AI, countries are adopting their own approaches.”

So far, few countries are copying the approach developed by Europe’s AI Act, Takahashi said. Instead, monitoring key legal developments, particularly in countries where a company is active and which has stronger regulation, is essential/

“While many jurisdictions in Asia still favor soft law approaches, notable developments are emerging. For example, Vietnam’s release of a draft AI law in late September signals a shift toward formal regulation in the region” Takahashi said. “Although current trends, such as the US executive order promoting AI leadership and the EU’s digital omnibus initiative, reflect a policy environment supportive of innovation, the broader adoption of AI is likely to drive stricter regulatory measures over time.”

 “APAC is moving toward more specialized, sector-based AI rules, especially in healthcare and financial services,” Badgujar said. “At the same time, Singapore, India and South Korea are having policy talks and working together to make ASEAN more unified.” Such talks are helping to set uniform standards for risk management, explainability, auditability and AI output labelling.

Badgujar said companies should be preparing for stronger forms of algorithmic accountability, including independent AI audits, explainability requirements and regulatory certification, particularly in sectors like banking, healthcare and telecommunications. He added that GenAI development teams will also need training on ethics, model limitations and liability, alongside technical guardrails to reduce risks like hallucinations and data misuse.

More countries will impose data localization or strict transfer safeguards for sensitive datasets, Jye predicted, while some governments and standard bodies will likely push for mandatory AI assessments and audits in the next few years.

The region is heading toward mandatory high-risk AI registries, said Soulodre, with regulators expecting automated, auditable reporting, not manual compilation: “Regulators want logs, not intentions. A shift from ‘policy exists’ to ‘systems enforce governance.’”

“Even without harmonized enforcement, APAC regulators are informally aligning on classification, transparency and testing expectations,” Soulodre added. “The companies winning in APAC right now are not the ones with the most sophisticated policies. They are the ones that have made AI governance operational: sustainable, auditable and scalable. Policy is no longer the constraint. Execution is.”