
An AI governance framework is a management structure in which an organization integrates policies, accountability assignments, risk management, and oversight mechanisms to ensure the safe and responsible use of AI. As AI adoption in business operations expands, continuing to operate without such a framework directly exposes organizations to business risks such as regulatory violations and data breaches.
This article is intended for corporate planning, legal, IT, and compliance professionals at companies operating across multiple ASEAN countries, and explains the steps for building an AI governance framework from scratch. It covers, in order: the rationale and prerequisites for establishing such a framework, a three-step construction process, recommended team structures and timelines, common pitfalls and how to avoid them, and methods for embedding and scaling the framework. By the end, readers should have a clear picture of where to begin within their own organization.
For companies operating across multiple ASEAN countries, an AI governance framework is no longer simply "nice to have" — it is becoming a prerequisite for business continuity. The reasons lie in the complexity of regulations across individual countries and the magnitude of risks that arise in the absence of governance.
This section begins by examining the unique challenges of multi-country operations, the dangers of operating without a framework, and the perspective of turning governance into a source of competitive advantage.
Each ASEAN country has developed its own legal framework governing data protection and AI use. Thailand's PDPA, Vietnam's personal data protection legislation, Indonesia's PDP Law, and others all differ in scope, consent requirements, and rules on cross-border data transfers.
A company operating in only one country can meet its obligations simply by complying with that country's regulations. However, a company with operations in multiple countries must simultaneously satisfy the differing requirements of each jurisdiction. A use of AI that is permissible in one country may violate regulations in another. Moreover, regulations will continue to be updated, meaning compliance is never a one-time effort.
This complexity exceeds what frontline staff can reasonably handle through individual, ad hoc judgments. An overarching framework is needed to track regulatory developments across each country and translate them into actionable responses for the organization. For more on regulatory differences across ASEAN, see ASEAN AI Regulation Trends by Country and A Comparison of ASEAN Data Protection Laws.
When AI use spreads internally without a governance framework in place, several typical risks tend to materialize.
One is the use of AI outside organizational oversight — commonly referred to as Shadow AI. Employees may input confidential information into tools unknown to the company, creating potential pathways for data to leak externally. Another risk is regulatory non-compliance: using AI to process personal data in ways that violate data protection laws in any given country can result in penalties or regulatory action. There is also the risk of financial loss from business decisions made on the basis of erroneous AI outputs, as well as reputational damage with clients and customers when problems come to light.
Research firms and consulting companies have noted that AI governance mechanisms are shifting in status from "optional initiatives" to "essential infrastructure." The broader a company's multi-country footprint, the wider the impact when risks materialize. The risks associated with unmanaged AI use are covered in detail in What Is Shadow AI? Organizational Risks and Management Approaches.
An AI governance framework is not solely a "defensive" measure aimed at containing risk. A well-structured framework also serves as an "offensive" foundation that actively enables AI adoption to move forward.
When rules and decision-making criteria remain ambiguous, frontline staff are left uncertain about whether they are permitted to use AI at all — while, paradoxically, unmanaged use tends to proliferate. Clear policies and approval processes allow frontline teams to use AI with confidence within sanctioned boundaries, ultimately accelerating the pace of adoption.
For companies operating across multiple ASEAN countries, having a well-established governance framework in itself serves as a signal of trustworthiness to business partners and regulators alike. Framing AI governance not as a "cost" but as "an investment that enables responsible AI adoption" is also an effective perspective for building internal momentum behind framework development.
Before getting into the steps, two prerequisites need to be firmly established: management commitment and the appointment of a responsible owner, and an inventory of your organization's current AI usage. Without these in place, any governance framework risks becoming a structure that exists in name only.
An AI governance framework is an initiative that spans departments and involves many stakeholders. Because it touches legal, IT, individual business units, and local subsidiaries, bottom-up momentum from the field alone is not enough to drive it forward. The starting point is having senior leadership understand the need for it and offer their clear support.
Appointing a responsible owner to handle day-to-day operations is equally essential. Whether a dedicated role is created or an existing executive takes it on concurrently will depend on the size of the organization, but the question of "who is accountable for AI governance" must never be left ambiguous. Creating a committee without a designated owner leads to stalled decision-making and stagnant activity.
In recent years, many companies that are scaling up their AI adoption have positioned governance as a company-wide program championed from the top. For more on organizational design with AI in mind and the role of a responsible owner, What Is an AI-Native Organization? A Guide to the Chief AI Officer Role is also worth referencing.
The next step is to take stock of how AI is currently being used within your organization. This is the foundational work for designing your governance framework.
What you need to confirm is which departments and locations are using which AI tools, for which tasks, and with what data. This should cover not just headquarters but also subsidiaries in each country. Creating a policy without first understanding the current state will result in something disconnected from on-the-ground reality — a plan that looks good on paper but goes nowhere.
It is not uncommon to discover unexpected AI usage during the inventory process. That in itself serves as evidence of why a governance framework is needed. The usage landscape you uncover will be referenced repeatedly in subsequent risk assessments and policy development. The concept of organizationally managing AI agent operations is also covered in What Is AgentOps — A Guide to Designing an AI Agent Operations Organization.
From here, we explain the actual steps for building an AI governance framework in three stages: establishing a committee and developing policies; conducting risk assessments and mapping regulations across countries; and embedding monitoring and auditing.
The first step is to establish an AI governance committee and define an AI usage policy.
The committee should be cross-functional in composition. In addition to senior leadership, legal, IT, and key business units, if you have operations across ASEAN countries, representatives from local entities should be included as well. Rules decided solely at headquarters tend to fail to reflect local realities and are prone to becoming hollow formalities. The committee's responsibilities include approving policies, reviewing significant AI use cases, and determining how to respond to regulatory changes.
The AI usage policy should clearly distinguish between permitted uses, prohibited uses, and uses that require prior approval. Examples include rules for entering confidential information or personal data into external AI services, and verification procedures for using AI outputs in business decisions. It is important that the policy goes beyond abstract principles and carries enough specificity that people on the ground can use it to make judgment calls.
Next, assess the risks associated with AI use and map them to the regulatory requirements of each country.
Begin by identifying the risks associated with your organization's AI use and compiling them into a risk register. Evaluate the likelihood and impact of risks from the following perspectives: data breaches, regulatory violations, losses due to erroneous outputs, and discriminatory or unfair outcomes.
From there, create a mapping that aligns the regulatory requirements of each country where you operate with the measures your organization should take. For example, in countries with restrictions on cross-border data transfers, define how data from those countries will be handled. In countries with strict consent requirements, design a consent process to be completed before allowing AI to use personal data. The specific details of each country's regulations can be organized starting with the Comparison of ASEAN Data Protection Laws as a reference point. This mapping will serve as the basis for frontline staff to determine "what should we do in this country?"
The third step is to embed a monitoring and auditing framework that continuously verifies whether the established rules are being followed.
Policies and risk responses, even if correct at the time of creation, are meaningless if not put into practice. Put in place a logging mechanism to record AI usage, regular internal audits, and a reporting and response flow for when policy violations or incidents occur. This enables early detection of issues and facilitates corrective action.
Equally important is periodically reviewing the framework itself. Regulations across ASEAN countries will continue to evolve, and new AI tools will emerge one after another. It is advisable to build in an operational process whereby the committee updates policies and the risk register at regular intervals to keep pace with changes in regulations and tools. AI governance is not a "build it once and you're done" endeavor—it is a framework that must be continuously maintained.
When actually working through the three steps, deciding on who will drive the process and how—along with the order of priorities for getting started—will help keep the build from stalling.
Building an AI governance framework cannot be accomplished as a side task. First, designate a person or team at headquarters to serve as the central driver, acting as a bridge between the committee and frontline operations.
It is also important to decide early on how to involve offices across ASEAN countries. Mobilizing all locations simultaneously places a heavy burden on the organization, so it is advisable to start with key locations and use them as model cases for rollout to other countries. Designate a single point of contact at each location and establish a channel for regular information exchange with the headquarters' driving team.
A common pitfall in building out the framework is treating it as a temporary project limited to the construction phase. Since the framework must continue to operate once it enters the operational phase, decide from the outset who will be responsible for maintaining it after the build is complete.
Attempting to apply all three steps simultaneously across every country and every business function places a heavy burden on the organization and is prone to failure. A practical approach is to start small with clear priorities.
Priorities should be determined by the magnitude of risk. Starting with operations that handle large volumes of personal data, offices in countries with stringent regulations, and departments where AI use is already widespread will make results more visible. Conversely, areas where AI use is still limited can be addressed later.
Begin by establishing the core structure—committee, policies, and monitoring—at headquarters and key locations, then use the insights gained to roll out to other locations. Rather than aiming for perfection from the start, build small, put it into operation, and expand while making improvements. This approach allows for flexible responses even if regulations or tools change along the way.
An AI governance framework only becomes meaningful when it is actually put into operation — not simply when it is created. There are two common failure patterns frequently observed in multinational companies that are worth keeping in mind.
The most common failure is policies becoming hollow formalities at the operational level.
Even a well-crafted policy document loses its value if it fails to reach frontline staff, or if its content is too abstract to be applied to concrete decisions — eventually, no one refers to it. Without a mechanism to verify compliance, violations can go unnoticed.
There are two ways to avoid this. First, write policies with enough specificity that frontline staff can actually use them. Rather than "manage appropriately," drill down to the level of "do not enter this type of data into this tool." Second, continuously deliver policies to the frontline through training and monitoring, and keep verifying how they are being applied in practice. Prioritize real-world effectiveness over the polish of the document itself.
A failure pattern specific to multinational companies is inconsistent implementation across subsidiaries in different countries.
Policies established at headquarters may not fully take hold locally due to differences in language, culture, and legal systems. Local AI usage can advance independently without headquarters' awareness, creating governance blind spots.
As a countermeasure, it is effective to appoint a local governance lead at each country office to serve as a bridge between headquarters and the local operation. Policies and training materials should be translated into local languages and supplemented with notes addressing country-specific regulations. Rather than uniformly imposing headquarters' policies, a "common framework + local adaptation" approach — maintaining a shared structure while allowing for adjustments to suit each country's circumstances — is the more practical path forward.
To ensure the framework does not remain a one-time effort but instead becomes embedded and scalable, the keys are cultivating a governance culture through education and leveraging tools and platforms.
Education plays a significant role in embedding AI governance. If employees understand not just the rules but why those rules are necessary, policies shift from something "enforced upon them" to something "naturally followed."
In practice, this could take the form of tiered programs: AI literacy training for all employees, risk assessment training for managers, and hands-on practical training for those who work directly with AI. For companies operating across multiple countries in ASEAN, it is advisable to deliver training in local languages and to include content that addresses the regulations of each respective country.
In recent years, many companies advancing AI adoption have placed education at the center of their talent strategy. Even with the right tools and rules in place, a framework will not take root if the people using it lack genuine understanding. Building a governance culture takes time, but it forms the foundation that sustains the framework over the long term.
There is also the option of leveraging tools and platforms that support AI governance in order to reduce the operational burden on the framework.
Tools are emerging that offer capabilities such as collecting AI usage logs, detecting policy violations, managing risk assessments, and visualizing compliance status with regulations across different countries. Once the scale of operations makes manual management difficult, it is worth considering the adoption of such platforms.
However, tools are ultimately just a means to an end. Introducing tools alone without having the structural backbone in place—committees, policies, and defined responsibilities—will yield limited results. The correct order of operations is to first solidify the foundation of your framework using the steps outlined in this article, and then position tools as instruments for streamlining operations.
Here are answers to three questions that commonly arise when building an AI governance framework.
How long the build takes varies with company size and the number of locations, so no single answer applies universally. However, when accounting for everything from establishing prerequisites to setting up a committee, formulating policies, and mapping regulations across countries, a substantial preparation period should be anticipated. Rather than aiming for a perfect framework all at once, it is more practical to first build the skeleton at headquarters and key locations, then gradually expand the scope to additional countries and business functions.
Even if a location is small, that country's data protection laws still apply. From a regulatory compliance standpoint, the size of a location is not a valid reason to forgo governance. That said, the weight of the framework can be adjusted according to scale. For smaller locations, a lightweight approach works well—for example, applying headquarters policies as a common framework and designating a single local person in charge to handle operations.
It is important to build the capacity to respond to regulatory changes into the framework from the outset. Specifically, this means establishing a process whereby the governance committee regularly reviews regulatory developments in each country and updates policies and risk registers as needed. Regulatory change should not be treated as an exceptional event—the framework should be designed on the assumption that it will occur on an ongoing basis.
For companies operating across multiple countries in ASEAN, an AI governance framework is a foundational prerequisite for business continuity. With regulations varying by country and the risks of ungoverned AI use being significant, building such a framework has become a topic that can no longer be deferred.
Framework development proceeds in three steps—establishing a committee and formulating policies; conducting risk assessments and mapping country-specific regulations; and embedding monitoring and auditing—after first solidifying the prerequisites of securing management commitment, appointing responsible parties, and conducting an inventory of AI usage. The process involves organizing a driving structure, starting small with clear priorities, avoiding common pitfalls such as policies becoming hollow formalities and inconsistent implementation across countries, and then embedding and scaling the framework through training and the use of tools.
The key point is that AI governance is not something you build once and consider finished—it is a mechanism that must be continuously operated and updated in response to changes in regulations and tools. Rather than striving for a perfect framework from the start, adopting a mindset of building the skeleton, putting it into operation, and refining it along the way will ultimately lead to a framework with real-world effectiveness.
If you have any questions about building an AI governance framework across ASEAN countries or managing risks related to AI adoption, please contact us.
Chi
Majored in Information Science at the National University of Laos, where he contributed to the development of statistical software, building a practical foundation in data analysis and programming. He began his career in web and application development in 2021, and from 2023 onward gained extensive hands-on experience across both frontend and backend domains. At our company, he is responsible for the design and development of AI-powered web services, and is involved in projects that integrate natural language processing (NLP), machine learning, and generative AI and large language models (LLMs) into business systems. He has a voracious appetite for keeping up with the latest technologies and places great value on moving swiftly from technical validation to production implementation.