In Hong Kong, AI governance is now your licence to ship
Hong Kong now has real AI rules — PCPD guidance, GenAI checklists, the critical-infrastructure ordinance. Governance isn't a brake on AI; it's the licence that lets you ship it safely. Here's the playbook.
Written for CIOs, CISOs, risk & legal leaders

For two years, "AI governance" in Hong Kong meant good intentions. Now it means specific rules. The Office of the Privacy Commissioner for Personal Data (PCPD) has published a Model Personal Data Protection Framework and guidance for generative AI; legal analysts are mapping what compliance actually requires; and the new Protection of Critical Infrastructure (Computer Systems) Ordinance raises the stakes for operators of essential services.
For a CIO, CISO or general counsel, the question has shifted from "should we have an AI policy?" to "does ours hold up?"
Governance is a deployment enabler, not a brake
The instinct is to treat governance as the thing that slows AI down. In a regulated market, it's the opposite: a clear, defensible AI policy is what lets you say yes to deployment — quickly — because the guardrails are already in place. The teams without one tend to either freeze (no one will approve anything) or ship blind (and meet the rules after an incident).
Legal guidance on the PCPD framework converges on a practical core: review the AI tools in use, approve specific use cases, keep personal and sensitive data out of public AI tools, and enforce strong authentication and encryption. The generative-AI guidance adds checklists for permissible inputs, outputs, storage and ethical guardrails.
- Inventory and approve specific AI use cases
- Keep personal and sensitive data out of public AI tools
- Define permissible inputs, outputs, storage and retention
- Enforce strong authentication and encryption
- Log, audit and assign accountability for every AI action
Adapted from Hong Kong PCPD guidance and legal analysis (Mayer Brown; Tanner De Witt).
Beyond privacy: critical infrastructure
The Protection of Critical Infrastructure (Computer Systems) Ordinance widens the lens from personal data to operational resilience. For operators of essential services, AI systems that touch critical operations now sit inside a security-and-continuity regime, not just a privacy one. If you're in scope, your AI governance and your cyber-resilience obligations are the same conversation.
What a CIO or CISO can do this quarter
- Inventory where AI is already in use — including the shadow tools teams have quietly adopted.
- Approve use cases explicitly, with a clear line on what data may and may not go into which tools.
- Write the policy down — permissible inputs and outputs, storage, retention, accountability — and make it enforceable, not aspirational.
- Check your critical-infrastructure exposure and align AI governance with your cyber-resilience obligations.
- Make governance a fast lane, not a gate: pre-approved patterns let teams ship inside the lines without a committee every time.
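The checklist above and the "pre-approved patterns" step, turned into an enforceable policy check rather than a written aspiration: an added example, not ASTRA's code or any PCPD artefact. The use-case names, tool names, data classes and owners are constructed placeholders; the one hard rule (personal or sensitive data never goes to a public tool) is the page's own line, applied before any use-case policy is consulted.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed policy registry (hypothetical names, not a real organisation's
# policy): each pre-approved use case names the tools it may call, the data
# classes it may send them, and the person accountable for it.
PUBLIC_TOOLS = {"public-chat-assistant"}   # tools outside our control boundary
RESTRICTED = {"personal", "sensitive"}     # never leaves that boundary
POLICY = {
    "marketing-copy": {"tools": {"public-chat-assistant", "internal-llm"},
                       "data": {"public"}, "owner": "marketing-lead"},
    "contract-review": {"tools": {"internal-llm"},
                        "data": {"public", "internal", "confidential", "personal"},
                        "owner": "legal-lead"},
}
AUDIT_LOG = []  # every decision, allow or deny, is appended here

@dataclass
class Request:
    use_case: str
    tool: str
    data_classes: set
    requester: str

def evaluate(req: Request) -> dict:
    """Decide one AI request against the registry and return its audit record."""
    rule = POLICY.get(req.use_case)
    if req.tool in PUBLIC_TOOLS and req.data_classes & RESTRICTED:
        # Hard line: restricted data to a public tool is denied regardless of
        # what any use-case entry says, so a mis-written policy cannot open it.
        allowed, reason = False, "restricted data to public tool"
    elif rule is None:
        allowed, reason = False, "use case not pre-approved; needs review"
    elif req.tool not in rule["tools"]:
        allowed, reason = False, f"tool {req.tool} not approved for use case"
    elif not req.data_classes <= rule["data"]:
        extra = sorted(req.data_classes - rule["data"])
        allowed, reason = False, f"data classes not permitted: {extra}"
    else:
        allowed, reason = True, "matches pre-approved pattern"
    record = {
        "time": datetime.now(timezone.utc).isoformat(),
        "requester": req.requester,
        "use_case": req.use_case,
        "tool": req.tool,
        "data_classes": sorted(req.data_classes),
        "owner": rule["owner"] if rule else "governance-board",  # accountable party
        "allowed": allowed,
        "reason": reason,
    }
    AUDIT_LOG.append(record)  # denials are logged too: they show where policy gaps are
    return record
```

Requests that match a pre-approved pattern pass without a committee; everything else is denied with a reason and an accountable owner, which is the queue the governance board actually needs to work.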
Done well, AI governance isn't the brake — it's what lets you go fast without crashing. In Hong Kong's tightening regulatory environment, the enterprises that move with confidence will be the ones whose guardrails were built in from the start.
That's the discipline ASTRA brings to the agent and AI layer — Agentic Stewardship and the control plane that make policy, audit and accountability operational rather than aspirational.
