AI Governance in Hong Kong: A 2026 Compliance Checklist for Businesses

A practical guide to AI governance and compliance in Hong Kong — the PCPD, HKMA and SFC expectations, plus a 13-point checklist for businesses adopting AI.

Artificial intelligence has moved from pilot projects to production. Hong Kong businesses now use generative AI to draft documents, screen transactions, serve customers and inform decisions — often faster than their governance has caught up. The risk is no longer whether to adopt AI, but whether you can demonstrate that you are using it responsibly when a regulator, client or counterparty asks.

This guide explains how AI is governed in Hong Kong, why a principles-based regime still creates real obligations, and provides a practical 13-point compliance checklist you can use to assess your own readiness.

Hong Kong has no single "AI law" — and that is the point

Unlike the European Union, Hong Kong has not enacted a standalone AI statute. There is no local equivalent of the EU AI Act, and as at 2026 none has been proposed. Instead, Hong Kong has adopted a principles-based, sector-led approach: existing laws apply to AI, and regulators issue guidance setting out how they expect AI to be governed within their remit.

For most organisations, that means obligations come from four directions at once:

  • The Privacy Commissioner (PCPD) — where AI touches personal data.
  • The Digital Policy Office (DPO) — which sets the government's ethical-AI expectations and technical guidance.
  • Sector regulators — principally the HKMA for banks and the SFC for licensed corporations, with the Insurance Authority and MPFA increasingly active.
  • Cross-border regimes — the EU AI Act, GDPR and Mainland China's rules can reach Hong Kong businesses that operate or have customers abroad.

The absence of a single statute is often mistaken for the absence of rules. In practice, the guidance below is specific, and regulators expect senior management to be able to evidence compliance.

The four pillars of Hong Kong AI governance

1. Personal data: the PCPD framework

The PCPD's "Artificial Intelligence: Model Personal Data Protection Framework" (June 2024) is the cornerstone document for any organisation using AI that involves personal data. It sets out recommended practices across AI strategy and governance, risk assessment, the development and management of AI systems, and communication with stakeholders — all underpinned by the six Data Protection Principles in the Personal Data (Privacy) Ordinance (PDPO).

In March 2025 the PCPD followed up with a "Checklist on Guidelines for the Use of Generative AI by Employees", aimed at helping organisations write an internal policy on staff use of tools like ChatGPT. It expects employers to specify which tools are approved, define permitted use cases, prohibit entering confidential or personal data into public AI tools, and require human review of AI-generated output.

2. Government expectations: the Digital Policy Office

The DPO maintains the government's Ethical Artificial Intelligence Framework and, in April 2025, released the Hong Kong Generative AI Technical and Application Guideline. The Guideline articulates governance principles around lawful use, security and transparency, and accuracy and reliability, and addresses technical risks such as data leakage, model bias and error. While framed for developers, service providers and users broadly, it is a strong indicator of the standard regulators will expect.

3. Financial services: HKMA and SFC

If you are regulated, the bar is higher and more concrete.

The HKMA issued guidance in August 2024 on consumer protection in respect of the use of generative AI in customer-facing applications, requiring authorized institutions to maintain human oversight, provide mechanisms for human intervention, and allow customers to opt out or request human review. The HKMA's GenA.I. Sandbox — expanded in 2026 into GenA.I. Sandbox++ alongside the SFC, Insurance Authority and MPFA — gives firms a supervised environment to test AI use cases.

The SFC's circular of 12 November 2024 on the use of generative AI language models applies to licensed corporations. It is built on senior-management accountability and a risk-based approach, and treats certain uses — notably providing investment recommendations, advice or research — as high-risk. For high-risk uses, the SFC expects model validation and ongoing review for accuracy, a human in the loop before output reaches the client, testing of output robustness against prompt variations, and disclosure to users that they are interacting with AI.

4. Cross-border reach

Hong Kong's businesses are international, and so is AI regulation. The EU AI Act applies extraterritorially and is being phased in between 2025 and 2027 — it can capture Hong Kong providers and deployers whose AI systems or outputs are used in the EU. GDPR continues to apply to EU personal data. For groups operating into the Mainland, the PRC Personal Information Protection Law (PIPL) and the Interim Measures for the Management of Generative AI Services add a further layer, along with data-export controls. A Hong Kong governance programme that ignores these regimes is incomplete.

The Hong Kong AI governance checklist

Use the checklist below to assess your organisation's AI governance maturity. Not every section applies to every business — the sector-specific items in particular apply only where you carry on the relevant regulated activity. Work through each area, identify what is already in place, and flag the gaps.

1. Governance, accountability and oversight

  • The board or senior management has approved an AI governance policy and retains ultimate accountability for the organisation's use of AI.
  • A designated committee or responsible person oversees AI adoption, with clearly documented roles across development, approval and monitoring.
  • A central inventory of all AI systems in use is maintained — including third-party tools and "shadow AI".
  • AI governance is integrated into existing risk-management and internal-control frameworks.

2. AI strategy, risk assessment and classification

  • A risk-based approach is adopted, and each AI use case is classified by risk level.
  • Each AI system has a documented risk assessment proportionate to its impact.
  • High-risk use cases receive enhanced controls and senior sign-off.
  • The purpose and permitted scope of each system are defined before deployment, and prohibited use cases are identified.

3. Personal data and PDPO compliance

  • Use of personal data in AI complies with the six Data Protection Principles under the PDPO.
  • Data collection is minimised, and a Privacy Impact Assessment is conducted where AI involves personal data.
  • The Personal Information Collection Statement / privacy notice is updated to cover AI processing.
  • Data subject access and correction rights, and retention and deletion policies, are applied to AI data.

4. Procurement and third-party / vendor management

  • Due diligence is performed on AI vendors and model providers, including training-data provenance.
  • Contracts address data ownership, confidentiality, liability, IP and audit rights.
  • Data residency and sub-processing arrangements are understood and acceptable, with exit arrangements in place.

5. Model development, validation, accuracy and fairness

  • Models are validated before deployment and reviewed on an ongoing basis for factual accuracy.
  • Output robustness is tested against prompt variations and adversarial inputs.
  • Training and testing data are reviewed for quality and bias, and fairness is monitored over time.

6. Human oversight ("human-in-the-loop")

  • The level of human oversight is set according to the risk of each use case.
  • For high-risk outputs, a qualified human reviews the output before it reaches the client or user.
  • Mechanisms exist for human intervention and for customers to request human review or opt out.

7. Transparency, disclosure and labelling

  • Users are informed when they are interacting with AI rather than a human.
  • AI-generated content is watermarked or labelled where appropriate.
  • The organisation can explain how each AI system works and how AI-assisted decisions are reached.

8. Security and cybersecurity

  • Controls prevent data leakage and unauthorised access to AI systems.
  • Entering confidential, sensitive or personal data into public AI tools is prohibited.
  • Protections exist against prompt injection, model manipulation and data poisoning, and AI is included in incident-response planning.

9. Employee use of generative AI (internal policy)

  • A written internal policy on employee use of generative AI is in place.
  • It specifies approved tools, permitted use cases, who it applies to, and on which devices.
  • All AI-generated output is subject to human review for accuracy, bias and IP infringement.
  • Staff are trained, and breaches and disciplinary consequences are defined.

10. Sector-specific regulatory overlays

  • Banks / authorized institutions: comply with HKMA guidance on AI and on consumer protection in respect of generative AI; consider the GenA.I. Sandbox++.
  • Licensed corporations: comply with the SFC's November 2024 circular — senior-management responsibility, high-risk controls and disclosure.
  • Insurers and MPF operators: consider Insurance Authority and MPFA guidance and Sandbox++ participation.

11. Intellectual property and output ownership

  • IP ownership and licensing of AI inputs and outputs are addressed in contracts and policy.
  • The risk of AI output infringing third-party copyright is assessed, with human review for infringement.
  • Confidential information and trade secrets are protected from exposure through AI tools.

12. Monitoring, audit, record-keeping and incident response

  • AI performance and outputs are continuously monitored in production.
  • AI systems and controls are periodically audited, with records and audit trails maintained.
  • Incident-response and escalation procedures are defined, along with a process to retire systems safely.

13. Cross-border and extraterritorial considerations

  • The applicability of the EU AI Act and GDPR to systems or outputs used in or affecting the EU is assessed.
  • Mainland China requirements (PIPL, the Interim Measures for Generative AI Services, data-export rules) are considered for cross-border operations.
  • Cross-border data-transfer mechanisms are documented, and the evolving Hong Kong position is monitored.

Who needs this — and where to start

Every Hong Kong business using AI benefits from a baseline governance policy, but the urgency rises sharply for regulated firms, businesses handling significant volumes of personal data, and those operating across borders into the EU or Mainland China. For founders and smaller teams, the priority is usually two documents: an internal generative-AI use policy for employees, and a simple AI inventory and risk-assessment process. For regulated and cross-border businesses, governance needs to be embedded into board reporting, vendor contracts and compliance monitoring.

The most common gap we see is not the absence of any policy — it is governance that exists on paper but cannot be evidenced: no inventory of what AI is actually in use, no record of who approved a high-risk use case, and no human-review trail. In a principles-based regime, the ability to demonstrate responsible use is the compliance.

How we can help

Alan Wong LLP advises founders, funds and businesses on AI governance frameworks, internal generative-AI policies, vendor and data arrangements, and sector-specific compliance with HKMA and SFC expectations — including as part of our fractional in-house counsel service for companies that need senior legal judgement without a full-time hire. If you would like a tailored version of this checklist or a review of your current AI governance, get in touch.

Disclaimer: This article is provided for general information only and does not constitute legal advice. It should not be relied upon as a substitute for specific legal advice on any particular matter. No solicitor-client relationship is created by your access to or use of this article. The law may change, and its application will depend on the specific facts and circumstances of each case. To the fullest extent permitted by law, we accept no responsibility for any loss or damage arising from reliance on this article.
