Abstract
The rapid advancement of artificial intelligence (AI), driven by innovation from technology firms and academia, has expanded its capabilities and accelerated its adoption across sectors. The integration of AI into the public sector is inevitable, as it promises greater efficiency, improved decision-making, and enhanced service delivery. However, these benefits come with new and complex risks, particularly due to the emergence of generative AI and autonomous agents capable of independent decision-making. Public agencies are therefore responsible for ensuring that deployed AI systems are not only effective but also secure, ethical, and cost-efficient. Current information security frameworks, such as ISO/IEC 27001:2022, remain inadequate for addressing risks associated with large language models and agentic AI. This study proposes a risk-based framework tailored for responsible procurement of generative AI solutions within Malaysian government agencies. Employing a qualitative methodology that integrates semi-structured interviews with AI practitioners from both public and private sectors, alongside qualitative document analysis, the research identifies key risk considerations and governance requirements. The resulting framework provides a structured approach to managing AI procurement risks and aligning them with the principles of responsible AI envisioned by the Malaysian government. Future research may focus on automating elements of the framework and integrating emerging risk countermeasures from technical working groups.
Metadata
| Item Type: | Article |
|---|---|
| Creators: | Keat, David Lau; Samy, Ganthan Narayana; Abdul Rahim, Fiza (fiza.abdulrahim@utm.my); Selvanathan, Mahiswaran; Maarop, Nurazean (nurazean.kl@utm.my); Krishnan, Mugilraj Radha; Perumal, Sundresan |
| Subjects: | L Education > LG Individual institutions > Asia > Malaysia > Universiti Teknologi MARA > Perak; Q Science > QA Mathematics |
| Divisions: | Universiti Teknologi MARA, Perak > Tapah Campus > Faculty of Computer and Mathematical Sciences |
| Journal or Publication Title: | Mathematical Sciences and Informatics Journal (MIJ) |
| UiTM Journal Collections: | UiTM Journals > Mathematical Science and Information Journal (MIJ) |
| ISSN: | 2735-0703 |
| Volume: | 6 |
| Number: | 2 |
| Page Range: | pp. 114-131 |
| Keywords: | Artificial Intelligence, Risk management, Public sector, Large language model, Autonomous system |
| Date: | October 2025 |
| URI: | https://ir.uitm.edu.my/id/eprint/128935 |
