TL;DR: Vietnam’s AI Law took effect on March 1, 2026, introducing risk-based oversight, role-based accountability across the AI lifecycle, mandatory safeguards for high-risk systems, and reporting obligations for serious incidents, according to OneTrust’s analysis. The law turns AI governance into an operational control problem, not just a policy exercise.
NHIMG editorial — based on content published by OneTrust: Vietnam AI Law Explained: What the New Rules Mean for AI Development and Deployment
Questions worth separating out
Q: How should organisations classify AI systems before deployment?
A: Organisations should classify AI systems by the harm they could cause, not by how advanced the model seems.
Q: Why does lifecycle accountability matter in AI governance?
A: Lifecycle accountability matters because AI risk is shared across developers, providers, deployers, and users.
Q: What do security teams get wrong about AI logging?
A: Many teams log only infrastructure events and miss the AI-specific evidence needed for oversight.
Practitioner guidance
- Classify AI systems before deployment Create a pre-release review that assigns each AI use case a risk tier based on impact, data sensitivity, and decision criticality.
- Map accountability across the AI lifecycle Record which team owns development, provision, deployment, user-facing operation, and incident response for every in-scope system.
- Add logging for AI decisions and outputs Capture prompts, outputs, configuration changes, and human overrides so investigations can reconstruct what happened.
What's in the full article
OneTrust's full blog covers the operational detail this post intentionally leaves for the source:
- Detailed explanation of how Vietnam’s AI Law maps responsibilities across developers, providers, deployers, users, and affected persons.
- Practical examples of high-risk AI systems and the types of conformity or impact assessments they may require.
- A closer look at prohibited AI uses, including manipulative, deceptive, and harmful applications.
- OneTrust DataGuidance context for organisations comparing Vietnam’s rules with other regional AI governance regimes.
👉 Read OneTrust’s analysis of the Vietnam AI Law and AI governance obligations →
Vietnam AI law and AI governance: what changes for practitioners?
Explore further
Vietnam’s AI Law turns AI governance into a control-execution problem, not a policy statement. The law’s emphasis on risk classification, conformity assessment, logging, and incident reporting means organisations must prove that governance works in practice. That is the same shift identity teams have seen in IAM and PAM programmes: accountability only matters when it is mapped to system ownership and enforceable controls. Practitioner conclusion: treat AI governance as an operating model with evidence, not a policy library.
A question worth separating out:
Q: Who is accountable when a high-risk AI system causes harm?
A: Accountability usually follows the role that controlled the system’s deployment and use, even if the model was built elsewhere. The deployer often remains responsible for affected people, while contractual recovery may be possible against a provider or developer. Organisations therefore need clear role definitions and incident escalation paths before an issue occurs.
👉 Read our full editorial: Vietnam AI law sets a risk-based model for AI governance