Sri Lanka AI Governance: Compliance for Growing Technology Operations
Sri Lanka does not yet regulate AI through a single horizontal AI act. That does not mean AI operations are ungoverned. The Personal Data Protection Act, No. 9 of 2022, cybersecurity expectations, outsourcing discipline, and ordinary confidentiality obligations already shape how technology teams should run AI in production. For software companies, BPO providers, fintech operators, and shared-service organizations, the operational challenge is straightforward: keep personal data exposure low, restrict which providers can receive sensitive traffic, and make higher-impact routes reviewable.
That is where runtime governance matters more than strategy decks. A growing technology business can write a responsible AI policy and still fail operationally if employees send customer transcripts, identity documents, or internal case notes through a generic copilot path. Keeptrusts does not replace privacy notices, contractual analysis, or data-subject rights handling. It does make Sri Lanka-style compliance easier to sustain because the live route can be minimized, filtered, and evidenced.
Use this page when
- You are introducing AI in Sri Lanka and need a control model before a dedicated AI statute exists.
- You run delivery, support, or BPO workflows that may contain customer or employee data.
- You want a practical boundary between low-risk productivity routes and higher-risk operational workflows.
Primary audience
- Primary: privacy officers, operations leaders, platform engineers
- Secondary: legal counsel, security teams, outsourcing program managers
The problem
Sri Lanka's fast-growing technology and services sector often works with foreign clients, outsourced processes, and mixed data environments. That creates a predictable AI governance problem. The same assistant that helps a team write release notes today may be used tomorrow to summarize support tickets, analyze customer complaints, or draft responses from HR or finance records. Once those routes collapse into one shared model path, it becomes hard to apply proportional controls.
The Personal Data Protection Act raises the stakes because AI traffic that includes names, account references, contact details, or other identifiable information is still personal-data processing. Cross-border delivery models add more pressure. Even when the organization is contractually authorized to process or transfer the data, it still needs to justify how much data was sent upstream and why. If the route could have redacted identifiers or used a more constrained provider path, failing to do so is weak control design.
The same is true for operational decisions. A team may say an assistant is only “supporting” a human reviewer, but if the route quietly produces summaries that shape customer or employee outcomes with no review stop, the system is closer to automation than the organization admits.
The solution
The right pattern is to create separate lanes for separate risk levels. Keeptrusts makes that practical because it can govern both the content sent to the model and the provider selected to receive it.
Use pii-detector to redact identifying information by default on workflows that touch customer or employee records. Use data-routing-policy to limit providers to a reviewed posture, especially where retention and training restrictions matter. On higher-impact support, HR, or complaint-handling routes, add human-oversight so the output does not go straight to end users or case systems. Keep audit-logger active so disputes and internal reviews have real evidence.
This gives Sri Lankan technology teams something they often lack: a disciplined middle ground between banning AI outright and allowing every route to run in the same low-control lane.
Implementation
For a Sri Lanka delivery or support route that may contain client personal data, use a configuration that treats minimization and provider discipline as defaults.
pack:
  name: sri-lanka-client-data-lane
  version: "1.0.0"
  enabled: true
providers:
  targets:
    - id: privacy-reviewed-provider
      provider: openai
      model: gpt-5.4-mini-mini
      secret_key_ref:
        env: OPENAI_API_KEY
      data_policy:
        zero_data_retention: true
        training_opt_out: true
        retention_days: 0
        accepts_tokenized_input: true
        allow_internet_egress: false
policies:
  chain:
    - pii-detector
    - data-routing-policy
    - audit-logger
  policy:
    pii-detector:
      action: redact
      redaction:
        marker_format: label
        include_metadata: true
    data-routing-policy:
      require_zero_data_retention: true
      require_no_training: true
      max_retention_days: 0
      tokenize_sensitive_fields: true
      allow_internet_egress: false
      on_no_compliant_provider: block
      log_provider_selection: true
    audit-logger:
      retention_days: 365
This route is intentionally narrow. It does not claim to solve every Sri Lanka compliance question. It does solve an important one: whether the organization can show that client and workforce data are minimized before upstream processing and that only approved providers remain eligible. When a route grows in impact, add Human Oversight so the output becomes reviewable instead of automatic.
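To make the semantics of that lane concrete, the following is an added example written for this page; it is not Keeptrusts code and does not use the Keeptrusts API. It models the three chain steps with plain Python: a label-marker redactor standing in for pii-detector, a provider filter that applies the require_* settings and the block fallback of data-routing-policy, and an audit record that stores only the redacted text. The provider table, the regex patterns, the ACC- account-reference format and the sample ticket are all constructed for the example; the patterns cover the contact and account identifiers the page names and make no attempt at name detection.

```python
"""Hypothetical lane evaluator (added example, not Keeptrusts code).

Mirrors the semantics of the sri-lanka-client-data-lane config above:
  1. pii-detector with action=redact and label markers runs first,
  2. data-routing-policy keeps only providers whose data_policy satisfies
     the require_* settings and blocks when none qualify,
  3. audit-logger records what was decided, never the raw input.
All provider entries, patterns and sample text are constructed for the example.
"""
import re

# Constructed provider table in the shape of the providers.targets entries above.
# The second entry is a deliberately non-compliant "generic copilot" path.
PROVIDERS = [
    {"id": "privacy-reviewed-provider",
     "data_policy": {"zero_data_retention": True, "training_opt_out": True,
                     "retention_days": 0, "accepts_tokenized_input": True,
                     "allow_internet_egress": False}},
    {"id": "generic-copilot",
     "data_policy": {"zero_data_retention": False, "training_opt_out": False,
                     "retention_days": 30, "accepts_tokenized_input": False,
                     "allow_internet_egress": True}},
]

# Same keys as the data-routing-policy block in the config.
ROUTING_POLICY = {
    "require_zero_data_retention": True,
    "require_no_training": True,
    "max_retention_days": 0,
    "tokenize_sensitive_fields": True,
    "allow_internet_egress": False,
    "on_no_compliant_provider": "block",
}

# Illustrative detectors for the identifier types the page names (contact
# details, account references). ACCOUNT runs before PHONE so a digit-heavy
# account reference is labelled as an account rather than as a phone number.
PII_PATTERNS = {
    "ACCOUNT": re.compile(r"\bACC-\d{6,}\b"),          # constructed reference format
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "PHONE": re.compile(r"\+?\d[\d \-]{7,}\d"),
}


def redact(text, marker_format="label"):
    """Replace each match with a typed marker such as [EMAIL]; return text and counts."""
    counts = {}
    for label, pattern in PII_PATTERNS.items():
        marker = f"[{label}]" if marker_format == "label" else "[REDACTED]"
        text, hits = pattern.subn(marker, text)
        if hits:
            counts[label] = hits
    return text, counts


def compliant(provider, policy):
    """True when the provider's declared data_policy satisfies every routing requirement."""
    dp = provider["data_policy"]
    return all([
        dp["zero_data_retention"] or not policy["require_zero_data_retention"],
        dp["training_opt_out"] or not policy["require_no_training"],
        dp["retention_days"] <= policy["max_retention_days"],
        dp["accepts_tokenized_input"] or not policy["tokenize_sensitive_fields"],
        policy["allow_internet_egress"] or not dp["allow_internet_egress"],
    ])


def select_provider(providers, policy):
    """Return the first compliant provider id, or None when the lane must block."""
    eligible = [p["id"] for p in providers if compliant(p, policy)]
    if eligible:
        return eligible[0]
    if policy["on_no_compliant_provider"] == "block":
        return None
    raise ValueError("only the 'block' fallback is modelled in this example")


def run_lane(text, providers=PROVIDERS, policy=ROUTING_POLICY):
    """Apply the chain in order and return the audit record for the request."""
    redacted, counts = redact(text)
    provider = select_provider(providers, policy)
    return {
        "decision": "blocked" if provider is None else "forwarded",
        "provider": provider,
        "redactions": counts,        # counts only, as include_metadata: true suggests
        "upstream_text": redacted,   # what would leave the environment; raw input is never stored
    }


# Constructed support-ticket text with the kinds of identifiers the lane must strip.
SAMPLE_TICKET = ("Customer Nimal Perera (nimal.perera@example.lk, +94 77 123 4567) "
                 "disputes a charge on ACC-00012345.")

if __name__ == "__main__":
    print(run_lane(SAMPLE_TICKET))
    print(run_lane(SAMPLE_TICKET, providers=[PROVIDERS[1]]))
```

Running the module forwards the sample ticket to privacy-reviewed-provider with the email, phone and account reference replaced by labelled markers, and returns a blocked decision when only the non-compliant provider is available. The check that matters for an auditor is the second case: with on_no_compliant_provider set to block, a lane with no eligible provider refuses the request instead of silently falling back to a path with retention or training exposure.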
For rollout teams, the most useful references are Quickstart, Configuration & Policy Overview, PII Detector, Data Routing Policy, and Data Residency & Compliance.
Results and impact
The first impact is simpler governance. Privacy, legal, and delivery teams can talk about specific lanes instead of arguing about AI in the abstract. The second is better client trust. Outsourcing and shared-services work depends on being able to explain what leaves the environment, why it leaves, and which safeguards are attached.
That is especially valuable in a growth market. Sri Lankan organizations can adopt AI without pretending that every use case has the same risk. The runtime route becomes part of the compliance posture rather than the part that quietly erodes it.
Key takeaways
- Sri Lanka AI governance is currently shaped by privacy, cyber-risk, and outsourcing discipline more than a dedicated AI law.
- Shared model routes are a weak fit for mixed-risk technology operations.
- pii-detector and data-routing-policy are strong baseline controls for client-data workflows.
- Review-heavy workflows should add human-oversight instead of relying on informal human judgment.
- Evidence and lane separation matter as much as policy statements.
Next steps
- Begin with Quickstart if you need a clean starting point.
- Define route classes in Configuration & Policy Overview.
- Turn on redaction with PII Detector.
- Restrict transfer posture with Data Routing Policy.
- Add geographic and retention controls via Data Residency & Compliance.