For the past few years, artificial intelligence has felt like a digital wild west for businesses in Thailand. Companies have raced to integrate generative AI platforms, launch automated credit scoring tools, and use algorithmic models to optimize logistics frequently operating in a regulatory vacuum.
However, that vacuum is officially closing. According to a landmark analysis by global law firm Baker McKenzie, Thailand is transitioning into a sophisticated, hybrid regulatory environment for AI. While a comprehensive national AI framework is currently winding its way through the legislative pipeline, binding sector-specific regulations from financial, judicial, and consumer bodies are already live and enforcing real compliance burdens.
If your organization is currently deploying AI in Thailand, waiting for a final, single “AI Act” to drop before you build your compliance model is a dangerous strategy. Immediate regulatory exposure is already here. This breakdown unpacks the dual reality of Thailand’s AI laws today, provides an interactive compliance mapping tool, walks through a real-world corporate use case, and maps out exactly what your enterprise needs to do next.
The Master Blueprint: The Upcoming National AI Law
The centerpiece of Thailand’s long-term regulatory approach is the Draft Principles of Artificial Intelligence Law (referred to as the “Draft AI Principles”). This framework was released for public consultation by the Electronic Transactions Development Agency (ETDA) and is being actively refined for enactment over the next two to three years.
Derived fundamentally from the UNCITRAL Model Law, the framework builds consumer trust by anchoring AI applications to a risk-based classification model. Much like the European Union’s regulatory model, the Thai draft will empower a newly formed central oversight body the AI Governance Center (AIGC) under the ETDA alongside existing sector regulators to categorize AI applications into distinct risk brackets.
Understanding your company’s position within this impending classification framework is critical:
- Prohibited-Risk AI: Systems that pose an unacceptable threat to human safety or fundamental rights are completely banned. Violations will trigger direct administrative fines.
- High-Risk AI Providers (Creators): Companies building foundational models or critical infrastructure inside Thailand or offshore providers selling into the country via a mandatory local legal representative face stringent obligations. They must establish formal risk management architectures aligned with international benchmarks like ISO/IEC 42001:2023 or the NIST Risk Management Framework. They must also report serious algorithmic failures or accidents immediately to the AIGC.
- High-Risk AI Deployers (Users): If you purchase and deploy a high-risk system (for example, automated HR screening or medical diagnostic aids), you are legally responsible for designating oversight personnel, maintaining operational data logs for auditing, ensuring data source quality, and proactively notifying individuals if an AI decision impacts their life or physical well-being.
The Shift to a “Duty of Care” Model
One of the most consequential inclusions in the Draft AI Principles is a formal duty of care approach to liability. Under standard tort claims, determining fault in complex automated systems can be incredibly muddy. The draft text addresses this directly: if an AI provider can document that they have exhaustively fulfilled their regulatory duty of care, they are granted a legal shield against liability if things go wrong. If they fail to meet this baseline, they are presumed exposed to significant damage claims.
Furthermore, individual citizens will gain robust legal rights regarding automated actions. These include the Right to be Notified when AI is handling their case, the Right to be Explained (understanding the primary variables that generated an algorithmic output), and a comprehensive Right to Appeal, allowing individuals to demand that a human operator review and replace a purely automated decision.
Interactive 2026 Thailand AI Compliance Assessment
To evaluate your company’s immediate exposure and see where your systems sit within the active and upcoming regulatory buckets, use the assessment builder below. Select your operating parameters to receive a customized risk profile.
The Reality Right Now: Active Sectoral Mandates
Many business leaders falsely assume they can put AI compliance on the back burner until the Draft AI Principles pass parliament. Baker McKenzie warns that this is a critical legal mistake. Multiple governing bodies in Thailand have already weaponized their existing statutory powers to issue binding or quasi-binding AI rules.
If your company operates across any of the following three segments, you must comply with these specialized requirements immediately:
1. Consumer Protection & Advertising Laws
If your marketing department uses tools like Midjourney, Stable Diffusion, or ChatGPT to spin up promotional materials, you are subject to the Office of Consumer Protection Board (OCPB) Notification issued on July 18, 2025.
To combat deceptive or exaggerated advertising claims, the OCPB requires absolute transparency. If an advertisement uses content or graphics generated by AI, the advertiser must affix a clear, conspicuous disclosure label directly onto the asset (such as "image was created by AI"). Fictionalized product photos or hyper-realistic text variations can no longer be mixed seamlessly into consumer feeds without clear signage.
2. Financial Services Sector
On September 12, 2025, the Bank of Thailand (BOT) launched its formal Policy Direction on Risk Management of the Use of Artificial Intelligence Systems. This directive overlays pre-existing IT risk and market conduct frameworks, meaning compliance is actively scrutinized during standard institutional audits.
The BOT splits AI-driven operational failures into three explicit risk categories:
- Data Risk: Ensuring training pipelines do not ingest corrupted, biased, or illegally harvested information.
- Model Development Risk: Monitoring for model drift (gradual loss of predictive accuracy) and algorithmic bias (systematic errors that create unfair outcomes for protected consumer groups).
- Cyber Threat Risk: Safeguarding models against adversarial injections or data-poisoning attacks.
Financial companies must structure their AI strategies around the core “FEAT” principles: Fairness, Ethics, Accountability, and Transparency.
3. The Judicial System and Court Filings
Thailand’s judiciary has acted aggressively to keep pace with technological advancements. Under the Civil Court’s Directive on Using Artificial Intelligence Technologies for Preparing Pleadings or Other Documents in Court Filings B.E. 2568 (2025), legal departments and external counsel face strict rules.
If a lawyer utilizes generative AI to research, draft, or edit pleadings or affidavits submitted to the Civil Court, they are legally obligated to attach an explicit disclosure statement:
[the following content is created with artificial intelligence technology]
Furthermore, the filing attorney must sign a formal representation verifying that they have manually checked all data citations, factual assertions, and case law precedents for accuracy, shielding the justice system from machine-generated fabrications. Parallel guidelines have rapidly expanded to first-instance courts across the provinces, including the Maha Sarakham Court Notification in early 2026.
Real-World Use Case: “Siam FinTech & Commerce (SFC)”
To see how these concurrent layers of law intersect in practice, let’s explore a hypothetical scenario featuring a mid-sized Thai company, Siam FinTech & Commerce (SFC).
SFC operates an e-commerce marketplace and is launching a new micro-lending consumer app called SiamCredit. The platform relies on two primary AI modules:
- An Automated Credit Engine that analyzes user shopping data, smartphone device metadata, and transactional history to approve small loans instantly.
- A Generative Marketing Engine that crawls user browsing profiles to create personalized, AI-generated image ads featuring custom discounts.
+---------------------------------------------------------------------------------+
| SIAM FINTECH & COMMERCE (SFC) |
| |
| [ Generative Marketing Engine ] [ Automated Credit Engine ] |
| | | |
| v v |
| OCPB ADVERTISING RULES BANK OF THAILAND LAWS |
| Label: "Image created by AI" FEAT Framework Audit |
| | | |
| +--------------------+-------------------+ |
| | |
| v |
| THAILAND PDPA ENFORCEMENT |
| Compliant with Draft AI & Privacy Framework |
+---------------------------------------------------------------------------------+
The Legal Intersection
Because SFC is touching multiple distinct business ecosystems, their product launch triggers a cascade of regulatory responsibilities under current 2026 conditions:
- The Marketing Campaign: The moment SiamCredit rolls out its personalized banners on Facebook and Line, the OCPB notification applies. SFC’s creative team must ensure every single automated graphic features an legible watermark stating the asset is AI-constructed. Skipping this step leaves the company vulnerable to consumer fraud investigations.
- The Loan Underwriting: Because SFC is extending credit lines via an algorithm, they enter the crosshairs of the Bank of Thailand’s AI Policy Direction. Their risk officers must document how the model operates, prove that the training data excludes discriminatory factors (ensuring Fairness), and run penetration testing against Cyber Threat Risks.
- The Impending National Act: Under the upcoming ETDA framework, an automated loan engine that alters an individual’s financial standing will almost certainly be tagged as High-Risk. SFC must build an infrastructure capable of handling the Right to be Explained. If a customer is rejected by the SiamCredit algorithm, SFC must be prepared to give an understandable breakdown of why they failed the score, and provide a clear pathway for a human customer support agent to override the decision if appealed.
- The Privacy Core: Powering both tools requires harvesting deep customer data. This triggers rigid exposure under Thailand’s active Personal Data Protection Act (PDPA), reinforced by the newly released public draft guidelines specifically targeting AI and data privacy. SFC must secure explicit, unbundled consents to feed historical user data into automated training pipelines.
Strategic Action Plan: Preparing Your Organization
Navigating this hybrid environment requires moving away from ad-hoc developer deployment and shifting toward centralized, defensive governance. Baker McKenzie highlights five core strategic pillars that Thai companies should execute immediately to build long-term legal resilience.
The Operational Steps
-
Establish a Formal AI Governance Model: Immediate Priority.
Create an internal AI Steering Committee combining legal counsel, risk officers, and data engineering leads. Do not let engineering teams download open-source models or integrate third-party APIs into commercial products without a formal clearance protocol. -
Implement Internal AI Usage Policies: Month 1.
Draft explicit internal rules setting boundaries on employee activities. Detail exactly which corporate data classification sets are safe to feed into public generative systems, and completely ban the input of trade secrets, intellectual property, or source code into unverified external tools. -
Update External-Facing Documents: Month 2.
Audit customer terms of service, privacy policies, and digital promotional assets. Add transparent, easily accessible statements explaining if, how, and why AI algorithms process consumer information, while embedding mandatory OCPB disclosure watermarks on synthetic visual content. -
Conduct Comprehensive Review of AI-Related Agreements: Month 2-3.
Re-evaluate vendor contracts, enterprise licensing agreements, and service level agreements (SLAs). Ensure your commercial terms clearly outline liability allocations, data ownership boundaries, and indemnify your business if a third-party software model causes an unexpected legal infraction or data leak. -
Maintain Robust Technical Documentation: Continuous Compliance.
Systematically log the lifecycles of your active commercial models. Maintain comprehensive registers detailing data sourcing mechanics, algorithm testing logs, model validation history, and algorithmic risk mitigation strategies. Doing so lays the groundwork to claim the protective “duty of care” shield under coming national statutes.
The Compliance Takeaway: AI is an extraordinary accelerator for business growth, but the era of unaccountable experimentation in Thailand has officially ended. By building structural governance pipelines today, your enterprise can confidently leverage advanced technology without exposing its balance sheet to regulatory fines, court-filing rejections, or damaging consumer class-actions.