What is AI regulation in Thailand?

Thailand does not yet have a single comprehensive AI Act in force. Its current model is a layered mix of national strategy, ethics guidance, ETDA-led governance tools, existing general laws such as personal data protection, and sector-specific supervision where regulators have moved faster than the legislature. In practice, organisations are expected to govern AI through human oversight, risk management, transparency, fairness, privacy and security, while preparing for a draft risk-based AI law that could tighten duties for higher-risk uses.

What this means

Thailand is not following a pure statute-first path for AI. Instead, it has built an emerging governance model in stages. The state first set a national direction through its AI strategy, then published ethics principles, then used public institutions, especially ETDA and its AI Governance Center, to turn broad principles into practical governance tools for organisations.

That means "AI regulation in Thailand" is currently wider than a single law. It includes soft law, operational guidance, and the ordinary Thai legal rules that already apply when AI is used in business, finance, government services, or any setting involving personal data, security, consumer trust, or regulated activity.

The practical effect is that organisations cannot wait for a future AI Act before acting. Thailand already expects responsible AI governance, but it is expressing that expectation through strategy, ethics, organisational readiness tools, and sector supervision, rather than one all-purpose code.

Why it matters

For operators, founders, advisers and public bodies, Thailand's model matters because the compliance question is not "is there an AI law yet?" but "which duties already apply to this use of AI, and how do we show we are using it responsibly?"

That affects procurement, vendor management, internal approvals, product design, model testing, data handling, customer disclosures and board oversight. A business using AI in Thailand may face soft-law expectations from ETDA, hard-law duties under privacy or sector rules, and increasing pressure to document how people remain in control when AI affects customers, staff or the public.

It also matters regionally. Thailand is positioning itself inside ASEAN as a governance-builder, not just a rule-taker. Its approach tries to make AI usable and governable at the same time, which is attractive for a region that wants interoperability without copying one foreign model wholesale.

How it works

The current model is layered

Thailand's AI framework currently rests on several layers. At the top is the national AI strategy. Beneath that sits the Digital Thailand AI Ethics Guideline, which gives the country's baseline principles. ETDA then carries much of the practical governance work through the AI Governance Center, often called AIGC, by publishing operational frameworks, tools and training. Existing Thai law still applies across the board, especially where AI touches personal data, cybersecurity, regulated financial activity or public administration. In other words, Thailand's present AI regime is partly strategic, partly ethical, partly operational and only partly statute-based.

The national strategy sets the direction of travel

Thailand's national AI strategy and action plan for 2022 to 2027 was approved by Cabinet in July 2022. It is not itself a binding AI code, but it matters because it tells regulators and public agencies what the state is trying to build. The strategy is organised around five themes: readiness in social, ethical, legal and regulatory matters; infrastructure; human capability; technology and innovation; and AI adoption in public and private sectors.

That architecture is important. It shows that Thailand treats law as one part of AI readiness, not the whole story. The strategy also makes clear that the state wants more than risk control. It wants institutional capacity, infrastructure, talent, research, sandboxes and broad adoption. So if you are trying to understand Thailand's AI policy from a business or governance perspective, the strategy says the country is trying to expand AI use while gradually building more formal guardrails around it.

The ethics guideline supplies the baseline principles

Thailand's Digital Thailand AI Ethics Guideline is the country's core ethical reference point. It does not create a dedicated AI licensing system or a full set of binding statutory duties. What it does provide is a durable baseline for how Thai public authorities expect AI to be researched, designed, developed, provided and used.

The guideline is built around six principles. In plain English, they are: sustainable and competitive development; consistency with law, ethics and international standards; transparency and accountability; security and privacy; fairness, diversity and inclusion; and reliability. The guideline is also explicitly human-centred. It stresses that AI should support human welfare and remain aligned with human rights, dignity, privacy and meaningful human control.

For organisations, that matters because these are not abstract values floating above practice. They shape later Thai guidance on governance structures, risk management, documentation, monitoring and feedback. They also tell you what "responsible AI" tends to mean in the Thai policy context.

The governance-centre model turns principles into organisational practice

Thailand's distinctive feature is its governance-centre approach. ETDA's AIGC has become the main bridge between high-level ethics and day-to-day implementation. Rather than waiting for a fully developed hard-law regime, Thailand has used AIGC to create governance tools, advisory capacity, training and cross-sector communities of practice.

ETDA's "AI Governance Guideline for Executive" is the clearest example. It proposes a three-part organisational model: AI governance structure, AI strategy and AI operation. In practice, that means an organisation should create a governing body or council for AI, assign roles across business, technical and compliance teams, decide where AI fits the organisation's objectives, manage AI risks across the lifecycle, and maintain service and feedback processes once systems are in use.

The executive guideline also brings tools into the picture. ETDA links governance to practical instruments such as an AI readiness assessment, an AI use case canvas and structured risk assessment. That makes the Thai model unusually operational. It is not just telling firms to "be ethical." It is giving them a way to assess readiness, prioritise use cases, document controls and build internal accountability.

UNESCO's account of Thailand's AIGC is helpful here. It describes the centre as a platform that connects civil servants, local experts, international advisers, civil society and industry, and notes that it has used fellowships, implementation toolkits and sector-focused learning to move AI governance from paper into practice. That is why Thailand's model is increasingly seen as institution-led and practice-oriented.

Existing law still does much of the hard-law work

Because Thailand does not yet have one comprehensive AI Act, existing law still does much of the binding regulatory work. The clearest cross-cutting example is the Personal Data Protection Act B.E. 2562 (2019), which becomes highly relevant whenever an AI system collects, trains on, profiles from or otherwise uses personal data.

That means many real AI questions in Thailand are still handled through ordinary legal channels: privacy compliance, security controls, contractual allocation of responsibility, sector supervision, and general duties around fairness and consumer trust. So an organisation that says "there is no AI Act, therefore we can wait" is reading the landscape badly. The absence of one dedicated statute does not mean the absence of legal exposure.

Thailand also shows signs of sector-by-sector hardening. The Bank of Thailand's September 2025 policy on AI risk management is a good example. For supervised financial institutions and payment operators, the regulator expects board and senior management accountability, lifecycle risk control, explainability, data quality management, cyber testing, and fair treatment of customers. In other words, some sectors are already moving from general ethics to concrete supervisory expectations.

A draft risk-based AI law is the main near-term uncertainty

The most important pending development is ETDA's draft principles for an AI law, opened for public consultation in 2025. Official statements describe this as Thailand's first national attempt to set a dedicated legal framework for AI, with a focus on higher-risk use cases and a balance between public protection and innovation.

The draft direction matters even though it is not yet final law. It points toward a risk-based approach rather than a one-size-fits-all model. It also suggests a hybrid system in which central bodies and sector regulators would both play roles. Official materials say the proposed framework is meant to support sandboxes and text and data mining rules, while paying special attention to high-risk AI and governance mechanisms that can scale from soft law to harder obligations where needed.

For now, though, it remains a draft. In the official sources reviewed for this article, the law is still presented as principles under development rather than an enacted all-economy statute. So organisations should treat it as a strong policy signal and a planning horizon, not as a finished rulebook.

Thailand sits within a voluntary ASEAN frame

Thailand's approach also makes more sense when viewed inside ASEAN. The ASEAN Guide on AI Governance and Ethics is a practical, voluntary document aimed at alignment and interoperability across member states. It is not directly binding law in Thailand, and it does not override Thai legislation. But it does give the region a common vocabulary for governance.

That regional frame fits Thailand well. Thailand's current model is ethics-led, operational and incrementally risk-based. It uses principles, guidance and capacity-building to make AI governance workable in practice, while leaving room for sector regulators and later legislation. That is broadly consistent with ASEAN's preference for practical guidance, interoperability and proportionality. As a result, Thailand is emerging as a jurisdiction to watch in Southeast Asia, not because it already has the region's strictest AI statute, but because it is building institutions and governance habits that could support one.

Examples

A Thai financial institution that uses AI for customer-facing services, fraud monitoring or decision support now has a live supervisory reference point. The Bank of Thailand's 2025 AI risk management policy expects boards and senior management to own AI decisions, classify and manage data and model risk, keep AI use consistent with responsible AI principles, and control cyber threats such as prompt injection, model inversion, data poisoning and adversarial attacks. In practice, that means AI use in finance is already governed through supervisory risk management, even without a general AI Act.

Thailand's practice-first model is also visible in ETDA's work with the Bank for Agriculture and Agricultural Cooperatives. In late 2024, AIGC ran an AI governance workshop for internal BAAC teams. The workflow was concrete: understand AI capabilities and limits, map internal use cases, then use the AI Use Case Canvas and AI Readiness Scan to assess gaps across strategy, people, data, infrastructure and governance before wider deployment.

At organisation level more generally, ETDA's executive guideline sets out a repeatable internal workflow. Leaders are expected to establish an AI governance council, assign roles across management, business, technical and compliance functions, identify where AI adds value, define risk appetite, manage lifecycle risks, and keep feedback channels open after deployment. That gives organisations a structured way to operationalise Thai AI ethics before regulators require it in harder legal form.

Common misunderstandings

"Thailand already has a national AI Act."

Not yet, at least not in the official sources reviewed here. Thailand has a draft AI law direction, but its current system is still mainly strategy, guidance, existing law and sector supervision.

"Soft law means it does not matter."

It matters a great deal. ETDA guidance influences procurement, governance design, training, regulator expectations and readiness for future legal duties, especially in higher-risk settings.

"AI regulation in Thailand is only about privacy."

Privacy is part of the picture, but not the whole picture. The Thai framework also covers transparency, accountability, fairness, human oversight, security, reliability and sector-specific risk management.

"Thailand is simply copying the EU AI Act."

No. Thai official materials point to a more context-sensitive model: start with strategy and ethics, build practice through AIGC and sector regulators, then move toward a tailored risk-based law.

"The ASEAN guide is binding law in Thailand."

It is not. The ASEAN guide is voluntary regional guidance designed to improve alignment and interoperability. Thai legal force still depends on Thai law and Thai regulators.

Risks and boundaries

Thailand's present model has clear strengths, but also clear limits. The strength is flexibility. Principles and toolkits can be updated faster than a statute, and a governance centre can build real capability across sectors. The weakness is that soft law does not settle every hard legal question. It does not by itself answer liability, evidence, remediation or enforcement in the way a mature statute might.

There is also an unevenness problem. Some sectors, especially finance, already have more specific supervisory expectations. Many other sectors do not. So the legal position can vary sharply depending on whether your AI use is in a heavily regulated environment or in a less supervised commercial setting.

Leaders should also be careful not to treat ETDA guidance as a licence or safe harbour. Following the guidance is good governance, but it is not the same thing as receiving regulatory approval, and it does not displace duties under privacy law, contract, consumer law, professional rules or sector supervision.

The biggest uncertainty is the future national AI law. Thailand has clearly moved toward a risk-based model for higher-risk uses, but the final structure, institutional powers, detailed duties and enforcement design can still change. For now, the right reading is this: Thailand is no longer lightly governed on AI, but it is not yet living under a single settled AI statute either.

What to do next

Start by treating AI as a governance issue, not just a technical purchase. Build an inventory of where AI is already used or being proposed, then rank those uses by impact on people, data sensitivity, operational importance and sector exposure.

Next, assign visible ownership. Thailand's guidance is clear that organisations need someone senior to take responsibility, supported by business, technical, legal and compliance functions. Whether you call it an AI governance council or use an existing governance forum, the point is to create a standing decision process before AI scales.

Then move from principle to evidence. Use a readiness assessment, document core use cases, record the purpose of each system, define human oversight, test for bias and reliability, and set escalation paths for failure, misuse or customer complaints. If a regulator later asks how you governed AI, this internal record will matter more than general statements about innovation.

Finally, monitor Thai regulatory development closely. Even if your current use case sits outside financial supervision or another clearly regulated sector, the draft AI law shows the direction of travel. Organisations that can already show disciplined governance, clear documentation and proportionate controls will be far better placed if Thailand moves from soft law to a firmer risk-based regime.

FAQs

Does Thailand already have a dedicated AI law in force?

Thailand appears to be moving toward one, but the official sources reviewed for this article still show a draft principles stage rather than a final comprehensive AI statute in force across the whole economy.

Who are the key public bodies for AI governance in Thailand?

The National AI Committee sets national direction, the Ministry of Digital Economy and Society is central to policy, ETDA has led much of the practical governance work through AIGC, and sector regulators such as the Bank of Thailand can apply stricter rules inside their own domains.

Are ETDA's AI ethics and governance guidelines legally binding?

Generally, they operate as soft law. They are highly relevant and increasingly influential, but they are not the same as a statute or licence condition unless a sector regulator or another legal instrument gives them harder effect in a specific context.

What principles sit at the core of Thailand's AI ethics model?

The official ethics guideline centres on sustainable development and competitiveness, legal and ethical compliance, transparency and accountability, security and privacy, fairness and inclusion, and reliability.

How does Thailand regulate high-risk AI today?

Today, high-risk uses are dealt with through a mix of existing law, sector supervision and internal governance expectations. The clearest formal move toward a dedicated high-risk system is still the draft AI law, which is not yet final.

Is the ASEAN Guide on AI Governance and Ethics binding on Thai organisations?

No. It is a voluntary regional guide. Its main value is to support alignment and interoperability across ASEAN, while each member state keeps its own legal framework.

What should a foreign AI supplier selling into Thailand do now?

Do not wait for a future AI Act. Map your Thai use cases, identify whether personal data or regulated sectors are involved, localise governance documents and disclosures where needed, and prepare evidence of human oversight, testing, accountability and incident handling.

Does Thailand's model include AI sandboxes?

Sandboxes are part of Thailand's policy direction and appear in both the national strategy and the draft AI law discussion, but a single general AI sandbox is not yet the centrepiece of the current framework. For now, sandboxes are better understood as a governance and innovation tool under development.

Sources