Thailand's New AI Act Could Force Global Companies to Rethink Their Strategies
Thailand has taken a major step toward comprehensive AI regulation, releasing a draft AI Act that could reshape how global companies deploy artificial intelligence in Southeast Asia. On July 2, 2026, Thailand's Electronic Transactions Development Agency (ETDA) released a revised draft for public consultation, signaling the country's shift from voluntary governance principles to enforceable regulatory requirements.
Why Should Companies Outside Thailand Care About This Law?
The most significant aspect of Thailand's draft AI Act is its extraterritorial reach. The law applies to any AI development, deployment, or activity that affects individuals in Thailand, regardless of where the AI provider is located. This means a company based in the United States, Europe, or anywhere else could face compliance obligations if its AI systems serve Thai users. Foreign AI providers may also be required to appoint a local representative or authorized coordinator in Thailand, potentially with broad authority to act on the company's behalf, similar to how Thailand's data protection laws operate.
This extraterritorial approach mirrors a broader global trend. As noted in a comprehensive regulatory tracker, jurisdictions worldwide have taken substantially different approaches to AI regulation, increasing the risk that businesses face from a fragmented and inconsistent regulatory environment. Thailand's draft law adds another layer to this complexity, particularly for companies already navigating the European Union's AI Act and other regional frameworks.
What Does Thailand's Risk-Based Framework Actually Require?
Thailand's draft AI Act adopts a risk-based model influenced by international frameworks such as the EU AI Act, but tailored to Thailand's legal and economic priorities. The framework categorizes AI systems into distinct risk tiers, each with different compliance obligations:
- Prohibited AI: Certain AI systems involving cognitive and behavioral manipulation, unfair discrimination from processing irrelevant data, and other uses deemed unacceptable are banned outright.
- High-Risk AI: Systems designated by future regulations in sectors affecting national security, healthcare, energy, telecommunications, transport, and public utilities face stringent requirements.
- Designated AI Systems: Additional registration, licensing, or regulator notification requirements may be mandatory before deployment.
For providers of high-risk AI systems, the draft Act imposes a range of governance obligations designed to embed responsible AI throughout the AI lifecycle. These include requirements to ensure AI systems are fit for purpose, transparent, subject to meaningful human oversight, fair and non-discriminatory, and supported by appropriate risk management and mitigation processes. Regulators may also issue detailed guidelines covering risk management, bias mitigation, cybersecurity, human oversight, transparency, and complaint handling.
Deployers of high-risk AI systems face similar obligations, including the need to implement risk management and mitigation processes, maintain operational logs (currently proposed as a minimum six-month retention period), designate responsible personnel, and report unforeseen AI risks to regulators.
How Should Organizations Prepare for Thailand's AI Regulation?
Organizations developing, deploying, or using AI systems that affect individuals in Thailand should begin assessing their compliance obligations now. Here are the key steps to consider:
- Audit Your AI Systems: Identify which of your AI systems could affect Thai users and classify them according to the risk-based framework outlined in the draft Act. Determine whether any systems fall into the prohibited, high-risk, or designated categories.
- Establish Local Representation: If you lack an existing presence in Thailand, begin planning for the appointment of a local representative or authorized coordinator who can act on your behalf and ensure compliance with Thai regulations.
- Implement Governance Controls: Develop policies and processes for transparency, human oversight, bias mitigation, and risk management that align with the draft Act's requirements. Document your AI systems' data sources, model logic, and known limitations.
- Monitor Generative AI Obligations: If your organization develops or uses generative AI systems, understand the specific requirements for risk assessments, machine-readable identifiers in AI-generated content, and disclosure obligations for AI-generated content related to elections, investments, national security, and impersonation.
- Track Implementation Timeline: Core measures relating to the launching of AI products take effect immediately upon publication, with others to take effect 180 days after publication. Plan your compliance roadmap accordingly.
Thailand aims to finalize the draft Act in 2026, and the law introduces a strict liability regime, meaning liability may arise independent of actual intent or negligence, subject to limited statutory defenses. Regulators can order providers and deployers to remediate non-compliant measures, seek court orders suspending AI services or deployments, require product recalls, request that internet service providers block access to AI systems in Thailand, and impose administrative fines of up to 5 million Thai Baht, approximately $150,600.
How Does Thailand's Approach Compare to Global AI Regulation Trends?
Thailand's draft AI Act reflects a broader global pattern in AI regulation, though jurisdictions continue to take substantially different approaches. One foundational challenge is that "AI" means different things in different jurisdictions. The EU AI Act adopts a definition based on the OECD's definition, Canada has proposed a similar though more concise definition, various US states have proposed their own definitions that differ from one another, and many jurisdictions including the UK, Israel, China, and Japan do not currently provide a comprehensive definition of AI.
Emerging AI regulations also come in different forms. Some are statutes, some are executive orders, and some are expansions of existing regulatory frameworks. The EU AI Act is a regulation that applies directly in all EU Member States, while the UK has declined to legislate at this early stage and instead tasked existing regulators with interpreting five AI principles in their respective spheres. In the US, there is a mix of White House Executive Orders, federal and state initiatives, and actions by existing regulatory agencies.
Thailand's approach, like that of many jurisdictions, seeks to balance encouraging AI innovation and investment with creating rules to protect against possible harms. The draft Act includes a regulatory sandbox framework and encourages voluntary compliance with recognized AI governance best practices, signaling that Thailand intends to combine enforcement with support for innovation.
The overlap between AI regulation and other areas of law is also complex. A substantial number of laws that are not directly focused on AI nevertheless apply to AI by association within their respective spheres, including intellectual property, antitrust, data protection, and merger and acquisition law. Any use of AI will often trigger compliance issues and legal challenges even where there is not yet any enforceable AI-specific law.
For multinational organizations, the fragmented regulatory landscape creates significant compliance challenges. Many businesses are adopting a "highest common denominator" approach to identifying AI based on the strictest applicable standard across all jurisdictions where they operate. Thailand's draft AI Act, with its extraterritorial reach and comprehensive risk-based framework, represents another important piece of this evolving global puzzle.