Thailand’s New AI Laws: Business Compliance Guide for 2026

BANGKOK – Thailand is close to locking in new rules for artificial intelligence, with enforcement expected from 2026. These rules, often called Thailand’s New AI Laws, are still in draft form in late 2025, but the main direction is already clear. Businesses that use AI, even in simple ways like chatbots or scoring tools, will feel the impact.

The draft law follows a risk-based and sector-specific model, similar in spirit to the EU AI Act but tuned to local needs. AI systems that could harm safety or rights will be labelled high risk and will face strict duties around documentation, human oversight, and transparency. Some types of AI, such as hidden manipulation, abusive use of sensitive data, or certain biometric systems in public spaces, are likely to fall into a prohibited group.

For Thai companies, from SMEs to banks and retailers, this means early preparation is not optional. Teams will need to map where AI is used, judge the risk level, and align with upcoming rules, including any sector guidance that builds on Thailand’s broader AI regulations for Thai businesses. Getting ready in 2025 will reduce cost, pressure, and business disruption in 2026.

This guide is written for owners, managers, and in-house counsel who want clear, plain-language answers, not legal jargon. It will walk through key concepts like high-risk and prohibited AI, practical steps for compliance, and what to watch as the draft moves toward final law. It is a practical overview, not formal legal advice, so readers should treat it as a starting point for their own compliance planning.

Overview of Thailand’s New AI Laws for 2026

Thailand’s New AI Laws are not yet final in late 2025, but the shape of the rules is already clear. The Electronic Transactions Development Agency (ETDA) has set out Draft Principles of the AI Law, and these give businesses a good picture of what to expect from 2026 onwards. For any company that uses AI, from chatbots to credit scoring tools, this is the right moment to prepare rather than wait for the final law to land.

Current status of Thailand’s AI regulation in late 2025

As of late 2025, Thailand still has no single, final AI law in force. What it has are draft rules, led by ETDA, that are going through public consultation and revision.

Key points about the current status:

• ETDA restarted work on AI regulation in 2025 after a long pause.
• It published the Draft Principles of the AI Law and opened them up for comments.
• Public feedback ran through mid-2025, followed by more hearings and expert reviews.

Legal and policy summaries, such as Thailand Resumes Development of AI Regulatory Framework, confirm that ETDA is now refining the text and aligning it with feedback from industry, academics, and civil society.

In simple terms, Thailand is in the last big review stage. The process looks roughly like this:

1. Draft Principles published and opened for comments.
2. Feedback collected from companies, tech groups, and the public.
3. ETDA revises the draft, with more hearings expected through late 2025.
4. The government moves a final bill through formal law-making in 2026.

No one has an exact date for the final law, but most observers expect the main rules to start to bite from 2026. The delay does not mean the law is weak. It shows that officials want to test the ideas and close gaps before turning them into binding duties.

The draft framework is risk based and sector specific. That means there will not be one heavy rulebook that treats a spam filter the same as a medical diagnosis tool. Instead:

• Higher risk AI (like credit scoring that affects loans, or medical triage systems) will face stricter controls.
• Lower risk tools (like basic customer service chatbots) will face lighter, more flexible duties.
• Individual regulators in finance, health, transport, and other fields will set detailed rules for their own sectors.

So, the Ministry of Finance and related regulators will define what “high-risk AI” means in banking. Health authorities will do the same for hospitals and clinics. A central AI body will sit on top to handle cross-sector issues.

The Draft Principles also make clear who will be affected by Thailand’s New AI Laws:

• AI developers that build systems inside or for use in Thailand.
• Importers that bring AI products or models into the Thai market.
• Providers that offer AI as a service or embed it in their platforms.
• Users (often called deployers) such as banks, retailers, hospitals, and even some SMEs that rely on AI in their operations.

Early preparation matters. Companies that start in 2025 and early 2026 can:

• Map where AI is used in their business.
• Identify which uses may fall into “high-risk” categories.
• Clean up data practices so they already match PDPA and expected AI duties.
• Design simple human oversight steps for important AI decisions.

Firms that wait for the final law will face a tight deadline, higher consultancy costs, and more stress. Those that prepare now will spread the workload and avoid rushed, expensive fixes later. Practical guidance in sources such as Thailand’s AI Law Draft: Risks & Responsibilities already helps businesses sketch out future compliance plans.

Key goals behind Thailand’s New AI Laws

Thailand’s New AI Laws are built around a simple idea: support useful AI while protecting people from serious harm. The Draft Principles reflect a few clear policy goals that most businesses can understand without legal training.

The main goals include:

• Protect people’s rights so AI does not unfairly damage someone’s job chances, income, health, or privacy.
• Avoid serious harm from risky AI uses, such as faulty medical tools or unfair credit scoring.
• Support trustworthy innovation so Thai and foreign companies still want to build and test AI in Thailand.
• Keep Thailand competitive as other countries, including those in the EU and Asia, move ahead with their own AI laws.

To reach these goals, the law uses a risk-based approach. AI that can seriously affect someone’s life gets the most attention. For example:

• A credit scoring system that decides who gets a loan must avoid unfair bias, explainable errors, and hidden discrimination.
• A medical AI tool that helps doctors spot cancer must be tested properly, monitored in real use, and backed up by human review.

Low-risk uses, like a simple chatbot that tracks order status, will not face the same heavy rules. They still need basic transparency and respect for data privacy, but the duties will be more flexible.

The draft also tries to strike a balance:

• If the law is too strict, small businesses might stop using AI at all, which would slow growth and reduce innovation.
• If the law is too weak, people will lose trust in AI, and scandals could slow adoption anyway.

To find the middle ground, the Thai model looks in part at the EU AI Act, but it does not copy it. The EU model is more centralised, with long lists of banned and high-risk systems. Thailand, by contrast, wants a sector-led structure, where local regulators and experts can tune the rules to Thai markets and risks.

Three themes run through the Draft Principles:

• Safety: AI should not create unreasonable risk to health, security, or public order.
• Transparency: People should know when AI is used and, in important cases, get clear information on how decisions are made.
• Growth: Companies should still feel free to test and roll out helpful AI, including through tools like regulatory sandboxes and shared datasets.

For business readers, Thailand’s New AI Laws are not meant to kill AI projects. They are designed to push bad and sloppy AI out of the market and reward systems that are safe, explainable, and fair. Firms that already build AI with these values in mind will find the shift to the final law much easier.

Risk Categories and What They Mean for Business Compliance

Thailand’s New AI Laws work on a simple idea: the higher the risk, the tighter the rules. Every AI system will sit in a risk category, and that label will drive how much governance, documentation, and human control a business needs to show in 2026.

In practice, Thai companies will need to do three things:

• Work out which category each AI system falls into.
• Apply the right level of controls to match that risk.
• Record those choices in a way that can be explained to regulators, clients, and users.

Public summaries of the draft, such as Thailand’s draft AI law overview from Norton Rose Fulbright, confirm that prohibited and high risk uses will sit at the top of the pyramid, while most business tools will be treated as lower risk but not risk free.

Prohibited‑risk AI: Systems likely to be banned outright

Prohibited‑risk AI sits at the top of the risk ladder. These are systems that lawmakers see as inherently harmful or deeply manipulative, where no amount of control can make them safe enough for normal use.

Under Thailand’s New AI Laws, once an AI use is formally tagged as prohibited risk, it is likely to be banned altogether, with possible criminal or heavy administrative penalties for those who provide or use it. Legal briefings such as Thailand’s comprehensive AI governance strategy note that this top tier will be reserved for the most worrying practices.

Examples that are likely to fall into this category include:

• Covert behavioural manipulation AI that secretly targets a person’s weaknesses or emotions, for example a system that uses hidden profiling to push gambling or high‑interest loans at people who are in debt or mentally unwell.
• Exploitative social scoring Systems that score or rank people based on behaviour, beliefs, or background in a way that can cut them off from housing, jobs, or public services. For instance, a scoring tool that downranks job candidates based on their neighbourhood, religion, or political views.
• Unlawful mass surveillance Real‑time facial recognition in public spaces that tracks people across Bangkok without a clear legal basis, proper safeguards, or court oversight. This kind of tool mixes biometric data, location tracking, and profiling in a way that regulators view as very hard to control.
• Abusive use of sensitive traits AI that tries to infer race, health conditions, or sexual orientation from images, voice, or browsing patterns, then uses that output for targeting, discrimination, or exploitation.

For Thai businesses, the message is clear: anything that looks like manipulation, repression, or blanket surveillance is a red flag. Even if the final law leaves details to sector regulators, companies should not wait.

Practical steps before 2026:

1. Map any AI with a strong influence on emotions or behaviour, especially in ads, political content, or financial offers.
2. Check for hidden profiling based on sensitive traits, or systems that track people in public spaces.
3. Plan to phase out or radically redesign any tool that might fall into a prohibited pattern.
4. Record decisions, so if a regulator asks in 2026, the company can show it checked and adjusted use in good faith.

This is not a theoretical exercise. By 2026, using prohibited‑risk AI will not just be poor practice, it could be unlawful and expensive.

High‑risk AI: Extra rules for sensitive and powerful systems

High‑risk AI sits on the next rung down. These systems are allowed, but they can affect people’s rights, safety, or income in a direct way, so regulators will expect strong controls and clear evidence of responsible use.

According to commentaries on the draft, such as Thailand’s AI Law Draft: Risks & Responsibilities, the final law will probably leave detailed lists to sector regulators. Even so, most businesses can already guess the typical high‑risk areas.

Common examples include:

• Hiring and HR Screening CVs, ranking candidates, or predicting performance and attrition. Bias or errors here can shut people out of work.
• Credit scoring and lending Scoring systems that decide if someone gets a loan, card, or mortgage, as well as what interest rate they pay.
• Insurance underwriting and claims Models that set premiums, flag fraud, or decide if a claim is paid.
• Healthcare and medical support AI that helps with diagnosis, triage, imaging, or treatment planning in hospitals and clinics.
• Education and exams Tools that grade tests, rank students, or decide who gets into courses and programmes.
• Critical infrastructure and security AI used in power grids, traffic management, industrial control systems, or key cybersecurity tools.

For these kinds of systems, Thailand’s New AI Laws are likely to expect a package of controls, for example:

• Risk assessments before deployment and on a regular basis.
• Testing and validation to check for accuracy, bias, and unwanted side effects.
• Human oversight, where trained staff can review and override AI decisions.
• Logging and monitoring so decisions and model behaviour can be traced and audited.
• Clear documentation covering data sources, training methods, model limits, and known risks.
• User‑facing explanations for people affected by the decision, especially where income, health, or access to services is involved.

For a typical Thai business, this does not need to turn into an academic exercise. A practical approach might look like:

• Writing a short AI risk register that lists high‑impact systems and why they count as higher risk.
• Using simple checklists or templates when new high‑risk tools are rolled out.
• Training HR, credit, or operations staff on how and when to override AI decisions.
• Keeping basic logs and version history, so the company can trace what the model did, and on which data.

Companies that treat high‑risk tools as “black boxes” will struggle in 2026. Those that can explain what an AI system does, how it was tested, and who is in charge of it, will be in far better shape.

Lower‑risk and everyday AI tools: Still need basic safeguards

Most AI in Thai businesses will not be prohibited or high risk. Customer service chatbots, sales recommendation engines, simple marketing tools, and basic analytics will often sit in a lower‑risk or general‑purpose category.

This does not mean “no rules”. As public summaries like the Lexology overview of Thailand’s draft AI legislation point out, even lighter categories must still respect transparency, safety, and Thai data protection law.

Common lower‑risk tools include:

• Chatbots for FAQs, order tracking, and simple support.
• Product and content recommendation engines on e‑commerce sites.
• Ad targeting tools that use non‑sensitive behavioural data.
• Internal productivity tools, such as AI summarisation and drafting assistants.

For these systems, sensible baseline duties are likely to include:

• Truthful information Marketing copy, chat responses, and AI‑written content should not make deceptive claims or fake human authorship where this would mislead people.
• Basic transparency to users People should know when they are dealing with AI, not a human. A short label like “Virtual assistant powered by AI” is a smart default.
• Respect for PDPA and data rules AI tools must respect Thailand’s PDPA, especially when they track customers across channels, combine datasets, or send data to third‑party providers.
• Simple safety checks For example, configuring a chatbot so it does not give health or legal advice, or limiting automated messages so they do not spam or harass users.
• Light documentation A short record of what the tool does, who provides it, what data it uses, and who is responsible for it inside the business.

Lower‑risk AI often feels “harmless” because it sits in marketing or customer experience rather than core operations. That can tempt teams to roll it out quickly with little review. In 2026, this will be short‑sighted.

Three reasons to treat even everyday tools with care:

1. Risk can grow over time A harmless chatbot can shift into high‑risk territory if it starts collecting health details, salary data, or political opinions.
2. Data misuse spreads fast Poor controls around log data, prompts, and user conversations can lead to PDPA problems, even if the core use looks simple.
3. Transparency builds trust Customers are more willing to engage with AI services when the business is open about where and how AI is used.

A practical rule of thumb for Thai companies in 2026 is simple: assume every AI tool needs at least some transparency, some documentation, and a named owner inside the business. Most tools will stay in the lower‑risk bucket, but the organisation should be able to show that this was a conscious, recorded judgement, not guesswork.

By treating risk categories as a living part of governance, not just a legal label, Thai businesses can keep compliance manageable and still get real value from AI under Thailand’s New AI Laws.

Core Compliance Duties Under Thailand’s New AI Laws

This section turns the big ideas behind Thailand’s New AI Laws into a practical checklist. The focus is simple: who is in charge of AI, how risks are checked, what users must be told, how data is handled, and what proof a company can show if regulators or customers ask questions.

Whether a business is a small online retailer or a major bank, the same pattern applies. Higher risk AI needs stricter controls, deeper records, and closer human oversight. Lower risk tools still need clear owners, basic documentation, and honest communication with users.

Managers can treat the duties below as a starter compliance blueprint for 2026.

AI governance: Who controls AI and who is accountable

Good AI governance is about three things: clear roles, clear rules, and clear oversight. Without these, even a modest AI tool can create big legal and reputational problems.

Thailand’s New AI Laws are likely to expect that someone inside the organisation is visibly in charge of AI use. For most firms, this does not mean building a new department. It usually means adapting existing structures.

A practical setup might include:

• AI lead or focal person One named person, often in legal, risk, IT, or operations, who coordinates AI issues. This person does not have to be a data scientist. Their job is to link technical teams, management, and compliance.
• Small AI committee for bigger organisations In banks, insurers, hospitals, and listed companies, a simple cross‑functional committee can work well. It might include representatives from:
  • IT or data
  • Legal or compliance
  • Risk or internal audit
  • A business owner, such as HR or product
• Clear decision rights The company should define who can:
  • Approve new AI projects
  • Sign off risk assessments for high‑risk use
  • Approve model changes that affect customers or staff
  • Pause or switch off an AI system if things go wrong

  These rights can be written into existing approval flows, rather than starting from zero.

Crucially, high‑risk AI must not run on auto‑pilot. Human oversight means:

• Staff know when AI is making or shaping a decision.
• They have authority to review and override that decision.
• They get training on how to use the system safely and when to say no.

For example, an HR manager who uses an AI CV screener should still review shortlists, not simply accept the top 20 names.

Small and mid‑sized firms can keep this lean. A short AI policy, an appointed AI contact person, and a basic approval checklist may be enough at first. Larger players, especially in sensitive sectors, will likely need more formal governance that lines up with existing risk and audit frameworks, similar to what regulators describe in overviews such as Navigating Thailand’s New AI Playbook.

Written policies do not need to be long. They should cover at least:

• Where AI is allowed or not allowed in the business.
• How high‑risk use is identified and treated.
• Who is responsible for AI risk, testing, and user communication.
• How incidents and complaints will be reviewed.

If a regulator visits in 2026, or asks questions in writing, this simple governance map will be one of the first things they expect to see.

Risk assessments and impact checks before AI goes live

For high‑risk AI, Thailand’s New AI Laws are likely to make formal risk assessments and testing before deployment a core duty. In practice, this means no more silent rollouts of powerful models that touch credit, health, work, or safety.

The good news is that a basic assessment can follow the same pattern every time. It does not have to feel like a legal textbook.

A simple pre‑deployment checklist could look like this:

1. Purpose and scope
   • What problem is the AI meant to solve?
   • Who will be affected, such as customers, staff, or the public?
   • Is it supporting decisions or making them automatically?
2. Data sources
   • Which datasets feed the model, for example internal history, partner data, or public data?
   • Is personal data included, and is there a lawful basis to use it under Thai privacy rules?
   • Are any sensitive traits involved, like health or religion?
3. Possible harms
   • What could go wrong for a single person?
   • What could go wrong at scale if the system fails or behaves badly?
   • How likely are those harms?
4. Bias and fairness risks
   • Could the system treat groups unfairly, such as by gender, age, or region?
   • Has the team run basic fairness tests or sample checks?
   • Are there known blind spots because of missing data?
5. Security and resilience
   • Who can access the system and its data?
   • Could prompts or inputs be abused to gain secrets or break controls?
   • Is there protection against basic attacks, like model misuse or data theft?
6. Fallback and fail‑safe plans
   • What happens if the AI is unavailable or clearly wrong?
   • Can the process continue with human review only?
   • Who is allowed to switch off or roll back the system?

For genuinely high‑risk systems, this assessment should be written down, signed off, and kept up to date. Testing should support the assessment, with evidence of accuracy checks and scenario runs.

Businesses should also document why an AI system is not high risk if they decide that is the case. A short note that explains:

• What the system does.
• Why it is seen as low or moderate risk.
• Which controls apply instead.

This record shows that management thought about risk, rather than guessing. External commentaries on the draft law, such as Thailand’s AI Law Draft: Risks & Responsibilities, already stress the value of this kind of paper trail when regulators ask how an AI was classified.

Early assessments help in three ways:

• They guide design choices while changes are still cheap.
• They allow managers to reject risky ideas before they hit customers.
• They demonstrate good faith if a problem later reaches a regulator or court.

In short, risk assessments should move from being “nice” to “non‑negotiable” for any AI that affects people’s money, health, safety, or legal position.

Transparency, user notices, and human‑readable explanations

Transparency is where legal duty meets customer trust. Under Thailand’s New AI Laws, users should not be left guessing whether they are dealing with a person or a model, especially in high‑impact settings.

Businesses can break transparency into three pieces: notices, explanations, and contact points.

1. User notices about AI use People should be told, in clear language, when AI is used to:
   • Chat or answer questions.
   • Make or support important decisions, such as loan approvals or hiring.
   • Analyse traits or behaviour that might affect how they are treated.

   A short line is often enough, for example: “This service uses AI to help review applications. A human will still make the final decision.”

2. Human‑readable explanations for key decisions Where high‑risk AI is involved, the company should be able to explain in plain Thai (and, if useful, English) how a decision was made. This does not mean revealing trade secrets or complex maths. It means:
   • Naming the main factors that influenced the outcome, such as income range, repayment history, or job requirements.
   • Stating any limits of the system, for example that it does not see certain documents.
   • Giving a basic idea of how the AI is used, like “AI is used to rank applications for review by our staff”.

   Other sectors, such as media, are already wrestling with these issues. For instance, guidance on Generative AI ethics in Asian newsrooms shows how clear labelling of AI‑generated content can support trust when audiences see automated text or images.

3. Contact points, questions, and appeals Users should have an easy way to:
   • Ask if AI was involved in a decision.
   • Request a human review where the decision has serious impact.
   • Complain about errors or unfair outcomes.

   A simple email address or web form that routes to a trained team can meet this duty for many organisations. Larger firms may add phone support or in‑app flows.

To make life easier, companies can create standard templates:

• Short AI use notice for chatbots and online forms.
• A standard “how decisions are made” paragraph for credit, HR, or claims.
• FAQs that explain AI use in each major product.

These templates can be reused and adapted across services, saving time while still respecting the law. They should be drafted in plain Thai, with clear, everyday terms that match local expectations and cultural tone. For international brands serving Thai users, English versions can sit beside Thai text, but local language clarity should be the default, not the afterthought.

Data protection, data quality, and secure AI training

Thailand’s New AI Laws do not sit in a vacuum. They sit beside Thailand’s data protection rules, including the PDPA, and growing guidance on tech governance, for example the analyses found in Thailand Resumes Development of AI Regulatory Framework.

Three themes dominate this area: lawful data use, strong security, and good data quality.

1. Lawful data use AI systems must respect:
   • How personal data was collected, for example consent, contract, or legal duty.
   • What people were told at the time of collection.
   • Any limits on reuse, especially for sensitive data like health records.

   If a dataset was collected for one purpose, such as customer support, and is now used for training a recommendation engine, the company should check if this is compatible with the original notice and PDPA duties. If not, fresh consent, anonymisation, or a different approach may be needed.

2. Strong security controls AI training and operations often involve large, rich datasets. These are attractive targets for criminals and insiders. Practical controls include:
   • Access limits so only staff who need the data can see it.
   • Encryption for data in storage and in transit.
   • Segregation of training environments from live systems where possible.
   • Supplier due diligence for cloud and AI vendors, checking how they protect data.

   Logs should show who accessed which data and when. Security testing should cover both classic IT risks and new AI‑specific risks, such as prompt injection or model extraction.

3. Data quality and fairness Poor data leads to unfair outputs. Skewed history can bake old discrimination into new tools. Companies can reduce this risk by:
   • Removing obvious errors and duplicates through regular data cleaning.
   • Sampling records to check whether certain groups are under‑represented or mislabelled.
   • Avoiding blind reliance on public datasets that may be outdated or biased.

   Where firms use public or synthetic data in regulatory sandboxes or testbeds, they should still respect privacy and confidentiality. Even in a sandbox, personal data must follow PDPA and any sector rules. Guidance on tech governance, such as Rules in Action: Thailand’s Evolving Tech Governance, highlights how experiments with AI should still sit inside proper guardrails.

For small and mid‑sized firms, a short “AI data standard” can bring these threads together. It might say:

• Which data can be used for training and under what conditions.
• How long training and log data will be kept.
• How data will be anonymised or minimised where full identity is not needed.
• Which approvals are required before using new datasets for AI.

Clean, lawful, and secure data is not only a legal issue. It is the foundation for AI outputs that are accurate and fair enough to stand up to regulatory and customer scrutiny.

Documentation, logs, and proof of compliance

Documentation is the backbone of AI compliance under Thailand’s New AI Laws. Regulators, courts, and customers cannot see inside a model. What they can see are the records that show how it was built, tested, and run.

Good documentation does not have to be heavy. It has to be structured, consistent, and honest. Small teams can use short templates; large groups may choose more formal systems, but the core ideas are the same.

Key items to document include:

• Design and purpose A short description of each AI system, its goal, and where it sits in business processes.
• Data sources and processing Lists of key datasets, how they were collected, and how they are used in training or operation.
• Risk assessments and decisions Copies of pre‑deployment assessments, notes on risk classification (prohibited, high, or lower risk), and any mitigation steps taken.
• Testing and validation results Records of accuracy tests, bias checks, scenario runs, and any issues found and fixed.
• Policies and procedures Current versions of AI policies, governance diagrams, and incident response playbooks.

A simple way to keep this manageable is to create a one or two‑page “AI system file” for each meaningful tool. This can sit in shared storage and be updated when things change.

Logging is the other side of this coin. AI systems, especially high‑risk ones, should keep logs of:

• When and how the system was used.
• Key decisions or recommendations the system produced.
• Any overrides or manual interventions.
• Errors, anomalies, or user complaints linked to the system.

These logs do not need to record every technical detail, but they should be rich enough to:

• Reconstruct what happened in a disputed case.
• Spot patterns that show bias, drift, or misuse.
• Support internal audits and external reviews.

External input to the draft law, such as the BSA Recommendations for Draft Principles of the Law on AI, underlines how important traceability and logging are for high‑risk use.

When problems appear, good records can turn a crisis into a manageable incident. They help a business:

• Show that it took reasonable steps.
• Fix root causes rather than only symptoms.
• Communicate clearly with customers, partners, and regulators.

In practice, proof of compliance is a mix of:

• Written policies and system files.
• Signed assessments and approvals.
• Logs and reports that match daily reality.

If all three lines up, the company stands on solid ground in 2026, even if something goes wrong. Without them, it will struggle to defend its AI use, no matter how advanced the technology may be.

Sector‑Specific Impacts: How Thailand’s New AI Laws Affect Key Industries

Thailand’s New AI Laws use one risk framework, but the real pressure will come through sector regulators. Banks, hospitals, retailers, and manufacturers will all work under the same core rules, yet each will see extra guidance, checklists, and inspections tailored to its own risks.

For readers planning ahead for 2026, it helps to look at how regulators in finance, commerce, health, and industry are likely to apply the general AI law in practice, building on early legal analysis such as the sector‑focused overviews in Key Concerns and Provisions in Thailand’s Draft AI Regulation.

Financial services and fintech: High scrutiny for AI credit and fraud tools

Finance will sit at the sharp end of Thailand’s New AI Laws. Banks, non‑bank lenders, brokerages, and payment firms already rely on AI for credit scoring, fraud detection, AML monitoring, trading, and claims review. These systems touch people’s money and access to basic services, so they are natural candidates for the high‑risk label.

Sector regulators are likely to combine the AI law with existing banking, securities, and consumer‑protection rules. That means AI will not replace older standards on fair lending, KYC, or conduct; it will sit on top, raising the bar for controls and documentation. Commentators already expect stricter oversight of AI in credit and trading, as seen in coverage of Thailand’s AI regulations in finance.

Firms in this space should expect at least:

• Explainable models Credit and fraud models do not need to be simple, but they must support clear explanations for customers and regulators. Lenders will need to state the main factors behind a loan refusal, such as income level, repayment history, or recent defaults, and show that protected traits did not drive the outcome.
• Bias checks and fair lending controls Supervisors are likely to ask for regular testing to spot indirect discrimination, for example where postcode, employer, or education acts as a proxy for race, religion, or social class. This ties into long‑standing rules on fair treatment, but with stronger expectations for written tests and remediation plans.
• Human review for hard or borderline cases High‑impact decisions, such as large loans or account closures for suspected fraud, will need human oversight. Staff should be able to override an automated score if context suggests the AI is wrong, and firms will need to log when and why this happens.
• Clear customer appeal channels Customers who are refused a product, flagged as high risk, or put under extra checks by AI tools should have simple ways to contest the decision. That might mean an appeal form, hotline, or branch process that triggers a human re‑review, with response times set out in policy.
• Layering with existing financial regulation The Bank of Thailand, SEC, and other bodies will not drop existing circulars or guidelines. Instead, they are likely to issue AI‑specific notices that refer back to long‑standing rules on model risk, outsourcing, and IT governance. Firms should treat AI compliance as an extension of current model‑risk and operational‑risk frameworks, not as a separate project.

For fintech start‑ups, this can feel demanding, but there is an upside. Those that can show strong governance and explainable AI are more likely to win licences, bank partnerships, and cross‑border approvals as regional standards tighten.

Retail, e‑commerce, and marketing: Personalisation without unfair manipulation

Retailers and online platforms already use AI in almost every part of the customer journey. Product recommendations, search ranking, stock prediction, chatbots, loyalty offers, and dynamic pricing engines are now standard for many Thai businesses.

Most of these tools will sit in a lower‑risk category under Thailand’s New AI Laws, because they rarely decide on core rights such as health or housing. They can still cause harm, however, if they mislead shoppers, hide key information, or put unfair pressure on vulnerable users.

Practical safeguards in this sector are likely to focus on fairness and transparency, not heavy technical audits:

• Honest and visible AI chatbots Customer service bots should be clearly labelled, for example “AI virtual assistant”. Users must have an easy way to reach a human for complex issues, refunds, or complaints. This simple step reduces frustration and aligns with expected transparency duties.
• Limits on targeting vulnerable groups Marketers may need internal rules that restrict aggressive targeting of children, people in debt, or those searching for health or addiction support. For instance, an ad engine could be barred from pushing high‑interest credit to users browsing debt‑relief pages.
• Guard rails for dynamic pricing and recommendations Dynamic pricing can be useful, but if it quietly charges higher prices based on traits like device type or location in a way that feels unfair, it risks drawing regulatory attention. Retailers should document how pricing rules work and review them for unreasonable bias or exploitation.
• Easy opt‑outs from personalisation Customers should be able to switch off certain kinds of tracking or profiling without losing access to basic services. A simple toggle for “less personal recommendations” or “standard pricing only” can both support PDPA duties and build trust.

Better transparency in this space is not only a compliance shield. Clear labels, honest recommendations, and simple controls for personal data tend to drive repeat sales, because customers feel respected rather than tricked into buying more than they planned.

Healthcare and life sciences: Patient safety and data sensitivity first

Healthcare will carry some of the strictest expectations under Thailand’s New AI Laws. Hospitals, clinics, insurers, and health‑tech start‑ups are already testing AI for diagnosis support, triage, imaging analysis, personalised treatment plans, and remote monitoring. These tools promise faster care and earlier detection, but even small errors can hurt patients.

This sector is almost certain to sit in the high‑risk bucket, with health regulators adding detailed guidance on top of the general AI framework. Three pillars will stand out: testing, data protection, and human oversight.

• Careful testing and clinical validation Any AI that influences clinical decisions should go through structured trials and validation, ideally with local data and Thai clinical input. Providers will need to show accuracy levels, failure rates, and known limits, and they should keep records of updates and post‑deployment performance.
• Strong protection for medical and genetic data Health information is both sensitive and attractive to attackers. AI projects will have to respect PDPA, medical secrecy rules, and sector norms on consent and secondary use. De‑identification, access controls, and strict purpose limits will be central for training and operating models in hospitals and labs.
• Doctors and clinicians stay in charge The law is unlikely to accept “AI‑only” decisions for diagnosis or treatment. Human professionals should remain responsible for key calls, with AI treated as a support tool. That means clear interfaces that highlight when AI is speaking, training so clinicians understand strengths and weaknesses, and procedures for overriding AI advice.
• Clear communication with patients Patients deserve to know when AI is helping with their care, what role it plays, and who they can speak to if they are worried. Simple notices and consent forms can explain, for example, that an AI helps read scans, but a doctor reviews all results before any treatment is chosen.

Health‑tech firms that invest early in medical partnerships, robust validation, and privacy‑by‑design will find it far easier to convince regulators, hospital boards, and insurers that their products are safe for wide rollout.

Manufacturing, logistics, and smart infrastructure: Safety and reliability

In factories, ports, warehouses, and city systems, AI is less about credit scores and more about physical outcomes. Robotics, computer vision, predictive maintenance, route optimisation, and smart traffic control are already part of Thailand’s growth plans, as seen in policy pushes tied to automation and smart cities.

Under Thailand’s New AI Laws, many of these tools will start in a medium or lower‑risk category. They can move into higher risk if they control machines or infrastructure where failures could injure workers or disrupt key services.

Businesses in these sectors should expect compliance to revolve around safety, reliability, and response plans:

• Strong testing before AI touches physical systems Any system that directs robots, vehicles, or heavy machinery should be tested in controlled environments first. Simulation, sandbox lines, and supervised trial runs can reveal edge cases before a model gets near a live production floor or public road.
• Continuous monitoring and incident response Predictive maintenance tools, routing engines, and smart sensors should feed into clear dashboards and alerts. When behaviour looks odd or error rates rise, staff must know how to intervene, roll back to manual control, and log the event for later review.
• Pilot projects and staged rollouts Rather than switching entire factories or logistics networks to AI in one step, firms are likely to favour pilots, then phased expansion by site, shift, or product line. Each phase can include a safety review, worker feedback, and, if needed, model retraining.
• Worker involvement and training Operators, drivers, and maintenance staff are often the first to spot unsafe behaviour from AI‑driven systems. Training them to recognise problems, stop operations, and report incidents will be as important as the technical checks. Their experience should feed into risk assessments and model updates.

For smart infrastructure projects, such as traffic signals or public transport scheduling, city authorities will probably issue extra guidance on resilience and public communication. If an AI glitch disrupts services, officials will want clear logs, a timeline, and proof that there were fallbacks and manual controls.

Across all these sectors, the pattern is clear. Thailand’s New AI Laws set the risk‑based frame, but sector regulators will define the daily rules. Businesses that already treat safety, fairness, and clear human control as design requirements, not add‑ons, will be in the strongest position by 2026.

Related News:

AI Breakthroughs Reshaping Thailand’s Startup Scene in 2025