What Businesses Must Know in 2026

Thailand is quietly engineering one of Southeast Asia’s most consequential regulatory shifts. As artificial intelligence becomes increasingly embedded in commerce, finance, and governance, the kingdom is developing a legal framework that will redefine how companies, both local and multinational, build, deploy, and govern AI systems within Thai territory.

Key takeaways

• Thailand is building a comprehensive, risk-based national AI framework that will impose direct legal duties on both AI providers and deployers, with a dedicated AI Governance Center set to oversee enforcement.
• Sector-specific AI regulations in judicial processes, consumer protection, and financial services are already in force, meaning legal exposure for businesses is current, not future.
• Companies must act now by strengthening internal AI governance, updating external-facing documents, and maintaining clear documentation to stay ahead of tightening transparency and accountability requirements.

According to a legal update published on March 9, 2026, by Baker McKenzie, the country’s AI regulatory framework is no longer a distant ambition. It is a developing legal reality, and businesses that fail to prepare now risk being caught flat-footed when the full weight of legislation arrives.

A Framework in Motion, But Not Yet Law

At the heart of Thailand’s regulatory evolution is a comprehensive national AI framework currently in development, with enactment projected within the next few years. The framework is not a patchwork of ad-hoc rules. It is a structured, principles-driven architecture built on a risk-based model, one that classifies AI systems by the severity of harm they may cause and assigns corresponding legal obligations.

This is a design philosophy already proven in the European Union’s landmark AI Act, and Thailand’s adoption of a similar tiered approach signals that Bangkok is watching the global regulatory conversation carefully and choosing to align itself with emerging international standards rather than chart an isolated course.

Under the forthcoming framework, the obligations will be sharpest for those operating at the frontier. High-risk AI providers, those who develop and commercialise AI systems, and deployers, businesses that implement AI tools in their products and services, will face explicit legal duties. The specifics are still being shaped, but the direction is clear: accountability will be demanded at every link in the AI value chain.

Individual Rights at the Centre

Critically, the national framework does not only address industry compliance. It also establishes individual rights in relation to AI, a move that places human dignity and autonomy at the normative centre of Thailand’s AI governance model.

The inclusion of individual rights signals that Thai regulators understand AI regulation is not merely a business compliance exercise. It is, fundamentally, a question of how technology mediates the relationship between citizens, institutions, and power. These rights, when enacted, are expected to give Thai individuals recourse when AI systems affect decisions that touch their lives, from credit assessments and job applications to healthcare triage and judicial processes.

A New Regulator on the Horizon: The AI Governance Center

Oversight of this framework will fall to a newly created body: the AI Governance Center. While its full mandate, staffing, and enforcement powers are yet to be publicly detailed, its creation is the clearest institutional signal yet that Thailand is not merely passing laws. It is building the bureaucratic infrastructure to enforce them.

For businesses, the emergence of a dedicated AI regulator is a pivotal development. It means that, unlike today’s diffuse enforcement environment, there will soon be a single authoritative body empowered to investigate, sanction, and guide AI use across sectors.

Sector-Specific Rules Already in Force

Critically, businesses should not mistake the pending national framework for a regulatory vacuum. Multiple sector-specific rules are already in effect, covering domains as varied as judicial processes, governing the use of AI in legal and court proceedings, consumer protection, setting standards for AI-driven transactions and interactions, and financial services, addressing algorithmic decision-making, risk modelling, and customer-facing AI in banking and fintech. These rules carry immediate legal force. Non-compliance is not a future risk; it is a present one.

Soft Law Is Shaping Hard Expectations

Beyond binding regulations, Thailand has also cultivated a growing body of non-binding guidelines on ethical and responsible AI use. While these documents carry no direct legal penalty, their significance should not be underestimated.

In regulatory practice globally, soft law often precedes hard law. Guidelines shape how regulators interpret ambiguous situations, how courts assess reasonableness, and how enforcement priorities are set. Businesses that dismiss ethical AI guidelines as voluntary risk misunderstand how they function in practice as pre-competitive compliance benchmarks.

The AI and Privacy Nexus: A Draft Under Public Scrutiny

One of the most closely watched recent developments is the release of a draft regulation addressing the intersection of AI and privacy, which has been sent for public hearing. This reflects a recognition, increasingly common among regulators worldwide, that AI and data protection law are inseparable.

AI systems are, at their core, data-processing engines. They ingest personal information, learn from it, generate outputs that reflect it, and often make decisions that affect the people it belongs to. Treating AI governance and privacy regulation as distinct silos was never intellectually coherent, and Thailand’s move to address them together is a significant step toward regulatory coherence.

The Prescription for Businesses: Act Now, Not Later

Baker McKenzie’s Bangkok partners Pattaraphan Paiboon and Kritiyanee Buranatrevedhya, along with associates Aue-angkul Santirongyuth, Pimpisa Ardborirak, and Pirun Suttiprapha, are unambiguous in their guidance to businesses navigating this hybrid environment.

The advice is to act proactively, not reactively. Companies are advised to build internal AI governance frameworks before regulators demand it, documenting how AI is used internally, who is responsible for oversight, and what risk controls are in place. Businesses should also update external-facing documentation, including terms of service, privacy notices, and consumer disclosures, to reflect AI use, particularly as transparency obligations crystallise in law. Maintaining clear, defensible documentation is equally important, as the strength of a company’s position will depend heavily on its paper trail when regulators eventually scrutinise AI deployments. Finally, companies must mitigate legal exposure under existing law, since consumer protection, data privacy, financial services, and tort law already apply to AI-related harms, regardless of whether a dedicated AI law is yet in force.

The Bottom Line

Thailand’s AI regulatory moment has arrived, not with a bang, but with the steady, deliberate accumulation of frameworks, guidelines, sector rules, and now a dedicated oversight institution. The national framework will take time to enact, but the direction is set, and the pace is quickening.

For businesses operating in Thailand, the message from Baker McKenzie is both simple and urgent: the time to build AI governance infrastructure is now, not when the ink dries on legislation, but while there is still space to shape internal culture, update documentation, and get ahead of what will inevitably become mandatory.

Those who treat this moment as a preview rather than a warning will have a significant competitive and legal advantage when Thailand’s AI regulatory architecture reaches full force.

Other People are Reading