Thailand's AI Act came into force on 1 March 2026. The change is quiet but real. Enterprise AI teams now carry new duties on top of PDPA (the Personal Data Protection Act). Three weeks earlier, on 17 February 2026, the Personal Data Protection Committee (PDPC) released draft Guidelines on Personal Data Protection in AI Development and Use. The draft is open for public consultation. Together, these two instruments form the first serious enterprise AI governance framework in Southeast Asia. Most teams have not yet done the work.
This piece is a practical map. It shows what changed, what stayed the same, and what a Thai enterprise AI team should do in the next 90 days.
The regulatory layer cake Thai enterprises now operate inside
Three instruments now apply at the same time. First is PDPA, in force since 2022. It governs any processing of personal data. The PDPC has been clear that 'processing' covers training, fine-tuning, inference, and retrieval against personal data. It applies whether the work is manual, algorithmic, or model-based. Second is the AI Act, effective 1 March 2026. It uses a risk-based classification model inspired by the EU AI Act. But most classification authority is delegated to sector regulators. Banking AI is classified by the Bank of Thailand (BoT). Healthcare AI is classified by the Ministry of Public Health (MoPH). Third is the draft PDPC AI Guidelines. They are not yet binding. They signal where enforcement will go once they are finalised.
For enterprise teams, duties no longer come from one regulator. Take a credit-decision pipeline at a Thai bank. It is subject to PDPA at the same time as the AI Act and BoT circulars on algorithmic fairness. PDPA covers data minimisation, lawful basis, and data subject rights (DSR). The AI Act adds high-risk classification, testing, and approvals. The governance question has shifted. It is no longer 'who owns AI compliance?' It is now 'have we mapped every system to every regulator that touches it?'
What counts as 'high-risk' under the Thai framework
The AI Act borrows the EU's four-tier structure. Tiers run from unacceptable to high-risk, limited-risk, and minimal-risk. But the Thai scope is narrower and more sectoral. High-risk in practice covers AI used in loan and credit decisions. It also covers automated hiring and employee evaluation. It includes healthcare diagnostics and triage. It includes law enforcement and judicial decision support. It includes critical infrastructure control. These systems require documented risk assessments and pre-deployment testing. In some sectors, regulators must sign off before production.
Limited-risk systems include chatbots, recommendation engines, and content-generation tools. They still need clear user notice ('you are interacting with an AI'). They need output labelling where outputs could be mistaken for human work. They need a named internal owner. Minimal-risk systems, like spam filters and internal productivity AI, carry no specific duties beyond PDPA when personal data is involved.
Where the Thai Act diverges from the EU AI Act
Three differences matter for teams with both EU and Thai exposure. First, sectoral delegation means you engage individual regulators, not a single AI Office. A financial-services team works with the Bank of Thailand. A health-tech team works with the MoPH. Second, Thai penalties tie to existing sectoral enforcement regimes. They do not use the EU's headline figure of 7% of global turnover. But cumulative exposure across PDPA (up to 5M THB per violation) and sectoral fines can be substantial. Third, and most important for GenAI builders, the Thai Act says less about general-purpose AI (GPAI) models. Foundation-model governance is left mostly to the draft PDPC Guidelines.
The practical consequence is direct. A Thai enterprise selling into EU customers must still prepare for EU AI Act Annex III enforcement. Annex III kicks in on 2 August 2026. Recent audits show the gap is wide. Vision Compliance's April 2026 readiness report covered 12 sectors. It found that 78% of enterprises had taken no meaningful steps toward AI Act compliance. 83% had no formal inventory of their AI systems. 74% had no designated governance owner.
A 90-day readiness sprint
The work that closes the compliance gap is unglamorous and sequential. Weeks 1–2: inventory every AI system. Cover production, pilots, shadow tools, and vendor-embedded AI. Your CRM's AI features count. For each, capture purpose, data inputs, model provenance, decision authority, and current human-in-the-loop. Weeks 3–4: classify each system. Map it against the Thai Act's risk tiers. If you have EU exposure, also map it against the EU AI Act's Annex III list. This is where most teams discover their HR screening tool or credit triage bot is high-risk.
Weeks 5–8: build the documentation backbone. For high-risk systems this means technical documentation. That includes model cards, datasheets, and evaluation metrics. Add data-governance records and a written human-oversight procedure. Set up an incident-reporting channel with a 72-hour SLA. Weeks 9–10: assign a named owner per system. Not a committee. An individual. They need authority to pause or roll back. Weeks 11–12: run a tabletop exercise against a worst-case scenario. Pick one: algorithmic bias surfaces in production, a regulator requests your audit trail, or a data subject requests erasure from a training set.
Teams that treat this as a paper exercise will fail the first real audit. Teams that treat it as an engineering exercise win. They embed logging, lineage capture, and evaluation harnesses into the AI delivery pipeline. They end up with governance that actually works. The same systems are also easier to debug in production.
Where most teams get stuck
Three anti-patterns recur in the enterprise AI work we see in Thailand and the region. First, 'governance as a slide deck'. Legal teams write policies that never touch the delivery workflow. Engineers keep shipping. Compliance reviews happen after the fact. Second, 'shadow AI sprawl'. Business units quietly adopt SaaS tools with embedded AI. Note-takers, research assistants, and image generators silently push customer data through third-party models. The inventory misses them. Third, 'EU-first, Thailand-later'. Teams with EU customers build for the EU AI Act and assume Thai compliance follows. They miss the sector-regulator-specific duties that no EU framework covers.
The companies pulling ahead do the opposite. They treat the Thai AI Act as the base layer. The PDPC Guidelines act as the forcing function for foundation-model governance. The EU AI Act is an additive overlay for the subset of systems with EU data flows. They embed compliance into CI. Every model deployment goes through an automated governance check. They do not bolt it on with a quarterly review.
What this means for the next quarter
Thailand's enterprise AI buildout is accelerating. Microsoft's $1B investment commitment earlier this year signals the scale of infrastructure coming online. The Stanford AI Index 2026 puts generative-AI adoption ahead of the PC and internet curves. Regulators are not ahead of this wave. But they are catching up faster than most teams expect. The PDPC's 17 February draft guidelines will move from consultation to enforcement within the year.
If you have not yet mapped your AI estate, this quarter is when you do it. If you have, the next move is to automate the evidence. Capture lineage, evaluations, approvals, and incidents continuously. Do not reconstruct them under duress. Governance is becoming an engineering problem. Teams that treat it that way will ship faster, not slower.
