Thailand is once again moving forward with AI regulation in an effort to establish a comprehensive framework for the use of artificial intelligence in the country. On 1 October 2025, the National Cyber Security Agency, an agency under the Ministry of Digital Economy and Society, published the “AI Securities Guideline” (the Guideline).

The Guideline includes key information, recommendations and best practices from international standards and frameworks such as the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), the European Union Agency for Cybersecurity and the Open Worldwide Application Security Project, as well as relevant laws, practices, and technical reports of Thailand.

The Guideline is structured around four key sections designed to promote the secure and responsible use of AI systems:

  • Introduction: This section highlights the importance of AI system security, the objectives and appropriate use of AI and the scope of secure AI deployment. For example, it emphasises that AI should not be exploited for unethical purposes, such as creating deepfakes or spreading misinformation. Instead, AI should be utilised as a tool to enhance market competitiveness, improve work efficiency and elevate the overall quality of life.
  • Fundamental Principles, Standards, and Overview of AI Security Threats: This section provides an overview of the types and benefits of AI. For instance, the use of AI can lead to greater innovation, increased accessibility (such as text-to-speech conversion), improved productivity and cost efficiency. The section also covers the risks and security threats associated with the use of AI. Examples of these threats include data poisoning, privacy breaches, prompt injection, model extraction and model poisoning. It also outlines standards for responsible AI adoption and references relevant Thai laws, regulations and guidelines.
  • Framework for AI Security System: This section introduces the fundamental principles for AI security systems and security measures based on the AI lifecycle. For example, it underscores the importance of conducting AI security assessments in accordance with ISO/IEC 23894:2023 to identify and mitigate potential system vulnerabilities. Moreover, it indicates that data disposal and erasure in AI systems should comply with ISO/IEC 27002:2022 to maintain data integrity and confidentiality.
  • Good Governance and Risk Management for AI: This section focuses on establishing clear roles and responsibilities, integrating AI-related risks into corporate risk management, and ensuring compliance with Thai laws and international standards. It also highlights the need for regular inspections, certifications and training to build a strong AI governance framework. For example, AI governance should be embedded within the Enterprise Risk Management (ERM) framework and adhere to standards such as the Personal Data Protection Act B.E. 2562 (2019), Cybersecurity Act B.E. 2562 (2019), ISO/IEC 42001:2023 and ISO/IEC 23894:2023.

In summary, Thailand is advancing both its AI laws and AI guidelines. Organisations that develop and use AI should adhere to the Guideline to ensure their AI use complies with the established standards and laws, thereby avoiding any breaches.


