ETDA’s Proposed AI Sandbox Signals a New Phase of AI Governance
The Electronic Transactions Development Agency (ETDA) has opened a public consultation on a draft notification establishing an Artificial Intelligence (AI) Sandbox. Although the notification has not yet been adopted, it represents one of the clearest regulatory signals that Thailand is moving toward a structured governance framework for AI systems through a controlled testing environment.
For businesses developing or deploying AI solutions, the proposed AI Sandbox is more than a pilot initiative. It is likely to establish regulatory expectations that may influence future AI compliance standards across multiple sectors.
Why the AI Sandbox matters
Regulatory sandboxes have long been used in the financial sector to facilitate innovation while allowing regulators to observe risks under controlled conditions. The proposed AI Sandbox extends this concept to AI technologies by providing an environment where AI systems can be tested before wider deployment.
Unlike traditional compliance regimes that focus primarily on post-deployment enforcement, an AI Sandbox emphasizes governance during the development and testing stages. This reflects an international regulatory trend toward proactive AI risk management.
Although participation in the Sandbox may initially be voluntary, organizations should not view it merely as an experimental program. Regulatory sandboxes frequently become the foundation for future best practices and may ultimately shape industry standards and supervisory expectations.
A shift toward risk-based AI governance
While the draft notification remains subject to consultation, it suggests that AI governance in Thailand is moving toward a risk-based model.
Businesses should expect greater emphasis on governance measures such as:
- AI risk identification and assessment;
- testing and validation before deployment;
- documentation of AI models, datasets, and development processes;
- human oversight over significant AI-assisted decisions;
- ongoing monitoring throughout the AI lifecycle; and
- governance mechanisms for accountability and incident management.
These principles are broadly consistent with international AI governance developments and demonstrate a growing expectation that organizations should be able to explain not only what an AI system does, but also how risks have been identified and managed.
The proposed framework has implications across numerous industries, particularly where AI systems influence commercial or operational decision-making.
- Technology companies and SaaS providers
- Software developers offering AI-enabled products may need to implement more formal governance processes throughout the product lifecycle. Technical documentation, testing records, model validation, and change management procedures could become increasingly important in demonstrating responsible AI practices.
- Organizations that currently rely on informal development processes may eventually need governance structures comparable to those already used for cybersecurity and information security compliance.
- Financial services and fintech
- Financial institutions already operate within a highly regulated environment. AI governance requirements may become an additional layer of compliance where AI is used for credit scoring, fraud detection, investment services, customer onboarding, or automated decision-making.
- Existing risk management frameworks may therefore need to expand to include AI-specific controls.
- Healthcare and health technology
- Healthcare providers and health technology companies using AI for diagnostics, treatment recommendations, clinical decision support, or patient management are likely to face heightened expectations regarding accuracy, validation, human supervision, and patient safety.
- Testing within a controlled environment could become an important mechanism for demonstrating reliability before deployment.
- HR technology
- Organizations using AI in recruitment, employee evaluation, workforce management, or performance assessment should anticipate closer scrutiny of automated decision-making processes.
- Transparent governance, human review, and measures to reduce discriminatory outcomes are likely to become increasingly significant compliance considerations.
- Digital platforms
- Platform operators deploying generative AI, recommendation algorithms, content moderation systems, or AI-powered customer services may also need stronger governance over system performance, monitoring, and accountability.
- The ability to document how AI systems operate and respond to identified risks may become an important aspect of regulatory compliance.
Interaction with existing legal frameworks
Although the AI Sandbox is intended to facilitate innovation, participation is unlikely to exempt organizations from existing legal obligations.
Organizations testing AI systems would still be expected to comply with applicable laws, including those governing:
- personal data protection under the Personal Data Protection Act;
- electronic transactions;
- cybersecurity obligations;
- consumer protection;
- intellectual property rights; and
- sector-specific regulatory requirements.
For example, organizations using personal data for AI model training or testing should ensure that appropriate legal bases, transparency obligations, data security measures, and data subject rights continue to be observed.
Similarly, businesses developing generative AI applications should continue to assess potential intellectual property risks relating to training data, generated outputs, and ownership of AI-assisted content.
Preparing for future regulatory expectations
Although the draft notification has not yet entered into force, organizations should consider using the consultation period to evaluate their existing AI governance practices.
Practical steps may include:
- identifying AI systems currently in operation;
- classifying AI use cases according to potential risk;
- documenting AI development and deployment processes;
- establishing internal AI governance policies;
- implementing human oversight for significant AI-assisted decisions;
- reviewing contractual allocation of AI-related responsibilities with vendors and customers; and
- ensuring that AI governance aligns with existing data protection and cybersecurity compliance programs.
Organizations that begin implementing these governance measures now are likely to be better positioned if the AI Sandbox becomes operational and if similar requirements are incorporated into future regulatory frameworks.
Looking ahead
The draft AI Sandbox notification demonstrates that Thai regulators are moving beyond high-level discussions about artificial intelligence and toward practical governance mechanisms.
Even if participation remains voluntary during its initial stages, the Sandbox is likely to influence regulatory expectations regarding responsible AI development and deployment. Businesses should therefore view the proposal not simply as a testing initiative, but as an indication of the governance standards that may shape future AI regulation.
The proposed AI Sandbox represents a significant step toward a structured AI governance framework.
The initiative reflects a broader shift toward risk-based regulation and responsible AI development.
Organizations developing or deploying AI should begin strengthening governance, documentation, testing, and oversight processes.
Existing obligations under data protection, cybersecurity, consumer protection, and intellectual property laws will continue to apply during AI development and testing.
Author: Panisa Suwanmatajarn, Managing Partner.
Other Articles
- Thailand Launches “Economic Cabinet Plus” Plan to Drive High-Growth and High-Income Status
- Thailand’s Draft Immigration Act and Hotel Act: A Major Step Towards Digitalization and Regulatory Reform
- PDPC Certification: Turning Privacy Compliance into a Competitive Advantage
- PDPC Opens New Path for Intra-Group Cross-Border Data Transfers
- National Semiconductor Policy Committee Signals New Opportunities and Legal Considerations for High-Tech Investment
- Consumer Protection: Proposed Lemon Law Strengthens Remedies for Defective Goods