Regulating AI Without Illusions: Technical Limits, Legal Chokepoints, and Practical Accountability

Why AI governance must move beyond abstract model control toward enforceable duties where AI affects work, markets, institutions, and human decision-making

Artificial intelligence must be regulated. The question is not whether law should respond to AI, but whether legal systems are regulating the right object.

Much of the current global debate assumes that AI can be governed like a conventional product, software service, database, or licensing category. That assumption is increasingly fragile. Modern AI is not a stable legal object. It is a probabilistic, general-purpose capability distributed across models, data, compute, cloud infrastructure, application programming interfaces, user interfaces, prompts, agents, open-weight systems, vendors, deployers, and downstream users.

The central thesis of this paper is therefore not that AI regulation is unnecessary. It is that AI regulation will fail if it relies too heavily on the illusion that AI can be comprehensively controlled through abstract statutory categories or model-level classifications alone. The practical role of law is to impose accountability at the points where AI becomes operationally consequential.

This is not a call for lighter regulation. It is a call for more honest regulation.

1. The problem is not whether AI should be regulated

The case for AI regulation is no longer difficult to make. AI systems are increasingly used in financial services, healthcare, employment, education, public administration, customer service, cybersecurity, digital platforms, media, logistics, manufacturing, and professional services. They may influence credit decisions, medical triage, hiring, promotion, insurance pricing, law enforcement, immigration screening, public benefits, political communication, consumer behavior, and access to essential services.

The potential benefits are real. AI may increase productivity, support medical diagnosis, improve fraud detection, accelerate research, expand access to services, and reduce the cost of routine analytical work. But the risks are also real: privacy intrusions, discrimination, opacity, manipulation, cyber misuse, disinformation, unsafe automation, dependency on foreign infrastructure, and changes to the structure of work and opportunity.

The more difficult question is whether conventional lawmaking can control AI as legislation often implies. Law is most comfortable when it can identify a regulated actor, define a regulated activity, specify duties, prove a breach, establish causation, and impose remedies. AI strains each part of that structure.

An AI system may be designed in one jurisdiction, trained on data from multiple jurisdictions, hosted in another, accessed through an API, fine-tuned by an enterprise customer, integrated into a local workflow, and used by employees or consumers in ways the original model provider did not foresee. The relevant risk may arise from the model itself, the data used to train or operate it, the interface through which it is accessed, the prompt given by a user, the retrieval database connected to it, the tool it controls, or the institutional decision that relies on its output.

In that environment, broad legal categories may create the appearance of control without resolving the underlying enforcement problem. The task is not to abandon regulation. It is to regulate with a clearer understanding of where legal leverage actually exists.

2. Why AI is technically difficult to regulate

AI is difficult to regulate not merely because governments move slowly. It is difficult because the technology itself does not behave like the objects that law is accustomed to governing.

The OECD definition of an AI system captures the challenge. An AI system is a machine-based system that, for explicit or implicit objectives, infers from inputs how to generate outputs such as predictions, content, recommendations, or decisions that may influence physical or virtual environments, with varying levels of autonomy and adaptiveness after deployment.[1] This definition is important because it makes clear that AI is not simply software executing fixed instructions. AI systems infer.

Six consequences follow.

First, AI outputs are probabilistic. The same model may produce different responses depending on prompts, context, retrieval sources, system instructions, temperature settings, fine-tuning, tools, and user history. A legal regime that assumes stable system behavior will struggle when the system’s behavior varies with context.

Second, AI is general-purpose. A single model may summarize contracts, write code, support customer service, draft marketing content, generate legal text, assist with medical information, conduct sentiment analysis, screen job applicants, or produce political messaging. The same underlying capability may be low risk in one setting and high risk in another. Risk often attaches less to the model itself than to the way the model is deployed.

Third, AI systems are modular. The practical system used by a business may not be a single model. It may be a chain involving a foundation model, retrieval-augmented generation, proprietary databases, user prompts, system prompts, plug-ins, workflow tools, cloud infrastructure, audit logs, and human review. The regulated “system” may therefore be an operational stack rather than a discrete product.

Fourth, AI is opaque in a way that ordinary disclosure obligations cannot fully cure. Documentation, testing, audit logs, and risk assessments are necessary. But they do not necessarily produce a human-readable explanation of why a particular output emerged in a particular context. In modern machine-learning systems, the relevant capability is often embedded in model weights and statistical relationships, not in a rulebook that can be inspected line by line.

Fifth, AI increasingly acts through tools. The most serious regulatory questions may not concern text or images alone. They may concern AI systems connected to email, HR, payment, and customer databases, public records, vehicles, drones, industrial equipment, trading systems, or cybersecurity tools. At that point, the risk is no longer merely an output. It is an AI-mediated action chain.

Sixth, AI is global by design. Data, compute, chips, cloud services, open-source models, application providers, enterprise vendors, and users are distributed across borders. National law remains essential, but no national regulator controls the entire AI supply chain. This makes purely territorial regulation incomplete.

The result is a structural mismatch. Law seeks stable legal objects. AI operates as a capability moving through a technical and institutional ecosystem.

3. The limits of abstract AI legislation

The European Union AI Act is the most significant attempt to date to create a comprehensive risk-based legal framework for AI. It is serious, ambitious, and globally influential. Its structure is understandable: prohibited practices, high-risk systems, transparency obligations, general-purpose AI obligations, conformity assessments, documentation duties, and enforcement mechanisms.[2]

The EU AI Act is also entering into application in phases. It entered into force on 1 August 2024 and is generally applicable from 2 August 2026, subject to exceptions. Prohibited-practices rules and AI literacy obligations began to apply from 2 February 2025; governance rules and obligations for general-purpose AI models began to apply from 2 August 2025; and certain high-risk AI obligations are subject to later transition periods.[3] This phased implementation reinforces the point that even the most ambitious AI statute must be translated into practical supervisory, technical, and institutional mechanisms before it can operate effectively.

The EU AI Act also illustrates the central difficulty of AI regulation. Some provisions seek to regulate harms that are normatively important but difficult to administer in practice.

Consider the prohibition on AI systems that deploy subliminal, purposefully manipulative, or deceptive techniques in a manner that materially distorts behavior, impairs informed decision-making, and causes or is reasonably likely to cause significant harm.[4] The policy objective is legitimate. AI should not be used to manipulate people below the level of conscious awareness or deceive them into harmful decisions. But the legal test is demanding. A regulator or court may need to determine whether a technique was subliminal, whether it was manipulative or deceptive, whether behavior was materially distorted, whether informed decision-making was appreciably impaired, whether the person or group would have acted differently but for the AI system, and whether significant harm occurred or was reasonably likely.

Each element may be defensible in isolation. Together, they expose the difficulty of translating AI ethics into administrable law.

The same problem appears in the treatment of emotion recognition. A legal framework may seek to distinguish between emotion inference, fatigue detection, observable facial expressions, gestures, voice characteristics, safety monitoring, behavioral analysis, and biometric processing. These distinctions are conceptually understandable. But in practice, the same camera, microphone, interface, or behavioral dataset may be used for productivity monitoring, safety analysis, customer sentiment, fraud detection, student engagement, workplace discipline, or consumer profiling. Whether the system is merely detecting an observable state or inferring an emotion may depend on technical design, deployment context, vendor documentation, user interface, and evidentiary records.

This is not a criticism of the underlying values. Autonomy, dignity, non-discrimination, and democratic integrity matter. The problem is that some legal standards depend on reconstructing a technical and psychological chain of causation that may be distributed across model architecture, training data, prompts, interface design, personalization, ranking systems, commercial incentives, and human vulnerability.

The lesson is not that these harms should be ignored. The lesson is that regulation must distinguish between legitimate objectives and legal standards that can actually be administered.

4. Thailand as a practical case study

Thailand is a useful case study, but not because its challenge is unique. Thailand illustrates the problem facing many jurisdictions outside the EU: how to regulate AI in a way that is locally administrable, economically proportionate, and technically realistic.

As of March 2026, Thailand did not have a comprehensive AI law. AI-related activities were governed through a combination of existing laws, sector-specific regulations, policy frameworks, and soft-law tools.[5] The Thailand National AI Strategy and Action Plan 2022–2027 provides the broader policy direction. Its objectives include enhancing Thailand’s readiness in social, ethical, legal, and regulatory matters; developing national infrastructure; increasing human capability; driving innovation; and promoting the use of AI in the public and private sectors.[6]

Thailand’s regulatory development has continued through ETDA-led draft AI law principles and governance materials. Official materials emphasize high-risk AI, responsible use, protection of rights, innovation, soft law, hard law, sectoral flexibility, and the need to avoid one-size-fits-all regulation.[7] The Personal Data Protection Committee, or PDPC, has also begun consulting on how the Personal Data Protection Act, or PDPA, applies to AI systems, including personal data involved in training datasets, user inputs, and outputs.[8]

This trajectory is important. Thailand should not treat AI governance as a binary choice between doing nothing and copying a comprehensive foreign statute wholesale. The better approach is to use the country’s existing legal and institutional architecture: data protection, cybersecurity, sectoral regulation, public procurement, consumer protection, financial regulation, healthcare regulation, employment law, telecommunications infrastructure, administrative oversight, contracts, insurance, corporate governance, and liability.

FOSR has previously addressed parts of this developing landscape in its analyses of AI regulation and data privacy in Thailand, artificial intelligence, machine learning, and big data legal developments, and Thailand’s National AI Strategy and Action Plan. Those analyses point toward the same practical conclusion: Thailand’s AI governance challenge is not simply the absence of a standalone AI Act. The deeper challenge is coordination.

AI may be developed abroad, accessed through cloud infrastructure, modified downstream, deployed by local businesses, and used in sectors already supervised by existing regulators. A centralized AI statute may be useful, but it will not be sufficient unless it is connected to practical enforcement nodes.

For Thailand and similar jurisdictions, the most realistic model is not abstract model control. It is accountable deployment.

5. Where law can still work: legal chokepoints

AI cannot be effectively governed through model-level classification alone. But it can be governed where it becomes operationally consequential.

The most useful legal question is therefore not “how do we control AI?” It is “where does AI touch people, rights, infrastructure, markets, contracts, and regulated decisions?”

Several chokepoints matter.

Data governance

AI systems often depend on large-scale data collection, data preparation, data labeling, training datasets, user inputs, prompts, logs, outputs, and feedback loops. Where personal data is involved, existing data protection laws remain central. Lawful basis, purpose limitation, transparency, data minimization, security safeguards, cross-border transfer, sensitive data, data subject rights, and processor-controller allocation remain practical regulatory tools.

Data law will not solve all AI problems. But it is one of the few areas where regulators already have concepts, enforcement authority, institutional practice, and remedies.

This is particularly important in Thailand, where AI-related activity is likely to be governed through both broader AI governance initiatives and existing PDPA principles where AI systems process personal data. FOSR has addressed this shift in its analysis of Thailand’s PDPA in its second phase and in its earlier discussion of PDPA enforcement and cross-border data transfers. The key point is that AI data governance will increasingly be judged not only by the existence of documents, but by whether controls function in practice.

Market access

A state may not be able to inspect or control every model update. But it can impose conditions on the sale, deployment, procurement, or use of AI systems in regulated markets. Market access rules are particularly relevant for high-risk sectors such as finance, healthcare, education, insurance, telecommunications, transport, energy, public administration, law enforcement, immigration, and critical infrastructure.

This is where risk-based regulation can work if it is tied to concrete deployment contexts rather than abstract model categories alone.

Public procurement

Government procurement is one of the most practical AI governance tools. A government may not need to wait for a perfect AI statute before imposing contractual requirements on vendors. Public-sector AI contracts can require audit rights, logs, data-use restrictions, cybersecurity controls, human oversight, explainability at an appropriate level, incident reporting, termination rights, indemnities, and restrictions on secondary use of public-sector data.

Procurement is not merely purchasing. In AI governance, procurement can become regulation by contract.

Compute, cloud infrastructure, and data centers

Compute and cloud access are real chokepoints, especially for advanced AI systems. Governments may consider data-center obligations, cloud security requirements, critical infrastructure duties, audit rights, incident reporting, and emergency powers for high-risk uses. But compute governance must be precise. A law that targets all computational infrastructure would be overbroad and economically damaging. A law that targets frontier-scale training, high-risk inference, critical infrastructure deployment, or regulated-sector use may be more administrable.

Compute governance is among the most coercive instruments available to the state. It should be available for genuinely high-risk scenarios, particularly where critical infrastructure or public safety is involved, but it should not become the ordinary governance model for routine AI deployment.

In Thailand, data centers already sit within a broader legal and regulatory environment involving building control, telecommunications, investment promotion, cybersecurity, and operational permits. FOSR has addressed this in its analysis of why data centers are not factories under Thai law and in its discussion of Thailand’s data center growth and energy supply issues. AI governance will increasingly intersect with this infrastructure layer.

High-risk sector deployment

The most administrable AI rules will often be sector-specific. A medical regulator is better placed to supervise AI used in diagnosis than a general AI authority. A financial regulator is better placed to supervise AI used in credit scoring, fraud detection, or customer suitability. A labor authority is better placed to address workplace monitoring, automated discipline, or AI-enabled termination decisions.

The more concrete the use case, the more enforceable the rule.

This is also consistent with Thailand’s broader digital regulatory structure, where ministries and sector regulators often divide policy and implementation functions. FOSR has addressed this institutional point in its analysis of regulatory reasoning in Thailand’s digital communications framework.

Contracts and liability allocation

AI governance will depend heavily on contracts. Vendors, deployers, resellers, integrators, cloud providers, and customers should allocate responsibility for data provenance, output use, intellectual property, security, audit rights, logging, incident notification, indemnities, acceptable use, regulatory cooperation, and liability.

This is not a second-best solution. It is one of the most important practical governance mechanisms. AI supply chains are contractual supply chains. If responsibility is not allocated contractually, it will often become unclear precisely when accountability is needed most.

FOSR has separately discussed the enforcement of AI-use obligations in professional services contracts in Thailand in “Enforcing AI-Use Obligations in Professional Services Contracts.” That issue is part of the broader point: AI governance will often be enforced through contracts before it is tested through standalone AI legislation.

Documentation and audit trails

Documentation will not make AI fully explainable, but it can make AI governance defensible. Businesses should maintain AI inventories, use-case classifications, risk assessments, vendor diligence records, data-flow maps, testing records, system logs, human-review procedures, incident records, and board-level reporting.

The purpose is not bureaucratic formality. The purpose is traceability. When an AI system causes harm, the first question will not be whether the organization had perfect foresight. It will be whether the organization can show that it understood the system, assessed the risk, allocated responsibility, monitored use, and responded appropriately.

Human oversight

Human oversight is often invoked too casually. Simply keeping a person “in the loop” is not enough if the person lacks authority, training, time, information, or independence. But meaningful human oversight remains essential for rights-impacting decisions. The law should require clear escalation paths, review standards, override authority, and records of human intervention where AI affects employment, credit, health, education, access to services, liberty, or safety.

Incident reporting

AI regulation should not assume that all harm can be prevented. Serious-incident reporting is therefore essential. Regulators cannot learn from AI failures they never see. Businesses cannot improve governance if incidents are hidden inside operational teams, vendor relationships, or informal workarounds.

A practical AI regime should require timely reporting of material AI-related incidents involving safety, unlawful discrimination, data leakage, cybersecurity compromise, significant financial harm, public-sector error, or rights-impacting automated decisions.

Corporate governance

AI risk is no longer only an IT issue. It is a board and management issue. Directors and senior executives should understand where AI is used, what data it uses, which vendors are involved, what decisions it affects, what controls exist, and what incidents have occurred.

Corporate governance does not require directors to become machine-learning engineers. It does require them to treat material AI deployment as a governance, legal, operational, and reputational risk.

6. AI, work, and the next generation

AI governance cannot remain confined to privacy, bias, intellectual property, cybersecurity, and transparency. Those issues are important, but they may not capture the deeper social question: whether AI changes the structure of work and opportunity for the next generation.

The labor-market evidence does not support simplistic predictions of universal job destruction. The International Labour Organization, in its 2025 working paper on generative AI and jobs, refined global measurement of occupational exposure to generative AI using task-level data, expert input, AI model predictions, and survey evidence.[9] The IMF has estimated that almost 40 percent of global employment is exposed to AI, with different exposure patterns across advanced economies, emerging markets, and low-income countries.[10] The OECD has identified both workplace benefits and risks, including automation, loss of agency, bias, discrimination, privacy breaches, and lack of transparency.[11] The World Bank has noted that new technologies have boosted employment in East Asia and the Pacific overall, but unevenly, favoring skilled workers while some less-skilled workers in routine and manual jobs have been pushed toward informality.[12]

The central issue may not be whether AI eliminates work wholesale. It may be whether AI hollows out the training ladder.

Many professions depend on entry-level work to develop judgment. Junior lawyers review documents, draft clauses, conduct research, and learn how senior lawyers think. Junior analysts build spreadsheets, prepare summaries, and learn commercial judgment. Junior programmers debug code. Designers, translators, accountants, clerks, paralegals, customer-service agents, and administrative workers all learn through tasks that may become increasingly automatable or AI-assisted.

If AI removes too much of that work too quickly, the harm may not appear only as unemployment. It may appear as weaker professional formation, reduced wage progression, fewer training pathways, lower bargaining power, diminished autonomy, and greater concentration of economic power among organizations that own or control AI infrastructure.

This is a governance issue, not merely an economic forecast. If AI changes the structure of opportunity, privacy notices and transparency labels will not be enough. Governments may need to consider worker-transition funds, retraining incentives, AI-related levies, public education, support for SMEs, and policies designed to preserve human capability in strategically important sectors.

Businesses should also be cautious. Replacing entry-level tasks may create short-term efficiency but long-term institutional weakness. Organizations that eliminate junior learning pathways may later find themselves without experienced human judgment when AI systems fail, markets shift, regulators intervene, or clients demand accountability.

7. Hard governance options may enter the debate

Some AI governance measures may appear heavy-handed today. They may become politically inevitable if visible harm occurs at scale.

Governments are unlikely to rely indefinitely on voluntary guidelines if AI materially affects employment, financial stability, public trust, democratic integrity, critical infrastructure, national security, or human autonomy. Stronger measures may enter the debate, including:

  • registration or licensing for frontier-scale model training above defined thresholds;
  • mandatory serious-incident reporting for high-risk AI deployment;
  • data-center and cloud-provider obligations for certain advanced systems;
  • restrictions on AI use in employment, credit, healthcare, insurance, education, immigration, law enforcement, and critical infrastructure;
  • public procurement controls;
  • mandatory human review for rights-impacting decisions;
  • insurance requirements for high-risk AI deployers;
  • board-level AI governance duties;
  • worker-transition mechanisms, retraining levies, or public-private reskilling funds; and
  • emergency intervention powers where AI systems threaten critical infrastructure or public safety.

These are not statements of current Thai law. They are possible policy responses that may enter the regulatory debate if voluntary governance, soft-law guidance, and ordinary sectoral enforcement prove insufficient.

This paper does not endorse all such measures. The point is more limited: the AI governance debate will not remain soft if AI harms become visible, concentrated, and politically salient. Hard governance measures may appear excessive before a crisis. They may appear unavoidable after one.

The objective should be to build practical accountability before crisis-driven regulation produces blunt intervention.

8. What businesses should do now

Businesses should not wait for perfect AI legislation. The immediate standard is defensibility, not perfection.

A defensible AI governance program should include at least the following measures.

Build an AI inventory

Organizations should know where AI is used, by whom, for what purpose, with which vendors, with what data, and in which business processes. A company cannot govern AI systems it has not identified.

Classify use cases by risk

Not every AI use requires the same controls. Drafting an internal memo is not the same as screening job applicants, assessing creditworthiness, diagnosing patients, monitoring employees, pricing insurance, or making public-sector decisions. Businesses should classify AI use cases by legal, operational, reputational, data-protection, cybersecurity, and human-impact risks.

Review vendors and contracts

Vendor diligence should address model purpose, data use, security, subcontractors, logging, audit rights, incident notification, output ownership, data retention, regulatory cooperation, and liability. AI contracts should not be treated as ordinary software agreements.

Map data flows

Organizations should understand whether personal data, sensitive data, confidential business data, customer data, employee data, or regulated-sector data enters the AI system. They should also know whether prompts, inputs, outputs, or feedback are retained, used to improve the model, transferred abroad, or made accessible to third parties.

Update data protection compliance

When personal data is involved, businesses should reassess lawful basis, transparency, purpose limitation, data minimization, retention, security, roles of processors and controllers, and data subject rights. AI does not suspend data protection law. It often makes data protection compliance even more important.

Implement acceptable-use policies

Employees need clear rules on which AI tools may be used, which data may be entered, which outputs may be relied upon, and when human review is required. Shadow AI use is already a serious governance risk.

Require human oversight for high-risk decisions

Businesses should define when AI outputs may be used only as recommendations, when human approval is required, and who has authority to override or reject AI-generated results.

Maintain logs and audit trails

AI governance depends on records. Organizations should preserve logs, risk assessments, vendor documentation, testing records, review decisions, incidents, and remediation steps.

Prepare incident-response procedures

AI incidents should not be improvised. Businesses should identify who receives reports, who investigates, who contacts vendors, who evaluates regulatory notification, who manages affected persons, and who communicates internally and externally.

Review insurance

Existing insurance policies may not clearly cover AI-related losses, including data breaches, professional negligence, product liability, employment claims, IP disputes, cyber incidents, or regulatory penalties. Businesses should review coverage before an incident occurs.

Create board-level reporting

Material AI deployment should be reported to senior management or the board. AI governance should not sit only with IT teams or enthusiastic business units.

The point of these measures is not to predict the final form of AI law. The point is to build internal accountability that will remain defensible under any serious regulatory model.

9. Conclusion: accountability without illusions

Abstract model regulation alone will not be enough. The technology is too probabilistic, general-purpose, modular, opaque, adaptive, and global. Its risks may arise from model design, training data, prompts, interfaces, cloud infrastructure, fine-tuning, access to tools, vendor relationships, institutional incentives, downstream deployment, and human reliance.

But this does not make law irrelevant. It makes practical law more important.

AI can be governed where it enters the real world: data flows, contracts, procurement, cloud infrastructure, public services, regulated sectors, employment, credit, healthcare, education, insurance, telecommunications, critical infrastructure, and decisions affecting rights and livelihoods.

The countries and companies that succeed will not be those that pretend to have domesticated AI. They will be those that regulate without illusions by imposing enforceable accountability at the points where AI becomes operationally consequential.

The next generation will not judge AI governance by the elegance of statutory categories. It will judge it by whether legal systems preserved human agency, economic opportunity, public trust, and institutional responsibility in the face of a technology no one fully controls.


Sources

  1. OECD, Explanatory Memorandum on the Updated OECD Definition of an AI System.
  2. European Union, Regulation (EU) 2024/1689: Artificial Intelligence Act; European Commission, AI Act overview.
  3. European Commission, “AI Act,” implementation timeline, accessed 10 June 2026, available at: https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai
  4. European Commission AI Act Service Desk, Article 5: Prohibited AI Practices.
  5. Formichella & Sritawat, Thailand chapter, Global Legal Insights – AI, Machine Learning & Big Data 2026, reflecting developments up to March 2026.
  6. AI Thailand / NECTEC, Thailand National AI Strategy and Action Plan 2022–2027.
  7. Electronic Transactions Development Agency, Draft Principles of AI Law public materials.
  8. Formichella & Sritawat, Thailand chapter, Global Legal Insights – AI, Machine Learning & Big Data 2026, discussion of PDPC consultation on PDPA implementation for AI systems.
  9. International Labour Organization, Generative AI and Jobs: A Refined Global Index of Occupational Exposure.
  10. International Monetary Fund, AI Will Transform the Global Economy. Let’s Make Sure It Benefits Humanity.
  11. OECD, AI and Work.
  12. World Bank, Future Jobs: Robots, Artificial Intelligence, and Digital Platforms in East Asia and Pacific.

Disclaimer

This article is provided for general information purposes only and does not constitute legal advice. It should not be relied upon as legal advice or as a substitute for specific advice on any particular facts or circumstances. For advice on AI governance, data protection, technology regulation, or related matters in Thailand, please contact Formichella & Sritawat Attorneys at Law.