THeAILAND.com

AI Governance: A Framework to Govern AI Use So You Can Scale Safely

Guide ~9 min Updated 19 June 2026

AI for Business AB124

When AI spreads across the organization, who is responsible when it goes wrong

In the early days of adopting AI, everything feels under control. A handful of teams experiment, and that is it. Before long, AI shows up across many parts of the business: customer service, document work, and analysis. The questions that follow are who approved its use in each place, who is responsible when a wrong answer reaches a customer, and whether the organization even knows how many places AI is now running.

These questions are the work of AI governance. AI governance is the set of policies, accountabilities, and oversight that an organization puts in place to use AI responsibly. This article explains what AI governance is made of, how it draws on widely accepted international frameworks, where it connects to Thai law, and why having a governance framework helps an organization scale its use of AI safely while keeping its speed.

AI governance exists to let you scale AI use with confidence, and it serves to enable rather than to forbid. Organizations with a clear governance framework adopt AI faster, because each use has an owner, a risk assessment, and someone who watches it after launch, instead of taking ad-hoc risks with no system behind them.

The pillars where international frameworks agree

AI governance frameworks come in several editions, yet the major international ones converge on a small set of pillars. These work well as the backbone for an organization’s own framework.

Clear accountability and ownership. The OECD AI Principles state that those involved with AI must be accountable for the proper functioning of the systems according to their roles and context. Every AI use should have an owner who can say who watches it and who is responsible when something goes wrong.

Risk assessment before deployment. The NIST AI Risk Management Framework lays out the work as a cycle: map the context and impact of a system, measure the risks, then manage them to reduce harm, both before and during use, rather than waiting for problems to appear first.

Transparency and human oversight. The OECD emphasizes responsible disclosure so that people can understand and contest AI outcomes, along with mechanisms for human oversight that keep decision authority with people. Work that affects people must keep a human in the decision loop and should not leave the decision to AI alone.

Connection to data governance. AI governance is inseparable from data governance, because AI runs on data. The data pillar connects directly to personal data protection law and to the organization’s security policies.

Turning the framework into something concrete

The pillars above translate into practice through tangible governance structures, which frameworks like NIST and AI management system standards such as ISO/IEC 42001 lay out in the same direction.

At the heart of it is an AI use policy that sets the rules for what can be used and how, together with an approval process before any new AI system goes into use. An organization should keep an inventory of the AI systems it runs, carry out an impact assessment before starting, assign an owner to each system, and monitor outcomes once it is in real use. These structures make governance a repeatable process rather than a series of one-off decisions.

The advantage of building on accepted frameworks is that the organization gains a common language for talking about risk. Standards like ISO/IEC 42001, the world’s first AI management system standard, open a path to scaling AI use with consistent controls and to demonstrating to regulators, customers, and stakeholders that the organization uses AI responsibly.

Thai context: PDPA and ETDA guidance

Thai organizations have domestic reference points worth knowing. On the data side, an AI governance framework must align with the Personal Data Protection Act (PDPA), which is already in force and forms the legal basis of the data pillar.

On the AI governance side, ETDA, through its AI Governance Center (AIGC), has issued AI governance guidance for organizations, including a guideline for executives. It organizes core governance principles for trustworthy, safe, and responsible AI use, together with a set of Thai AI ethics principles covering transparency, accountability, fairness, and security.

The point to watch is that ETDA guidance is guideline-level and is not binding law. A Thai AI law has been discussed but has not yet been enacted. Organizations should therefore treat this guidance as a solid starting framework and track the progress of legislation over time, keeping in mind that no binding AI law is yet in force.

Update box: status of frameworks and law (June 2026)

The status below can change, so check the official pages periodically. The governance pillars above hold across editions.

  • NIST AI RMF is a voluntary framework that lays out four functions: Govern, Map, Measure, and Manage risk.
  • ISO/IEC 42001 is the first AI management system standard, published in late 2023, and organizations can be certified against it.
  • The OECD AI Principles are the first intergovernmental standard, adopted in 2019 and updated in 2024.
  • Thailand has the Personal Data Protection Act (PDPA) in force, and ETDA has issued guideline-level AI governance guidance, while a specific AI law is still a draft and has not been enacted.

⚠️ Things to watch

A framework no one follows is the same as having none. A governance policy document with no owner and no real process does nothing. Governance happens when there is someone accountable, an inventory of the systems in use, and genuine review, and not just a document on file.

Do not let the framework become a drag. The goal of governance is to scale AI use safely. If the approval process is so heavy that teams route around it and use AI off the books, you get the opposite result. Design the framework to match the real risk of each piece of work.

Do not cite a law that does not exist. In internal communication, be careful about saying a Thai AI law is already in force, because right now it remains guidance and a draft. Holding to this fact keeps organizational policy built on solid ground.

Next steps

Start with what you can do quickly: take inventory of where the organization uses AI today and assign an owner to each place. Then draft a short AI use policy built on the pillars above, and move on to the approval process and risk assessment from there. Seeing where AI already lives is the first step toward governance you can actually carry out.

