You are using an outdated browser and your browsing experience will not be optimal. Please update to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox. Install Microsoft Edge

Search
Close this search box.
June 25, 2025

Setting the Ground Rules: The Importance of Implementing Internal GenAI Policies

Subscribe to Updates

Generative artificial intelligence (GenAI) is no longer a distant innovation confined to science fiction and research labs; it has become an integral part of daily business operations worldwide. Employees across industries are adopting GenAI tools at a remarkable pace—including in Southeast Asia, where a tech-savvy workforce and widespread internet and mobile access have driven early adoption.

The reality facing organizations today is clear: employees are integrating GenAI into their daily work, often without official approval or clear policies. This phenomenon, often called “Bring Your Own AI,” comes out of a disconnect between organizational governance and employee behavior and reveals the urgent need for proactive AI policies and oversight.

For business leaders and legal teams, GenAI is both an opportunity and a challenge. On one hand, these tools can deliver real business value and boost efficiency. On the other, the unsanctioned and unmonitored use of GenAI introduces substantial legal risks, such as data privacy violations, confidentiality breaches, and intellectual property issues.

The widespread adoption of GenAI tools by employees, regardless of official organizational stance or guidelines, demonstrates that prohibition is neither practical nor effective. A more strategic approach involves establishing comprehensive governance policies that encourage responsible AI use while managing the risks.

Organizations that take the lead in developing GenAI governance policies are better positioned to benefit from its transformative potential. The question isn’t whether GenAI will change how we work, but how quickly organizations can put the right safeguards in place to manage this change successfully.

Risks of GenAI Use

The use of GenAI in business operations, whether sanctioned or not, exposes organizations to a unique set of risks. The following are particularly relevant:

  • Data security and confidentiality: General GenAI tools in the market may transmit data to external servers, retain conversation histories, and use inputs for model training. Further, employees may share confidential organization or client information without realizing the implications, increasing the risk of unintentional data leakage and unauthorized disclosure—especially since it can be difficult for organizations to know which GenAI tools employees are using and what types of information they are sharing.
  • Data protection and regulatory compliance: The evolving legal landscape regulating AI creates compliance challenges across multiple jurisdictions. Organizations must navigate complex data protection laws like Thailand’s Personal Data Protection Act (PDPA) and Vietnam’s Personal Data Protection Decree (PDPD), each with different compliance requirements. In the absence of AI-specific legislation, sector-specific regulations also add additional complexity, while unclear regulatory guidance often leaves organizations operating in legal uncertainty, particularly when using AI for decision-making that impacts individuals or when deploying AI systems that interact directly with customers.
  • Intellectual property risks: AI-generated content raises yet-to-be-answered questions about ownership, originality, and copyright infringement. Additionally, proprietary information shared with GenAI tools can be inadvertently incorporated into model training data, potentially compromising trade secrets or violating confidentiality agreements.
  • Governance and accountability: Disjointed and unregulated or inadequately governed GenAI adoption creates oversight gaps, making it difficult to track usage, assign responsibility for outputs, or respond to incidents. In addition, traditional approval processes may not account for AI-assisted work, creating quality control issues.

Developing an Internal GenAI Policy

Forward-thinking organizations across Southeast Asia are establishing internal policies that provide clear direction for both approved and unapproved AI use. These policies form the cornerstone of responsible AI adoption in these organizations by balancing innovation with effective risk management.

An effective AI policy functions as both a protective framework and an enablement tool. Rather than simply listing restrictions, the most effective policies provide practical guidance that empowers employees to leverage AI capabilities while maintaining organizational standards. This approach requires addressing several critical components when developing an AI policy, including, among others:

  • Policy scope: Effective AI policies begin with a clear articulation of their purpose, defining exactly which AI tools and use cases are governed by the policy, including distinguishing between enterprise-approved solutions and general AI tools in the market.
  • Access and authorization: Organizations should define user tiers and access levels, specifying which roles are permitted to use specific AI tools and under what circumstances. This includes establishing approval processes for new AI tool adoption and creating exceptions for specialized use cases.
  • Data governance and privacy protection: As GenAI tools may process personal information, policies must establish strict protocols for data handling. This encompasses defining what types of data can be shared with AI systems and ensuring compliance with regional privacy regulations such as Thailand’s PDPA or Vietnam’s PDPD.
  • Accountability and verification: Policies should also assign internal accountability for AI-generated content and outputs. It is important to establish appropriate review protocols based on the type of AI-assisted work, along with guidelines for transparently disclosing when and how AI was used, especially in client-facing materials or critical decision-making, which may require human validation.
  • Monitoring and incident response: Effective policies establish clear procedures for tracking AI usage, identifying potential misuse or unacceptable output, and responding to security incidents, policy violations, and AI-related incidents such as hallucinations or biased outputs. This includes defining escalation procedures and reporting mechanisms.
  • Vendor management: As organizations increasingly rely on third-party AI services, policies must address vendor evaluation criteria, contract requirements, and ongoing performance monitoring to ensure external AI providers meet legal obligations, data protection requirements, and operational expectations related to security, accountability, and transparency.

Given the rapid pace of AI development, policies should include review cycles, update mechanisms, and processes for incorporating new regulatory requirements or technological capabilities. They should also provide a framework for assessing emerging technologies and adapting policy coverage to reflect evolving risks and capabilities.

Finally, organizations should hold comprehensive education and training sessions to ensure that employees understand both the capabilities and limitations of AI tools, recognize potential risks, and follow organizational policies when using AI in their work.

Proactive Implementation

The GenAI revolution isn’t waiting for businesses to catch up—it’s already here, integrated into daily workflows. Organizations can either proactively implement robust governance frameworks to safely harness AI’s immense potential or risk falling behind in an increasingly complex and fast-moving landscape.

By establishing clear guidelines, accountability structures, and effective risk management protocols, organizations can confidently leverage AI capabilities to encourage innovation while maintaining oversight and minimizing risks. This approach not only builds stakeholder trust and ensures regulatory compliance but also encourages greater AI adoption and transparency among employees. With well-designed guardrails in place, employees can confidently and responsibly integrate GenAI into their work.

Ultimately, organizations that strike the right balance between innovation and responsibility will be best positioned to lead in the GenAI era.

Related Professionals

Industries

Technology

Locations

RELATED INSIGHTS​

May 26, 2025
On May 21, 2025, the Trade Competition Commission of Thailand (TCCT) published a press release signaling heightened regulation of digital platforms in response to the influx of products from foreign countries being sold in Thailand via e-commerce platforms. In recent years, the rapid expansion of cross-border multi-sided e-commerce platforms has unlocked unprecedented growth, but it has also flooded Thailand’s digital marketplaces with low-cost imports sold by unregulated foreign vendors via these platforms, unfairly undercutting local merchants’ market share and exposing consumers to uneven product quality. According to the press release, the TCCT announced progress on drafting new guidelines on unfair trade practices, monopolistic conduct, and competition restraint by multi-sided e-commerce platforms at a recent meeting of the Management Committee for Addressing Issues of Foreign Goods and Businesses Violating Laws. This regulatory push is part of a broader governmental effort to tackle issues stemming from the foregoing that create uneven playing fields and undermine consumer welfare. The draft guidelines are designed to regulate platform operators and their complex and multidimensional trade relations that cause network effects and distort competition. The forthcoming guidelines, to be issued under the Trade Competition Act B.E. 2560 (2017), will undergo public consultation to ensure platform operators, the public, and other stakeholders will have an opportunity to provide input before they are finalized and enforced. The guidelines are seen as an important priority, with the minister of commerce urging swift implementation of the measures to achieve the government’s objectives. In addition to the legislative advancement, one of the TCCT commissioners has been appointed to advise a subcommittee on preventing nominee arrangements by foreign investors and a subcommittee dedicated to promoting Thai SMEs and eliminating poor-quality imports. The appointee will also support the nationwide task force against illegal foreign products in overseeing proactive field operations and comprehensive
Read More
May 22, 2025
While digital technologies have significantly enhanced communication and information sharing, they have also created new opportunities for misuse, particularly for children, who are especially vulnerable to online abuse and exploitation. These risks are often difficult for parents and guardians to detect or prevent in a timely manner. To address these concerns, Thailand has drafted an amendment to the Criminal Code to introduce new provisions targeting offenses against children committed via online platforms. The objective is to close existing legal gaps and to provide more robust protections for children in the digital environment. The draft amendment focuses primarily on addressing online offenses against children and enhancing legal protections for children. The draft amendment proposed changes regarding the following issues: Jurisdiction and media misuse Expanding Thailand’s jurisdiction to cover sexual and liberty-related offenses committed against children outside the country. Adding offenses for misuse of media, including recording, publishing, or transmitting text, images, or sounds for unlawful or exploitative purposes. Offenses involving child exploitation Adding penalties for persuading, luring, or enticing children to engage in sexual or indecent conduct. Imposing harsher penalties for aggravated cases relating to child exploitation that result in serious harm or death. Adding penalties for sending or forwarding inappropriate sexual content to children with exploitative intent. Adding penalties for using threats involving sexual conduct to pressure or coerce victims. Removing ignorance of a child’s age as a possible defense for certain offenses (e.g., luring children or sending inappropriate content) when the child is under 13 years old. Special protections for vulnerable individuals Imposing harsher penalties for offenses committed against parents, persons under legal guardianship or parental authority, or individuals unable to protect themselves. Adding penalties to offenses such as luring children, sending inappropriate content, and cases involving serious harm or death. Child pornography Increasing liability for possession and
Read More
May 15, 2025
Thailand’s Electronic Transactions Development Agency (ETDA) held an explanatory session on the draft principles and regulatory approaches of the country’s planned artificial intelligence (AI) law on May 2, 2025. This came after a lull of two years following the initial release of draft legislation on AI. In the session, the ETDA explained that the earlier drafts were modeled after the EU’s legal framework for AI, but given the evolving Thai legal and technological landscape, it is now necessary to revisit and refine the drafts to ensure they remain relevant and effective in the local context. To aid in this process, the ETDA will accept public comments on the draft principles of the AI law until June 9, 2025. Based on gap analysis and a comparative study of how different countries have addressed AI issues, the ETDA’s draft AI law principles are structured into five key areas. These are described below. 1. Risk-Based Requirements The draft principles outline a set of approaches that the legislation will take toward mitigating risk: Delegation of powers to enforcement agency or sectoral regulators The primary legislation will not directly specify a list of prohibited risks or high-risk types of AI. Instead, it will empower an enforcement agency or relevant sectoral regulators to determine and issue such lists. This approach allows regulators in each specific industry to assess the necessity of risk classifications within their respective sectors, based on the principle that sectoral regulators are best positioned to understand the specific risks in their domains. These regulators are expected to issue subordinate legislation in alignment with the overall framework. Meanwhile, the central enforcement agency will coordinate oversight across sectors and cover areas not under the jurisdiction of any specific regulator. Duties of high-risk AI providers Providers of AI deemed by the enforcement agency or sectoral
Read More
May 14, 2025
Following the amendment to the Emergency Decree on Measures for the Prevention and Suppression of Technological Crimes in mid-April 2025, new measures were introduced by the Electronic Transactions Development Agency (ETDA) in a hearing session held on May 13, 2025, to establish shared liability between online social media platform operators and other in-scope operators for damages arising from technological crimes. Stakeholders are being invited to submit their comments on the proposed new provisions directly to the ETDA by May 20, 2025. The concept of the new measures for social media platform operators is that to be released from liability for damages arising from technological crimes, social media platform operators must demonstrate compliance with the relevant technological crime prevention standards and measures prescribed by their respective regulators (“safe harbor rules”). Safe Harbor Rules Under the principles of the proposed safe harbor rules, social media platform operators and the relevant service providers would be required to comply with the following obligations: Immediate takedown and suspension of dissemination: Disable access, remove the content from the system, or suspend the relevant service within 24 hours of receiving an official notification from the Cyber Crime Investigation Bureau’s Anti-Online Scam Operation Center (AOC) that a service or social media platform is disseminating content that is or may be used to commit or support technological crimes. Establishment of notification channels: Establish a system or channel to receive notifications from the AOC. User registration and identity verification: Require user registration (including identity verification and authentication) before allowing content to be posted, with sufficient information to identify the user. Suspending dissemination of suspect advertisements: Disable access to advertisements reasonably suspected of involving or potentially involving the commission of technology-related crimes. Reporting: Report on actions taken, including details like account owner information, IP address, email, or phone number used for account
Read More

Contact

We have seven offices in six countries
across Southeast Asia.

Contact Us

Careers

We are always seeking great people to grow
our amazing team.

Join Us

Networks

© 2024 Tilleke & Gibbins International Ltd. All rights reserved.

© 2020 Tilleke & Gibbins International Ltd. All rights reserved.

Privacy Policy

| Fraudulent Communications

| Legal Notice