What is AI regulation in Saudi Arabia?
AI regulation: countries and regions
Saudi Arabia does not currently regulate AI through a single omnibus AI Act. Instead, it uses a layered model: SDAIA's AI Ethics Principles as the main national governance framework, public-sector guidance from SDAIA and the Digital Government Authority, and binding horizontal laws such as the Personal Data Protection Law and digital government rules. In practice, organisations need to manage AI through risk classification, data governance, human oversight, documentation and sector-specific compliance.
What this means
In Saudi Arabia, "AI regulation" usually means an official governance architecture rather than one codified AI statute. The central document is SDAIA's AI Ethics Principles. Those principles were introduced in 2023 as a national framework and were later followed by more operational guidance, especially in 2024 for generative AI and for public-sector use.
That makes Saudi Arabia different from jurisdictions that rely on a single cross-economy AI law. The practical question is not only whether there is an AI-specific statute. It is also which official framework, data law, digital government rule, procurement condition or sector requirement applies to a given AI system.
For most organisations, the right way to read the Saudi position is as a stack. At the top are ethics principles and public guidance. Underneath sit binding laws, especially personal data protection, and then contract, procurement and sector-specific duties that can make the framework operational in day-to-day work.
Why it matters
If you build, buy, deploy or govern AI in Saudi Arabia, the country expects more than technical performance. It expects documented governance. That matters for ministries, public-sector suppliers, regulated businesses and any organisation handling personal data connected to Saudi residents.
The commercial risk is straightforward. A team that ignores Saudi guidance can miss tender expectations, misuse government information, fail to document human review, or roll out a tool whose risk level calls for stronger checks. The legal risk is also real, because the ethics layer sits alongside binding rules such as the Personal Data Protection Law.
For leadership teams, the Saudi model matters because it rewards preparation. Organisations that can show risk classification, data controls, clear ownership, testing, explainability, and a route for complaints or correction are in a much stronger position than teams that treat AI as an ordinary software purchase.
How it works
The current Saudi model
As currently verified against public official material and recent legal tracking, Saudi Arabia's AI framework is built around official principles, guidance and adjacent laws, not a single omnibus AI statute. SDAIA acts as the central national authority for data and AI. The Digital Government Authority adds the public-sector layer for digital government. In other words, Saudi AI regulation is best understood as a governance system with several official instruments that work together.
The AI Ethics Principles are the core national reference
SDAIA's AI Ethics Principles are the main national reference point. They apply across the AI system lifecycle and are framed to cover all AI stakeholders in the Kingdom, not only ministries or state agencies. The framework uses seven principles: fairness; privacy and security; humanity; social and environmental benefits; reliability and safety; transparency and explainability; accountability and responsibility.
The framework also uses risk classification. It distinguishes between little or no risk, limited risk, high risk and unacceptable risk. The official text says unacceptable-risk systems are not allowed, and gives examples such as social profiling, exploitation of children and behaviour distortion. For high-risk systems, the framework envisages stronger review, including pre and post conformity assessment.
Beyond high-level values, the document is operational. It assigns governance roles, links controls to stages of planning, design, build, validation, deployment and monitoring, and allows SDAIA to use badges that reflect progress in adopting the framework.
Public-sector AI is governed more tightly
Where AI is used inside government, or supplied into digital government work, the governance expectations become more specific. SDAIA's Generative Artificial Intelligence Guidelines For Government direct government entities to apply the AI Ethics Principles when using generative AI tools. The guidance is built around responsible use of government data and recognises roles and responsibilities inside the entity, including a pivotal role for the Data Management Office.
The government guidance also pushes control into everyday practice. It warns against entering information that is not properly classified into generative AI tools and ties AI use back to data protection duties. That is particularly important because many practical failures in AI governance start with ordinary staff workflows rather than model design.
This layer is reinforced by the Digital Government Authority. The DGA's Digital Government Regulatory Framework applies to all government entities, the non-profit sector, and private developers and operators involved in digital government works. It is the umbrella under which policies, controls, standards and guidelines for digital government are organised. AI therefore sits inside a wider administrative framework for public digital services, not outside it.
Binding duties still come from other laws
Saudi Arabia's AI principles do not remove the need to comply with ordinary law. The most important horizontal law for many AI systems is the Personal Data Protection Law, or PDPL. SDAIA's own PDPL guidance describes it as the key law for personal data protection in the Kingdom. It applies to processing that takes place in Saudi Arabia and also reaches some processing carried out outside the Kingdom where it relates to individuals residing in Saudi Arabia.
That means an AI system may be acceptable at the ethics-framework level and still fail on data protection, retention, transfer or controller-processor duties. The same logic applies to procurement terms, public-sector data governance, sector supervision, and other legal instruments that touch the use case. In Saudi Arabia, AI governance is layered on top of existing legal obligations rather than replacing them.
Institutions and mechanisms make the framework real
Saudi Arabia has moved beyond publishing principles and has built practical governance mechanisms around them. The National Data Governance Platform is the main operating platform for several of these mechanisms. It hosts the AI Ethics Assessment tool, which lets controllers compare their current practices against ethical criteria and see the level of ethical commitment shown by a model.
The same platform also offers AI Service Provider Accreditation. Public materials describe this as a structured route for providers of AI software and services to assess their alignment with ethical standards. The process includes entity registration, appointment of an AI officer, submission of questionnaires and supporting files, and committee review that can lead to an Incentive Badge and an accreditation certificate.
These mechanisms matter because they create evidence. They turn abstract principles into assessable records, named owners, submitted documents and review steps. For operators, buyers and public bodies, that kind of evidence is often what separates a policy statement from a working governance system.
The framework is still expanding
Saudi Arabia's AI architecture is not static. Official material published after the core ethics principles includes generative AI guidance, deepfake-related guidance and a broader AI Adoption Framework. The direction of travel is clear: Saudi Arabia is building a larger AI governance toolkit around the ethics principles, especially for public administration and high-impact use.
What is confirmed today is the principles-and-guidance model. What is not confirmed today is an enacted cross-economy omnibus AI law with its own single enforcement code. For now, organisations should treat Saudi AI regulation as an evolving but already practical governance architecture.
Examples
A government entity that wants staff to use a generative AI drafting tool cannot treat it like an ordinary consumer app. SDAIA's government guidance expects the entity to apply the AI Ethics Principles, manage data classification, involve the Data Management Office and avoid entering information that is not properly classified. If the tool will process personal data, PDPL duties sit underneath that workflow as well.
A provider of AI software that wants formal recognition can use the National Data Governance Platform's accreditation path. The provider registers the entity, appoints an AI officer, adds the product, completes the questionnaire, uploads the required files, and then waits for committee review. If approved, the process can lead to an Incentive Badge and an AI Service Provider Accreditation Certificate.
An organisation that is building or operating an AI system can also use the AI Ethics Assessment tool on the same platform. The tool is designed to compare current practice to SDAIA's ethical criteria and indicate the level of ethical commitment shown by the model. That gives teams a concrete way to test whether their internal controls match Saudi expectations before deployment or procurement.
Common misunderstandings
"Saudi Arabia already has a single AI Act." Not at present. The current model is a set of official principles, guidance and adjacent laws rather than one consolidated AI statute.
"The AI Ethics Principles only matter to government bodies." No. SDAIA frames them as applying to AI stakeholders across the Kingdom.
"If a system is low-risk under the AI framework, the legal work is finished." No. PDPL, procurement, digital government controls and sector rules may still apply.
"Government staff can paste any internal information into a generative AI tool." No. Saudi government guidance stresses data classification and responsible handling of government data.
"AI accreditation is the same thing as a universal legal licence." No. It is an official accreditation pathway, but current public materials do not present it as a mandatory permit for every AI deployment in the Kingdom.
Risks and boundaries
Saudi Arabia's present approach is strong on governance architecture, but it is less simple than a one-stop AI Act. Organisations have to assemble their obligations from several instruments. A project can look acceptable under the AI ethics framework and still breach PDPL, procurement or sector-specific requirements.
Scope matters as well. The DGA's digital government framework is aimed at government entities and those building or operating digital government work around them. It should not be treated as a universal private-sector AI code for every commercial deployment in the Kingdom.
There is also a live boundary between official guidance and directly binding law. The ethics principles, government guidance, assessment tools and accreditation mechanisms are all important, but the exact legal force of a given requirement may depend on the underlying law, the type of entity involved, procurement terms, or the sector regulator supervising the use case.
The final boundary is timing. Saudi Arabia is still adding new material around the core framework. What is clearly confirmed is the ethics-principles and public-guidance model. What remains uncertain is whether Saudi Arabia will later codify that architecture into a single AI-specific law.
What to do next
Start with an inventory. Identify every AI use case that touches Saudi operations, Saudi residents' data or Saudi public-sector work. Then classify each use case by risk and record why that rating was chosen.
Next, assign named owners across AI governance, privacy, security, procurement and technical assurance. In Saudi Arabia, vague ownership is a weak point because the official framework expects clear internal responsibility and review.
For any government-facing deployment, confirm the DGA and SDAIA instruments that apply before pilot stage, not after contracting. Check data classification, permitted data use, staff instructions, vendor terms and the plan for human review.
Finally, build an evidence pack for each material AI system: purpose, data sources, model or service description, risk rating, testing, human oversight, incident handling and retention rules. Where relevant, use the AI Ethics Assessment tool and consider whether formal accreditation would help with procurement, trust or internal governance.
FAQs
Does Saudi Arabia have a single AI law?
Not at the moment. Saudi Arabia currently relies on SDAIA's AI Ethics Principles, public guidance, digital government regulation and existing laws such as PDPL rather than one omnibus AI Act.
Who are the main Saudi authorities for AI governance?
SDAIA is the central national authority for data and AI. The Digital Government Authority is central for public-sector digital government rules. Sector regulators can also matter where AI is used in a supervised field.
Do the AI Ethics Principles apply only to ministries?
No. SDAIA frames the principles as applying to AI stakeholders across the Kingdom, across the lifecycle of AI systems.
What are the main Saudi AI ethics principles?
They are fairness; privacy and security; humanity; social and environmental benefits; reliability and safety; transparency and explainability; accountability and responsibility.
Why does the public sector face extra AI governance steps?
Because government AI use sits inside Saudi Arabia's wider digital government framework. Public bodies must deal with data classification, internal ownership, digital government controls and, where relevant, PDPL duties.
How does PDPL affect AI projects?
If an AI project processes personal data in Saudi Arabia, or processes personal data relating to individuals residing in Saudi Arabia in circumstances covered by the law, PDPL obligations can apply alongside the AI framework.
Is AI Service Provider Accreditation mandatory?
Current public materials describe it as an official accreditation path with review steps and certificates. They do not present it as a universal statutory licence for every AI system in the Kingdom.
What should a supplier to Saudi government check first?
Check whether the project falls within the DGA digital government framework, SDAIA's AI ethics and generative AI guidance, PDPL, and any tender or contract terms that impose extra governance or data-handling duties.