Accelerate your journey for cybersecurity compliance today!

Complyan GRC Platform for Compliance
Login
Login
Login
Book a Demo

SDAIA and AI Governance in Saudi Arabia: Building Responsible AI at National Scale

June 22, 2026
COMPLYAN, Cybersecurity, Saudi Arabia
Upgrading to PCI-DSS v4.0

Saudi Arabia is not tiptoeing into artificial intelligence, it is engineering a national transformation around it. At the center of that transformation sits the Saudi Data and Artificial Intelligence Authority (SDAIA), the government body tasked with turning Vision 2030’s AI ambitions into a working, accountable system across every sector of the economy.

Across governments, enterprises, financial institutions, healthcare providers, and critical infrastructure sectors, AI is becoming part of operational decision-making. As adoption increases, the conversation is shifting from innovation alone to governance, accountability, risk management, and trust.

Saudi Arabia has taken a distinctive approach to this challenge.

Rather than treating AI governance as a future consideration, the Kingdom has positioned it as a core component of its national digital transformation strategy. At the center of this effort is the Saudi Data and Artificial Intelligence Authority (SDAIA), the government body responsible for driving the country’s data and AI agenda while establishing the governance structures required to support long-term adoption.

As AI becomes increasingly integrated into business operations, SDAIA’s work is shaping how organizations across Saudi Arabia think about responsible AI, compliance, data governance, and operational oversight.

What Is SDAIA and Why Does It Exist?

Established in 2019, SDAIA was created to serve as Saudi Arabia’s central authority for data and AI governance. Its mandate covers three broad pillars: building national data infrastructure, advancing AI capabilities, and setting the governance standards that make both of those things trustworthy.

SDAIA oversees two critical sub-bodies. The National Data Management Office (NDMO) handles data governance, including enforcement of the Personal Data Protection Law (PDPL), which came into effect in September 2023. The National Center for AI (NCAI) drives research, talent development, and AI deployment at scale. Together, these entities form the operational backbone of the Kingdom’s AI governance architecture.

The SDAIA website outlines the authority’s role as coordinating AI adoption across ministries and regulated sectors, not as a passive regulator, but as an active orchestrator setting shared standards and enabling infrastructure.

The National Strategy for Data and AI (NSDAI)

Saudi Arabia’s National Strategy for Data and AI is explicit in its ambition: position the Kingdom as a global leader in AI by 2030. The strategy is KPI-driven, with targets spanning government service efficiency, private sector adoption, AI talent pipelines, and cross-agency data readiness.

What separates this strategy from others in the region is its execution orientation. Research published in IJFMR (2026) notes that national AI success depends not only on funding and infrastructure, but on enforceable execution, translating national objectives into coordinated delivery across ministries, with audit-ready governance in place. The paper identifies five operational dimensions that matter most: interoperable data readiness, responsible AI lifecycle assurance, sector delivery pipelines, capability depth, and public trust.

Saudi Arabia’s investment posture reflects this seriousness. The Kingdom has committed over $100 billion in AI-related investment, making it one of the largest AI investors globally. Projects like NEOM, the giga-cities initiative, and partnerships with major technology companies are all wired into the NSDAI’s execution framework.

From Principles to Enforceable Policy

For years, AI governance globally has been long on principles and short on enforcement. Saudi Arabia is changing that.

In April 2026, SDAIA opened a public consultation on its draft Responsible AI Policy, a document that signals a clear shift away from broad ethics statements toward structured, operational governance. Access Partnership (2026) describes the draft as establishing a risk-tiering framework that categorizes AI systems into four levels: critical, high, limited, and low risk. Each tier carries proportionate obligations around documentation, testing, monitoring, and compliance.

The draft also introduces:

  • System registration requirements for certain AI applications
  • AI ethics labelling tied to compliance maturity levels
  • Audit and assurance obligations for high-risk AI systems
  • A regulatory sandbox for controlled testing and certification

This is not merely a governance document; it is a compliance blueprint. Organizations developing or deploying AI in Saudi Arabia will need to treat responsible AI as a design requirement, not a post-launch consideration.

The PDPL, the NCA, and a Converging Compliance Model

AI governance in Saudi Arabia does not operate in isolation. It sits alongside the Personal Data Protection Law (PDPL) and the standards issued by the National Cybersecurity Authority (NCA) and the three are increasingly converging.

The PDPL applies directly to AI systems that process the personal data of Saudi residents. It establishes obligations around consent, purpose limitation, data minimisation, and the right to be informed about automated decision-making. For any AI product that touches user data, which is most of them, PDPL compliance is table stakes not optional.

The NCA adds a cybersecurity layer. AI systems that handle sensitive government data or operate in critical infrastructure must align with NCA controls, creating a multi-dimensional compliance environment. Multinational companies and enterprise AI deployers operating in the Kingdom need their legal, privacy, product, and security functions working in close coordination, not in separate silos.

For organizations looking to operationalize AI compliance readiness across these overlapping frameworks, building a unified compliance program from the outset is far more efficient than retrofitting governance after deployment. Complyan supports organizations in mapping AI-specific regulatory obligations across jurisdictions, including data protection, cybersecurity, and sector-specific requirements like those issued by SAMA for financial services and SFDA for healthcare AI.

Sector-Specific AI Governance: Finance, Health, and Beyond

Saudi Arabia’s approach to AI regulation is not one-size-fits-all. Sector regulators are developing their own AI governance expectations within the SDAIA framework.

SAMA (Saudi Central Bank) has been active in issuing AI governance guidance for financial services, with expectations around model validation, explainability, and risk management for credit, fraud detection, and automated advisory tools.

SFDA (Saudi Food and Drug Authority) governs AI used in healthcare and medical devices, where the stakes around accuracy and transparency are highest. AI diagnostic tools, clinical decision support systems, and drug interaction models all fall within its remit.

This layered approach, national standards from SDAIA sitting above sector-specific rules, creates a coherent but complex compliance environment. For businesses, the practical implication is that a single AI product may simultaneously fall under SDAIA’s Responsible AI Policy, the PDPL, SAMA or SFDA rules, and NCA cybersecurity controls.

What Businesses Operating in Saudi Arabia Should Do Now

The draft Responsible AI Policy consultation that closed in May 2026 was an early signal, not a final product. But it confirms the direction: Saudi Arabia is building a formal, operational AI governance regime, and the window to influence or prepare for it is now.

Practical steps for organizations include:

  • Conducting an AI inventory to identify which systems will fall under high or critical risk tiers
  • Aligning AI development practices with SDAIA’s AI Ethics Principles as a baseline
  • Ensuring PDPL compliance for any AI system processing personal data of Saudi residents
  • Reviewing sector-specific guidance from SAMA or SFDA where applicable
  • Building documentation and monitoring infrastructure that can satisfy audit requirements

The draft policy makes clear that responsible AI cannot sit only with a legal or policy team. It requires product, engineering, compliance, and security functions to work from a shared framework. For organizations seeking structured support in building that framework, resources like Complyan offer practical tooling for AI governance readiness across regulatory jurisdictions.

A Governance Model With Global Significance

Saudi Arabia’s approach to AI governance is drawing attention beyond the Gulf. The UNESCO Recommendation on the Ethics of AI, which 193 member states adopted in 2021, emphasizes human rights, transparency, and accountability as core pillars of responsible AI, all of which are reflected in SDAIA’s published principles and the draft Responsible AI Policy.

The Kingdom’s ability to move from high-level alignment with international norms to domestic operational requirements, with risk-tiering, mandatory audits, and system registration, puts it ahead of many jurisdictions that are still debating principles. Whether the final policy matches the ambition of the draft will determine how much of that lead is maintained.

What is already clear is that AI governance in Saudi Arabia has moved into a new phase. The question for businesses is not whether to take it seriously, but how quickly they can build the internal capabilities to meet it.