AI in Arabia
SDAIA's Year of AI 2026 Framework Just Dropped, and Saudi Arabia Has Effectively Rewritten the GCC AI Rulebook
Policy
· 8 min read
Share:

SDAIA's Year of AI 2026 Framework Just Dropped, and Saudi Arabia Has Effectively Rewritten the GCC AI Rulebook

Saudi Arabia's Saudi Data and Artificial Intelligence Authority has published the long-awaited public sector adoption framework for...

SDAIA's Year of AI 2026 Framework Just Dropped, and Saudi Arabia Has Effectively Rewritten the GCC AI Rulebook

Saudi Arabia's Saudi Data and Artificial Intelligence Authority has published the long-awaited public sector adoption framework for the Year of AI 2026, and its reach is larger than most observers anticipated. The 112-page document, released on 22 April, sets binding obligations on every government entity, every state-owned enterprise, and every vendor selling into the public sector. It replaces an earlier draft that had closed consultation on 3 May 2026, and it raises the bar for AI governance across the GCC.

The framework is organised around five pillars: data governance, model accountability, transparency, human oversight, and risk management. Each pillar carries specific enforcement mechanisms, compliance deadlines, and links into the existing Saudi Personal Data Protection Law. Non-compliance will attract material penalties, including procurement exclusion and administrative fines calibrated against organisation revenue.

What the Framework Actually Requires

The five pillars are not aspirational. Each one maps to concrete obligations, most of which have compliance deadlines within 2026.

Advertisement

Data governance requires every public sector AI deployment to have a registered data lineage that identifies source, consent basis, and processing purpose. The registration sits inside a national SDAIA-managed inventory that will be auditable by both SDAIA and the Saudi National Cybersecurity Authority. Model accountability requires designated responsible officers inside every deploying organisation, mandatory impact assessments for models over 10 billion parameters, and quarterly performance reporting against a national benchmark.

Transparency requires public-facing disclosures for every AI system touching citizens, including a plain-Arabic description of what the system does and what it does not do. Human oversight requires sign-off authority on decisions that materially affect citizen rights, and mandatory human-in-the-loop for healthcare, justice, education, and social services. Risk management requires a national risk register maintained by SDAIA, with every deploying entity contributing risk events and near-misses in real time.

We have pushed past soft governance. The Year of AI framework gives SDAIA the enforcement tools to make sure every government AI system is accountable, transparent, and safe. Public sector vendors will need to align quickly.

Dr Abdullah Alghamdi, President, SDAIA

By The Numbers

  • 5 5 pillars structuring the Saudi Year of AI 2026 framework: data governance, model accountability, transparency, human oversight, risk management.
  • 112 112 pages in the final framework document published on 22 April.
  • $7 million $7 million maximum administrative fine per violation for non-compliant entities, with tiered multipliers for repeat offences.
  • 10 billion 10 billion parameter threshold above which mandatory impact assessments apply, matching the EU AI Act GPAI threshold.
  • 48 48 PDPL enforcement decisions issued since September 2024, providing the basis for SDAIA's expanded enforcement toolkit.
  • 14 14th place for Saudi Arabia in the 2025 Global AI Index, the highest Arab world ranking.
SDAIA's Year of AI 2026 Framework Just Dropped, and Saudi Arabia Has Effectively Rewritten the GCC AI Rulebook

The GCC Harmonisation Question

Saudi's Year of AI framework arrives in a market where every GCC state has been writing its own AI rules. Bahrain approved its 38-article AI Regulation Law in April 2024, and Oman brought its National AI Policy into force in April 2025.

The UAE's PDPL becomes fully binding in January 2027. Qatar's QCB has had mandatory AI guidelines since September 2024, and its Digital Agency has now added the region's first binding ethics code.

Saudi's move is the most consequential because Saudi public procurement sets the regional commercial tone. Vendors who want to sell into Saudi government tenders, HUMAIN portfolio companies, or PIF-backed projects now need to meet SDAIA's framework, and that operational requirement will quickly cascade into private sector contracts, Gulf peer governments, and international partners.

Harmonisation across the GCC is no longer a luxury. The Saudi framework will become the reference design, and the smart thing for Kuwait, Oman, and Bahrain is to adopt it with minor local adjustments rather than reinvent.

Dr Maha Al Mansouri, Principal, MENA Policy Observatory

Where It Overlaps With the UAE and Egypt Frameworks

The Saudi framework is not operating in isolation. Egypt's National AI Guidelines set a comparable structure, the UAE's AI Charter is evolving toward a similar enforcement model, and Qatar's AI ethics code overlaps on transparency and human oversight. The table below shows the overlap clearly.

PillarSaudi Year of AIUAE PDPLEgypt NCAI GuidelinesQatar AI Ethics
Data governanceBinding, nationally registeredBinding via PDPLOperational guidanceSectoral binding
Model accountabilityDesignated officer, IA threshold 10BVoluntary disclosureOperational guidanceSectoral binding
TransparencyPublic Arabic disclosuresVoluntaryVoluntaryBinding for financial services
Human oversightMandatory for rights-affecting systemsRequired for financial servicesOperational guidanceBinding for financial services
Risk managementNational register via SDAIAVoluntarySector-specificSectoral

Saudi has the most demanding framework by a margin. That is a strategic choice. SDAIA has concluded that the Kingdom needs to set a high governance floor to attract frontier model builders and sovereign AI capital, rather than compete on permissiveness.

What Vendors and Public Sector Buyers Should Do Now

The compliance clock is short. Most obligations take effect on 1 July 2026, with transitional provisions for existing deployments running to 31 December 2026. Vendors and public sector buyers will need to act on several fronts before then.

  • Map every AI system against the five pillars and identify compliance gaps.
  • Appoint a designated AI accountability officer inside each deploying entity.
  • Prepare impact assessments for any model over 10 billion parameters, or any system that materially affects citizen rights.
  • Align data lineage and consent records with the national SDAIA inventory format.
  • Build a live risk reporting pipeline that contributes to the SDAIA national register.
  • Publish plain-Arabic transparency disclosures for every citizen-facing AI system.
  • Review vendor contracts to ensure AI obligations flow down to subcontractors.

Vendors with existing SDAIA framework agreements, particularly HUMAIN's OneTurning marketplace, will have an easier path. Vendors who have been selling into Saudi public sector through less formal channels will need to catch up quickly or risk exclusion from 2026 tenders.

The AI in Arabia View: The Year of AI 2026 framework is the most ambitious AI governance move in the GCC, and it changes the regional game. Saudi has chosen to set the highest enforcement floor in the region, with concrete obligations, real penalties, and a national register that will make AI governance visible rather than theoretical. The framework is also a strategic bet. SDAIA is signalling that Saudi Arabia wants to be the home of trusted, auditable AI at frontier scale, not a permissive sandbox. Vendors and public sector buyers have about nine weeks to start their compliance work in earnest, and those who do will have a durable advantage through 2027. We expect other GCC states to adopt the Saudi framework with minor local adjustments within 12 months, because the alternative is regulatory fragmentation that no Gulf vendor or buyer actually wants. The HUMAIN-aligned vendors are best placed. The rest are on notice.
AI Terms in This Article 6 terms
parameters

The internal settings an AI model learns during training. More parameters generally means more capable.

benchmark

A standardized test used to compare AI model performance.

AI governance

The policies, standards, and oversight structures for managing AI systems.

sandbox

A controlled testing environment for trying out new technologies or regulations.

human-in-the-loop

AI systems that require human oversight or approval for critical decisions.

sovereign AI

National initiatives to develop domestic AI capabilities independent of foreign providers.

Frequently Asked Questions

What are the five pillars of the Saudi Year of AI 2026 framework?
Data governance, model accountability, transparency, human oversight, and risk management. Each pillar has specific enforcement mechanisms, compliance deadlines, and ties back to the Personal Data Protection Law, with administrative fines of up to $7 million per violation.
Who does the framework apply to?
Every Saudi government entity, every state-owned enterprise, and every vendor selling into the public sector. The framework also cascades to any private sector organisation with government procurement exposure, including foreign vendors and joint-venture partners.
When do the obligations take effect?
Most obligations take effect on 1 July 2026, with transitional provisions for existing deployments running to 31 December 2026. Impact assessments for models over 10 billion parameters are required before production deployment from 1 July.
How does this affect GCC harmonisation?
The Saudi framework is the most demanding in the GCC and is likely to become the regional reference design. We expect Kuwait, Oman, and Bahrain to adopt materially similar frameworks within 12 months, and the UAE to align its PDPL enforcement with the Saudi enforcement floor.
Advertisement