SDAIA and Saudi Arabia's AI governance architecture
The Saudi Data and AI Authority (هيئة البيانات والذكاء الاصطناعي, SDAIA) was established in 2019 as the primary government body responsible for data and AI governance in Saudi Arabia. SDAIA's mandate spans: the National AI Strategy, the Data Governance Framework, the Personal Data Protection Law enforcement, and the development of AI ethics principles for the Kingdom. SDAIA operates through two main bodies: the National Center for AI (NCAI) for AI development and strategy, and the National Data Management Office (NDMO) for data governance and PDPL enforcement.
The governance model reflects Saudi Arabia's approach to AI: government as an active enabler of AI adoption, with regulation designed to build trust and protect individual rights while supporting Vision 2030's ambition to position Saudi Arabia as a global AI leader. This creates a regulatory environment that is supportive of AI deployment but increasingly specific in its governance expectations.
PDPL and AI: Saudi Arabia's data protection obligations
Saudi Arabia's Personal Data Protection Law (PDPL), effective September 2023, creates data protection obligations that apply to the processing of personal data of Saudi residents by organisations operating in or targeting the Saudi market. For AI systems, the PDPL's key provisions: lawful basis for processing (consent is the default, with exceptions for contract performance, legal obligation, and vital interests); purpose limitation (personal data collected for one purpose may not be used to train AI models for different purposes without additional lawful basis); data subject rights including the right to access data, correct inaccurate data, and in some circumstances request deletion; and cross-border data transfer restrictions that affect AI systems hosted outside Saudi Arabia that process Saudi personal data.
SAMA and financial services AI
The Saudi Central Bank (SAMA) has been progressively developing AI governance expectations for financial institutions operating under its supervision. SAMA's approach draws on international standards — the FSB, IOSCO, and BIS frameworks for AI in financial services — and applies them to the Saudi banking, insurance, and payment services context. Key SAMA AI governance expectations: model risk management frameworks that apply to AI models used in credit, fraud, and investment decisions; explainability requirements for AI used in customer-facing financial decisions; and vendor management requirements for third-party AI systems used by regulated entities.
