Este artigo está disponível apenas em inglês no momento.
AI Governance in Saudi Arabia: SDAIA, Vision 2030, and the Kingdom's AI Regulatory Framework
Saudi Arabia is investing massively in AI as part of Vision 2030 — with SDAIA (Saudi Data and AI Authority) leading a regulatory framework that is maturing rapidly. The 2026 guide for organisations operating in the Kingdom.
Key Takeaways
SDAIA (Saudi Data and AI Authority) is the primary AI governance authority in Saudi Arabia — it has published the National AI Strategy, the Data Governance Framework, and AI ethics principles that establish the regulatory expectations for AI in the Kingdom.
The Personal Data Protection Law (PDPL), enforced by SDAIA's National Data Management Office (NDMO), creates data protection obligations for AI systems processing personal data of Saudi residents — including consent, purpose limitation, and data subject rights.
Saudi Arabia's Vision 2030 creates a clear government expectation that organisations operating in the Kingdom will adopt AI — but adoption must be consistent with SDAIA's AI governance principles and the emerging regulatory framework.
SAMA (Saudi Central Bank) and other sector regulators have issued AI governance guidance for their regulated entities — financial services AI governance in Saudi Arabia is developing rapidly.
Organisations entering the Saudi market should engage with SDAIA's voluntary AI ethics framework as a starting point — it signals regulatory expectations and aligns with international AI governance standards.
"Apenas para fins informativos. Este artigo não constitui aconselhamento jurídico, regulatório, financeiro ou profissional. Consulte um especialista qualificado para orientação específica."
SDAIA and Saudi Arabia's AI governance architecture
The Saudi Data and AI Authority (هيئة البيانات والذكاء الاصطناعي, SDAIA) was established in 2019 as the primary government body responsible for data and AI governance in Saudi Arabia. SDAIA's mandate spans: the National AI Strategy, the Data Governance Framework, the Personal Data Protection Law enforcement, and the development of AI ethics principles for the Kingdom. SDAIA operates through two main bodies: the National Center for AI (NCAI) for AI development and strategy, and the National Data Management Office (NDMO) for data governance and PDPL enforcement.
The governance model reflects Saudi Arabia's approach to AI: government as an active enabler of AI adoption, with regulation designed to build trust and protect individual rights while supporting Vision 2030's ambition to position Saudi Arabia as a global AI leader. This creates a regulatory environment that is supportive of AI deployment but increasingly specific in its governance expectations.
PDPL and AI: Saudi Arabia's data protection obligations
Saudi Arabia's Personal Data Protection Law (PDPL), effective September 2023, creates data protection obligations that apply to the processing of personal data of Saudi residents by organisations operating in or targeting the Saudi market. For AI systems, the PDPL's key provisions: lawful basis for processing (consent is the default, with exceptions for contract performance, legal obligation, and vital interests); purpose limitation (personal data collected for one purpose may not be used to train AI models for different purposes without additional lawful basis); data subject rights including the right to access data, correct inaccurate data, and in some circumstances request deletion; and cross-border data transfer restrictions that affect AI systems hosted outside Saudi Arabia that process Saudi personal data.
SAMA and financial services AI
The Saudi Central Bank (SAMA) has been progressively developing AI governance expectations for financial institutions operating under its supervision. SAMA's approach draws on international standards — the FSB, IOSCO, and BIS frameworks for AI in financial services — and applies them to the Saudi banking, insurance, and payment services context. Key SAMA AI governance expectations: model risk management frameworks that apply to AI models used in credit, fraud, and investment decisions; explainability requirements for AI used in customer-facing financial decisions; and vendor management requirements for third-party AI systems used by regulated entities.