Saudi Arabia has moved faster than most of its peers from AI ambition to AI governance. The Kingdom established a dedicated data and AI authority in 2019, published ethics principles in two iterations, enacted a comprehensive data protection law, and issued targeted guidance on generative AI and synthetic media. Operators entering this market, or running cross-border services that reach individuals in the Kingdom, need to understand which instruments bind and which set the expected standard of care before deployment.
Key takeaways
- The Saudi Data and Artificial Intelligence Authority (SDAIA) is the central supervisor. Its AI Ethics Principles version 2.0, adopted 14 September 2023, set out seven principles and introduce a four-tier risk classification (little or no risk, limited risk, high risk, unacceptable risk). They apply to all AI stakeholders operating within the Kingdom.
- The Personal Data Protection Law (PDPL, Royal Decree M/19, amended by Royal Decree M/148) became fully enforceable on 14 September 2024 after a one-year grace period. It has extraterritorial reach over processing that targets data subjects in Saudi Arabia and restricts cross-border data transfers.
- SDAIA published Generative AI Guidelines for Government and for the Public in January 2024, and Deepfakes Guidelines Version 1.0 in September 2024, covering watermarking, content authenticity, consent, traceability, and human oversight.
- The four SDAIA risk tiers map closely to the EU AI Act risk pyramid. Operators that are already EU AI Act-compliant will find the structural gap modest, concentrated on PDPL data-transfer mapping and SDAIA self-assessment documentation.
- The framework reaches international vendors in two ways: directly via the PDPL's extraterritorial scope, and indirectly through procurement, where Saudi government and SAMA-regulated financial customers pass AI governance obligations down by contract.
The regulatory landscape
Saudi Arabia's AI governance environment in 2026 consists of four interacting layers. Identifying which layer applies to a given operator is the starting point for any compliance analysis.
The first layer is the AI-specific standard set by SDAIA. The AI Ethics Principles, now in version 2.0, establish the seven ethical principles and the four-tier risk classification that frame how AI systems are to be designed, developed, and deployed in the Kingdom. SDAIA is named as the supervisory authority within this framework.[1]
The second and most directly enforceable layer is data protection law under the PDPL. This applies to any operator processing personal data of individuals residing in Saudi Arabia, including foreign operators that target Saudi data subjects, and constrains AI deployments that handle personal data for training, inference, or profiling.[2]
The third layer is the generative AI and synthetic media guidance: SDAIA's Generative AI Guidelines for Government, Generative AI Guidelines for the Public, and the Deepfakes Guidelines. These set the expected standard of care for content authenticity and watermarking and bind public-sector adopters and their suppliers most directly.[3]
The fourth layer is sector supervision in financial services. The Saudi Central Bank (SAMA) has not published a standalone AI statute; it governs AI through its existing Cyber Security Framework, Counter-Fraud Framework, and risk management mandates, requiring regulated entities to assess AI systems within those controls.[4]
SDAIA AI Ethics Principles 2.0: the four-tier risk model
The AI Ethics Principles 2.0, adopted on 14 September 2023, are the backbone of the Kingdom's AI-specific governance. They rest on seven principles: fairness; privacy and security; humanity; social and environmental benefits; reliability and safety; transparency and explainability; and accountability and responsibility. The Principles apply to all AI stakeholders designing, developing, deploying, using, or affected by AI systems within Saudi Arabia, including public entities, private entities, non-profits, researchers, and individuals.[1]
How the risk tiers operate
Version 2.0 introduced a tiered risk categorisation. The depth of obligation scales with the assessed risk of the system.
| SDAIA risk tier | Obligation | EU AI Act analogue |
|---|---|---|
| Little or no risk | Compliance with the Principles is recommended but not required | Minimal risk (voluntary codes) |
| Limited risk | Must comply with the Principles and applicable controls; transparency expectations apply | Limited risk (transparency obligations) |
| High risk | Must comply with the Principles and the full set of additional controls; documentation and oversight intensify | High risk (Annex III use cases; Chapter III obligations) |
| Unacceptable risk | Prohibited; cannot be developed or deployed | Prohibited practices (Article 5) |
SDAIA provides self-assessment tools for mapping a system against the seven principles and against the risk tiers. The practical workflow for an operator is to classify each AI system into a tier, apply the principle-level controls proportionate to that tier, and retain the completed self-assessment as evidence. This is the same logical structure an operator follows when classifying a system under Article 6 and Annex III of the EU AI Act, which makes the cross-mapping straightforward.[1]
The PDPL: the binding data obligation for AI operators
The Personal Data Protection Law was issued under Royal Decree M/19 (1443H) and amended by Royal Decree M/148 (1444H). The Implementing Regulations and the Regulation on the Transfer of Personal Data Outside the Kingdom were issued on 7 September 2023, with the transfer regulation replaced by a new version effective 1 September 2024. After a one-year grace period, the PDPL became fully enforceable on 14 September 2024. SDAIA is the enforcing authority.[2]
Scope and territorial reach
The PDPL applies to any processing of personal data that takes place in Saudi Arabia, and it also reaches processing by entities outside the Kingdom where that processing relates to individuals residing in Saudi Arabia. For AI operators, the territorial scope is therefore broad. An AI agent operated abroad that processes personal data about Saudi residents is within scope, in the same way that the GDPR and the South African POPIA reach foreign operators who target their respective data subjects.[2]
Cross-border transfer: the operative constraint for model training
For AI operators, the most consequential PDPL feature is the transfer regime. Personal data may be transferred outside the Kingdom only where conditions in the Transfer Regulation are met, which include adequacy-style assessments, appropriate safeguards, and purpose limitation. Operators who send Saudi personal data abroad for model training, fine-tuning, or cloud inference must document the transfer basis and apply the required safeguards before the data leaves the Kingdom. This is the single most common point of friction for foreign AI platforms entering the Saudi market.[2]
Lawful basis, records, and breach notification
The PDPL requires a lawful basis for processing, records of processing activities, breach notification to SDAIA (within 72 hours of becoming aware of the breach under the Implementing Regulations) and to affected data subjects where the breach may cause them harm, and respect for data subject rights of access, correction, and destruction. Operators who already maintain EU AI Act Article 26 deployer records and GDPR Article 30 records of processing will generally have the substrate needed to satisfy the PDPL equivalents, with the transfer documentation being the principal incremental task.
Generative AI and deepfakes guidance
SDAIA published two sets of Generative AI Guidelines in January 2024: one addressed to government entities and one addressed to the public. The Generative AI Guidelines for Government set out principles, risk classifications, data handling rules, role definitions, and a compliance checklist for the responsible adoption and oversight of generative AI by public bodies and, by extension, their suppliers. The Guidelines for the Public draw on the same principle set (fairness, reliability and safety, transparency and explainability, accountability, privacy and security, and humanity) and add practical examples and recommended practices to mitigate misuse, deepfakes, and privacy intrusion.[3]
In September 2024, SDAIA issued the Deepfakes Guidelines Version 1.0, an ethics-informed policy instrument addressing synthetic media. It emphasises transparency, consent, privacy protection, accountability, and risk-management measures including watermarking, traceability, consent forms, and consumer awareness. For an operator deploying generative agents that produce images, audio, or video about identifiable people, these are the reference expectations: label synthetic content, watermark outputs where feasible, obtain consent for likeness use, and maintain traceability.[3]
These guidelines are guidance rather than primary legislation. They apply most directly to public-sector adopters and their suppliers, and they set the standard of care SDAIA expects across the market. The watermarking and content-authenticity expectations align with the transparency obligations for AI-generated content in EU AI Act Article 50.
Financial sector supervision
The Saudi Central Bank, SAMA, supervises banks, insurers, and finance companies. SAMA has not published a dedicated AI statute, but its Cyber Security Framework, Counter-Fraud Framework, and broader risk management mandates require regulated entities to govern technology risk, including AI and machine learning models. The expected controls cover governance, model and technology risk management, third-party and supply-chain risk, incident response, and cybersecurity maturity assessment.[4]
An international AI vendor to a Saudi bank is not directly SAMA-supervised, but the bank must manage third-party AI risk within its SAMA-mandated frameworks. Vendors will face contractual AI governance requirements flowing from the bank's SAMA obligations, including model documentation, validation evidence, and incident reporting passed down through the supply chain. This is the same supply-chain pass-down mechanism that operates in other Gulf markets covered in this series.
Comparison with the EU AI Act and NIST AI RMF
Operators already compliant with the EU AI Act will find substantial structural overlap with the Saudi framework. The SDAIA four-tier risk model maps almost directly onto the EU risk pyramid: both regimes place prohibited practices in a top tier and concentrate substantive obligations on high-risk systems. The principal gaps for an EU-compliant operator are three: the PDPL cross-border transfer regime requires explicit documentation before Saudi personal data is sent abroad; the SDAIA self-assessment tooling must be completed and retained as the local evidence of compliance; and the generative AI and deepfakes watermarking expectations should be mapped to existing EU AI Act Article 50 transparency processes.[6]
| Dimension | Saudi Arabia (SDAIA / PDPL) | EU AI Act |
|---|---|---|
| Instrument type | National AI standard plus binding data law | Binding Regulation (2024/1689) |
| Risk classification | Four tiers (little or no, limited, high, unacceptable) | Four tiers (minimal, limited, high, prohibited) |
| Prohibited tier | Unacceptable risk cannot be developed | Article 5 prohibited practices |
| Conformity assessment | Self-assessment against principles and tiers | Conformity assessment for high-risk systems (internal control under Annex VI, or notified-body assessment under Annex VII for certain categories) |
| Data transfer rule | PDPL Transfer Regulation (2024 version) | GDPR Chapter V transfers |
| Synthetic media | Deepfakes Guidelines, watermarking expected | Article 50 transparency obligations |
| Supervisor | SDAIA (plus SAMA in finance) | National market surveillance authorities (plus the EU AI Office for general-purpose AI models) |
The NIST AI RMF 1.0 and the NIST AI 600-1 Generative AI Profile (July 2024) map well onto the SDAIA principles. NIST's GOVERN, MAP, MEASURE, and MANAGE functions cover the same ground as the accountability and responsibility, reliability and safety, and transparency and explainability principles in the AI Ethics Principles, with MANAGE supplying the human oversight and incident-handling evidence the self-assessment asks for. Operators using the NIST AI RMF as their primary governance tool will find it straightforward to demonstrate alignment with SDAIA expectations and to populate the self-assessment.[5]
For a comparison with other major non-EU jurisdictions covered in this series, see the UAE and Gulf AI governance guide, the India AI regulatory framework guide, and the US-EU-UK comparison. For EU AI Act Article 26 deployer obligations, see the full Article 26 guide on agentliability.eu.
Enforcement landscape
SDAIA is a well-resourced national authority with a mandate spanning data, AI, and the National Data Management Office. The PDPL enforcement regime carries administrative penalties (a warning or a fine of up to SAR 5 million per violation, which may be doubled for repeat violations), and certain offences, such as disclosing or publishing sensitive data in breach of the law with intent to harm or for personal gain, can attract criminal liability of up to two years' imprisonment and a fine of up to SAR 3 million. The transition period for PDPL compliance ended on 14 September 2024, so 2026 is a live enforcement environment rather than a grace period. The most likely points of exposure for AI operators are unlawful cross-border transfer of personal data, processing without a valid lawful basis, and deployment of generative systems that produce synthetic media without the consent, labelling, and watermarking expected under the Deepfakes Guidelines.
What operators should do
The minimum compliance programme for an AI operator deploying in Saudi Arabia consists of five elements:
- Classify each AI system against the SDAIA four-tier risk model and complete the self-assessment, applying principle-level controls proportionate to the assessed tier.
- Conduct a PDPL scope assessment to identify which deployments process personal data of Saudi residents, and document the lawful basis for each.
- Build the cross-border transfer documentation before any Saudi personal data leaves the Kingdom for training, fine-tuning, or cloud inference.
- For any generative or synthetic-media capability, implement labelling, watermarking, consent capture, and traceability aligned to the Generative AI and Deepfakes Guidelines.
- If selling into government or SAMA-regulated financial customers, prepare the model documentation, validation evidence, and incident-reporting capability that those customers will pass down by contract.
Frequently asked questions
Does Saudi Arabia have a dedicated AI law in 2026?
Not a single binding AI statute. Saudi Arabia governs AI through a layered framework administered by SDAIA. The central instruments are the AI Ethics Principles version 2.0 (adopted 14 September 2023) with a four-tier risk classification, and the PDPL (Royal Decree M/19, as amended), fully enforceable since 14 September 2024. SDAIA also published Generative AI Guidelines for Government and for the Public (January 2024) and Deepfakes Guidelines (September 2024). The Ethics Principles are a national standard rather than an Act, but SDAIA is the designated supervisor.
What is the SDAIA four-tier AI risk model and how does it work?
The AI Ethics Principles 2.0 classify systems into four tiers: little or no risk, limited risk, high risk, and unacceptable risk. Systems in the little or no risk tier are not required to comply, though compliance is recommended. Limited risk and high risk systems must comply with the Principles and applicable controls, with the depth of obligation scaling with risk. Unacceptable risk systems are prohibited and cannot be developed or deployed. SDAIA provides self-assessment tools to map a system against the seven principles and the tiers.
How does the Saudi PDPL apply to AI agents processing personal data?
The PDPL applies to processing of personal data of individuals residing in Saudi Arabia, including foreign entities targeting Saudi data subjects. It requires a lawful basis, restricts cross-border transfers under the Transfer Regulation (current version effective 1 September 2024), mandates breach notification, and grants access, correction, and deletion rights. AI operators must document their lawful basis, keep records of processing, and apply transfer safeguards before sending data abroad for training or inference.
Are the SDAIA Generative AI and Deepfakes Guidelines mandatory for operators?
The Generative AI Guidelines for Government are addressed primarily to public entities and their suppliers and are authoritative for government adoption. The Guidelines for the Public and the Deepfakes Guidelines (Version 1.0, September 2024) are guidance rather than primary legislation, but they set the standard of care SDAIA expects and align with the binding PDPL and AI Ethics Principles. Vendors selling generative AI to Saudi government bodies will face these as contractual requirements, including watermarking, content authenticity, consent, traceability, and human oversight.
How does Saudi Arabia's AI framework compare to the EU AI Act?
The structural logic is similar. The SDAIA four-tier risk model mirrors the EU AI Act risk pyramid: both place prohibited practices in a top tier and concentrate obligations on high-risk systems. The principal difference is enforcement architecture: the EU Act is a binding Regulation with conformity assessments and market surveillance, while Saudi Arabia uses the AI Ethics Principles as a national standard plus the binding PDPL and sector rules. EU-compliant operators face a modest gap, focused on PDPL transfer mapping and SDAIA self-assessment documentation.
Do Saudi rules reach international AI vendors selling into the Kingdom?
Yes, through two channels. The PDPL has extraterritorial reach over processing that targets data subjects in Saudi Arabia, so a foreign AI vendor handling Saudi residents' personal data is directly in scope. Separately, where a vendor sells AI to a Saudi government entity or SAMA-regulated financial institution, the customer's own SDAIA and SAMA obligations flow down through procurement, imposing Ethics Principles alignment, model documentation, watermarking for generative outputs, and incident reporting on the vendor.
References
- Saudi Data and Artificial Intelligence Authority (SDAIA). AI Ethics Principles, version 2.0, adopted 14 September 2023. Seven principles and a four-tier risk classification (little or no risk, limited risk, high risk, unacceptable risk), with SDAIA designated as supervisory authority and self-assessment tools provided. Available at sdaia.gov.sa.
- Personal Data Protection Law (PDPL), Royal Decree M/19 of 1443H, amended by Royal Decree M/148 of 1444H. Implementing Regulations and Regulation on the Transfer of Personal Data Outside the Kingdom issued 7 September 2023; transfer regulation replaced by a new version effective 1 September 2024. Fully enforceable from 14 September 2024 following a one-year grace period. Enforced by SDAIA. Available at sdaia.gov.sa.
- SDAIA. Generative AI Guidelines for Government and Generative AI Guidelines for the Public, January 2024; Deepfakes Guidelines, Version 1.0, September 2024. Cover principles, risk classification, watermarking, content authenticity, consent, traceability, and human oversight. Available at sdaia.gov.sa.
- Saudi Central Bank (SAMA). Cyber Security Framework, Counter-Fraud Framework, and technology and model risk management requirements applied to regulated banks, insurers, and finance companies; AI systems assessed within these existing controls. Available at sama.gov.sa.
- NIST AI Risk Management Framework (AI RMF 1.0), January 2023, NIST AI 100-1; NIST AI 600-1 Generative AI Profile, July 2024. Available at nist.gov/artificial-intelligence.
- EU Regulation 2024/1689 (the EU AI Act). Risk classification, Article 5 prohibited practices, Article 26 deployer obligations, and Article 50 transparency obligations for AI-generated content. Available at eur-lex.europa.eu.