The Compliance Brief
A risk-tiered governance framework is heading through the Senate — with real obligations for local deployers, and almost none for the foreign platforms most of them build on.
Kenya is poised to become one of the first African nations with a dedicated statutory framework for artificial intelligence governance. Sponsored by Senator Karen Nyamu, the Bill arrives as Kenya positions itself as a global voice on AI policy — co-sponsoring the UN's first AI resolution and championing the UNEA-7 resolution on AI environmental sustainability. Its ambition is real. So are the gaps businesses will have to plan around.
The Bill sorts every AI system into one of four risk tiers, modelled on the EU AI Act. Where a system lands determines what a business must do to deploy it lawfully.
Systems banned entirely, no compliance path available.
The widest, most consequential tier — and the one most businesses will land in.
Disclosure obligations rather than full compliance architecture.
Light-touch ethical principles only.
The high-risk sector list is notably wide and could quietly capture things that don't feel like "AI systems" day to day — automated HR screening, customer analytics, algorithmic pricing. If your business touches any of the seven listed sectors, assume you need to check.
Providers and deployers face six concrete obligations. None are optional, and one — the five-year record — has real storage and governance cost attached.
The Office of the Artificial Intelligence Commissioner becomes an independent State Office with corporate personality, appointed by the President with parliamentary approval.
Can enter premises and inspect AI systems directly.
Can require production of documentation and audit trails.
Enforcement notices with legal force against non-compliant deployers.
Maintains a public register of every high-risk AI system in Kenya.
Bias, discrimination, and rights-infringement complaints.
It's not all friction. Several provisions are commercially useful and worth building into your roadmap rather than resisting.
Plain-language explanation and human review of AI decisions, grounded in Articles 35, 47 and 50 — accountability for lending, employment and public-service algorithms.
Mandatory synthetic media labelling and criminal sanctions, ahead of the 2027 General Election.
Controlled testing environments with relaxed compliance requirements for new products.
Requirements extend to county governments, where algorithmic harm often actually lands.
This is where the Bill's design creates real business exposure. Expand each for the practical impact.
The Bill governs Kenyan deployers but not the foundation models underneath them. A Kenyan hospital using a diagnostic tool built on a foreign LLM carries the Section 26 obligations alone — the model provider carries none.
Citizens get a right to explanation, but no statutory cause of action in damages — unlike the EU, which links obligations to liability through its AI Liability Directive.
KES 5 million is immaterial to a multinational — less than a compliance lawyer's monthly retainer — but potentially company-ending for a Kenyan startup on KES 20–50 million in annual revenue.
Model poisoning, prompt injection, data exfiltration, model inversion — none receive legislative treatment.
No Kenyan regulator can compel a US, EU or Chinese provider to open a model for audit or submit to penalty proceedings — unlike the EU AI Act's market-based reach.
Impact assessments costing USD 10,000–50,000, five-year audit trails, explainability documentation — built for well-resourced operators.
No clear mechanism for Kenya to retain control over data used to train foreign models, which have historically scraped African data and sold finished products back.
Two reference points show what a more complete framework can look like.
| Framework | Foundation model coverage | Notable feature |
|---|---|---|
| EU AI Act (Aug 2024) | Yes — technical documentation, training data summaries, incident reporting required | Applies to any provider placing AI on the market, regardless of location |
| South Korea Framework Act (Jan 2026) | Whole-of-government coordination via the Prime Minister's office | High-impact AI services and data-quality standards treated as core, not peripheral |
| Kenya AI Bill (2026) | Not addressed — deployers regulated, model providers are not | Risk-tiered structure with independent Commissioner, but no extraterritorial reach |
Five immediate steps, and three longer-run considerations for how you structure contracts and operations.
The Artificial Intelligence Bill, 2026 is a serious legislative intervention: an independent governance institution, a risk-based architecture that tracks international best practice, and workforce provisions that show real political-economy awareness. But a Bill that governs AI deployment without governing AI infrastructure, creates obligations without remedies, and has no reach over foreign providers risks burdening domestic innovators while leaving dominant platforms untouched.
The Bill still needs to clear the National Assembly before presidential assent. Regulations from the AI Commissioner will fill in the operational detail — which is exactly where the window for shaping outcomes stays open longest.
An AI governance framework doesn't sit apart from data protection law — most AI systems in Kenya run on personal data, which means your obligations under the Data Protection Act, 2019 are already live even before the AI Bill passes.
Muchangi Patrick & Co. Advocates advises boards, AI deployers, and startups on data protection compliance, AI governance readiness, and cross-border data flows. If you're building or deploying AI systems in Kenya, we can help you map your exposure before the regulator does it for you.
Muchangi Patrick & Co. Advocates advises fintechs, startups, corporates and institutions on data protection and data privacy compliance across Kenya — from ODPC registration and DPIAs to outsourced DPO services and cross-border data transfer advisory. If the issues raised above touch your business, we can help you get ahead of them.