Kenya is moving beyond policy ambition and towards legislative action in its regulation of artificial intelligence (AI), as reflected in the recently tabled draft Artificial Intelligence Bill, 2026 (AI Bill). To date, momentum has been more visible at the policy level, with instruments including the National AI Strategy 2025–2030 having been adopted and the formal policy drafting process being well underway.
The AI Bill has not yet been tabled before the Senate, but it has been published as a Senate Bill and was first read in the Senate in early April 2026. On 21 April, the Senate invited the public and interested stakeholders to comment on the AI Bill, which they must do by 5 May this year. Because it concerns county governments, it must also be considered by the National Assembly before it can be presented for presidential assent.
Whilst the Bill’s stated objectives of ethical use, transparency and the safeguarding of human rights are laudable in principle, several of its provisions raise concerns about regulatory overreach, legal uncertainty and the potential effect on innovation.
Key provisions
- Risk classification of AI systems
The Bill adopts a risk-based classification model, loosely modelled on the EU AI Act, with four categories: unacceptable risk (prohibited outright), high risk, limited risk, and minimal risk.
However, the Bill leaves the detailed criteria for classification to future regulations, creating significant uncertainty for businesses seeking to understand where their systems fall. The breadth of sectors designated as high risk, including healthcare, finance, security, employment and public administration, risks capturing a very wide range of routine AI applications and imposing disproportionate compliance burdens.
- Obligations for high-risk AI systems
The compliance burden on providers and deployers of high-risk AI systems is considerable. Pre-deployment obligations include risk assessments and human rights impact assessments, transparency and explainability of decision-making, and the maintenance of records of data inputs, outputs and performance metrics for at least five years.
- Privacy and data protection
The Bill ties AI governance to Kenya’s Data Protection Act 2019, requiring high-risk AI providers and deployers to comply with that Act in relation to personal data processing, including conducting data protection impact assessments. Additionally, the layering of AI-specific obligations on top of existing data protection requirements risks creating a duplicative and potentially conflicting compliance regime.
- Transparency and disclosure
Notably, all providers and deployers of AI systems, not only high-risk ones, must disclose to users the nature, purpose and limitations of the system, the extent of automated decision-making, and the measures taken to mitigate biases. The universal application of this obligation, regardless of risk level, is arguably disproportionate and may impose unnecessary costs on low-risk or minimal-risk AI applications.
- The AI Commissioner
The Bill establishes the Office of the Artificial Intelligence Commissioner as an independent body with expansive enforcement powers, including the ability to enter premises, inspect AI systems, issue enforcement notices and impose administrative fines. The Commissioner will maintain a public register of high-risk AI systems. However, the breadth of the Commissioner’s powers raises questions about proportionality and the risk of inconsistent enforcement.
The Artificial Intelligence Bill, 2026 marks a significant step in Kenya’s digital regulatory landscape, though its ultimate impact will depend on the legislative process ahead and the regulations that follow. While there is still a long road ahead, if enacted in its current form, the Bill will apply to any business that develops, deploys or uses AI systems in Kenya, including international businesses operating in the Kenyan market.




