The Artificial Intelligence Bill, 2026: Establishing a Regulatory Framework for Algorithmic Governance in Kenya

As the global race to regulate artificial intelligence (AI) intensifies, Kenya has taken a definitive step forward with the introduction of the Artificial Intelligence Bill, 2026. Published in February 2026, this bill aims to position Kenya as a leader in African tech governance. By seeking to balance the promotion of local innovation with the protection of fundamental human rights, the Bill addresses a critical regulatory vacuum that currently exists between the Data Protection Act and the Science, Technology and Innovation Act.

The Institutional Architecture

At the center of this framework is the establishment of the Office of the Artificial Intelligence Commissioner, an independent body corporate with the mandate to enforce the Act, conduct audits, and maintain a public register of high-risk systems. To provide technical and ethical guidance, the Bill also creates an Advisory Committee on Artificial Intelligence, which includes representatives from the private sector, civil society, and regulatory bodies such as the Data Protection Commissioner.

Practically, this legislation transitions AI from a self-regulated sector into a structured environment subject to state oversight. Businesses must prepare for the Commissioner’s extensive powers, which include the authority to enter premises for inspections, summon individuals to give evidence, and issue administrative fines for non-compliance.

Financial and Reporting Requirements

The Office will be funded through National Assembly allocations, grants, and other vestments, ensuring it has the resources to perform its regulatory functions. To ensure accountability, the Commissioner is required to submit annual reports to the Cabinet Secretary detailing risk assessments conducted, the impact of the Office’s mandate, and any impediments to achieving the Act’s objectives. This reporting structure ensures that the evolution of AI technology is tracked at a parliamentary level, facilitating periodic legislative reviews every three years to maintain relevance.

Risk-Based Governance and Prohibitions

The Bill adopts a risk-based classification model that determines the level of regulatory scrutiny applied to a system. Under Section 25, the Commissioner will classify AI systems into four categories: (a) unacceptable risk, (b) high risk, (c) limited risk, and (d) minimal risk. This classification has significant legal weight, as any system deemed to pose an unacceptable risk is strictly prohibited from being deployed or operated within the country.

This model changes the current legal position by creating a proactive “gatekeeper” system. Instead of addressing harms after they occur, the Bill requires a determination of risk levels before or during the system’s lifecycle, which will directly impact the speed at which businesses can bring new technologies to market.

Obligations for High-Risk AI Systems

Providers and deployers of high-risk AI systems, typically those used in critical sectors like healthcare, finance, and public administration, face the most rigorous compliance burdens. These entities are legally required to:

(a) conduct risk and human rights impact assessments before deployment;

(b) ensure the transparency and explainability of decision-making processes;

(c) maintain records of data inputs and performance metrics for at least five years; and

(d) incorporate measures for cybersecurity and accuracy.

For businesses, these provisions mean that black box algorithms will no longer be legally permissible in high-stakes environments. There is a clear shift toward explainable AI, where entities must be able to demonstrate how a system reached a particular output or decision.

Transparency, Ethics, and Human-Centric Design

The Bill introduces specific safeguards to protect individuals from the deceptive use of AI. Any AI system that generates or manipulates media content, such as synthetic media or deepfakes, must be clearly labeled as AI-generated. Furthermore, providers must obtain explicit consent before using a person’s image or likeness in AI-generated content.

A central pillar of the legislation is the requirement for human-centric AI. Section 32 mandates that systems must be designed to enhance rather than replace human capabilities and must include review mechanisms that allow a qualified person to intervene or override automated decisions that affect human rights or safety. This legal requirement for a “human-in-the-loop” ensures that automated systems do not operate without accountability.

Workforce Protections and Public Sector Use

Recognizing the potential for economic disruption, the Bill requires any provider or deployer whose system is likely to impact employment to conduct a workforce impact assessment. This must include an assessment of potential job displacement and the implementation of mitigation measures, such as reskilling programs. Additionally, public entities and county governments are explicitly required to comply with the Act, ensuring that the state leads by example in the ethical adoption of AI.

Enforcement, Penalties, and Liability

The Bill provides for stringent penalties to ensure compliance. Deploying a prohibited unacceptable-risk system or failing to conduct mandatory risk assessments can result in fines of up to five million shillings, imprisonment for up to two years, or both. Less severe infractions, such as failing to comply with disclosure mandates, carry fines of up to one million shillings or six months’ imprisonment.

A critical implication for corporate governance is found in Section 35(3), which extends liability to individual directors and officers. If an offence is committed by a body corporate, every officer who had knowledge of the offence and failed to exercise due diligence is also guilty, making AI compliance a matter of personal legal risk for company leadership.

Legal Risks and Ambiguities

The primary area of potential dispute lies in the definitions of significant risk and unacceptable risk, which remain subject to future regulations prescribed by the Cabinet Secretary. This reliance on subsidiary legislation creates initial uncertainty for developers regarding how their systems will be categorized. Furthermore, the Commissioner’s power to inspect records and premises upon “reasonable notice” may lead to litigation concerning the balance between regulatory oversight and constitutional protections against arbitrary searches. Businesses should also monitor the intersection between this Bill and the Data Protection Act, as the Commissioner is empowered to investigate bias and discrimination, which often overlap with data processing violations.
