In the autumn of 2024, a Saudi fintech startup deployed what its technical team called a "breakthrough" credit scoring model. The algorithm used machine learning to analyze transaction patterns and predict creditworthiness with unprecedented accuracy, or so the pitch deck claimed. The company had raised significant capital. It had government backing through a Vision 2030 innovation program. What it did not have, as internal auditors would later discover, was any mechanism to detect that its model was systematically denying credit to applicants from certain Riyadh neighborhoods—not because those applicants were higher risk, but because the training data reflected decades of informal lending patterns that had systematically excluded those communities.
The startup had an AI policy. Its legal team had reviewed the deployment. Its executives had signed off on the ethics checklist. What it lacked was the connective tissue between Vision 2030's transformation mandate and the operational reality of governing algorithms that make consequential decisions about people's lives.
This is the central tension of artificial intelligence in the Kingdom today. Saudi Arabia has committed to becoming a global AI power by 2030, backed by hundreds of billions of dollars in investment, a national strategy that rivals any in the world, and a regulatory architecture that is, on paper, genuinely sophisticated. What most organizations have not yet built is the capacity to deploy AI systems at scale without creating the kinds of failures that attract regulatory enforcement, reputational damage, and the erosion of public trust that Vision 2030 depends upon.
The gap between vision and reality is not theoretical. It is measurable, consequential, and growing.
The Ambition: What Vision 2030 Promised
To understand where compliance gaps emerge, one must first understand what the Kingdom has committed to achieving. The National Strategy for Data and AI, announced in 2020, established Saudi Arabia's ambition to become a global leader in artificial intelligence by the end of the decade. The strategy encompasses massive investment in AI infrastructure, the training of thousands of data scientists and AI engineers, and the deployment of AI across every priority sector: healthcare, financial services, energy, logistics, education, and government services.
NEOM, the $500 billion giga-project rising along Saudi Arabia's northwest coast, embodies this ambition at its most audacious. The cognitive city concept envisions AI managing transportation, energy distribution, healthcare delivery, and urban services at a scale never before attempted. The Line, NEOM's 170-kilometer urban development, promises that residents will have AI-powered services within a five-minute walk of any location. These are not marketing aspirations; they are infrastructure commitments backed by capital deployment.
The Public Investment Fund has directed billions toward AI-focused investments, from acquiring stakes in global AI companies to funding domestic startups. Saudi Arabia now hosts major AI conferences, has established research partnerships with leading global institutions, and is actively recruiting AI talent from around the world. The Kingdom has made AI central to its economic diversification strategy, treating technological capability as a matter of national competitiveness.
This is not empty rhetoric. The investment is real, the institutional commitment is sustained, and the pace of AI deployment across the Kingdom has accelerated dramatically in the past three years. Saudi organizations are adopting AI faster than most of their global peers, driven by a combination of top-down mandate and bottom-up opportunity.
What Vision 2030 did not anticipate—and what no transformation strategy honestly can—is that the speed of AI adoption would outpace the speed of AI governance by a margin that now creates systemic risk.
The Regulatory Architecture: Frameworks That Exist, Structures That Don't
Saudi Arabia does not lack regulatory frameworks for AI. The Saudi Data and AI Authority (SDAIA), established by Royal Decree in 2019, has developed comprehensive guidelines organized around three pillars: Human-Centric and Ethical AI, Secure and Reliable AI, and Data Governance. The Personal Data Protection Law (PDPL), effective since 2023, creates enforceable obligations around the collection, processing, and automated use of personal data, with penalties reaching SAR 5 million for violations involving sensitive information.
The Saudi Central Bank (SAMA) has issued model risk management requirements that treat AI models as financial infrastructure subject to independent validation and documented governance. The National Cybersecurity Authority (NCA) has extended its Essential Cybersecurity Controls to explicitly address AI systems, with specific requirements around data poisoning prevention, adversarial attack defense, and incident reporting within 72 hours of discovery. Sector regulators—the Ministry of Health, the Saudi Food and Drug Authority, the General Authority of Civil Aviation—have each begun developing AI-specific requirements for their domains.
The regulatory architecture, in other words, exists. What most organizations lack is the internal capacity to translate regulatory requirements into operational practice.
A bank deploying a credit scoring model must satisfy SAMA's model risk framework, SDAIA's AI ethics principles, NCA's cybersecurity controls, and PDPL's data protection requirements simultaneously. Each framework has different documentation requirements, different validation expectations, and different enforcement mechanisms. Most organizations have not built the cross-functional structures necessary to manage these overlapping obligations coherently. They have compliance teams that understand regulation but not machine learning, technical teams that understand machine learning but not regulation, and governance structures that bring these groups together only after systems are already built.
The result is a pattern that repeats across sectors: AI systems deployed with policy documents that nobody has operationalized, compliance checklists completed without genuine risk assessment, and governance committees that meet to approve deployments rather than to evaluate them.
The Common Gaps: Where Organizations Fail
Three patterns of failure dominate the KSA AI compliance landscape. Understanding them is a prerequisite to addressing them.
The first is the documentation gap. Most Saudi organizations deploying AI have some form of AI policy, often developed by legal or compliance functions. What they typically lack is documentation that actually describes how their AI systems work. Model inventories are incomplete or nonexistent. Training data sources are not systematically tracked. Decision logic is not documented in ways that would allow an auditor—or a regulator—to reconstruct how a particular output was produced. When SDAIA requires organizations to explain AI decisions affecting individuals, or when SAMA examiners ask to see model validation records, organizations discover that the documentation they need does not exist.
The second is the expertise gap. Effective AI governance requires individuals who understand both machine learning and regulatory requirements. These people are rare globally and particularly scarce in a market where AI talent is in high demand and compliance expertise has historically developed separately from technical functions. Organizations frequently assign AI governance to compliance officers who cannot evaluate technical claims, or to technical teams who view governance as bureaucratic overhead. Neither arrangement produces effective oversight.
The third is the monitoring gap. AI systems degrade over time. The data they process in production drifts from the data they were trained on. New biases emerge as user populations change. Models that performed well in validation begin to fail in ways that are invisible to conventional monitoring. Most Saudi organizations have deployed AI systems without the monitoring infrastructure necessary to detect these failures before they become regulatory problems or cause harm. The first indication of a problem is often a customer complaint, a regulatory inquiry, or a public incident—rather than proactive detection through governance systems.
These gaps share a common root: organizations have treated AI governance as a compliance exercise to be completed rather than an operational capability to be built. The difference is consequential. A compliance exercise produces documentation. An operational capability produces outcomes.
Sector by Sector: Where the Gaps Manifest
The patterns of compliance failure take different forms across Saudi Arabia's major sectors, shaped by the specific regulatory environments and operational contexts of each.
Financial Services: The SAMA Effect
Saudi Arabia's banking sector has made the most progress on AI governance, driven primarily by SAMA's explicit requirements and the sector's sensitivity to regulatory scrutiny. Banks deploying AI for credit scoring, fraud detection, and customer service automation must satisfy model risk management frameworks that require documented validation, ongoing performance monitoring, and explainability for customer-affecting decisions.
Even here, gaps persist. Many banks deployed AI systems before SAMA's requirements were fully articulated and are now retrofitting compliance onto systems not designed with governance in mind. Islamic finance institutions face additional complexity: AI systems that influence Shariah-compliant products require oversight that integrates both technical validation and Shariah review, a combination that most organizations have not structured effectively.
The sector's most common failure mode is partial compliance. Organizations have model inventories but not comprehensive documentation. They have validation processes but not continuous monitoring. They have governance committees but not clear authority to halt deployments. The gap is narrowing, driven by regulatory pressure, but the distance between policy and practice remains substantial.
Healthcare: The Stakes Are Different
Healthcare AI in Saudi Arabia operates under perhaps the most complex regulatory environment, combining clinical safety requirements, data protection obligations, and patient consent frameworks that most organizations have not fully integrated.
The Ministry of Health has announced that AI-assisted diagnostics will be deployed across government hospitals. The Saudi Food and Drug Authority classifies AI medical devices under a risk-based framework that requires clinical validation studies for higher-risk systems. The National Health Information Center mandates data governance and interoperability standards for health IT. The PDPL requires explicit consent for processing health data, which is classified as sensitive. Each requirement is reasonable in isolation. Together, they create a compliance burden that most healthcare organizations are struggling to meet.
The most consequential gap in healthcare is human oversight. Both SDAIA's principles and PDPL's automated decision-making provisions require meaningful human review for AI systems that significantly affect individuals. In clinical contexts—diagnostic recommendations, treatment pathways—this requirement is essential. Yet many healthcare organizations have not defined what "meaningful" means in practice. A physician who routinely approves AI recommendations without independent evaluation has not provided meaningful oversight, regardless of whether a human was technically in the loop.
Healthcare AI failures carry stakes that most enterprise AI failures do not. A biased credit model can be corrected. A diagnostic AI that misses a cancer diagnosis carries consequences that are difficult to undo. The sector's compliance gaps are therefore the most urgent to address.
Government: The Scale Problem
Saudi government entities are deploying AI at scale across citizen services, public safety, and urban management. The scale creates governance challenges that private sector organizations do not face to the same degree.
When a municipal AI system allocates services, routes traffic, or prioritizes infrastructure investment, it affects entire populations, including people who have no direct relationship with the deploying organization and no meaningful ability to opt out. The governance requirements for such systems are qualitatively different from enterprise AI deployed in commercial contexts.
Government AI deployments must satisfy multiple oversight frameworks simultaneously: SDAIA's ethical principles, NCA's cybersecurity controls, sector-specific requirements from the relevant ministry, and often public transparency obligations that do not apply to private sector actors. Most government entities have not built the internal capacity to manage this complexity. They rely on vendors whose incentives favor deployment speed over governance thoroughness. They inherit systems from predecessors without documentation. They face pressure to demonstrate Vision 2030 progress that can conflict with the slower pace of genuine governance.
The gap between government AI ambition and governance capacity is perhaps the most strategically significant in the Kingdom, given the scale of government AI deployment and the consequences of public-facing failures.
Energy: The Critical Infrastructure Imperative
Saudi Arabia's energy sector has been deploying AI longer than most industries and at greater scale. Predictive maintenance, reservoir management, supply chain optimization, and environmental monitoring all increasingly depend on machine learning systems whose failures carry both economic and safety implications.
The sector's governance advantage is that AI systems controlling physical infrastructure have long been subject to safety-critical system governance that predates modern AI frameworks. The discipline of validating systems whose failures could cause injury or environmental damage transfers reasonably well to AI governance.
The sector's governance challenge is that AI is now being deployed into contexts where the safety implications are less direct but still significant. An optimization model that improves energy efficiency but creates cybersecurity vulnerabilities has introduced risk that traditional safety governance may not capture. A demand prediction model that fails during a heat wave could cascade into public health consequences that the model's developers never considered.
Critical infrastructure AI governance requires the integration of traditional safety discipline with AI-specific threat awareness. Most organizations are still building this integration.
The Cost of Non-Compliance: When Gaps Become Failures
The consequences of AI compliance gaps remain largely invisible until something goes wrong. When failures occur, the costs compound quickly.
The National Cybersecurity Authority's 2025 enforcement action against an organization for AI-specific cybersecurity violations resulted in penalties of SAR 2.5 million and suspension of AI operations until controls were implemented. The violations themselves were ordinary—unencrypted model storage, inadequate data integrity controls, missing incident response procedures—but the enforcement demonstrated that regulators are willing to impose substantial penalties for AI governance failures.
Financial exposure is only part of the cost. Organizations that experience public AI failures face reputational damage that affects customer trust, partner relationships, and regulatory relationships. A healthcare AI that misdiagnoses patients creates liability exposure that extends beyond regulatory penalties to potential malpractice claims. A government AI that treats citizens unfairly erodes the public trust that Vision 2030's transformation depends upon.
The most insidious cost is the one that compounds silently: organizations that deploy AI without governance capacity accumulate technical debt that becomes increasingly expensive to address. Each system deployed without proper documentation, monitoring, and oversight adds to a burden that must eventually be remediated. The cost of retrofitting governance onto ungoverned systems consistently exceeds the cost of building governance into systems from the start.
The Path Forward: Building What Vision 2030 Requires
Closing the gap between Vision 2030's AI ambitions and current implementation reality requires organizations to build capabilities that most have not yet prioritized.
The first requirement is visibility. Organizations cannot govern AI systems they do not know exist. Building a comprehensive inventory of AI deployments—their purpose, data sources, decision-making roles, and regulatory exposure—is the foundation for everything that follows. This inventory should be living, updated as new systems are deployed and existing systems change.
The second requirement is structure. Effective AI governance requires cross-functional coordination that most organizations have not institutionalized. Governance committees must have genuine authority, not just advisory roles. Technical teams must have compliance expertise embedded, not externalized to functions that review systems after they are built. Risk and legal functions must understand machine learning well enough to evaluate the technical claims they are being asked to assess.
The third requirement is monitoring. AI systems require continuous oversight, not just pre-deployment validation. Monitoring infrastructure must detect performance degradation, data drift, emerging bias, and security threats in real time. Incident response procedures must address AI-specific scenarios with clear escalation paths and defined remediation steps.
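As an added example (not code from the original article), the two checks that this requirement and the earlier description of the monitoring gap call for, written in Python over a constructed decision log: a disparate-outcome check on approval rates per applicant district, of the kind that would have surfaced the credit-scoring failure in the opening scenario, and a data-drift check comparing live inputs against the training reference. The record fields, district labels and thresholds are assumptions.

```python
"""Post-deployment monitoring for a credit-scoring model (constructed example).

Check 1: approval rate per district and the ratio of each rate to the
best-treated district (four-fifths rule); districts below the threshold are flagged.
Check 2: population stability index (PSI) of a feature between the training
reference sample and live production inputs, to detect data drift.
"""
from collections import defaultdict
import math

# Constructed production decision log: (district, approved, income_band)
DECISIONS = [
    ("north", True, 3), ("north", True, 4), ("north", False, 2), ("north", True, 3),
    ("north", True, 4), ("north", True, 5), ("north", True, 3), ("north", False, 1),
    ("south", False, 3), ("south", False, 4), ("south", True, 3), ("south", False, 2),
    ("south", False, 3), ("south", True, 4), ("south", False, 3), ("south", False, 2),
]
FOUR_FIFTHS = 0.8   # assumed adverse-impact threshold
PSI_ALERT = 0.2     # assumed drift threshold (common rule of thumb)


def approval_rates(decisions):
    """Approval rate per district from (district, approved, _) records."""
    totals, approved = defaultdict(int), defaultdict(int)
    for district, ok, _ in decisions:
        totals[district] += 1
        approved[district] += int(ok)
    return {d: approved[d] / totals[d] for d in totals}


def adverse_impact(decisions, threshold=FOUR_FIFTHS):
    """Return ({district: ratio}, [flagged districts]) where ratio is the
    district's approval rate divided by the highest approval rate observed."""
    rates = approval_rates(decisions)
    best = max(rates.values())
    ratios = {d: r / best for d, r in rates.items()}
    return ratios, sorted(d for d, ratio in ratios.items() if ratio < threshold)


def population_stability_index(reference, live, bins):
    """PSI between two samples of a binned feature; a small epsilon keeps an
    empty bin from producing log(0). Larger values mean more drift."""
    eps = 1e-6

    def share(sample):
        counts = {b: 0 for b in bins}
        for v in sample:
            counts[v] += 1
        return {b: max(counts[b] / len(sample), eps) for b in bins}

    ref, liv = share(reference), share(live)
    return sum((liv[b] - ref[b]) * math.log(liv[b] / ref[b]) for b in bins)


def drift_alert(reference, live, bins, threshold=PSI_ALERT):
    """True when the feature distribution has shifted past the alert threshold."""
    return population_stability_index(reference, live, bins) >= threshold


if __name__ == "__main__":
    training_income = [1, 2, 3, 3, 4, 4, 4, 5, 5, 5]  # constructed reference sample
    print("adverse impact:", adverse_impact(DECISIONS))
    print("income-band PSI:", population_stability_index(
        training_income, [d[2] for d in DECISIONS], [1, 2, 3, 4, 5]))
```

Both checks run on a fixed log here; in production they would be recomputed on each batch of decisions and their results retained as the monitoring record a regulator may later ask to see.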
The fourth requirement is documentation that serves governance, not just compliance. Model documentation, validation records, and monitoring logs should exist because they support operational decision-making, not because regulators might ask for them. Organizations that document well navigate regulatory inquiries smoothly because they produce what already exists rather than creating it on demand.
The fifth requirement is patience. Building AI governance capability takes time. Organizations that attempt to close all gaps simultaneously typically fail, overwhelmed by scope and underinvested in capacity. Prioritizing the highest-risk systems first, building reusable governance components, and treating capability development as a multi-year journey produces better outcomes than attempting a comprehensive remediation that collapses under its own weight.
The Strategic Imperative
Vision 2030's ambition for AI in the Kingdom is genuine and substantial. The regulatory frameworks to ensure responsible AI deployment are developing with increasing specificity. The enforcement activity that demonstrates regulatory seriousness has begun.
The organizations that will thrive in this environment are not necessarily those that deploy AI fastest, but those that build the governance capacity to deploy AI sustainably. They will move through regulatory review efficiently because their systems are designed for oversight. They will detect problems before they become crises because they have monitoring infrastructure. They will maintain the trust of customers, regulators, and the public because they can demonstrate that their AI systems are governed effectively.
The gap between vision and reality is real, but it is closable. The question for Saudi organizations is no longer whether to build AI governance capability, but how quickly they can do so without disrupting the AI deployments that their operations increasingly depend upon.
The Kingdom has committed to AI transformation. The organizations that will lead that transformation are those that recognize governance not as an obstacle to innovation, but as the infrastructure that makes sustainable innovation possible.
Published by PeopleSafetyLab — AI safety and governance research for KSA organizations.