Introduction
As Kenya continues to cement its status as “Silicon Savannah,” the legislative landscape is racing to keep pace with the rapid integration of automated systems. The Artificial Intelligence Bill, 2026, Kenya’s first comprehensive attempt to move beyond generic data protection and establish a dedicated regulatory framework for AI. Drawing inspiration from global benchmarks like the EU AI Act, this Bill seeks to balance the promotion of innovation with the mitigation of existential and societal risks.
The New Regulatory Architecture
The Bill’s most significant structural proposal is the establishment of the Office of the Artificial Intelligence Commissioner. Designated as an independent State Office, it will be headed by a Commissioner with high-level technical and legal expertise.
Supporting the Commissioner is an Advisory Committee designed to ensure a multi-stakeholder approach, including representatives from the private sector, civil society, the Council of Governors, and data protection authorities.
The Bill also proposes to introduce regulatory sandboxes, which provide controlled environments for testing AI innovations under regulatory supervision. This is a significant step toward fostering innovation, as it allows developers to experiment with new technologies while ensuring that risks are identified and mitigated early.
Risk-Based Classification: The “Litmus Test” for AI
The Bill departs from a “one-size-fits-all” approach by requiring the Commissioner to classify AI systems based on their risk level:
- Unacceptable Risk: Systems that pose severe threats to safety or rights. Such systems are strictly prohibited.
- High-Risk: Systems used in critical sectors including healthcare, education, agriculture, finance, security, employment, or public administration. Such systems will be highly regulated.
- Limited and Minimal Risk: Systems with moderate or negligible risks. These systems will have lighter transparency requirements.
Stringent Obligations for “High-Risk” AI System Providers or Deployers
For businesses developing or deploying high-risk AI, the Bill imposes heavy compliance burdens including:
- Impact Assessments: Mandatory risk and human rights impact assessments must be conducted prior to deployment.
- Transparency: Systems must be “explainable,” and providers must maintain detailed records of training datasets and performance metrics for at least five years.
- Human-in-the-Loop: AI must be designed for “human-centric” use, incorporating review mechanisms that allow a qualified natural person to override automated outputs.
- Consent-based approach: Where the system generates or manipulates images, voice or likeness, obtain explicit consent from the affected person or their legal representative, and ensure the output is clearly labelled as AI-generated
Crucially, the Bill criminalizes the non-consensual distribution of synthetic media that causes harm or infringes on privacy, carrying a fine of up to Kshs 5 million or two years imprisonment.
Further, Section 33 requires providers and deployers to conduct “workforce impact assessments” and implement “reskilling programs” if their AI is likely to displace jobs.
Overlap with the Data Protection regulatory regime
While the Artificial Intelligence Bill, 2026 is a proactive step toward ethical tech governance, there is significant overlap between this Bill and the existing Data Protection Act (Cap 411C). Without clear harmonization, businesses may find themselves reporting to two different Commissioners for the same algorithmic process, leading to “regulatory fatigue.”
Conclusion
The Artificial Intelligence Bill, 2026 is an ambitious piece of legislation that moves Kenya from a passive consumer of AI to an active regulator. It addresses modern fears regarding deepfakes and job loss while attempting to keep the door open for “safe” innovation via regulatory sandboxes. However, for this Bill to succeed, the final regulations must ensure that the “Office of the Commissioner” acts more as a partner to innovation than a bureaucratic bottleneck.
Disclaimer: This article is provided free of charge for information purposes only; it does not constitute legal advice and should be relied on as such. No responsibility for the accuracy and/or correctness of the information and commentary as set in the article should be held without seeking specific legal advice on the subject matter. If you have any query regarding the same, please do not hesitate to contact our Data Protection & ICT Law Department vide WAICTLaw@wamaeallen.com
About the author
Preston Ndombi Wawire is an experienced litigator of over 10 years standing and has perfected his art in civil and commercial litigation. He has vast experience in banking and recoveries litigation, insurance and malpractice law, and securities enforcement. Prestone has been involved in some of the most ground breaking litigation in injunctive matters and medical malpractice. Prestone is an active member of the Law Society of Kenya, Environment and Land Court Bar Bench Committee.
