Saudi Arabia's Responsible AI Draft Moves From Principles to Rules — Its Reach Into Individuals Is the Overreach

SDAIA's four-tier risk framework brings welcome legal certainty, but extending registration and audit duties to individuals risks chilling the innovation it courts.

[Infographic: Saudi Arabia's Draft Responsible AI Policy, by the N… (People of Internet Research · Saudi Arabia; peopleofinternet.com). Panels: 4 risk tiers in the draft (critical, high, limited and low); 14th, 2025 Global AI Index rank; $9.1bn AI funding secured; May 3 2026, public consultation closed.]

Key Takeaways

On May 3, 2026, the Saudi Data & Artificial Intelligence Authority (SDAIA) closed a month-long public consultation on a draft Responsible AI Policy — the Kingdom's clearest move yet from aspirational principle to enforceable rule. Posted to the government's Istitlaa consultation platform, the draft introduces a four-tier risk classification (critical, high, limited, low), system-registration requirements, AI "ethics labelling" tied to compliance maturity, audit and assurance obligations for high-risk systems, and a regulatory sandbox. It lands in the year Riyadh has branded its "Year of Artificial Intelligence" under Vision 2030.

From Principles to Operational Rules

The case for the draft is strong, and worth stating plainly before criticising it. Until now, Saudi AI governance has rested on non-binding instruments: the AI Ethics Principles (2023), the Generative AI Guidelines (2024), and dedicated deepfake guidance. Principles without process give neither citizens nor investors much to rely on. A risk-tiered regime that scales obligations to actual harm — light touch for a low-risk recommender, real scrutiny for an automated credit or diagnostic system — is the model most serious jurisdictions have converged on, including the EU AI Act. Tying the heaviest duties (registration, third-party audit, assurance) to systems in healthcare, finance, education and national security, as the US Commerce Department's market-intelligence summary of SDAIA's earlier risk framework describes, is proportionate in principle. And anchoring the policy to the existing Personal Data Protection Law (Royal Decree M/19, fully enforced September 2024) and National Cybersecurity Authority controls reduces duplicative compliance rather than stacking a parallel regime on top of it.

The shift is also a maturation. SDAIA's 2025 National AI Risk Management Framework used a simpler two-tier split between low- and high-risk systems; the new draft's four tiers add "critical" and "limited" bands, a finer-grained taxonomy that better matches how risk actually distributes. Running in parallel, the Communications, Space & Technology Commission has consulted on a draft Global AI Hub Law. Read together, these signal a deliberate transition from planning to implementation that the Year of AI framing is meant to dramatise.

The Sandbox Is the Best Idea in the Draft

The single best instrument here is the regulatory sandbox — a supervised environment for testing and certifying systems before market entry. Sandboxes let regulators learn how a technology actually behaves instead of legislating against a caricature of it, and they lower compliance costs for smaller players who cannot fund a full legal team. For a state spending heavily to become an AI hub — Arab News reports $9.1 billion raised by AI firms and a 14th-place finish in the 2025 Global AI Index — a sandbox is exactly the kind of pro-innovation tool that signals seriousness without freezing experimentation.

Breadth Is the Problem

The difficulty is reach. According to an analysis by Access Partnership, the draft applies not only to government entities, private companies and non-profits, but to individuals who develop, use or publish AI-enabled applications. That is unusually broad. The EU AI Act, the obvious comparator, exempts deployers who are "natural persons using AI systems in the course of a purely personal non-professional activity" and largely carves out free and open-source components unless they are high-risk. A policy that sweeps in individual developers, researchers and hobbyists risks attaching registration and labelling duties to exactly the experimental, bottom-up activity that builds an ecosystem.

"Ethics labelling tied to compliance maturity" is a particular concern. A maturity-graded label is one administrative step from a licence, and licensing regimes reliably advantage incumbents and state-aligned champions — here, the Public Investment Fund's Humain vehicle — over the startups a Year of AI is meant to cultivate. Registration triggered by mere publication, rather than by genuinely high-risk deployment, would compound that bias toward those who can absorb paperwork.

Governance Without Speech Control

There is a deeper tension the draft does not resolve. Responsible-AI frameworks increasingly fold in "content moderation" and "non-discrimination" obligations, and SDAIA's does. In a high-trust, high-speech environment, those duties target real harms. In Saudi Arabia they sit uneasily beside the state's recent conduct. In May 2026, Access Now and a coalition of rights groups documented that Meta, at the Saudi government's request, geo-blocked the Facebook and Instagram accounts of human-rights NGOs and researchers from audiences inside the Kingdom — part of a pattern of over 100 restricted pages since March. When the same authority that requests platform geo-blocking also writes the rules for AI "content moderation," the governance question is not whether the framework is well-drafted but whom it will be used against.

A Proportionate Path

None of this argues for inaction. It argues for precision. SDAIA could keep the sandbox, retain the four-tier structure, and still narrow the policy in three ways: exempt individual, non-commercial and open-source activity from registration; trigger audit and assurance only for genuinely high-risk deployment, not mere publication; and decouple AI governance from speech control by leaving content rules to transparent, appealable processes rather than maturity-graded labels.

Operational governance is an upgrade over vague principles — but only if it is calibrated to the harm it addresses, not to the breadth of activity it can reach. The Kingdom is betting that trustworthy AI will draw capital and talent. Trust is built by rules that are predictable and proportionate, and by a state that does not treat speech itself as a risk category. The draft gets the first half right. The consultation that just closed is the moment to fix the second.

Sources & Citations

  1. SDAIA invites views on Responsible AI Policy draft (SPA)
  2. US Commerce — Saudi National AI Risk Management Framework
  3. Access Partnership — Saudi Arabia operationalises responsible AI
  4. Arab News — Saudi Arabia designates 2026 the Year of AI
  5. Access Partnership — Saudi Arabia moves to operationalise responsible AI governance
  6. Access Now — Meta blocks human-rights accounts in Saudi Arabia and UAE
  7. EU AI Act, Article 2 (scope and exemptions)