
Saudi Arabia AI Compliance Requirements

Mandatory and recommended controls under the PDPL and SDAIA guidance, plus the EU AI Act and GDPR where their extraterritorial scope reaches Saudi operators, including the role of SDAIA as the national data-protection authority.

Status: PDPL in force; AI governed by SDAIA principles
Deadline: PDPL fully enforceable since 14 September 2024
Penalty: PDPL fines up to SAR 5M (doubling for repeat offences) and up to 2 years' imprisonment for unlawful sensitive-data disclosure
By: Legal research team

How AI law works in Saudi Arabia

Saudi Arabia governs AI through its data authority, SDAIA (the Saudi Data & Artificial Intelligence Authority), rather than a dedicated AI Act. The binding instrument is the Personal Data Protection Law (Royal Decree M/19 of 2021, amended 2023), which became fully enforceable on 14 September 2024 and carries fines up to SAR 5 million plus criminal liability for misuse of sensitive data. On top of it, SDAIA has issued non-binding AI Ethics Principles (2023) and Generative AI Guidelines (2024) covering fairness, transparency, accountability and human oversight, all aligned with the National Strategy for Data & AI and Vision 2030's goal of becoming a top-tier AI economy. Companies deploying AI must comply with the PDPL and are expected to follow SDAIA's guidelines.

Applicable laws

Saudi Arabia has no equivalent of the EU AI Act, so the framework below binds a Saudi organization only where the Act's extraterritorial scope reaches it: placing an AI system on the EU market, or having the system's output used in the EU (Art. 2). Within that scope, EU AI Act requirements begin with system risk assessment. Your organization must evaluate every AI system against the Act's risk framework: prohibited practices (real-time remote biometric identification in publicly accessible spaces for law enforcement outside narrow exceptions, social scoring, subliminal or manipulative techniques), high-risk systems (hiring, access to essential public benefits, law enforcement, biometric identification), limited-risk systems (chatbots, which carry transparency duties), and minimal-risk systems (game AI, spam filters). The legal requirement is to classify your system correctly. Misclassification, for example claiming that a hiring AI is minimal-risk when it is high-risk, is itself a compliance violation. High-risk classification triggers the heaviest compliance burden: conformity assessment, bias and fairness testing, documented risk mitigation, human oversight, transparency, and record-keeping. If you are uncertain whether a system is high-risk, the safe assumption is to treat it as high-risk and apply the full compliance framework.

Pre-deployment conformity assessment is the core requirement for high-risk systems. Before deploying a high-risk AI system (or immediately, if it is already deployed), you must complete a documented assessment covering: data quality (are the training and decision-making data representative of the population affected by the system, and do they contain known biases?); model performance (does the model perform equally well across demographic groups, or is accuracy lower for protected groups?); system explainability (can you explain to an affected individual why the system made a particular decision?); human oversight design (what process allows an individual to escalate the AI decision to human review?); and risk mitigation (what controls have you implemented to reduce the risk of discriminatory outcomes?). This assessment must be documented in writing, reviewed by qualified personnel, and kept current over the system's lifecycle: updated whenever the model, its data or its deployment context changes materially, and at least annually as a floor.

Bias and fairness testing is a specific requirement for high-risk systems. The EU AI Act does not prescribe a particular testing methodology, but requires that your organization conduct documented testing and be able to demonstrate that you have evaluated the system for discriminatory impact across protected characteristics (race, colour, religion, national origin, sex, gender identity, sexual orientation, disability, age and similar grounds). Documented testing should cover at least: hold-out test data not used in training, representative of the affected population; evaluation of decision-rate parity across groups (does the AI approve loans at the same rate for all genders, races, and age groups?); and performance parity testing (does the AI make accurate predictions equally well across all groups?). Document test results, identify any disparate impact, and implement mitigation (rebalance training data, adjust decision thresholds, redesign features, or limit the system's scope).
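The parity checks described above, as an added Python example that is not code from this page or from any regulator: on a constructed hold-out set it computes per-group selection rate (decision-rate parity) and accuracy, true-positive and false-positive rates (performance parity), reports the disparate-impact ratio, and searches candidate global thresholds for the threshold-adjustment mitigation. The 0.8 parity floor is the four-fifths rule, used here as an assumption; the Act itself sets no numeric threshold.

```python
"""Decision-rate and performance parity checks on a hold-out set.

Added example, not part of the original page. Records, scores, labels and
the 0.8 disparate-impact floor are all constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Record:
    group: str    # value of the protected attribute (constructed: "A" / "B")
    score: float  # model score in [0, 1]; higher means approve
    label: int    # ground truth: 1 = should be approved, 0 = should not


# Constructed hold-out set. Group B's true positives are scored lower than
# group A's, the pattern a single global threshold turns into disparate impact.
HOLDOUT: List[Record] = [
    Record("A", 0.92, 1), Record("A", 0.85, 1), Record("A", 0.78, 1),
    Record("A", 0.71, 1), Record("A", 0.66, 0), Record("A", 0.60, 1),
    Record("A", 0.55, 0), Record("A", 0.45, 0), Record("A", 0.30, 0),
    Record("A", 0.20, 0),
    Record("B", 0.80, 1), Record("B", 0.68, 1), Record("B", 0.62, 1),
    Record("B", 0.58, 1), Record("B", 0.52, 0), Record("B", 0.49, 1),
    Record("B", 0.44, 0), Record("B", 0.40, 0), Record("B", 0.25, 0),
    Record("B", 0.15, 0),
]


def group_metrics(records: Iterable[Record], threshold: float) -> Dict[str, Dict[str, float]]:
    """Per-group selection rate (decision-rate parity) plus accuracy, TPR and
    FPR (performance parity) for one global decision threshold."""
    counts: Dict[str, Dict[str, int]] = {}
    for r in records:
        c = counts.setdefault(r.group, dict(n=0, sel=0, correct=0, pos=0, tp=0, neg=0, fp=0))
        pred = 1 if r.score >= threshold else 0
        c["n"] += 1
        c["sel"] += pred
        c["correct"] += int(pred == r.label)
        if r.label == 1:
            c["pos"] += 1
            c["tp"] += pred
        else:
            c["neg"] += 1
            c["fp"] += pred
    out: Dict[str, Dict[str, float]] = {}
    for g, c in counts.items():
        out[g] = {
            "n": c["n"],
            "selection_rate": c["sel"] / c["n"],
            "accuracy": c["correct"] / c["n"],
            "tpr": c["tp"] / c["pos"] if c["pos"] else float("nan"),
            "fpr": c["fp"] / c["neg"] if c["neg"] else float("nan"),
        }
    return out


def disparate_impact_ratio(metrics: Dict[str, Dict[str, float]]) -> float:
    """Lowest group selection rate divided by the highest; 1.0 is full parity."""
    rates = [m["selection_rate"] for m in metrics.values()]
    hi = max(rates)
    return min(rates) / hi if hi > 0 else 1.0


def evaluate(records: Iterable[Record], threshold: float, di_floor: float = 0.8) -> dict:
    """One documented test run: per-group metrics, DI ratio, pass/fail.
    di_floor=0.8 is the four-fifths rule, an assumption of this example."""
    m = group_metrics(list(records), threshold)
    di = disparate_impact_ratio(m)
    return {"threshold": threshold, "groups": m, "di_ratio": di, "passes": di >= di_floor}


def best_threshold(records: Iterable[Record], candidates: Iterable[float],
                   di_floor: float = 0.8) -> Optional[float]:
    """Threshold-adjustment mitigation: among candidate global thresholds that
    clear the parity floor, return the one with the highest overall accuracy,
    or None if no candidate clears it (then rebalance data or redesign features)."""
    recs = list(records)
    best, best_acc = None, -1.0
    for t in candidates:
        if disparate_impact_ratio(group_metrics(recs, t)) < di_floor:
            continue
        acc = sum(int((r.score >= t) == bool(r.label)) for r in recs) / len(recs)
        if acc > best_acc:
            best, best_acc = t, acc
    return best


if __name__ == "__main__":
    for t in (0.6, 0.4):
        res = evaluate(HOLDOUT, t)
        print(f"threshold={t}: DI ratio={res['di_ratio']:.2f} passes={res['passes']}")
        for g, m in sorted(res["groups"].items()):
            print(f"  group {g}: sel={m['selection_rate']:.2f} acc={m['accuracy']:.2f} "
                  f"tpr={m['tpr']:.2f} fpr={m['fpr']:.2f}")
    print("best parity-clearing threshold:", best_threshold(HOLDOUT, [0.2, 0.3, 0.4, 0.5, 0.6, 0.7]))
```

On the constructed data the operating threshold of 0.6 gives group A a 60% approval rate against 30% for group B (DI ratio 0.5, failing the floor) while group B's true-positive rate drops to 0.6. Lowering the global threshold to 0.4 restores parity but costs overall accuracy (0.85 to 0.70), which is the trade-off the test report must record, and the signal that the better mitigation is upstream in the training data or features rather than at the threshold.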

Transparency and human-review mechanisms scale with risk level. For limited-risk systems (chatbots), you must disclose that the individual is interacting with AI; minimal-risk systems carry no transparency obligation under the Act. For high-risk systems, transparency is much deeper: you must inform affected individuals before the AI system makes a decision about them, explain what data the system is using, describe how the system works (at a non-technical level accessible to the individual), and provide the individual with a clear, accessible process to request human review and appeal the AI decision. In employment and benefits contexts, individuals must be able to request re-evaluation by a human reviewer, and that human review must be genuine: a human who has authority to override the AI decision and the information needed to make an independent judgment.

Ongoing monitoring, record-keeping, and individual-rights response are permanent obligations. You must monitor every high-risk AI system's performance and decisions on an ongoing basis (not just at deployment). Maintain audit logs of every high-risk decision capturing inputs, decision outputs, confidence scores, human-review flags, and any human override. The Act sets only a six-month floor for automatically generated logs (Arts. 19 and 26); the three-year retention used throughout this guide is the recommended minimum, so that a record still exists for as long as an affected individual can realistically challenge the decision. When an individual requests an explanation of an AI decision, you must respond within 30 days (matching the one-month period GDPR Article 12 sets for data-subject requests) with accessible, non-technical information about how the system works and why it made that particular decision. When an individual requests appeal or human review, you must provide it. Failure to respond to individual rights requests is a documented compliance violation and a source of private civil liability.

Saudi Arabia compliance requirements, ranked

Mandatory (PDPL domestically; EU AI Act + GDPR where their extraterritorial scope applies)

Risk classification per national framework + GDPR-equivalent DPIA
Public AI-use disclosure to end-users in their language
Human review path for adverse automated decisions (GDPR Art. 22)
Cooperation with SDAIA as Saudi Arabia's supervisory authority + serious-incident reporting
Records sufficient to reconstruct each automated decision (3+ years)

Strongly recommended

Annual third-party bias / fairness audit
AI vendor due-diligence questionnaire (training data provenance, sub-processors, retention)
Cross-functional AI governance committee
Public-facing complaint mechanism

Country context

Applicable framework: Personal Data Protection Law (PDPL) — Royal Decree M/19 of 2021, amended 2023
Applicable framework: SDAIA AI Ethics Principles (2023)
Applicable framework: SDAIA Generative AI Guidelines (2024)
Applicable framework: National Strategy for Data & AI (NSDAI) / Vision 2030
Regulator: SDAIA (Saudi Data & Artificial Intelligence Authority), the competent authority for the PDPL and issuer of the AI guidance above; see the official sources block below.
Status: PDPL in force; AI governed by SDAIA principles. Headline penalty exposure: PDPL: fines up to SAR 5M (doubling for repeat offences) and up to 2 years' imprisonment for unlawful sensitive-data disclosure.

Editorial standards

Sources verified against official .gov filings · Last verified Jun 18, 2026.

Official sources · Saudi Arabia