Kenya’s push to regulate artificial intelligence (AI) through the proposed Artificial Intelligence Bill, 2026, is being hailed as a major step toward governing a fast-growing sector, but some analysts say key gaps remain around data sovereignty, liability and local relevance that could limit its effectiveness.
The landmark Bill, sponsored by nominated Senator Karen Nyamu, proposes the creation of an Office of the Artificial Intelligence Commissioner to oversee the deployment of AI systems, conduct audits and enforce compliance.
It introduces a risk-based classification framework, similar to the European Union Artificial Intelligence Act, that categorises AI systems from minimal to unacceptable risk, banning those deemed harmful. It also requires human oversight, transparency in decision-making, and workforce impact assessments where jobs could be affected.
But some experts argue that the proposed regulation does not sufficiently address data sovereignty – how Kenya will retain control over its data in a global AI ecosystem dominated by foreign firms.
The principle says that digital data is subject to the laws and governance structures of the country in which it is physically collected, stored, or processed.
Nairobi-based technology policy analyst Gerald Kiti says global developers of frontier models and systems built by foreign companies have historically scraped African data to train models without local oversight.
“They use our data to train their models and then sell the final AI products back to us,” Mr Kiti told the Business Daily in an interview, raising questions over the Bill’s provision of mechanisms to negotiate value or enforce local data governance.
Major tech firms, including ChatGPT maker OpenAI and Meta, have been accused of using low-paid African data labellers and scraping content to train models, which critics have described as "digital colonialism".
This is compounded by the lack of copyright laws that explicitly address AI training, leaving room for exploitation. While Kenya’s Copyright Act allows fair dealing in scientific research, it does not clarify whether AI model training is under this exception.
“Without stronger data governance, the continued extraction of African data to train AI will likely continue to be based on a foundation of exploitation rather than fairness and accountability,” notes a recent paper by Strathmore University’s Centre for Intellectual Property and Information Technology Law.
Liability is another grey area experts are pointing out in the proposed legislation, particularly in cases where harm arises from complex AI supply chains involving multiple actors.
The Bill mandates risk assessments and compliance for high-risk systems, but does not clearly spell out how responsibility would be shared among developers, deployers, and end users.
Analysts warn that in sectors such as healthcare or finance, which the Bill classifies as high-risk, uncertainty over accountability could expose businesses and consumers to legal and financial risks if AI systems fail.
“For a foundational AI model by a US-based company, a tech company can build a product that uses it, which a hospital in Nairobi ends up using for its operations. Should a patient suffer because of the software’s performance, our laws should spell out how these parties are held accountable,” Mr Kiti said.
Under the EU’s regulations, for instance, if a foreign developer does not have a designated European representative, the importer or distributor of the AI system can be held liable. Banned AI applications that pose a “clear risk to fundamental rights” include those that involve the processing of biometric data.
While the Bill mandates fairness and non-discrimination, some critics say it does not explicitly require localisation of training data or standards for inclusion, potentially entrenching biases in systems used across public services and business.
The proposed law mandates that AI systems be designed to “enhance, rather than replace human capabilities,” and requires companies to implement reskilling programmes where jobs are at risk.
It also introduces sweeping powers, including the ability for regulators to inspect AI systems, require disclosure of training data, and enforce penalties of up to Sh5 million or imprisonment for up to two years for violations.
Offences include deploying prohibited AI systems, failing to conduct required risk or workforce assessments, or distributing harmful AI-generated content using someone’s likeness, commonly known as deepfakes, without consent.
If passed, Kenya could become one of the first countries in Africa with a full AI law. None of Africa’s 55 countries has developed a dedicated law regulating AI systems; 16, including Kenya, only have national AI strategies.
The EU, which enacted its AI law in 2024, has backed regulatory alignment as part of broader digital trade talks with Kenya, terming the Bill as a foundation for cross-border data flows and investment. The European body had input in developing Kenya’s Data Protection Act, 2019, and last year’s AI strategy.
“We will also help them formulate an AI policy,” EU’s Ambassador to Kenya Herniette Geiger, told the Business Daily on Wednesday.
But analysts say for Kenya to fully benefit from the AI economy, the law will need to go further in defining data ownership and accountability across AI value chains.
“It is significant progress, particularly through its alignment with established international regulatory approaches,” Mr Kiti said, “but it could go beyond focusing on deployment risks.”
