By introducing the Artificial Intelligence Bill, Kenya is giving legal force to what was previously voluntary guidance.
The proposed AI Commissioner will also have powers to inspect systems, issue compliance notices and impose penalties.
For many organisations, AI governance still amounts to little more than a page on the corporate website. It lists reassuring principles—fairness, transparency and human oversight—that are approved by the board, admired briefly and rarely tested in practice. It is governance by aspiration rather than evidence.
Those days are ending. What matters is no longer what a board says about AI, but what it can demonstrate. The next regulator, customer or court asking how an AI system reached a decision may have the authority to inspect the evidence.
By introducing the Artificial Intelligence Bill, Kenya is giving legal force to what was previously voluntary guidance. Drawing heavily from the EU AI Act, the Bill classifies AI systems according to risk, from minimal to unacceptable, with the toughest obligations reserved for high-risk applications in sectors such as finance, healthcare and public administration.
For high-risk systems, organisations will be required to conduct pre-deployment impact assessments, evaluate human rights risks, explain automated decisions and, critically, retain records of system performance, inputs and outputs for up to five years. The proposed AI Commissioner will also have powers to inspect systems, issue compliance notices and impose penalties.
Some details, including risk classifications, will be clarified through regulations. Legal experts have also noted that even lower-risk systems will carry disclosure obligations. But the direction is unmistakable. Kenya is positioning itself as one of Africa's first comprehensive AI regulators, and businesses that comply with Kenyan standards are likely to be well prepared for similar frameworks across the continent.
Sceptics argue that enforcement may be slow because regulators face resource constraints. The Collaboration on International ICT Policy for East and Southern Africa (CIPESA) has argued that Kenya's challenge is not the absence of AI regulation but an accountability gap. That concern is valid, but it is not a reason to delay.
Inventory of AI systems
Regulatory action is only one source of risk. If an AI system wrongly rejects a loan application, misprices insurance or produces discriminatory outcomes, customers will not wait for regulators before seeking legal redress or taking their business elsewhere. Equally, organisations cannot recreate five years of records when an audit finally arrives. Boards therefore need to shift from claiming responsible AI to proving it.
The starting point is visibility. Every organisation should maintain an inventory of AI systems, whether developed internally or purchased from vendors, and classify them according to risk.Â
Second, organisations should ensure AI systems can be independently audited for bias, accuracy and explainability. If a decision cannot be explained to a customer, regulator or court, it will be difficult to defend.
Finally, accountability must be assigned. AI governance should sit with a named executive reporting to the board's audit or risk committee and should align with existing laws.