Authored By: NYAKARA JOY SHALOM
STRATHMORE UNIVERSITY
Introduction
It has been observed that Kenya maintains a visible standing within the worldwide field of technological advancement. Kenya stands first globally regarding the per-capita utilization of ChatGPT[1] and the country consistently remains among the top three primary locations for financial investment in new companies on the African continent.[2] The business environment around Nairobi, known as the Silicon Savannah, has seen the emergence of fintech, agritech, and healthtech companies of international standards that have helped many people in East Africa. As all these were happening, the Artificial Intelligence Bill 2026[3] (‘the AI Bill’ or ‘the Bill’) was brought before the Kenyan National Assembly, which is a comprehensive legal framework developed to regulate the development, deployment, and use of artificial intelligence systems in Kenya.
Significant circumstances currently surround the arrival of the AI Bill. Artificial intelligence does not exist as a minor tool anymore because artificial intelligence is integrated within systems for financial rating, platforms for agricultural advice, medical examination processes, and the provision of government assistance throughout Kenya. Many people believe that the most important inquiry involves the manner of regulation rather than the need for rules itself. This academic writing suggests that the AI Bill builds an uneven balance for following laws that places heavy weight on Kenya-based creators and small firms while the global technology giants remain outside the reach of the law. A fear exists that the AI Bill will stop the growth of the innovation environment that the law wants to protect if changes are not made to the risk categories, the punishment systems, and the testing zones for new ideas.
Section II surveys the existing Kenyan legal framework relevant to artificial intelligence. Section III analyses the Bill’s risk-based classification system and the compliance obligations the Bill generates. Section IV is applied for analysis of compliance asymmetry problem. Comparative regulatory models from European Union, Tanzania, and Rwanda will be analyzed in section V. Reform recommendations will be provided in section VI. Conclusion is presented in section VII.
The Existing Legal Framework
Prior to the introduction of the AI Bill, the regulation of artificial intelligence in Kenya had been undertaken via a combination of laws that were not specifically designed for the purposes of regulating AI. For instance, the Constitution of Kenya (2010), which outlines among other things the right to consumers as stipulated under Article 46, might be applicable.[4] Second, the Science, Technology and Innovation Act (2013), although generally supportive of technological innovation, makes no reference to algorithmic accountability whatsoever.[5] Third, the Kenya Information and Communications Act, dealing with regulation of electronic communication infrastructure, has no provisions governing the AI layer above that infrastructure.[6]
The only piece of legislation that is directly relevant is the Data Protection Act (2019) (the ‘DPA’). All its obligations, from the necessity of lawful data processing to data minimization and transparency in relation to personal data handling, apply to AI systems.[7] Already, some AI companies working in Kenya have been investigated for violating those obligations. In other words, the DPA itself is not repealed or consolidated by the AI Bill and therefore may lead to regulatory overlaps between the two.
Overall, this legal environment poses certain challenges of compliance. Yet, as will be analyzed below, the AI Bill transforms this challenge into an outright impediment to market entry for small Kenyan players.
III. The AI Bill 2026: Risk Classification and Compliance Obligations
The Risk-Based Architecture
The Bill follows a risk-based approach, some aspects of which are based on international guidelines. Clause 3(1) defines an “AI system” as any system with the capability to produce any output through machine-based operations.[8] Clause 4 classifies AI systems into six risk levels, namely, minimal, limited, moderate, high, critical, and prohibited. High-risk, critical, and prohibited systems must undergo conformity assessments before implementation.[9]
High-risk classification in Clause 18(1) is equally wide-ranging and encompasses the use of AI systems for employment, credit scoring, education, health services, policing, and critical infrastructure.[10] Given the key industries within which Kenyan startups are currently active, fintech, agritech, and health tech, there would be many cases where the local use of AI systems would be considered high-risk.
Obligations Attached to High-Risk Classification
The people developing and running high-risk AI systems have many responsibilities imposed upon them by the Bill. Subsection 20(3) imposes the responsibility of appointing an AI Officer, who must be a resident of the locality, and who should have at least three years of relevant experience.[11] According to subsection 22, there will have to be proper documentation and audit trails maintained for a period of five years, which can be accessed within 48 hours of any request made.[12]
The Penalty Regime
On its face value, the penalization scheme proposed by the Bill is consistent with international standards. According to Clause 31(2)(b), the proposed fines, in the event of non-compliance with specific requirements, amount to KES 5 million.[13] Clause 31(4) requires that the imposition of the penalties must be proportionate to the severity of the violation and the company’s size.[14] However, the proportionate nature of such penalties is not well-defined; the Bill fails to specify whether or not there would be any differentiation between an owner-operated small business employing just three people and a start-up company employing fifty people.
The Compliance Asymmetry Problem
Jurisdictional Reach and the Enforcement Gap
Enforcement deficiencies are a significant concern within the provisions of the Bill. As stated in Clause 41, the extraterritorial jurisdiction of the legislation covers all persons conducting business in Kenya or offering AI systems to users in Kenya.[15] Such jurisdictional breadth is promising, but in actuality, the legislation does not provide sufficient means of enforcing the provisions of the Bill in relation to foreign AI providers who lack a physical presence and assets in Kenya.
Access blocking is the primary means for addressing violations committed by foreign service providers as expressed in Clause 43 (1) in the Bill.[16] This method of enforcement is questionable since it can easily encroach on fundamental rights. It also fails to tackle the enforcement problem directly. Indeed, while blocking can only be used as a last resort, it entails very harsh consequences for violating compliance requirements set forth in Clauses 20 to 22, which apply to domestic AI providers immediately upon implementation.
In reality, a Kenyan company that develops an AI credit-scoring tool will need to appoint an officer responsible for the development of AI, keep a five-year record, and face the risk of being fined up to KES 5 million for failure to comply. Meanwhile, the corresponding obligations are absent from the obligations of a foreign technology provider of the same service accessible to customers through browsers and applications on their mobile phones.[17]
Cost Burden and the Startup Ecosystem
The following statistics are extracted from the 2024 Digital Economy Report produced by the Communications Authority of Kenya. According to fintech start-ups in Kenya, the cost of compliance ranges between 12% to 18% of operational costs under the current data protection law and regulation of financial services.[18] The conditions of the AI Bill, if applied to all high-risk AI systems, would substantially raise this cost .In the case of a startup at the seed or Series A stage, a mere five percent rise in compliance costs can mean the difference between profit and loss.
Clause 7 of the AI Bill provides for the establishment of the AI Safety Authority, which is comprised mostly of government appointees with little involvement of the private sector.[19] There is no requirement in law that would compel the Authority to undertake a regulatory impact assessment prior to adopting guidelines/policies. Without such a provision, there is a real chance of compliance costs escalating without proper analysis of their proportional impact on small businesses.
C.The Regulatory Sandbox: A Partial and Inadequate Solution.
This provision is informed by the innovation challenge that is highlighted in Clause 33, in that there is a sandbox for AI systems that have not undergone conformity assessment yet.[20] The participants in the sandbox program benefit from temporary exempted obligations and undergo increased monitoring within the testing period. Although this is a very useful provision, its usefulness is undermined by several structural challenges. To start with, this provision allows only twenty participants per year to access the sandbox program.[21] Considering the fact that many startups are operating in the technological landscape in Kenya, twenty people are a tiny percentage of the expected number of users. Secondly, the eligibility criteria for the use of sandbox are not known before hand; they are at the discretion of the Authority. It is a violation of the rule of law principle as this creates an environment where gatekeeping is arbitrarily done based on personal whims and political influence.[22] Thirdly, participation in the sandbox program cannot guarantee that one can become fully compliant. The participant is required to be fully compliant in ninety days from the day she exits from the program or be fully subject to the law.[23]
Comparative Perspectives
The European Union AI Act
The Artificial Intelligence Act (Regulation (EU) 2024/1689) of the European Union (“EU AI Act”) constitutes the most advanced comparative legislation at present.[24] Like the AI Bill, the EU AI Act operates under a risk-based regulatory structure, where duties increase proportionally with the higher level of risk categorization. [25]The General-Purpose AI systems that pose a systemic risk are assigned additional obligations, such as adversarial testing and incident reporting under the EU AI Act.[26] Importantly, the EU AI Act is backed by an effective enforcement system that can be extended to the non-EU parties through their market access in the EU market, which houses around 450 million consumers. Notably, Kenya does not possess similar leverage against foreign AI operators. Hence, although the EU AI Act serves as an important benchmark, it requires modification for applicability in Kenya.
Tanzania and Rwanda: Lighter-Touch Frameworks
The Regulatory Sandbox Framework for Fintech Innovation in Tanzania, issued by the Financial Services Authority in 2022, offers another approach.[27] Under the Tanzanian regulatory sandbox framework, up to 36 months can be allowed for sandbox testing, and the requirement for pre-compliance assessment does not apply. It is indicative of a considered decision that the costs of regulatory friction related to establishing an innovation ecosystem outweigh any potential hazards arising from reduced compliance at the beginning of technology adoption.
In the case of Rwanda, a principles-based approach is followed, as set out in the country’s 2023 AI Guidelines.[28] In other words, the guidelines do not mandate specific types of audits or personnel. Instead, they require an AI deployer to show conformity with certain fairness, accountability, and transparency criteria. Such an approach allows for regulatory flexibility and reduces compliance expenses. Moreover, such an approach is likely more appropriate to the rapid pace of development of AI technology.
Comparison of the AI Bill proposed for enactment in Kenya to the approaches taken in neighboring countries demonstrates its potential drawbacks. Should the Bill become law, there would be a risk of regulatory arbitrage insofar as businesses and entrepreneurs would rather register and use AI systems in either Tanzania or Rwanda to avoid compliance costs imposed on businesses in Kenya. They would be able to penetrate the Kenyan market as foreign providers.[29]
Proposals for Reform
In summary, the authors argue that the AI Bill is in need of amendments in order to overcome the compliance asymmetry issue while retaining its legitimate regulatory goals.
Firstly, the penalties prescribed under Clause 31 of the Bill should be updated to reflect enterprise-size differentiation properly. For a micro-enterprise (a firm registered under the provisions of the Kenya Startup Act 2022), the upper limit for the initial violation should amount to KES 500,000, while the maximum fines for medium-sized and larger firms will continue to be KES 5 million.[30]
Secondly, the regulatory sandbox outlined in Clause 33 of the Bill should be significantly enlarged and more transparent concerning governance. The annual cap on the number of participants should be either eliminated or increased to 200 at the very minimum. In addition, the criteria for participation should be disclosed before the selection process begins, and participants should have the opportunity to appeal against the decision. Finally, the transitional period after completion of the sandbox program should be doubled to 18 months, which implies a gradual compliance process instead of a strict deadline of 90 days.[31]
Thirdly, Clause 20(3) of the Bill should explicitly state that small- and micro-enterprises can exempt themselves from having a Responsible AI Officer, instead designating a person responsible for AI compliance issues. Such a person does not need to have three years’ work experience, but the clause should retain the requirement of having a designated person.[32]
Finally, and perhaps most importantly, the AI Bill should include a digital market access condition for foreign AI providers similar to that used in the European Union’s regulations. Providers of high-risk AI systems should be obliged to appoint a local representative and submit to the authority of the AI Safety Authority upon entering the market. It should be noted that such measures will not completely solve the issue of asymmetric regulation; however, it will diminish the asymmetry, providing the regulator with a legal framework for regulating foreign enterprises.[33]
CONCLUSION
Kenya’s Silicon Savannah did not arise out of regulatory laissez-faire. It did so from mobile infrastructure investment, a young and technically educated population, an appetite for entrepreneurial risk taking, and most importantly, from a regulatory framework that, though imperfect, was not so unduly burdensome as to be prohibitive. This regulatory balance, threatened by the Artificial Intelligence Bill 2026, needs preservation.
This article has suggested that the bill, as is, perpetuates a structural compliance disparity: locally established Kenyan developers and startups are subject to immediate and enforced financial penalties, while large dominant non-local AI companies are outside of the bill’s realistic enforcement capacity. Too narrow to provide significant benefits, the sandbox, as designed, lacks certainty. The penalties fail to scale. The jurisdiction is an ambitious claim on paper but lacks enforcement capabilities to hold non-local providers accountable.
The solution is not outright dismissal of the bill, but modification. Instead, a robustly proportionate risk-based regulatory framework: a framework that scales penalties according to the size of an enterprise; that is both broad and properly regulated to accommodate a reformed sandbox; which imposes a digital market access condition for foreign high-risk AI providers, taking lessons from Rwanda and Tanzania’s relatively light-handed approach; and a regulatory framework that protects citizens from algorithmic harms, while preserving the very ecosystem that has made Nairobi a technology capital on the African continent. This type of regulation, which sacrifices the latter to achieve the former, represents not a regulatory win, but rather a trade-off of one type of risk for another.
Kenya has a unique opportunity to serve as the regional leader on comprehensive, proportional AI regulation. We submit that this opportunity be taken in the form of amendments to the bill prior to its enactment.
Reference(S):
Legislation and Bills
Kenya National Assembly, Artificial Intelligence Bill 2026 (Bill No 11 of 2026).
Constitution of Kenya 2010.
Data Protection Act (No 24 of 2019) (Kenya).
Kenya Information and Communications Act (Cap 411A) (Kenya).
Kenya Startup Act (No 46 of 2022) (Kenya).
Science, Technology and Innovation Act (No 28 of 2013) (Kenya).
Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act) [2024] OJ L 1689.
European Commission, Proposal for a Regulation laying down harmonised rules on Artificial Intelligence COM(2021) 206 final.
Reports and Policy Documents
Communications Authority of Kenya, ‘Digital Economy Report 2024’ (Nairobi, 2024).
Financial Services Authority (Tanzania), ‘Regulatory Sandbox Framework for Fintech Innovation’ (Dar es Salaam, 2022).
Financial Stability Board, ‘BigTech in Finance: Opportunities and Risks’ (Basel, 2019).
iHUB Research, ‘Nairobi Tech Ecosystem Mapping Report 2023’ (iHUB, 2023).
Kenya National Bureau of Statistics / Statista, ‘ChatGPT Per-Capita Usage Index 2024’ (Nairobi, 2024).
Monetary Authority of Singapore, ‘A Guide to Digital Token Offerings’ (3rd edn, MAS 2020).
OECD, ‘Principles on Artificial Intelligence’ (OECD 2019).
Partech Africa, ‘Africa Tech Venture Capital Report 2024’ (Paris, 2024).
Rwanda Utilities Regulatory Authority, ‘Guidelines on the Use of Artificial Intelligence in Regulated Sectors’ (Kigali, 2023).
Secondary Sources
Gasser U and Almeida V, ‘Towards a Global Norm for Algorithmic Accountability’ (2017) 60 Communications of the ACM 57.
Kiage P, ‘Regulating Innovation: The Challenge of Technology-Neutral Law in Kenya’ (2022) 4 East African Law Journal 112.
[1]Kenya National Bureau of Statistics / Statista, ‘ChatGPT Per-Capita Usage Index 2024’ (Nairobi, 2024).
[2] Partech Africa, ‘Africa Tech Venture Capital Report 2024’ (Paris, 2024)
[3] Kenya National Assembly, Artificial Intelligence Bill 2026 (Bill No 11 of 2026) (‘AI Bill 2026’).
[4] Constitution of Kenya 2010, Art 46(1)(a)-(c) (consumer rights); Art 43 (right to health, education, and food — potentially engaged where AI systems are used in service delivery).
[5] Science, Technology and Innovation Act (No 28 of 2013) (Kenya), s 3 (objects of the Act).
[6] Kenya Information and Communications Act (Cap 411A), 2021.
[7] Data Protection Act (No 24 of 2019) (Kenya), ss 25-31
[8] AI Bill 2026, cl 3(1).
[9] AI Bill 2026, cl 4.
[10] AI Bill 2026, cl 18(1).
[11] AI Bill 2026, cl 20(3).
[12] AI Bill 2026, cl 22.
[13] AI Bill 2026, cl 31(2)(b).
[14] AI Bill 2026, cl 31(4).
[15] AI Bill 2026, cl 41.
[16] AI Bill 2026, cl 43(1).
[17] Cf European Commission, Proposal for a Regulation laying down harmonised rules on Artificial Intelligence (Artificial Intelligence Act) COM(2021) 206 final, Art 52
[18] Communications Authority of Kenya, ‘Digital Economy Report 2024’ (Nairobi, 2024) 31-33.
[19] AI Bill 2026, cl 7.
[20] AI Bill 2026, cl 33.
[21] ibid, cl 33(5).
[22] iHUB Research, ‘Nairobi Tech Ecosystem Mapping Report 2023’ (iHUB, 2023) 44.
[23] AI Bill 2026, cls 33-36.
[24] European Union, Regulation (EU) 2024/1689, Artificial Intelligence Act [2024] OJ L 1689 (‘EU AI Act’), Art 9 & Art 10
[25] EU AI Act, Art 9(4).
[26] EU AI Act, Arts 53-56.
[27] Financial Services Authority (Tanzania), ‘Regulatory Sandbox Framework for Fintech Innovation’ (Dar es Salaam, 2022).
[28] Rwanda Utilities Regulatory Authority, ‘Guidelines on the Use of Artificial Intelligence in Regulated Sectors’ (Kigali, 2023).
[29] Financial Stability Board, ‘BigTech in Finance: Opportunities and Risks’ (Basel, 2019) 28-31.
[30] Kenya Startup Act (No 46 of 2022), s 17(2).
[31] Cf Monetary Authority of Singapore, ‘A Guide to Digital Token Offerings’ (3rd edn, MAS 2020).
[32] AI Bill 2026, cl 35(1)(a)-(e).
[33] Patrick Kiage, ‘Regulating Innovation: The Challenge of Technology-Neutral Law in Kenya’ (2022) 4 East African Law Journal 112, 127.
