On 19^th February 2026, the Artificial Intelligence Bill, 2026 (the “Bill”) was published in the Kenya Gazette Supplement No. 15 and introduced in the Senate. The Bill seeks to establish a comprehensive framework for the regulation and governance of artificial intelligence (AI) in Kenya and ensure ethical, transparent, and accountable AI use.

1. Establishment of Regulatory Bodies

The Bill proposes a robust institutional framework to oversee the AI landscape in Kenya:

• Office of the Artificial Intelligence Commissioner: The Commissioner, appointed by the President with Parliament’s approval, will serve as the primary regulator responsible for enforcing the Act.
• Advisory Committee on Artificial Intelligence: The committee’s role will be to advise on emerging trends, risks, and the development of AI standards.
• Risk-Based Classification System

Mirroring the European Union’s AI Act, the Bill introduces a tiered, risk-based classification for AI systems:

• Unacceptable Risk: AI systems that pose severe threats to safety or rights are strictly prohibited.
• High-Risk: Includes systems used in critical sectors such as healthcare, education, agriculture, finance, security, employment or public administration.
• Limited Risk: Systems with moderate risks.
• Minimal Risk: For systems with negligible risks.

• Key Obligations and Safeguards

• Impact Assessments: Providers of high-risk systems must conduct risk and human rights impact assessments before deployment.
• Transparency and Traceability: Systems must be explainable, and records of training datasets must be maintained for at least five years.
• Human Oversight: The Bill mandates mechanisms that allow a qualified person to intervene or override AI-generated outputs.
• Workforce Impact: Entities must conduct assessments on potential job displacement and implement reskilling programs.
• Regulatory Sandboxes

The Bill proposes to establish regulatory sandboxes which would function as controlled environments for testing innovative AI solutions under regulatory oversight.

• Offences and Penalties

The Bill introduces significant penalties to ensure compliance:

• Deploying unacceptable risk systems or failing to conduct required assessments for high-risk systems can lead to a fine of up to Kes 5 million (approx. US$ 39,000), imprisonment for up to two years, or both.
• Failing to meet transparency obligations or obstructing the Commissioner’s work is proposed to carry a fine of up to KES 1 million (approx. US$ 8,000) and/or six months imprisonment.
• Generating or distributing synthetic media (deepfakes) without explicit consent that causes harm is also indicated as an offence.

As the Bill moves through the legislative process, a primary critique is the potential for “bureaucratic bloat” caused by establishing the Office of the Artificial Intelligence Commissioner. It is argued that the Office of the Data Protection Commissioner (ODPC) is already mandated to handle data-heavy technologies. Additionally, the prevalence of fragmented laws and regulatory bodies is already a major concern in Kenya. It is suggested that empowering the ODPC, which is proposed to sit on the Advisory Committee, would be more cost-effective than creating a new state office with its own wage bill and administrative costs.

Additionally, the Bill proposes a flat fine of up to Kes 5 million (approx. US$ 39,000) for more serious violations. It has been argued that this will create an uneven playing field. For SMEs/ local startups, such a fine could be terminal. Conversely, for global tech giants, a Kes 5 million (approx. US$ 39,000) penalty may be viewed merely as a minor “cost of doing business,” failing to provide a meaningful check on their operations.

Further,while the establishment of regulatory sandboxes is intended to prioritize local solutions, it has been noted that without strict transparency in the conditions for participation, these sandboxes could become tools for gatekeeping.

Please contact us at info@cfllegal.com should you require further information.