Saudi Arabia AI Regulation: HUMAIN, SDAIA, and the Kingdom's AI Governance
Deep analysis of Saudi Arabia's AI regulatory structure — SDAIA as regulator, HUMAIN as regulated, both owned by PIF, and the structural conflict of interest at the heart of the Kingdom's AI ambitions.
Saudi Arabia is building the largest concentrated AI infrastructure in the world. HUMAIN, the Kingdom’s national AI company, has secured over $23 billion in technology partnerships, is constructing multi-gigawatt data center campuses, and has established direct relationships with every major AI company from OpenAI to Google to Nvidia. The ambition is extraordinary. The governance structure overseeing it raises questions that the international community has largely failed to ask.
This guide analyzes Saudi Arabia’s AI regulatory framework, the structural conflicts embedded within it, and what it means for global AI governance.
The Institutional Architecture
Understanding Saudi AI governance requires understanding three entities and their relationships.
SDAIA: The Saudi Data and Artificial Intelligence Authority
SDAIA was established by royal decree in 2019 as the Kingdom’s national authority for data and artificial intelligence. Its mandate encompasses:
- National data governance and regulation
- AI strategy and policy
- Oversight of the National Data Management Office (NDMO)
- Operation of the National Center for Artificial Intelligence (NCAI)
- Development and enforcement of data protection regulations
- AI standards and governance frameworks
Leadership: SDAIA’s chairman reports directly to the Crown Prince and Prime Minister, Mohammed bin Salman Al Saud (MBS). SDAIA is not structurally independent from the executive authority of the Saudi government — it operates under the direction of the same leadership that controls the entities it is expected to regulate.
Regulatory output:
| Document | Year | Status |
|---|---|---|
| AI Ethics Principles | 2023 | Published (non-binding) |
| Personal Data Protection Law (PDPL) | 2021 (enacted), 2024 (enforced) | Binding |
| PDPL Implementing Regulations | 2024 | Binding |
| National Data Governance Standards | 2023 | Published |
| AI Governance Guidelines | 2024 | Published (non-binding) |
HUMAIN: The National AI Company
HUMAIN was launched in May 2025 at the PIF Private Sector Forum as Saudi Arabia’s national AI company. It is wholly owned by the Public Investment Fund (PIF), Saudi Arabia’s sovereign wealth fund with approximately $1.1 trillion in assets under management.
Key facts:
- CEO: Tareq Amin (former Rakuten Mobile CTO)
- Owner: Public Investment Fund (PIF)
- PIF Chairman: Crown Prince Mohammed bin Salman
- Partnerships: Over $23 billion in announced deals with Google, Microsoft, AMD, Oracle, Nvidia, xAI, SambaNova, Groq, and others
- Infrastructure: Multiple data center campuses under construction across Saudi Arabia
- Domain: Originally humain.ai, now redirecting to humain.com
- Venture Fund: $10 billion AI venture fund
PIF: The Public Investment Fund
PIF is the sovereign wealth fund of Saudi Arabia, one of the largest in the world. It is the owner of HUMAIN and the financial engine behind Saudi Arabia’s AI ambitions.
PIF Chairman: Crown Prince Mohammed bin Salman Al Saud.
The Structural Conflict
Here is the governance structure in diagram form:
    Crown Prince Mohammed bin Salman
        |
        +--- Chairman, PIF (owner of HUMAIN)
        |       |
        |       +--- HUMAIN (national AI company, $23B+ in deals)
        |
        +--- Ultimate authority over SDAIA (AI regulator)
                |
                +--- Regulates AI in Saudi Arabia
                +--- Including HUMAIN
The same individual who chairs the fund that owns HUMAIN also controls the authority that regulates HUMAIN. There is no structural independence between the regulator and the regulated entity. This is not speculation about potential conflicts of interest — it is the documented, publicly visible governance structure of Saudi AI.
Why This Matters
Regulatory capture — by design: Regulatory capture typically describes a process by which a regulated industry gradually influences its regulator. In Saudi Arabia’s case, the capture is structural, not gradual. The regulator and the regulated entity share the same ultimate decision-maker. SDAIA cannot independently challenge HUMAIN’s practices because both entities derive their authority from and report to the same source.
No independent oversight body: There is no independent judiciary, ombudsman, or parliamentary committee with the authority and independence to review SDAIA’s regulatory decisions regarding HUMAIN. Saudi Arabia does not have an independent legislature in the Western democratic sense. The Shura Council is advisory. Judicial independence, while formally established, operates within a system where the Crown Prince holds supreme executive authority.
No civil society check: Saudi Arabia does not have independent civil society organizations, press freedom, or public advocacy groups that could serve as external accountability mechanisms. Freedom House rates Saudi Arabia as “Not Free.” Reporters Without Borders ranks it among the lowest countries for press freedom. The mechanisms through which regulatory capture is typically exposed and challenged in democratic systems do not exist in Saudi Arabia.
The PDPL Exception
The Personal Data Protection Law (PDPL) does provide a legal framework that nominally applies to HUMAIN. Enacted in 2021 and fully enforceable since September 2024, the PDPL regulates personal data processing in Saudi Arabia, including by government entities.
PDPL key provisions relevant to AI:
| Provision | Detail |
|---|---|
| Scope | Processing of personal data in Saudi Arabia or of Saudi residents |
| Legal basis | Consent, legitimate interest, or legal obligation |
| Data subject rights | Access, correction, deletion, restriction, portability |
| Cross-border transfer | Restricted; requires adequate protection level |
| Automated decision-making | Right not to be subject to decisions based solely on automated processing |
| Enforcement | SDAIA (through NDMO) |
| Penalties | Up to SAR 5 million ($1.3M) per violation; imprisonment for unauthorized disclosure |
The limitation: The PDPL’s enforcement authority is SDAIA. SDAIA is the regulator. HUMAIN is a PIF entity. PIF’s chairman is the Crown Prince. SDAIA reports to the Crown Prince. The PDPL does not solve the structural conflict — it operates within it.
The AI Ethics Principles
SDAIA published Saudi Arabia’s AI Ethics Principles in 2023. The principles articulate commitments to:
- Fairness: AI systems should not discriminate or produce biased outcomes
- Transparency: AI system operations should be explainable
- Security: AI systems should be protected against misuse
- Accountability: Clear responsibility for AI system outcomes
- Privacy: Personal data protection in AI systems
- Human-centricity: AI should serve human welfare
- Social and environmental benefit: AI should contribute positively to society
Assessment: As aspirational statements, these principles are unobjectionable. They align broadly with international AI ethics frameworks (OECD, UNESCO, G7 Hiroshima Process). The question is not whether the principles are well-drafted. The question is whether there exists any mechanism by which they can be enforced against HUMAIN when the enforcer and HUMAIN share the same authority.
No independent audit has been conducted of HUMAIN’s compliance with these principles. No independent auditor has been appointed. No public report has been issued demonstrating how HUMAIN implements these principles in its operations.
HUMAIN’s Regulatory Obligations
Based on the current Saudi regulatory framework, HUMAIN is subject to:
Personal Data Protection Law (PDPL)
HUMAIN processes vast quantities of data through its AI systems and data center operations. Under the PDPL:
- HUMAIN must have a legal basis for processing personal data
- Data subjects must be informed of processing purposes
- Cross-border data transfers must comply with PDPL restrictions
- Automated decision-making with significant effects requires human oversight options
SDAIA AI Ethics Principles
Non-binding but nominally applicable to all AI development and deployment in Saudi Arabia.
Cybersecurity Regulations
Saudi Arabia’s National Cybersecurity Authority (NCA) has issued essential cybersecurity controls applicable to critical national infrastructure, which would include HUMAIN’s data center operations.
Sector-Specific Requirements
HUMAIN’s partnerships span healthcare, education, financial services, and government operations. Each sector has its own regulatory requirements that apply to AI deployments within that sector.
What Is Missing
A frank assessment of what Saudi Arabia’s AI governance framework lacks:
Independent Regulatory Authority
SDAIA does not have structural independence from the executive authority that controls HUMAIN. Compare this to:
- The EU AI Office, which operates within the European Commission but has structural separation from industry
- The UK AI Safety Institute, which has operational independence from government procurement and industry
- The FTC, which is an independent agency with commissioners who cannot be removed by the President except for cause
SDAIA has none of these structural protections. It cannot independently investigate, sanction, or publicly criticize HUMAIN without the approval of the same authority that owns HUMAIN.
Transparency Requirements
There is no requirement for HUMAIN to publish:
- Annual transparency reports on its operations
- Safety incident reports
- Algorithmic impact assessments
- Data processing disclosures beyond PDPL minimums
- Environmental impact assessments of its data center operations
- Independent safety audit results
- Financial performance details beyond PIF’s aggregated reporting
Independent Safety Testing
No independent body has the authority or access to conduct pre-deployment safety evaluations of HUMAIN’s AI systems. Contrast with:
- The UK AI Safety Institute’s agreements with major AI labs for pre-release model access
- The EU AI Act’s requirement for conformity assessments of high-risk systems
- The US NIST AI Safety Institute’s voluntary evaluation framework
Whistleblower Protection
Saudi Arabia does not have whistleblower protection laws comparable to those in the EU, UK, or US. AI safety researchers or employees who identify unsafe practices within HUMAIN have no legal protection for reporting those concerns publicly. Given Saudi Arabia’s documented treatment of dissidents and critics, the chilling effect on internal safety reporting is severe.
Civil Society Oversight
Independent research organizations, investigative journalists, human rights organizations, and academic institutions that provide external accountability for AI systems in democratic countries have no equivalent in Saudi Arabia. Organizations that have attempted to scrutinize Saudi government entities have faced legal action, harassment, and worse.
International Implications
HUMAIN’s partnerships with Google, Microsoft, AMD, Nvidia, Oracle, xAI, and others create international regulatory intersections:
EU AI Act Exposure
If HUMAIN deploys AI systems whose output is used within the EU — through its technology partnerships or through services provided to European users — those systems may fall within the scope of the EU AI Act’s extraterritorial provisions. HUMAIN’s technology partners are themselves subject to the EU AI Act and must ensure that their products and services comply when deployed in the EU market.
US Regulatory Exposure
HUMAIN’s partnerships with American technology companies create potential exposure to US regulatory requirements:
- Export control regulations governing AI technology transfers
- CHIPS Act guardrail provisions restricting certain activities by subsidy recipients
- CFIUS (Committee on Foreign Investment in the United States) review of AI-related investments
- SEC disclosure requirements for publicly traded partner companies
OECD and G7 Commitments
Saudi Arabia is a member of the G20 and has participated in multilateral AI governance discussions. Its AI Ethics Principles nominally align with OECD AI Principles. However, the structural governance issues identified above raise questions about whether the Kingdom’s AI development practices are consistent with the multilateral commitments it has endorsed.
The Scale of What Is At Stake
The question of Saudi AI governance is not academic. Consider the scale:
- HUMAIN is building AI infrastructure that will process data for hundreds of millions of people across the Middle East, Africa, and Asia
- Its partnerships give it access to the most advanced AI models and capabilities from every major AI company
- Its data centers will house and process enormous volumes of personal and commercial data
- Its government integration means AI systems will influence public services, law enforcement, healthcare, education, and economic policy in Saudi Arabia
- Its investment fund gives it financial leverage over AI startups worldwide
This is the largest concentration of AI capability under a single governance authority in history. And that governance authority has no independent oversight, no transparency requirements, no independent safety testing, and no structural separation between the regulator and the regulated.
The international technology companies that have partnered with HUMAIN have a responsibility to assess whether their engagement is consistent with their own stated AI principles, their obligations under the EU AI Act and other applicable regulations, and the expectations of their users and shareholders.
Recommendations
For International Regulators
- Assess extraterritorial reach: Determine whether HUMAIN’s AI systems and the systems of its technology partners fall within the scope of existing AI regulations when serving citizens of regulated jurisdictions
- Require partner disclosure: Mandate that technology companies subject to domestic AI regulation disclose the nature and scope of their partnerships with entities in jurisdictions lacking independent AI oversight
- Develop mutual recognition frameworks: Establish criteria for recognizing foreign AI regulatory regimes — and for declining recognition when structural independence is absent
For Technology Companies Partnering with HUMAIN
- Conduct independent human rights impact assessments of AI deployments in Saudi Arabia
- Establish contractual safeguards for data handling, system use, and safety standards that exceed Saudi domestic requirements
- Disclose partnership terms to the extent permitted by law, including any restrictions on technology use
- Ensure EU AI Act compliance for any systems whose output may be used in the EU
For Civil Society and Researchers
- Monitor HUMAIN’s expansion through open-source intelligence and publicly available information
- Track technology transfers from Western companies to HUMAIN
- Assess compliance of HUMAIN’s technology partners with their domestic AI regulatory obligations
- Advocate for transparency requirements in multinational AI governance frameworks
This analysis is part of INHUMAIN.AI’s ongoing coverage of HUMAIN and Saudi Arabia’s AI ambitions. See also: HUMAIN Tracker, Open Letter to HUMAIN, and Global AI Regulation Tracker.