If your business uses Artificial Intelligence to make decisions about credit, customers, patients, or suppliers, Kenya’s law is about to change what that means for you. The Artificial Intelligence Bill, 2026, received its first Senate reading on 2nd April 2026, and when it passes, it will create binding legal obligations for every business that develops, deploys, or operates an AI system in Kenya.

This article analyses key provisions of the Bill that create specific compliance obligations for business operators.

 1. Establishment of the Office of the Artificial Intelligence Commissioner

The Artificial Intelligence Bill establishes a dedicated Office of the Artificial Intelligence Commissioner with the authority to classify AI systems, conduct risk assessments, perform compliance audits, investigate complaints, issue enforcement notices, and impose penalties. The Commissioner is appointed through a rigorous public process and operates independently of government, with powers that mirror those of the Office of the Data Protection Commissioner.

The Office is not merely advisory. It can enter your premises, inspect your systems, summon your staff, require production of records, and refer matters for criminal prosecution. For businesses accustomed to treating AI as a purely technical matter, this represents a fundamental shift. Businesses must be prepared for regulatory inspections of their AI infrastructure. 

2. Risk Classification Framework 

The Artificial Intelligence Bill introduces a four-tier risk classification system for AI:

  • Unacceptable Risk: These are Systems whose risks are deemed fundamentally incompatible with the law. They are prohibited outright.
  • High Risk: Systems used in healthcare, education, agriculture, finance, security, employment, or public administration. These carry the heaviest compliance burden.
  • Limited Risk: Moderate obligations, primarily around transparency
  • Minimal Risk:  Light-touch regulation

The classification criteria will be set by regulations on the Commissioner’s recommendation. Critically, the Commissioner is empowered to update the criteria periodically in line with international standards, meaning the goalposts can and will move.

3. Compliance Obligations for High-Risk AI Systems

If your business operates or deploys a high-risk AI system, the obligations are substantial. Under clause 26 of the Bill, before deployment, you must conduct both a risk assessment and a human rights impact assessment, with documented mitigation measures and human oversight mechanisms in place. Once deployed, you must maintain records of data inputs, training datasets, outputs, and performance metrics for a minimum of five years. Your system’s decision-making processes must be transparent, traceable, and explainable not just to regulators, but to the users and persons affected by those decisions.

Where your AI system generates or manipulates a person’s image, voice, or likeness, the Bill requires explicit consent from the affected person and clear labelling of the output as AI-generated.

4. A Public Register of High-Risk AI Systems

Clause 27 of the Artificial Intelligence Bill provides that the Commissioner will maintain a public register of all high-risk AI systems, including those used by county governments. This register has a significant effect on businesses as it makes registration with the Commissioner a mandatory step for all operators of high-risk AI systems. Failure to register constitutes a standalone breach of the Act independent of any substantive compliance failure. 

5. Synthetic Media and Deepfakes 

Where an AI system generates or manipulates a person’s image, voice, or likeness, the Bill requires explicit consent from the affected person and clear labelling of the output as AI-generated.

Clause 2 of the Bill defines “synthetic media” as means media content generated or manipulated using generative artificial intelligence that depicts events, speech, or appearances that did not occur.

Businesses using AI tools for marketing, advertising, content creation, customer service avatars, or voice synthesis must establish consent mechanisms before deploying such outputs. AI-generated content must carry visible labelling. The obligation applies to both generation and distribution of such content.

6. Workforce Impact Obligations

Under Clause 33 of the Artificial Intelligence Bill, providers and deployers of AI systems likely to impact employment must conduct a workforce impact assessment, including an assessment of potential job displacement, and implement mitigation measures such as reskilling programmes.

Businesses planning AI-driven automation across operational functions, including manufacturing, logistics, customer service, and finance operations, must undertake a formal workforce impact assessment before deployment. This assessment must address potential job displacement and document mitigation strategies. Mitigation may include reskilling, redeployment, and engagement with national and county transition programmes.

Understanding the Bill is the beginning. Translating it into a practical compliance strategy for your specific business is the work that follows and the sooner it starts, the better placed you will be when the law takes effect.

Kioi and Co. Advocates advises businesses across sectors on technology law, data protection, and regulatory compliance. If you would like to discuss what the Kenya AI Bill means for your organisation, feel free to contact Kioi & Co. Advocates at info@kioi.co.ke or +254 714 449 123 for a consultation with our Advocates.