The Saudi Data and Artificial Intelligence Authority (SDAIA) has issued the National Framework for AI Risk Management, to serve as a reference for the public and private sectors in assessing and addressing threats from intelligent systems. The framework aims to establish governance and responsible use according to 7 ethical principles.

SDAIA emphasized that the framework provides entities with a sequential practical methodology starting from risk identification and assessment, through to treatment and continuous monitoring, noting that this methodology is applied across all stages of the intelligent systems lifecycle to ensure the highest levels of reliability and regulatory compliance.

Related news

The framework highlighted that AI risks fundamentally differ from traditional software, due to their association with uncertainty and the autonomous decision-making of models. It indicated that these risks extend to broader social, regulatory, and ethical dimensions, and may emerge unexpectedly during operation. The authority categorized potential risks into seven main categories, led by bias and discrimination, privacy, and misinformation production, along with misuse in fraud operations. The categories also included risks of over-reliance on systems and diminishing human role, economic and environmental impacts, and weak system reliability and safety. To control these threats, the authority adopted seven basic principles for AI ethics, based on integrity, privacy, promoting human role, social benefits, reliability, transparency, and accountability. It stressed that these principles ensure intelligent models align with justice values, and hold developers and operators responsible for the consequences of their systems' decisions. The legislative guide addressed key evaluation challenges, foremost reliance on third-party data or software components, and the absence of unified standards. It noted a gap between experimental testing environments and operational reality, making the evaluation process dynamic and requiring continuous monitoring of systems after deployment. The authority affirmed that data is the fundamental pillar in risk management, obligating entities to control access permissions and trace data sources to address bias and security risks. It explained that risk management requirements vary across sectors such as health, finance, and education, necessitating controls proportionate to the nature and sensitivity of each sector's data.