SDAIA AI Compliance — AIMAN Technology
AIMAN TECHNOLOGY · KSA

SDAIA AI Compliance Evidence Pack

Pillar by pillar. Requirement by requirement. Audit-ready.
The only AI transformation methodology that operationalizes every SDAIA obligation through documented workflows, enforceable checkpoints, and retained artefacts delivered at engagement close.

SDAIA AI Adoption Framework 2024 · ISO/IEC 42001 Aligned · 12-Document Evidence Pack · Draft Responsible AI Policy 2026
SDAIA Framework — mandatory public-sector baseline
Draft Responsible AI Policy β€” private sector expansion expected 2026
PDPL Article 32 β€” up to SAR 5M per violation
Coverage at a Glance

Five Pillars. Full Coverage.

Every pillar of the SDAIA AI Adoption Framework maps to a concrete AIMAN deliverable, a responsible phase, and a document that can be handed directly to an SDAIA reviewer without additional rework.

Pillar 1: Data Governance. Coverage: Full + PDPL Article-Level. Phases: Phase 0 PREPARE · Phase 2 DISCOVER
Pillar 2: Model Accountability. Coverage: Full + ISO/IEC 42001. Phases: Phase 3 BUILD · Phase 4 TRANSFER
Pillar 3: Transparency. Coverage: Full + Arabic-Mandatory. Phases: Phase 1 ACTIVATE · Phase 3 BUILD
Pillar 4: Human Oversight. Coverage: Core Design Principle. Phases: All Phases · Phase 3 BUILD primary
Pillar 5: Risk Management. Coverage: Full + 4-Tier Forward Map. Phases: Phase 2 DISCOVER · Phase 4 TRANSFER
Foundation: AI Office. Coverage: Non-Negotiable. Phase: Phase 0 PREPARE — gating condition
Saudi Operating Context

The Regulatory Ecosystem

SDAIA does not operate in isolation. Every AIMAN engagement explicitly addresses the full lattice of national strategies, occupational standards, certification schemes, and procurement infrastructure.

NSDAI
National Strategy for Data & AI (2020–2030)
Targets SAR 74B+ GDP contribution from AI by 2030. Six pillars: Ambition, Skills, Policy, Investment, Research, Ecosystem.
→ AIMAN maps to Skills, Policy, Investment, and Ecosystem pillars directly.
NOSF
National Occupational Standards Framework for Data & AI
SDAIA-issued competency framework defining role profiles, skill inventories, and certification pathways. Increasingly expected in vendor procurement.
→ Every AIMAN literacy participant receives a NOSF Competency Profile — Foundation, Practitioner, Specialist, or Expert.
SAMAI
National AI Certification Programme
De-facto national upskilling credential, delivered with Microsoft. Widely expected in AI Office staffing and vendor procurement.
→ AIMAN literacy tracks position participants for SAMAI assessment without additional preparation.
PDPL
Personal Data Protection Law
In force since 14 September 2024. Penalties up to SAR 5M per violation (Article 32). Cross-border transfer rules apply from 2025.
→ AIMAN Pillar 1 maps every data asset to its PDPL Article 5 lawful basis. DPO appointment in Phase 0.
Nitaqat
Saudization Framework (Phase 2, March 2024)
Requires 40% Saudi nationals in consulting roles. Penalties SAR 5,000–20,000 per non-compliant employee.
→ AIMAN engagements structured through Saudi-registered partner entity. Consulting-role classification documented in Phase 0.
Etimad
Unified Government Procurement Portal
All government contracts must transit Etimad. Supplier must be Saudi-registered and in SDAIA vendor database for AI services.
→ AIMAN public-sector engagements structured for full Etimad eligibility. SDAIA vendor registration verified before tender submission.
ICAIRE
International Center for AI Research and Ethics
UNESCO-sponsored body hosted in Riyadh. Riyadh Charter on Responsible AI increasingly informs ethics expectations for public and private sector.
→ Pillars 3 & 4 deliverables include explicit ethics anchors traceable to the Riyadh Charter.
ISO/IEC 42001
AI Management Systems Standard
SDAIA itself achieved ISO/IEC 42001 certification in July 2024, signalling its expectation that this standard will become central to procurement.
→ Every AIMAN pillar deliverable maps to one or more ISO/IEC 42001 control families. Phase 4 evidence pack is structured for ISO audit.
Phase 0 — Non-Negotiable

The AI Office Must Come First

The SDAIA Framework requires every adopting entity to establish an AI Office with executive sponsorship and defined roles. No AIMAN engagement proceeds beyond Phase 0 without a signed AI Office Charter.

πŸ›οΈ

Phase 0 PREPARE — AI Office Charter: Gating Condition

The AI Office maintains the Model Register, Risk Tier Register, and Oversight Mode Register. It coordinates with sectoral regulators (SAMA, SFDA, CST, DGA, CMA), liaises with SDAIA, owns the Compliance Evidence Pack lifecycle, and reports to the Head of Entity / CDO. Without this structure, no AI initiative in the Kingdom is compliant — regardless of the quality of the AI system itself.

Mandatory Roles — 100% Coverage Required
Head of Entity / CDO: Ultimate accountability for AI ethics; approves AI Ethics Plan; signs annual AI Ethics Report. (Source: AI Ethics Principles §IV)
AI Office Lead: Operational leadership of AI Office; secretariat for governance reviews. (Source: AI Adoption Framework)
Compliance & Ethics Officer: Ensures AI activities comply with PDPL, NDMO, and NCA frameworks. (Source: AI Ethics Principles §IV)
AI System Assessor: Independent audits of AI systems; High Risk assessed annually, Limited Risk every 24 months. (Source: AI Ethics Principles §IV)
Data Protection Officer: Appointed per PDPL Article 25; coordinates with CDO on personal data matters. (Source: PDPL Article 25)
GenAI Champion: Operational ownership of GenAI controls: content authenticity, watermarking, deepfake mitigation. (Source: Generative AI Guidelines)
Operating cadence required: Weekly AI Office stand-up · Monthly governance review · Quarterly executive review · Annual board-level review · Annual AI Ethics Report (filed within 30 days of fiscal year-end)
5 Governance Pillars · 12 Evidence Documents · 7 Mandatory AI Office Roles · 100% PDPL Lawful Basis Coverage · 72h Breach Notification Protocol
Five Governance Pillars

Pillar-by-Pillar Compliance

Partial coverage is not sufficient for formal SDAIA alignment. AIMAN operationalizes all five pillars through phase-linked activities and retained, version-controlled artefacts.

PILLAR 01

Data Governance

✓ Full + PDPL Article-Level
The organization must demonstrate that data used to train, fine-tune, or operate AI systems is lawfully sourced, classified according to NDMO sensitivity levels, protected per classification, retained only as long as necessary, and auditable. PDPL Article 18 data residency requirements apply for public-sector systems.
Deliverables
Data Inventory Register · Data Flow Diagrams · Lawful Basis Memorandum (PDPL Art.5) · Residency & Sovereignty Map · Retention & Disposal Schedule · DPIA (High Risk systems)
100% data sources catalogued with all mandatory fields
100% NDMO sensitivity classification coverage
Zero cross-border flows without PDPL Art.18 adequacy assessment
100% High Risk systems with current DPIA (≤ 12 months)
PILLAR 02

Model Accountability

✓ Full + ISO/IEC 42001
The organization must identify, for every deployed AI system, who is responsible for its behaviour, how performance is measured and monitored over time, what happens when performance degrades, and what evidence demonstrates the system behaves as specified. Accountability must be named — not diffuse or algorithmic.
Deliverables
Model Cards (per system) · System Specification · Accountable Owner Register · Performance Monitoring Dashboard · Incident Response Playbook (PDPL Art.29) · Ownership Transfer Protocol
Named Accountable Owner for every deployed system
72-hour breach notification protocol (PDPL Art.29)
Monitoring thresholds defined at go-live; dashboards active
Ownership Transfer Ceremony signed by client CDO
PILLAR 03

Transparency

✓ Full + Arabic + GenAI Controls
Users, stakeholders, and regulators must be able to understand how the system works, what it was trained on, and why it produces specific outputs. For GenAI systems, content authenticity and synthetic-media controls are required. Arabic-language disclosure is mandatory for KSA-deployed systems.
Deliverables
User Disclosure Templates (EN + AR) · Solution Blueprints · AI Literacy Register · Content Authenticity Controls · GenAI Watermarking Protocol · Recourse Mechanism + Log
Arabic + English disclosure templates — legal-reviewed
GenAI content authenticity controls per ICAIRE Riyadh Charter
Recourse Log maintained for every user interaction dispute
AI Literacy Register compiled — NOSF-mapped per employee
PILLAR 04

Human Oversight

✓ Core Design Principle — All Phases
Humans must remain meaningfully in control of consequential decisions, with authority to intervene, override, or stop the system at any time. Human oversight is not a feature added to a finished system — in AIMAN it is a design constraint applied from Phase 0, before a single model is deployed.
Deliverables
Kill-switch Implementation (every system) · Oversight Mode Classification · Human-in-the-Loop Workflow Design · Override Authority Matrix · Escalation Pathways
Kill-switches functional in production before go-live sign-off
Oversight Mode documented per use case (Fully / Partially / Minimally Supervised)
Override Authority Matrix — named roles with documented authority
PILLAR 05

Risk Management

✓ Full + Responsible AI Policy 4-Tier
Systematic identification, assessment, mitigation, and monitoring of risks across the AI lifecycle, with proportionality to system impact, forward-mapped to the Responsible AI Policy four-tier risk classification now in public consultation.
4-Tier Risk Classification (SDAIA Draft Responsible AI Policy)
Prohibited: No deployment path. Documented refusal + rationale.
High Risk: Full DPIA, annual AI System Assessor review, enhanced controls.
Limited Risk: Transparency requirements. Disclosure templates mandatory.
Minimal Risk: Standard controls. Documented use case and data provenance.
Deliverables
Risk Tier Register (per use case) · Use Case Registry · Impact/Effort Matrix · Risk Assessment per System · DPIA (High Risk) · Governance Maturity Self-Assessment (D8)
Phase 4 TRANSFER · OWN

12 Audit-Ready Documents

At engagement close, the client receives a physical evidence binder (or digital equivalent) that can be handed directly to an SDAIA reviewer, internal audit team, or procurement officer — without additional rework.

01 SDAIA Framework Self-Assessment Scorecard (three pillars + five governance pillars)
02 NOSF Role Mapping Register — per employee, per NOSF tier
03 Data Audit Report + Provenance Register (NDMO-classified)
04 G-Cloud Architecture Review Document (CST-aligned)
05 AI Budget + Quarterly Reporting Template
06 Legal Gap Assessment Report (PDPL, NDMO, NCA anchors)
07 Per-Agent Model Cards + Impact Assessments
08 Governance Unit Charter + RACI Matrix (signed by all incumbents)
09 Incident Response Playbook (72h PDPL Art.29 protocol)
10 Training & Certification Records (NOSF + SAMAI pathway)
11 Academic Partnership MOU(s) — NEC/Erasmus+ pipeline
12 Continuous Monitoring Protocol (quarterly SUSTAIN refresh)
SUSTAIN subscription: The Evidence Pack is maintained and refreshed through the optional annual SUSTAIN cycle — quarterly check-ins, governance maturity self-assessment, and full Evidence Pack update as SDAIA's maturity index evolves and the Responsible AI Policy is enacted.
Binding Regulatory Anchors

Every Obligation Mapped

The SDAIA Framework derives its binding force from these instruments. AIMAN maps every deliverable to the specific article, control family, or clause from which the obligation originates.

Columns: Instrument · Type · Key Obligation · Penalty / Consequence

PDPL — Personal Data Protection Law (Royal Decree M/19)
Type: Binding. Key obligation: Lawful basis (Art.5), data subject rights (Art.10), cross-border transfer (Art.18), DPO appointment (Art.25), breach notification 72h (Art.29). Penalty / consequence: Up to SAR 5M per violation (Art.32).

NDMO Policies — National Data Management Office, Data Classification
Type: Binding. Key obligation: Four-tier classification: Top Secret / Confidential / Internal / Public. In-Kingdom processing defaults for Top Secret and Confidential. Penalty / consequence: Mandatory for public-sector AI.

NCA Controls — National Cybersecurity Authority, ECC / CCC / CSCC
Type: Binding. Key obligation: ECC: all AI deployments. CCC: cloud workloads. CSCC: critical sectors (energy, water, finance, health, transport). Penalty / consequence: Critical sector enforcement.

SDAIA AI Adoption Framework — September 2024, 3 Strategic Pillars + 5 Governance Pillars
Type: Mandatory. Key obligation: Five governance pillars + AI Office. Mandatory for public sector and Etimad-registered vendors. Penalty / consequence: Tender exclusion before technical evaluation.

SDAIA Responsible AI Policy — Draft April 2026, consultation closed 3 May 2026
Type: Forthcoming. Key obligation: Four-tier risk classification, lifecycle governance, national data sovereignty, private-sector expansion expected. Penalty / consequence: Private-sector binding 2026+.

ISO/IEC 42001 — AI Management Systems, SDAIA certified July 2024
Type: Framework. Key obligation: AI management system clauses 4–10. AIMAN evidence pack structured to support ISO/IEC 42001 audit readiness. Penalty / consequence: Procurement differentiator 2026+.

EU AI Act — Article 4 (Feb 2025 active) · High-risk (Aug 2026)
Type: Binding (EU). Key obligation: Article 4 AI literacy obligations. High-risk system requirements. GPAI model obligations. Practitioners certified ACP+ can serve EU clients. Penalty / consequence: Up to €35M or 7% global turnover.

Sectoral Regulators (where applicable)
SAMA: Banking, payments, insurance, capital markets
SFDA: Healthcare, medical devices, pharma
CST: Cloud infrastructure, ICT services
DGA: Public administration, citizen-facing services
CMA: Capital markets, asset management
Engagement Roadmap

From Day 1 to Audit-Ready

A focused Phase 0 PREPARE engagement produces a tailored compliance baseline within two weeks. Full five-phase delivery takes 3–6 months depending on organization size and AI portfolio.

Phase 0 · Week 1–2
PREPARE — AI Office + Governance Foundation
AI Office Charter signed. RACI Matrix with all roles filled. Data Inventory initiated. Regulatory scope confirmed (PDPL, NDMO, NCA, sectoral regulators). Etimad and Nitaqat compliance posture established.
Deliverables: AI Office Charter · RACI Matrix · Regulatory Scope
Phase 1 · Week 2–4
IGNITE — Literacy & Psychological Safety
AI Literacy Register compiled. NOSF role profiles assigned per employee. SAMAI readiness established. Arabic + English disclosure templates drafted and legally reviewed. Leadership IGNITE delivered.
Deliverables: AI Literacy Register · NOSF Profiles · Disclosure Templates
Phase 2 · Week 4–8
DISCOVER — Opportunity Mapping & Risk Classification
Use Case Workshop delivered. Impact/Effort Matrix produced. Four-tier risk classification applied. DPIA initiated for High Risk use cases. Data Flow Diagrams constructed per use case.
Deliverables: Use Case Registry · Risk Tier Register · DPIA (High Risk)
Phase 3 · Month 2–4
BUILD — Governance-Controlled Development
Model Cards for each system. Kill-switches implemented and tested. Monitoring Dashboard live. Content authenticity controls for GenAI. AI Incident Response Plan aligned to PDPL Article 29.
Deliverables: Model Cards · Kill-switches · Monitoring Dashboard
Phase 4 · Month 4–6
TRANSFER — Evidence Pack Delivered
All 12 documents compiled, version-controlled, and signed. Ownership Transfer Ceremony. Train-the-Trainer delivered. Governance Maturity Self-Assessment (SDAIA D8) conducted. SUSTAIN subscription activated.
Deliverables: 12-Doc Evidence Pack · Ownership Transfer · Train-the-Trainer
SUSTAIN · Ongoing Annual
Continuous Governance Maintenance
Quarterly Evidence Pack refresh. Annual Framework re-assessment. ISO/IEC 42001 management review alignment. Forward-compatibility updates as Responsible AI Policy is enacted.
Deliverables: Quarterly Refresh · Annual Re-assessment
The AIMAN Distinction

Compliance is a Property of the Method

Most AI programs treat compliance as a property of the finished system — something checked at the end. AIMAN treats compliance as a property of the method used to build it.

THE PROBLEM
Compliance as Afterthought
Organizations spend millions on AI deployments, then discover compliance gaps at procurement review. Evidence is reverse-engineered, incomplete, or unsigned. Tenders are lost before technical evaluation begins.
THE AIMAN SOLUTION
Compliance-Native Engagement
Every phase produces an artefact. Every artefact maps to a pillar. Every pillar is traceable to the SDAIA clause — and to the specific PDPL article, NDMO level, NCA control family, or ISO/IEC 42001 clause from which the obligation derives.
THE OUTCOME
Audit-Ready at Phase 4
The client receives a physical evidence binder that can be handed directly to an SDAIA reviewer. No additional rework. No scramble before the audit. The consultant leaves. The compliance capability stays.
"From 2026 onward, any Kingdom-based procurement process involving AI systems will require documented SDAIA alignment as a gating criterion. An organization that cannot produce pillar-by-pillar evidence will be excluded from tenders before technical or commercial evaluation begins."
— AIMAN SDAIA Compliance Deep-Dive v3.2, April 2026
Ready to Comply

Get Your Evidence Pack

A focused Phase 0 PREPARE engagement produces a tailored SDAIA compliance baseline for your organization within two weeks. No existing AI program required.

aleksandarpokrajac@gmail.com · Riyadh · +966 541 457 747 · LinkedIn
AIMAN Technology DOO · Aligned to SDAIA AI Adoption Framework v4.0 · April 2026