Corporate Governance 2026

KENYA Law and Practice Contributed by: Sammy Ndolo, Brian Muchiri, Nicholas Owino and Valere Nyaboke, Cliffe Dekker Hofmeyr

8. Artificial Intelligence 8.1 Board Oversight of AI

Where AI systems are integral to a company’s opera - tions or pose significant risks, boards must ensure that these matters are addressed in financial state - ments and management commentary. Failure to disclose material AI-related risks may result in enforcement action by the CMA and civil liability to investors for misrepresentation or omission. Data Protection Act The Data Protection Act requires data controllers and processors to implement appropriate technical and organisational measures to protect personal data. Where AI systems process personal data, boards must ensure compliance with data protection prin - ciples, including lawfulness, fairness, transparency, purpose limitation and data minimisation. In addition, the Data Protection Act imposes specific obligations regarding automated decision-making, including the right of data subjects to obtain human intervention and to contest decisions. AI Bill The AI Bill proposes specific governance requirements for AI systems. In this regard, the AI Bill introduces a risk-based classification system, categorising AI systems as unacceptable risk (prohibited), high-risk, limited risk or minimal risk. High-risk systems include those used in healthcare, education, finance, employ - ment and public administration. In addition, the AI Bill imposes mandatory obligations on providers and deployers of high-risk AI systems, including: • conducting risk assessments before deployment and implementing mitigation measures, including human oversight; • conducting human rights impact assessments before deployment; • ensuring transparency, traceability and explainabil - ity of the system’s decision-making processes; • maintaining records of data inputs, training data - sets, outputs and performance metrics for at least five years;

Kenya currently has no AI-specific board oversight requirements in force. However, the Artificial Intelli - gence Bill, 2026 (the “AI Bill”), introduced in Parlia - ment, proposes to establish a comprehensive regu - latory framework for AI governance. In the interim, AI-related matters are addressed indirectly through existing frameworks governing material risks, corpo - rate governance, data protection, investor protection and anti-money laundering. The key sources of current and proposed regulations are outlined below. Companies Act The Companies Act imposes statutory duties on directors to act in good faith, exercise reasonable care, skill and diligence and act in the best interests of the company. In addition, the Companies Act requires directors to exercise independent judgment. Where AI systems present material risks to the com - pany’s operations, finances or reputation, directors must ensure adequate oversight and risk manage - ment. A failure to address foreseeable AI-related risks may constitute a breach of these duties, potentially expos - ing directors to personal liability under derivative actions or unfair prejudice provisions. Capital Markets Act The Companies Act empowers the CMA to regulate public companies and market intermediaries, includ - ing in relation to disclosure and governance. Issuers must comply with continuous disclosure obli - gations and boards must ensure that material risks (including those arising from AI) are appropriately identified and disclosed. POLD Regulations The POLD Regulations require listed companies to disclose in their annual reports all material risks affect - ing the company and its prospects.

419 CHAMBERS.COM

Powered by