In the fourth quarter of 2025, the National Cybersecurity Authority issued its first enforcement action specifically targeting an AI system. The organization — a Saudi financial services firm — had deployed a fraud detection AI that, by most performance measures, was doing its job. It was catching fraud. Nobody inside the organization had raised concerns about it. The problem, when the NCA assessment team arrived, was structural: the system had never been registered with the Authority, its model weights were stored unencrypted, there was no monitoring infrastructure capable of detecting model drift, and the documentation required to explain its decisions to auditors or affected parties did not exist. The fine was SAR 2.5 million. AI operations were suspended until controls were implemented.
The firm was not acting recklessly. It had deployed a capable system through a reputable vendor. What it had failed to do was notice — or respond to — a regulatory change that transformed the compliance obligations around that system.
In 2025, the NCA issued supplementary guidance extending its Essential Cybersecurity Controls (ECC) framework to explicitly cover AI and machine learning systems. Before that guidance, AI systems were implicitly covered under general cybersecurity controls in ways that created significant interpretive ambiguity. After it, AI deployments carry specific requirements covering model security, data lineage, explainability, and adversarial robustness. An organization that had been operating AI under the assumption that ordinary IT controls were sufficient was, from the moment that guidance was issued, operating outside the framework without knowing it.
Most Saudi organizations have not yet adjusted.
The Architecture of the Framework
The NCA AI controls are organized around a four-tier classification that determines which requirements apply to which systems. Understanding where your AI deployments sit is the foundational task — everything else follows from it.
Tier 1 covers low-risk systems with limited impact on individuals or operations: basic recommendation engines, simple chatbots, automation tools where errors are easily caught and corrected. Tier 2 addresses systems with moderate business impact — AI driving customer service interactions, marketing personalization, internal workflow automation. Tier 3 is where the framework begins to show its weight. Systems that are high-risk or sector-critical fall here: healthcare triage tools, fraud detection engines, credit scoring models, AI driving safety-relevant decisions. With that classification come requirements for incident notification, explainability documentation, and formal compliance assessment. Tier 4 is reserved for AI with national-level implications: government decision-support systems, critical infrastructure control, systems where a failure could affect public safety or national security at scale.
For most Saudi enterprise organizations, the operative classification is Tier 2 or Tier 3. The consequence of Tier 3 status is significant. It triggers the full weight of the framework, including a requirement to report AI-specific incidents to the NCA within 72 hours and to register systems with the Authority before deployment.
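The tiering logic above can be sketched as a simple decision procedure. This is an illustrative model only: the attribute names and the ordering of the checks are assumptions made for demonstration, not the NCA's actual classification criteria, which an organization would need to apply from the guidance itself.

```python
from dataclasses import dataclass

# Illustrative sketch only. These attributes and thresholds are assumptions
# for demonstration, not the NCA's official classification criteria.

@dataclass
class AISystem:
    name: str
    affects_individuals: bool      # outputs directly affect people (credit, health, fraud)
    sector_critical: bool          # deployed in finance, healthcare, energy, telecom
    national_impact: bool          # failure could affect public safety at scale
    errors_easily_corrected: bool  # a human catches and reverses mistakes cheaply

def classify_tier(system: AISystem) -> int:
    """Map a system's risk attributes to an NCA-style tier (1-4)."""
    if system.national_impact:
        return 4  # national-level implications: independent audits, 4-hour RTO
    if system.sector_critical or system.affects_individuals:
        return 3  # registration before deployment, 72-hour incident reporting
    if not system.errors_easily_corrected:
        return 2  # moderate business impact
    return 1      # low risk, limited impact

fraud_engine = AISystem("fraud-detection", affects_individuals=True,
                        sector_critical=True, national_impact=False,
                        errors_easily_corrected=False)
print(classify_tier(fraud_engine))  # 3
```

The ordering matters: a check for national impact must come first, because a sector-critical system with national-level implications belongs in Tier 4, not Tier 3.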
Seven control domains apply across tiers, scaling in intensity. Data governance requirements address how training and inference data is documented, classified under PDPL frameworks, and retained, including a requirement that a complete data inventory be producible within 48 hours for an NCA audit. Model security requirements cover encrypted storage of model weights, supply chain verification for third-party components, version control, and adversarial robustness testing against vulnerabilities including prompt injection, data poisoning, and model inversion attacks. Access control provisions require role-based access management, multi-factor authentication for administrative operations, and access logs retained for a minimum of two years.
Monitoring and incident response provisions mandate continuous performance tracking, automated alerting, and AI-specific response playbooks distinct from general IT incident procedures. Explainability requirements are among the most demanding: for Tier 3 and Tier 4 systems, organizations must maintain documentation that enables a regulator, auditor, or affected individual to understand the reasoning behind a specific output. Aggregate performance statistics do not satisfy this requirement. The standard demands the capacity to reconstruct and explain individual decisions after the fact. Testing and validation provisions require security assessments before deployment and after material changes, adversarial testing that goes beyond conventional penetration testing, and independent audits for Tier 4 systems. Business continuity requirements address backup, fallback, and recovery: Tier 4 AI systems must meet a recovery time objective of four hours or less.
What Gets Organizations into Trouble
The enforcement action that produced Saudi Arabia's first AI-specific NCA fine illustrates a pattern that extends well beyond the firm involved. AI systems deployed before the 2025 guidance often exist in a governance vacuum. They may perform well technically. They may have been built by competent teams with genuine care. But they were designed for a regulatory environment that no longer exists, and the gap between their current state and the framework's current requirements can be extensive.
The failure modes in that enforcement action are representative. Not registering a Tier 3 AI system before deployment means the NCA has no record of the system — a violation carrying penalties between SAR 100,000 and SAR 1 million. Unencrypted model weight storage is a model security failure, with penalties between SAR 500,000 and SAR 2 million. The absence of drift monitoring means the organization cannot demonstrate ongoing performance compliance, and creates liability for any undetected accuracy degradation that affects users. Missing explainability documentation compounds everything: without it, the organization cannot cooperate meaningfully with any regulatory review, incident investigation, or customer dispute process.
These four failures, each individually common in organizations that have not yet updated their AI governance, generated a fine of SAR 2.5 million and an operational suspension. That outcome fell in the lower range of what the framework allows. The maximum penalty for repeated or willful violations reaches SAR 13 million, with further operational restrictions possible. And because the same systems are typically processing personal data, NCA penalties can be compounded with PDPL enforcement actions administered by SDAIA — substantially expanding the financial exposure.
The Gap Between Current State and Compliance
What distinguishes organizations in reasonable compliance shape from those that are not is rarely technical capability. The AI systems themselves are often perfectly capable of meeting the framework's requirements. What is missing is the governance layer around them — the documentation, the monitoring infrastructure, the access controls, the incident response procedures — that makes that capability legible to regulators and auditors.
The first task for any organization that has not yet done this work is building an AI asset inventory: a documented register of every AI and ML system in production or active development, with enough information about each to classify it under the NCA tier framework. For Tier 3 and Tier 4 systems, that classification then needs to be formalized through registration with the Authority. The inventory surfaces the scope of the compliance gap and establishes the foundation for everything that follows.
The second task is addressing the highest-risk systems first. An organization with AI deployed across many functions should not attempt to bring all of them into compliance simultaneously. The appropriate sequencing is to identify the Tier 3 systems — those where non-compliance creates the greatest regulatory, operational, and harm exposure — and concentrate initial remediation there. The priority controls are model security (encryption, version control, supply chain verification), monitoring infrastructure (performance dashboards, alerting, drift detection), incident response procedures specific to AI failures, and the documentation required to support explainability.
The third task is establishing the operational routines that make compliance sustainable. One-time remediation that decays within months because no maintenance processes exist is governance theater. The NCA framework expects ongoing compliance, demonstrated through documentation and monitoring that is current at the time of an audit — not documentation that existed when a project was initially approved.
The Regulatory Direction of Travel
The 2025 AI guidance is unlikely to be the last update to the framework. The NCA has indicated its intent to continue evolving its approach as AI technology and deployment patterns develop. Organizations that treat compliance as a one-time response to the current framework will face the same disruption again when it updates. Organizations that treat compliance as a sustained operational function — with ongoing monitoring, regular review cycles, and governance processes that adapt to regulatory change — will find that compliance becomes easier rather than harder over time, because the infrastructure for it already exists.
There is also a coordination dimension that deserves attention. The NCA framework for AI does not operate independently of SDAIA's AI ethics requirements or PDPL data protection obligations. The same systems requiring NCA-compliant security controls often process personal data subject to PDPL requirements, produce automated decisions subject to SDAIA transparency expectations, and — for financial institutions — trigger SAMA model risk management frameworks. Organizations that address these obligations in coordination, through a unified AI governance program, carry substantially less overhead than those managing each regulatory relationship separately.
The financial services firm that received Saudi Arabia's first AI-specific NCA fine is, in this sense, a cautionary illustration rather than an exceptional case. Its systems were running quietly, producing results that satisfied their business purpose, generating no internal alarms. The regulatory obligation that made them non-compliant existed before anyone inside the organization had an opportunity to respond to it. That dynamic — unnoticed regulatory change creating invisible exposure in systems that are working as intended — is the defining compliance risk of the current period for any organization operating AI in the Kingdom.
Published by PeopleSafetyLab — AI safety and governance research for KSA organizations.