The government has decided that Kenya cannot wait for AI to cause a crisis before regulating it.
Over the past year, three separate tracks have converged, including a dedicated Artificial Intelligence Bill, a national strategy document, and amendments to the country’s cybercrime law.
Together they show a state that wants to be seen as proactive on AI, even as critics warn that some of the tools being built could just as easily be turned against the public.
Speaking at the 6th annual Information Security Management Systems (ISMS) Conference in Naivasha, Principal Secretary for Internal Security and National Administration Dr. Raymond Omollo laid out the government’s read on the problem.
Cyberattacks targeting government institutions have risen in recent years, and the state is estimating losses running into billions of shillings annually. His bigger worry, though, was timing.
With a general election approaching, he said the country was seeing increased risks tied to AI-generated defects and manipulation of public opinion online.
That framing, threats to institutions on one hand and threats to electoral integrity on the other, explains why the government’s response has been split between building new AI-specific laws and patching the cybercrime laws already on the books.
READ: Egg on Face After Foreign Affairs PS Shares Fake CNN Video Praising Kenya
A Dedicated Regulator for AI
The centerpiece of the legislative effort is the Artificial Intelligence Bill, 2026. Unlike the current approach, which leans on the Data Protection Act, 2019 to cover AI-adjacent issues, the Bill proposes a standalone statutory framework built around a new Artificial Intelligence Commissioner.
The proposal is to have an independent State Office tasked with risk assessments, policy development, and public AI literacy programs.
The Bill also sets up an Advisory Committee on Artificial Intelligence, bringing together government officials, data protection authorities, scientists, private companies, and civil society to flag new risks and think through how AI affects jobs.
The more important piece is how the Bill sorts AI systems by how much harm they could do to people’s health, safety, rights, the environment, or society at large.
Systems used in healthcare, education, agriculture, finance, employment, security, and public administration are treated as high-risk and face tighter obligations.
READ: AI Bill Moves to Senate Committee as Public Input Window Opens
Providers and deployers of high-risk systems would need to run pre-deployment risk and human rights impact assessments, keep humans in the loop for critical decisions, and maintain traceability and record-keeping standards.
Any AI system that generates or manipulates images, voice, or likeness would require explicit consent and clear labeling wherever there is a risk of harm or misinformation, a provision clearly aimed at the deepfake and synthetic media problem the PS referenced in Naivasha.
The Bill goes further to instruct the AI Commissioner to develop guidelines on bias, discrimination, privacy, human dignity, and environmental sustainability, and it requires workforce impact assessments wherever AI deployment is likely to displace jobs, paired with mitigation measures such as reskilling.

The National Strategy on AI
Before the AI Bill, there was the National AI Strategy 2025-2030 that was unveiled on March 27, 2025. It’s a roadmap, organized around three pillars: AI digital infrastructure, data, and AI research and innovation.
Notably, it acknowledged upfront that Kenya lacked a dedicated AI legal framework at the time, and it set out a gradual path toward regulation, starting with a soft framework and sectoral law reviews before graduating to standalone legislation as adoption matures.
The AI Bill is effectively that graduation point arriving on schedule.
Patching the Cybercrime Law
The second track is less about writing new rules and more about closing holes in old ones. The government has moved to amend the Computer Misuse and Cybercrimes Act to close gaps that AI-driven threats have exposed.
This is where the government’s approach gets a lot of skepticism and pushback.
Rights groups, including the Defenders Coalition, flagged the amendment to Section 6, which allowed authorities to render websites or applications inaccessible if they were deemed to promote unlawful activity, as granting powers broad enough to be misused against legitimate speech.
That provision has since been struck down by the High Court, which ruled NC4 cannot block websites or apps without a court order.
A parallel concern remains with amendments to Section 46, which let an authorized person order content removal or deactivate a computer system entirely, language critics describe as vague enough to invite abuse.
The government’s counter-argument, as Omollo framed it, is that these tools exist to protect the safe use of digital platforms and to blunt AI-generated disinformation ahead of the election cycle.
Parliament has already approved the National Cybersecurity Agency, which Omollo said would strengthen coordination and improve the country’s readiness against evolving threats.
On the operational side, the National Computer and Cybercrimes Coordination Committee (NC4) is now active, and the Critical Information Infrastructure Protection and Cybersecurity Management Regulations, 2024, are being rolled out.
NC4 director Dr. James Kimuyu said the country had made strides in dealing with cyber threats, though he did not detail specific metrics.
Digital Services as the Proof of Concept
The government keeps pointing back to eCitizen as evidence that its digital push is already working, and the numbers it cites are large.
The platform now supports more than 24,000 government services, serves over 15 million users, and processes roughly 500,000 transactions daily, according to Omollo.
Health is the next frontier, with digitization of health records underway as part of what Omollo described as a major digital push in the sector, supported by the Digital Health Authority and Social Health Authority.
Omollo also urged local investment in cybersecurity innovation, saying Kenya should aim to export cybersecurity solutions rather than only import them.
Where This Leaves the Policy Conversation
Taken together, the AI Bill, the national strategy, and the cybercrime amendments represent a government trying to regulate AI on two fronts at once. Building dedicated oversight for AI systems while hardening the general-purpose cyber law it already has.
The tension the government has to manage is not really about whether to regulate. It is about whether the enforcement powers it is creating, especially around content takedowns and system deactivation, can be exercised without becoming instruments against the free expression the same government says it wants to protect ahead of the next election.


























