Where SAMA's AI Framework Stands in 2026
SAMA's approach to AI regulation has been deliberate and sequential. Beginning with its 2021 Artificial Intelligence and Machine Learning Governance Framework, and deepened through 2023–2024 guidance on model risk management, SAMA has built a layered compliance infrastructure that 2026 examination cycles are now testing in practice.
The critical shift: SAMA has moved from asking banks whether they have AI governance policies to examining how those policies operate — with specific attention to model validation independence, decision explainability, and the audit trail quality for high-risk AI applications in credit, fraud, and AML functions.
The examination question has changed. Examiners are no longer asking "do you have an AI governance policy?" They're asking "show me the committee minutes from your last model validation review" and "walk me through the audit trail for this credit decision."
For institutions that built governance documents in 2023 and have not operationalised them — which is most Saudi banks — this represents a significant compliance gap that cannot be closed by policy revision alone.
The 2026 Enforcement Timeline
SAMA AI Governance — Key Milestones
What Saudi Banks Are Being Asked to Demonstrate
Based on SAMA's published frameworks and examination guidance, the compliance requirements for AI model risk management fall across six areas. Most institutions have partial coverage of the first two and significant gaps in the remaining four.
1. AI Model Inventory with Risk Classification: A comprehensive, current inventory of all AI and ML models in production — classified by risk tier based on decision impact, regulatory sensitivity, and customer exposure. High-risk tier automatically applies to credit scoring, fraud detection, AML transaction monitoring, and customer risk rating models.
2. Independent Model Validation — With Evidence: Validation performed by a team or function genuinely independent of model development. Independence means separate reporting lines, not just different job titles on the same team. Examiners will request the validation reports, the validation methodology, and the CVs of validators — not just a declaration of independence.
3. Decision-Level Explainability for Credit and Risk Models: The ability to produce a human-readable explanation for individual model outputs in credit, risk, and regulatory reporting functions. Aggregate model performance metrics (AUROC, Gini) are necessary but insufficient — SAMA requires the ability to explain why this specific customer received this specific output.
4. Governance Committee with Documented Operation: A functioning AI model risk committee — not an existing committee with "AI" added to its terms of reference — with documented meeting cadence, quorum requirements, approval authority, and written records of model approvals, rejections, and remediation decisions.
5. Continuous Monitoring with Defined Thresholds: Production monitoring for all high-risk models covering performance drift, distribution shift, and output stability — with documented thresholds for escalation, re-validation trigger, and emergency model withdrawal. Monitoring must be running, not planned.
6. Audit Trail at Decision Level: Logs that capture model version, input features (or feature hash), output, confidence/probability where applicable, and any human override — for each production decision. Retained for the examination lookback period. Most current bank logging captures outputs only.
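The decision-level audit record described in item 6 can be sketched as follows. This is an added example, not code from SAMA or NeuralTechSoft; the field names, the model version string, and the sample decisions are assumptions constructed for illustration. It uses the feature-hash option and checks whether a log record carries every field or only the output.

```python
import hashlib
import json

# Fields item 6 names for each production decision. The key names are
# assumptions made for this example, not a SAMA-defined schema.
REQUIRED = ("model_version", "feature_hash", "output", "probability", "human_override")


def feature_hash(features: dict) -> str:
    """SHA-256 over canonical JSON so the same inputs always hash the same."""
    canonical = json.dumps(features, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def build_record(decision_id, model_version, features, output, probability,
                 human_override=None):
    """Assemble one decision-level audit record."""
    return {
        "decision_id": decision_id,
        "model_version": model_version,
        "feature_hash": feature_hash(features),
        "output": output,
        "probability": probability,
        # None means "no override"; the key is still written so absence
        # of an override is distinguishable from absence of logging.
        "human_override": human_override,
    }


def missing_fields(record: dict) -> list:
    """Return required fields a log record does not carry at all."""
    return [f for f in REQUIRED if f not in record]


def matches_inputs(record: dict, features: dict) -> bool:
    """Check that retained inputs reproduce the hash stored in the record."""
    return record.get("feature_hash") == feature_hash(features)


# Constructed sample data, not taken from any bank or from the page.
FEATURES = {"income_sar": 18500, "tenure_months": 42, "dti_ratio": 0.31}
FULL = build_record("D-0001", "credit-pd-2.4.1", FEATURES, "decline", 0.82,
                    human_override={"by": "analyst-17", "new_output": "approve"})
OUTPUT_ONLY = {"decision_id": "D-0002", "output": "approve"}

if __name__ == "__main__":
    for rec in (FULL, OUTPUT_ONLY):
        print(rec["decision_id"], "missing:", missing_fields(rec))
    print("inputs reproduce hash:", matches_inputs(FULL, FEATURES))
```

A feature hash only supports an audit if the original inputs are retained elsewhere for the lookback period, since the hash confirms a match but cannot reconstruct the inputs.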
The Saudi Bank Landscape: Who's Most Exposed
Saudi Arabia's largest banks have invested heavily in AI deployment across credit, fraud, and customer functions since 2021 — accelerated by Vision 2030 fintech targets and the competitive pressure from neo-banks and fintech entrants. That deployment pace created governance debt that is now due.
The Vision 2030 tension: SAMA's digital finance ambitions under FinTech Saudi require banks to accelerate AI adoption. Its supervisory function requires those same banks to govern that AI rigorously. Banks that deployed AI fast without building governance infrastructure simultaneously are now carrying both the deployment and the compliance debt.
Why IRRBB Expertise Is Directly Relevant Here
SAMA's approach to AI model risk management is not conceptually separate from its traditional model risk framework — it extends it. The same validation principles that apply to IRRBB models (independent challenge, sensitivity testing, documentation of assumptions) apply to ML credit models, but with additional complexity from algorithmic opacity and distributional instability.
This is the specific credibility NeuralTechSoft brings to this work. Dr. Mehta's team has been implementing IRRBB model validation frameworks in Saudi and GCC banks for over two decades — the same documentation structures, independence requirements, and sensitivity analysis methods that SAMA now applies to AI models. The model risk framework is familiar; the AI-specific overlays are what we build.
For banks whose model risk infrastructure predates their AI deployment, the fastest path to compliance is often to extend the existing MRM framework to cover AI — not to build a parallel AI-specific system. This requires deep familiarity with the existing framework, which is exactly what a 25-year engagement history provides.
The Big 4 Timeline Problem
Here is the structural reality of the Saudi compliance market in May 2026:
| Factor | Big 4 Engagement | NeuralTechSoft Diagnostic |
|---|---|---|
| Time to engagement start | 6–10 weeks (RFP, procurement) | 1–2 weeks |
| Time to examiner-ready output | 12–18 months | 2–4 weeks |
| Scope | Programme build (full framework) | Diagnostic + gap analysis + interim narrative |
| Fee structure | Variable, typically SAR 1M+ | Fixed fee SAR 190K–280K |
| Q3 2026 exam readiness | No — mid-implementation | Yes — interim compliance narrative |
| GCC regulatory expertise | Regional team, variable depth | 25 years Saudi/GCC banking |
| IRRBB/MRM integration | Separate workstream | Native — same framework extension |
The Big 4 build the right long-term programme. But a bank signing an 18-month engagement in May 2026 will still be in Phase 2 of framework implementation when Q3 examinations arrive. The diagnostic NeuralTechSoft produces in weeks is what creates the defensible position for that examination — and the output can serve as the baseline specification for the longer-term programme build, whoever delivers it.
What a SAMA AI Governance Diagnostic Produces
In 2–4 weeks, NeuralTechSoft's AI Model Risk diagnostic produces the following for Saudi financial institutions:
- Full model inventory — classified against SAMA's risk tier framework, with current governance coverage assessment per model
- Gap analysis by requirement — mapped to each of SAMA's six core AI model risk requirements, severity-rated, with evidence of current state
- Independent validation assessment — review of current validation practice against SAMA's independence standard, with specific findings on structure and documentation
- Governance committee review — existing committee structure, terms of reference, meeting evidence, and decision documentation assessed against SAMA expectations
- 30/60/90 day remediation roadmap — sequenced by regulatory risk, with ownership assignments and quick-win identification
- Interim compliance narrative — a documented assessment of good-faith compliance effort, suitable for presentation to SAMA examiners in advance of full programme completion
The Broader Regulatory Trajectory
SAMA's 2026 enforcement push is not an endpoint — it's a floor. The Saudi Central Bank has signalled increasing scrutiny of AI in financial services through its FinTech strategy, its participation in international AI governance forums, and its alignment with BCBS guidance on model risk in banking.
Banks that build genuine AI governance capability in 2026 — not just documentation — are positioning for a multi-year regulatory trajectory where AI governance maturity will increasingly differentiate institutions in supervisory standing, product approval timelines, and licence expansion decisions.
The window to be ahead of this curve rather than reactive to it is narrow. Institutions that run diagnostics in Q2 2026, remediate their highest-risk gaps by Q3, and begin operationalising their governance frameworks in H2 will be measurably ahead of the institutions that begin this process after their first examination finding.
SAMA examinations are not punitive by default — they respond to demonstrated good-faith effort. A bank with a documented gap analysis, a credible remediation roadmap, and evidence of active remediation in progress is in a materially better position than a bank that couldn't produce those documents when asked.
The question for every Saudi bank with AI models in production: is the gap analysis in place, or is discovering the gap the first thing your examiner does?