AI Ethics Committees in Saudi Arabia: Why Most Will Fail—and What the Ones That Work Look Like
In late 2024, a mid-size Saudi financial institution deployed a credit-scoring model to automate personal loan decisions. The model had passed internal technical review. It had legal sign-off. It had gone through the company's newly formed AI ethics committee, which met twice, reviewed a slide deck, and approved the deployment unanimously. Within weeks, the institution's customer service teams were fielding complaints from applicants who couldn't understand why they were rejected—and couldn't get an explanation in Arabic. The model's outputs were interpretable in English. Its error messages were English. Its appeal process assumed a level of financial literacy that didn't match the applicant base. The ethics committee had looked at the algorithm. Nobody had asked who it was actually going to affect, and how.
That institution's experience is not unusual. Across the Kingdom, organizations are establishing AI ethics committees in direct or anticipatory response to SDAIA's AI Ethics Principles framework. Most of these committees exist. Very few of them work.
Saudi organizations are building AI ethics committees as decoration. The ones that will matter are structured differently.
The Regulatory Moment That Changed the Calculus
SDAIA's National AI Strategy and its associated AI Ethics Principles—organized around the pillars of being Human-Centric, Ethical, and Secure—did not appear in a vacuum. They emerged as the Kingdom committed, through Vision 2030, to becoming a leading AI economy by the decade's end. That ambition brought with it a governance obligation: AI deployed at national scale needs accountability structures. SDAIA's framework provides the ethical architecture. Organizations are expected to build the internal organs that give it operational meaning.
The Personal Data Protection Law (PDPL) adds a harder legal edge. PDPL creates enforceable obligations around automated decision-making, data subject rights, and the processing of sensitive categories of data. An organization using AI to make decisions about employees, customers, or citizens is now operating in a regulated space—one where "we had an ethics committee review it" is only a defensible position if that committee's process can actually withstand scrutiny.
The National Cybersecurity Authority's Essential Cybersecurity Controls (NCA ECC) round out the picture, particularly for AI systems that process sensitive infrastructure or government data. Governance here is not optional.
What the regulatory environment has not done—yet—is mandate what an AI ethics committee must look like. That gap is precisely why so many of them are being built to satisfy the appearance of oversight rather than its substance.
What a Saudi AI Ethics Committee Actually Has to Do That's Different
The default model for AI ethics governance was developed in Western institutional contexts. It assumes certain things: that affected populations are digitally literate, that decisions can be explained in English, that the primary failure modes are discrimination along lines of race and gender as understood in US or European law, that data privacy frameworks look like GDPR.
None of those assumptions transfer cleanly to Saudi Arabia, and an ethics committee that doesn't account for the differences isn't doing ethics—it's doing translation theater.
Consider language first. Saudi Arabia's AI deployments serve a population that is predominantly Arabic-speaking, and SDAIA's Human-Centric pillar explicitly requires that AI systems be understandable to the people they affect. That means an ethics committee reviewing a customer-facing AI system needs to evaluate explainability in Arabic—not whether the model can produce an Arabic output if asked, but whether the explanation is culturally coherent, at an appropriate literacy level, and accessible through the channels Saudi users actually use. An algorithm that produces a rejection letter in formal Modern Standard Arabic for an applicant who reads Gulf dialect informally has failed at explainability even if it technically produced Arabic text.
Islamic finance considerations create a distinct ethical review layer that no Western ethics framework anticipates. Saudi organizations operating in banking, insurance, takaful, and investment management are deploying AI into domains governed by Shariah principles. An AI model that optimizes for interest-bearing returns, or that treats zakat obligations as externalities, or that segments customers in ways inconsistent with Shariah-compliant product structures, has an ethical problem that is entirely invisible to a committee using a generic Western ethics checklist. The ethics committee needs members—or access to advisors—who can evaluate these dimensions directly.
The cultural context of workforce applications is equally specific. Saudi Arabia's labor market has distinct dynamics: Saudization targets under Vision 2030, the particular social significance of employment for Saudi nationals, different norms around gender-segregated work environments, the role of wasta in traditional hiring that AI is often being deployed to counteract. An AI ethics committee reviewing a recruitment or performance management system needs to understand these dynamics well enough to ask the right questions about bias, fairness, and impact. A committee that treats Saudi workforce AI exactly as it would an equivalent system in London will miss the actual risk surface.
Structure That Creates Accountability Rather Than the Appearance of It
The most common structural failure in ethics committees is designing membership around representation rather than capability. Organizations invite a C-suite sponsor to signal authority, a legal counsel to handle regulatory questions, an IT leader to manage technical translation, and perhaps an external advisor to provide independent credibility. The result is a committee that has institutional coverage but lacks the specific expertise to evaluate what's actually in front of it.
Effective committees are built around the questions the committee needs to answer, not the functions that need to feel included. For a Saudi organization deploying AI across customer-facing and workforce applications, that means having people who can evaluate: whether an Arabic-language interface genuinely serves affected users; whether Shariah-compliance has been maintained in financially sensitive applications; whether PDPL obligations around automated decision-making have been discharged; whether the system's security posture meets NCA ECC requirements for the data it processes; and whether the business case accurately represents who bears the risk if the system fails.
That last point—who bears the risk—is where executive composition matters most. Ethics committees frequently include the people who benefit from AI deployment and exclude the people who are most exposed to its failures. Employees affected by AI-driven performance management systems are rarely represented. Customers subject to AI-driven credit decisions have no voice at the table. Saudi organizations need to build structured mechanisms for surfacing the interests of affected parties even when those parties aren't committee members. This might mean mandatory stakeholder consultation before high-risk deployments, or designating a committee member whose explicit role is to represent affected populations rather than organizational interests.
Reporting structure determines whether the committee has actual authority or only advisory influence. A committee that reports to the Chief Technology Officer will find it structurally difficult to halt an AI deployment that the CTO's team built and wants to ship. A committee that reports directly to the CEO or board—or to a Chief Risk Officer with genuine independence—has the structural standing to make unpopular decisions stick. The reporting line should be decided before the first deployment review, not renegotiated when the first conflict arises.
Decision types matter more than most organizations acknowledge when writing charters. Approving a deployment is the least important thing an ethics committee does. The consequential decisions are conditional approvals with binding implementation requirements, deferral pending additional information, and—most critically—outright rejection with documented rationale. An ethics committee that has never rejected or deferred a deployment is not doing oversight. It is providing regulatory cover.
The Review Process Is Where Governance Gets Real
Most AI ethics committee processes are designed around the convenience of the teams submitting systems for review rather than the information needs of the committee doing the reviewing. A team submitting a slide deck that describes what the AI does—without providing the committee with an independent analysis of who it affects, what failure modes exist, and what happens to those affected when it fails—is not giving the committee what it needs to govern.
Effective intake processes require submission packages that go beyond technical documentation. They require applicant teams to identify affected populations, enumerate the specific harms that could occur if the system fails or is misused, describe the redress mechanisms available to affected parties, and demonstrate that explainability requirements have been met in the languages and literacy levels of those populations. Requiring this documentation shifts the burden of ethical analysis to the teams who built the system—who have the information—rather than leaving the committee to extract it through questioning.
The review meeting itself should separate technical interrogation from ethical deliberation. These are different cognitive tasks. Technical interrogation—probing the model's architecture, training data, and validation results—requires committee members with quantitative fluency. Ethical deliberation—reasoning about harm, fairness, and accountability—requires different expertise. Conflating the two tends to result in technical members dominating discussions that should involve the whole committee.
Follow-up is where most committees fail silently. Conditional approvals that aren't tracked produce systems that deploy without their required modifications. Annual reviews of approved systems that never actually happen mean that systems whose risk profiles changed—because of new use cases, new data, or new deployment contexts—never come back to the committee. Governance without follow-up is aspiration, not oversight.
The Specific Risk of a Cosmetic Committee
The financial institution that deployed the Arabic-explainability-failing credit model did not lack governance. It had a committee. It had a process. It had documentation of approval. What it lacked was a committee that asked the right questions, had the expertise to evaluate the answers, and had the authority to require changes before approval was granted.
The risk of a cosmetic ethics committee is not simply that bad AI gets deployed. The deeper risk is that the organization now has documented evidence that it reviewed the system and found nothing wrong. In the event of a regulatory inquiry under PDPL, or a public failure that attracts scrutiny, that documentation becomes evidence of negligence rather than diligence. The committee that approved everything has made the organization's legal and reputational position worse than if no committee had existed at all.
SDAIA's framework is explicit that accountability for AI systems rests with the organizations that deploy them. The Human-Centric pillar requires that AI serves people, not just organizational interests. The Ethical pillar requires that organizations identify and mitigate harm proactively. The Secure pillar requires that risks are managed across the AI system's lifecycle. An ethics committee that meets these standards cannot be a rubber stamp. It has to be a body capable of saying no—and saying it on the record, with documented rationale, before a system reaches the people it will affect.
What the Next Twelve Months Require
Saudi organizations that have established AI ethics committees should conduct an immediate structural audit. Does the committee have members with Arabic-language AI expertise? Does it have access to Shariah-compliance guidance for financial applications? Does it have a documented process for consulting affected stakeholders before high-risk deployments? Does it have the authority to halt a deployment, and has it ever used that authority? If the answer to any of these is no, the committee is not yet fit for its purpose.
Organizations that have not yet established ethics committees should resist the temptation to build the structure that looks right before building the structure that works. A small, expert committee with genuine authority and a rigorous intake process will produce better governance than a large, representative committee with a rubber-stamp workflow. The goal is not to have an ethics committee. The goal is to govern AI in a way that serves the people it affects, meets the Kingdom's regulatory expectations, and builds the institutional trust that Saudi Arabia's AI transformation requires.
The Kingdom's ambition for AI is real. The regulatory framework to hold organizations accountable is developing. The organizations that will lead in this environment are not the ones that had ethics committees first—they're the ones that built committees that actually governed.
Published by PeopleSafetyLab — AI safety and governance research for KSA organizations.