Governance goes geographic

Artificial intelligence rules are starting to look more like local law than broad principle, with Saudi Arabia and California both moving to spell out how organizations must govern systems before and after launch. (6clicks.com) (gov.ca.gov) In Saudi Arabia, the Saudi Data and Artificial Intelligence Authority’s AI Adoption Framework sets a baseline for public-sector entities around five pillars: data governance, model accountability, transparency, human oversight, and risk management. A Saudi legal analysis published April 7 said the framework sits alongside the Personal Data Protection Law and the 2023 Artificial Intelligence Ethics Principles rather than replacing them. (6clicks.com) (tamimi.com) The 6clicks analysis, published April 11, said Saudi Arabia declared 2026 the “Year of Artificial Intelligence” and described the framework as a mandatory baseline for every public-sector entity in the kingdom. The same piece said Saudi authorities project government AI adoption could generate $56 billion a year in productivity gains. (6clicks.com) California moved earlier, on September 29, 2025, when Governor Gavin Newsom signed Senate Bill 53, the Transparency in Frontier Artificial Intelligence Act. The law requires standardized public safety disclosures from developers of the largest models and took effect in January 2026, with civil penalties of up to $1 million per violation. (gov.ca.gov) (wilmerhale.com) California’s law is narrower than the European Union’s Artificial Intelligence Act in scope, but it borrows a similar logic: force advance documentation, risk management, and accountability for systems above a defined threshold. WilmerHale said Senate Bill 53 applies to “frontier” models trained with more than 10^26 floating-point operations, a compute threshold higher than the European Union law’s 10^25 benchmark. (wilmerhale.com) That shift is pushing companies to treat AI governance less like a separate ethics project and more like an extension of existing control systems. The National Institute of Standards and Technology says its Artificial Intelligence Risk Management Framework is meant to help organizations build trustworthiness into the design, development, use, and evaluation of AI systems, while the International Organization for Standardization says ISO/IEC 27001 and ISO/IEC 42001 provide management-system structures for information security and AI governance. (nist.gov) (iso.org 1) (iso.org 2) The attraction of those standards is practical: they turn abstract duties like oversight and accountability into named controls, assigned owners, review cycles, and audit evidence. ISO says ISO/IEC 42001 is the first global standard for an artificial intelligence management system, and says it is designed to work in a common management-system approach alongside security, privacy, and other governance programs. (iso.org 1) (iso.org 2) A separate April 2026 industry piece argued that sequence matters as much as policy, using a simple example: if artificial intelligence writes code and a human approves deployment only after the fact, the approval record may fail an audit trail. The article said governance gaps often appear not in missing policies but in missing order, especially where human signoff, testing, and release controls are supposed to happen before production use. (qservicesit.com) The result is a map of AI rules that now runs through Riyadh and Sacramento as much as through Brussels or Washington. For companies selling into government or building large models, the immediate job is no longer just to publish principles, but to show dated approvals, defined controls, and named accountability inside the systems they already use. (6clicks.com) (wilmerhale.com)