Kazakhstan's New AI Law: Key Requirements for Businesses (2026)
Alexander Shlimakov specializes in Salesforce, Tableau, Mulesoft, and Slack consulting for enterprise clients across the CIS region. With a proven track record in technical sales leadership and a results-oriented approach, he focuses on the financial services, high-tech, and pharma/CPG segments. Known for his out-of-the-box thinking and strong presentation skills, he brings extensive experience in solution sales and business development.
Kazakhstan's new AI law: risk tiers, copyright, mandatory labeling, liability, and bans. Key for businesses in Central Asia.
Kazakhstan's New AI Law: Key Requirements for Businesses (2026)
On January 18, 2026, Kazakhstan's New AI Law officially took effect, making it the first Central Asian nation to regulate artificial intelligence comprehensively. This landmark legislation establishes new rules for intellectual property, corporate liability, and data governance, impacting any business developing or using AI within the country. The law mandates that companies label all AI-generated content, localize personal data, and classify AI systems according to risk. It also reserves copyright for human-led creative work and bans high-risk applications like social scoring, placing full liability for AI-related damages on companies. As Kazakhstan now leads the region in AI rules, its framework is expected to influence neighboring countries.
What are the key requirements of Kazakhstan's new AI law?
Kazakhstan's AI law, which became effective January 18, 2026, imposes several key obligations on companies:
- Classify all AI systems into minimal, medium, or high-risk tiers and adhere to corresponding safeguards.
- Clearly label all content generated or significantly altered by AI.
- Recognize copyright only for works demonstrating significant human creative input.
- Store all personal data processed by AI systems on servers within Kazakhstan.
- Cease and avoid all banned AI applications, including subliminal manipulation and social scoring.
- Why the hurry? The law addresses a surge in AI spending, which reached roughly $220 million on AI-enabled products in 2024 - a 37% annual increase. By enacting the Law "On Artificial Intelligence"*, the government aims to establish a secure, regulated AI market and move beyond the previous legal ambiguities. What follows is a detailed guide to the provisions most critical for business leaders, product developers, and compliance teams operating in Kazakhstan.
1. Risk first, everything else second
Under the new law, every AI system that is developed, hosted, or commercially exploited in the country must be slotted into one of three risk tiers:
| Level | Typical examples | Obligations |
|---|---|---|
| Minimal | Recommendation engines, simple chatbots | Basic safety self-check; no pre-market filing |
| Medium | Customer-scoring models, predictive maintenance | Internal risk dossier; user notification |
| High | Credit-scoring in banks, medical image analysis | Third-party audit, traceability logs, 24-hour incident reporting |
High-risk models are treated like state information systems: encryption, penetration tests, and a formally appointed "information security officer" are non-negotiable.
While companies self-classify their systems, regulators possess the authority to re-classify and impose fines for "obviously implausible" assessments.
The law's core requirements compel businesses to classify AI by risk level, label all synthetic media, and ensure personal data remains localized. It also limits copyright to human-guided creations and explicitly prohibits certain applications like social scoring systems or subliminal behavioral tools.
2. Copyright: humans in, pure machines out
The law provides a clear framework for ownership of AI-generated content:
- Copyright is granted if a human's creative prompt or iterative edits demonstrably shape the final output.
- Raw machine output - images, text, or code created without substantial human guidance - is not copyrightable and enters the public domain.
- The prompts used to generate content are themselves eligible for copyright protection, a key detail for firms selling engineered prompt libraries.
For training data, the law follows Japan's 2024 model, implementing an "opt-out" system. Scraping data for training is considered lawful unless a rights-holder explicitly prohibits it using a machine-readable signal.
3. Mandatory "synthetic" labelling
All audio, video, image, or text file that is AI-generated or has been "materially modified" by AI must include a clear disclosure. This responsibility falls on the system's owner or operator, not the end-user. Non-compliance can result in administrative fines up to 3,000 Monthly Calculation Indices (approx. $21,000) and civil liability for misleading consumers.
4. Liability lands on the company, not the machine
The law states that legal liability for damages caused by an AI system falls squarely on the developer, owner, or business user - in that joint-and-several order. This necessitates that managers:
- Establish clear internal protocols for validating and deploying model updates.
- Negotiate contractual clauses that transfer a portion of the risk to technology vendors and data suppliers.
5. Black-list of forbidden use-cases
The legislation outright prohibits thirteen specific categories of AI applications. Key examples include:
| Prohibited practice | Rationale |
|---|---|
| Subliminal techniques to alter behaviour without user awareness | Consumer protection |
| Emotion recognition in public spaces without consent | Privacy |
| Social scoring of individuals by personality traits | Non-discrimination |
| Real-time biometric identification in mass gatherings | Civil-liberty safeguard |
These prohibitions apply to all AI systems regardless of their risk tier, as the ban is based on the intended use case, not the underlying technology.
6. Data-localisation stays in force
Echoing the 2013 Personal Data Law, the AI legislation reaffirms that any personal data processed by AI systems must be store that data on servers physically located in Kazakhstan. International providers typically comply by using a dedicated "KZ-only" cloud tenant or a local private cloud.
7. State support tools already online
To ease the transition, the government has introduced two key support initiatives:
- AI Governance 500 - a 12-week executive course that has placed 110 civil servants and private-sector managers in intensive workshops on risk auditing and ethics.
- A draft "trusted systems" whitelist - models that pass voluntary certification earn faster procurement in state tenders.
8. Practical checklist for enterprises
- Inventory all AI models that interact with users in Kazakhstan and complete internal risk classification.
- Scan training datasets for opt-out signals and log the results for compliance records.
- Implement watermarks or on-screen labels for all generative AI outputs.
- Update Service Level Agreements (SLAs) to guarantee incident notification within 24 hours.
- Archive all model version artifacts - including weights, data snapshots, and test results - for five years to prove compliance if requested by regulators.
9. Regional echo
To date, no other Central Asian republic has enacted similar AI legislation. While Uzbekistan published an AI strategy paper in 2024, it has not yet progressed to law. This positions Kazakhstan as the definitive regulatory laboratory for the region. Many multinationals are standardizing their compliance frameworks based on Kazakhstan's model, anticipating that neighboring countries will eventually adopt similar rules.
10. Bottom-line for boards
This law is now in full effect, with all transition periods expired. Any AI-enabled system deployed after 18 January 2026 is subject to these regulations, and contractual silence is not a defence if something goes wrong. Companies that are already pursuing certification, including several in the pharmaceutical and telecom sectors, are setting the standard. Businesses that delay action risk falling behind in a market where transparency, accountability, and labeled content are the new requirements for earning trust.