Kazakhstan Enacts AI Law: Clear Duties, Targeted Bans, and Mandatory Labeling
President Kassym-Jomart Tokayev has signed Kazakhstan's law on artificial intelligence. The act sets guiding principles for AI systems, assigns responsibility by role, and introduces new compliance requirements across labeling, data protection, and information security.
Core definitions and scope
The law treats artificial intelligence systems as part of informatization and as tools used by people to perform specific tasks. That framing puts AI squarely within existing digital governance while carving out AI-specific duties and controls.
Accountability by role
Responsibility is allocated to owners, holders, and users based on their role in deploying or operating AI systems. Owners and holders must implement risk management, ensure safety and reliability, and provide user support on system functioning. Expect this to influence vendor selection, documentation, and incident handling across the AI lifecycle.
Principles you can anchor policy to
The law codifies legality, fairness, equality, transparency and explainability, priority of human well-being, freedom of will in decision-making, data protection and privacy, plus safety and security. These principles will sit behind audits, DPIAs, model governance reviews, and user disclosures.
What's prohibited
Kazakhstan bans creation and operation of AI systems with certain capabilities within its territory, including:
- Subliminal, manipulative, or similar methods that could influence individuals without their awareness.
- Collection or processing of personal data in violation of personal data legislation.
- Other capabilities as specified by law or regulation (a general clause that warrants close monitoring once the text is published).
Labeling requirement
Outputs produced using AI must be labeled. This applies to goods, works, and services, and will require process changes in product teams, marketing, CX, and vendor deliverables. Build a labeling standard now so you can apply it consistently across channels.
National AI platform
The law establishes a legislative basis for a national AI platform to develop, train, and pilot AI models and platform-based software for limited periods. Treat this like a regulated environment: usage windows, data handling, and exit plans will matter.
Companion amendments: alignment and spillover changes
A separate law amends various acts to align with the AI law and address related areas:
- Unsecured digital assets: Their circulation is now regulated across Kazakhstan; previously it was confined to the Astana International Financial Centre (AIFC). See AIFC for context on the prior regime.
- Personal data consent: Consent validity cannot exceed the time needed to achieve the stated purpose. Data subjects (or legal representatives) can withdraw consent by notifying the owner, operator, or third party.
- Goods marking: Domestic retail entities must record transactions via cash registers by scanning identification means-tightening traceability and compliance.
- Information security: Various requirements are strengthened; expect updates to baselines, controls, and reporting obligations.
What legal teams should do now
- Map AI use across the organization (systems in development, piloting, and production). Identify owners, holders, and users for each system.
- Stand up an AI risk management framework aligned to the law's principles-tie it to your DPIA/PIA process and security controls.
- Draft and implement AI output labeling standards. Update product, marketing, and vendor guidelines.
- Review vendor contracts for AI-related warranties: safety, reliability, explainability support, data protection, and incident obligations.
- Update consent language, retention schedules, and withdrawal workflows to reflect the new personal data rules.
- Assess whether any current or planned systems could fall under the prohibited capabilities list; pause or redesign as needed.
- Prepare for participation in the national AI platform: define data minimization, sandbox timelines, and exit criteria.
- For digital assets teams, reassess licensing, custody, and AML/KYC controls now that activity extends beyond the AIFC.
Effective dates and enforcement
The text of the law will be published in the press. Track publication for effective dates, definitions, implementing rules, and the designated oversight bodies. Plan for a quick policy and contract refresh once the final text and subordinate regulations are available.
If your legal and compliance teams are building internal AI competency, this catalog may help: AI courses by job.
Your membership also unlocks:
