The history of technology governance in low- and middle-income countries follows a recognisable pattern: the technology is deployed, often rapidly, by commercial actors with resources to move faster than regulatory bodies; evidence of harm accumulates; a governance response is designed to address the harm that has already occurred. This is regulatory capture by timeline — not by commercial interest, but by the simple fact that governing a technology already embedded in critical infrastructure requires overcoming the political and economic costs of dislodging it (Mazzucato 2021). Kenya's AI governance window in healthcare is open. It will not remain so.
The Gap in the Literature
The proactive governance literature — scholarship focused on governance frameworks designed before technology deployment rather than in response to documented harm — is dominated by OECD contexts, particularly the EU AI Act and OECD AI Principles (OECD 2019; European Parliament 2024). There is a significant gap in this literature regarding pre-emptive AI governance frameworks for health systems in East Africa, where the relevant institutional actors, regulatory traditions, and deployment contexts differ substantially from those on which existing frameworks were designed. This article contributes to closing that gap by proposing a governance architecture calibrated to Kenya's institutional realities.
The Deployment Pace Problem
AI-enabled diagnostic tools, clinical decision support systems, and patient triage platforms are entering Kenyan health facilities through procurement channels that were not designed to evaluate them. The Kenya Medical Practitioners and Dentists Council regulates medical devices and clinical practice. The Pharmacy and Poisons Board regulates pharmaceutical products. Neither institution currently has a designated mandate to evaluate AI clinical tools as a distinct regulatory category — which means that a diagnostic algorithm is currently purchased and deployed under the same procurement logic as a blood pressure cuff (KMPDC 2023). This is not a sustainable position.
The Data Protection Act requires that health data be processed on specified lawful bases (Republic of Kenya 2019). The AI Strategy signals an intention to develop governance frameworks (Republic of Kenya, Ministry of ICT 2023). The eSanjeevani telemedicine platform in India, built on AI-generated differential diagnosis recommendations, logged over 282 million consultations by early 2026 (ICTworks 2026) — a scale that demonstrates both the genuine utility and the governance urgency of these tools. Kenya's trajectory toward comparable deployment volumes is clear. The question is whether governance arrives first.
Governing a technology already embedded in critical infrastructure requires overcoming the political and economic cost of dislodging it. That cost increases every day governance is deferred.
The EU AI Act: A Framework Designed for a Different Institutional Context
The EU AI Act (European Parliament 2024) classifies clinical decision support systems as high-risk AI applications and subjects them to mandatory conformity assessment, registration, and ongoing monitoring requirements. The Act represents the most comprehensive attempt to govern AI pre-deployment in any jurisdiction. Its limitation as a model for Kenya is institutional: the conformity assessment infrastructure it assumes — notified bodies, market surveillance authorities, and the technical capacity to conduct AI audits — does not yet exist in Kenya. Importing the EU's regulatory architecture without the institutional infrastructure to implement it would produce the same nominal-mandate, low-compliance outcome that India's IRDAI experience illustrates in the insurance domain.
The more immediately applicable model is India's phased approach: establish the validation infrastructure first (BODH), require deployment disclosure second, and introduce mandatory conformity assessment as institutional capacity develops. Kenya can sequence this transition more rapidly than India did, because it is designing it with full knowledge of where India's sequencing produced gaps.
Three Steps Available Now
First, the KMPDC and Pharmacy and Poisons Board can jointly issue a clinical AI registration requirement — modelled on medical device registration but adapted for software — requiring any AI clinical decision support tool deployed in a licensed health facility to be registered with a designated national authority as a condition of procurement. This requires regulatory guidance, not primary legislation.
Second, the National AI Strategy can be amended in its first scheduled review to designate healthcare as a high-risk AI application domain, triggering a mandatory consultation process before any government health facility may deploy an AI tool above a defined risk threshold.
Third, Kenya can engage through the African Union's Digital Transformation Strategy process to develop a continent-wide AI health governance framework — positioning Kenya as an architect of regional governance rather than a recipient of frameworks designed elsewhere — a role consistent with Kenya's existing leadership in the AU's digital transformation agenda (African Union 2020).