
SAMA Cybersecurity Framework Integration

The Saudi Central Bank (SAMA) Cyber Security Framework (CSF) is mandatory for all financial institutions regulated by SAMA. This document provides a comprehensive mapping between AEEF controls and SAMA CSF domains, enabling financial-sector organizations in Saudi Arabia to implement AI-assisted engineering within their existing cybersecurity compliance programs.

Applicability

Apply this integration when any of the following are true:

  1. The organization is regulated by SAMA (banks, insurance companies, finance companies, payment service providers).
  2. AI-assisted engineering outputs are deployed in systems that process financial transactions, customer data, or regulatory reporting.
  3. Contracts with SAMA-regulated entities require demonstrated cybersecurity framework compliance for AI development practices.

SAMA CSF Domain Mapping

The control numbers in the tables below are this mapping's own row labels, not the subdomain and control identifiers used in the published SAMA CSF, which follow a different numbering scheme. When assembling audit evidence, cross-reference each row to the specific control identifier in the current published version of the framework.

Domain 1: Cyber Security Leadership and Governance

| SAMA CSF Control | Control Description | AEEF Control | Evidence |
|---|---|---|---|
| 1.1 Cyber Security Policy | Establish and maintain cyber security policies | Pillar 2 Overview — AI governance policy framework; IP Policy | AI governance policy document; acceptable use policy |
| 1.2 Cyber Security Roles and Responsibilities | Define roles for cyber security management | Pillar 2 Governance Roles — Engineering Director, CISO, Architecture Board, Compliance Officer | Governance role matrix; RACI charts |
| 1.3 Cyber Security Strategy | Align cyber security with business strategy | Maturity Model — strategic progression; KPI Framework — ROI measurement | Maturity assessment records; KPI dashboards |
| 1.4 Cyber Security Risk Management | Establish risk management processes | Security Risk Framework — threat modeling, risk assessment | Risk registers; threat model documents |

Domain 2: Cyber Security Risk Management and Compliance

| SAMA CSF Control | Control Description | AEEF Control | Evidence |
|---|---|---|---|
| 2.1 Risk Assessment | Conduct regular risk assessments | Security Risk Framework; SDAIA Risk Framework Alignment | Risk assessment reports; SDAIA risk classification |
| 2.2 Regulatory Compliance | Ensure compliance with regulations | Compliance & Regulatory; KSA Regulatory Profile | Compliance mapping matrices; audit evidence |
| 2.3 Audit | Conduct internal and external audits | Retention & Audit Evidence — retention policy and evidence model | Audit reports; evidence archives |
| 2.4 Third-Party Risk | Manage risks from third-party providers | Pillar 2 Overview — AI tool approval process; PRD-STD-008 Dependency Compliance | Tool approval records; vendor risk assessments; dependency audit logs |

Domain 3: Cyber Security Operations and Technology

| SAMA CSF Control | Control Description | AEEF Control | Evidence |
|---|---|---|---|
| 3.1 Asset Management | Maintain inventory of information assets | Pillar 2 Overview — AI tool inventory; Code Provenance | Tool inventory; provenance metadata store |
| 3.2 Access Control | Implement access control measures | Pillar 2 Data Classification — classification-based access; PRD-STD-009 Agent Governance — least privilege agents | Access control configurations; agent permission records |
| 3.3 Application Security | Secure application development | Complete AEEF Pillar 1 and Pillar 2 — Engineering Discipline; PRD-STD-002; PRD-STD-004 | PR review records; SAST/SCA scan results; quality gate evidence |
| 3.4 Change Management | Control changes to information systems | Human-in-the-Loop Review; PRD-STD-007 Quality Gates | Change approval records; gate pass evidence |
| 3.5 Encryption | Protect data through encryption | Pillar 2 Data Classification — encryption requirements by classification level | Encryption configuration records; certificate management |
| 3.6 Vulnerability Management | Identify and remediate vulnerabilities | PRD-STD-004 Security Scanning; Security Risk Framework — remediation SLAs | Vulnerability scan results; remediation tracking |
| 3.7 Logging and Monitoring | Monitor systems and maintain logs | Retention & Audit Evidence; PRD-STD-012 Inference Reliability — observability | Log retention evidence; monitoring dashboard configurations |

Domain 4: Third-Party Cyber Security

| SAMA CSF Control | Control Description | AEEF Control | Evidence |
|---|---|---|---|
| 4.1 Vendor Risk Assessment | Assess third-party cyber security posture | Pillar 2 Overview — AI tool security assessment and approval | Tool security assessment reports; vendor questionnaire responses |
| 4.2 Contractual Requirements | Include security requirements in contracts | Intellectual Property — vendor agreements; KSA Regulatory Profile — data residency clauses | Contract security annexes; DPA agreements |
| 4.3 Ongoing Monitoring | Monitor third-party compliance | KSA Regulatory Profile — annual revalidation (KSA-03) | Annual revalidation records; vendor compliance reports |

Domain 5: Cyber Security Resilience

| SAMA CSF Control | Control Description | AEEF Control | Evidence |
|---|---|---|---|
| 5.1 Incident Management | Detect, respond to, and recover from incidents | Incident Response — AI-specific incident classification and response | Incident reports; MTTR metrics; root cause analyses |
| 5.2 Business Continuity | Maintain operations during disruptions | Government (Middle East) Profile — GOV-ME-06 continuity fallback; PRD-STD-012 — fallback behavior | BCP/DR plans; continuity test results; fallback configuration |
| 5.3 Disaster Recovery | Recover systems after catastrophic events | Pillar 1 Version Isolation — independent rollback capability | Rollback test results; recovery time evidence |

SAMA-Specific Developer Requirements

Financial-sector AI engineering in Saudi Arabia requires additional developer controls beyond standard AEEF requirements:

MANDATORY for SAMA-Regulated Entities

The following requirements are mandatory for all AI-assisted engineering within SAMA-regulated organizations. Violations may result in regulatory findings.

  1. Customer Data Prohibition: Developers MUST NOT include customer financial data, account numbers, transaction records, or any customer PII in AI prompts under any circumstances. This covers not only typed prompts but also files, logs, and repository content that an AI tool reads as context. Use synthetic data only.

  2. Transaction-Processing Code: AI-generated code that processes financial transactions MUST be classified as Tier 3 (High Risk) and MUST receive security champion review regardless of change size.

  3. Regulatory Reporting Code: AI-generated code that produces or contributes to regulatory reports (SAMA, CMA, or other regulator submissions) MUST be classified as Tier 3 and MUST include enhanced testing with verified expected outputs.

  4. Model Risk for AI Products: Financial AI products (credit scoring, fraud detection, AML) MUST comply with SAMA model risk management expectations in addition to PRD-STD-010 and PRD-STD-011.

  5. Audit Trail Retention: Provenance metadata and audit trails for AI-assisted code in financial systems MUST be retained for a minimum of 7 years, aligned with SAMA record-keeping requirements.

  6. Segregation of Duties: AI tools used for development MUST NOT have access to production financial data, including indirect access through credentials, connection strings, or data extracts present in the developer environment the tool can read. Development, testing, and production environments MUST maintain strict segregation.

  7. Outsourcing Notification: Use of cloud-based AI tools for financial system development MAY constitute outsourcing under SAMA rules. Organizations MUST assess whether AI tool usage triggers SAMA outsourcing notification requirements.
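The customer-data prohibition in item 1 (and the "technical controls" the audit checklist asks for) can be enforced with a pre-send hook that scans each prompt for validated financial identifiers before the prompt leaves the developer's machine. The following is an added example written for this page, not AEEF or SAMA code: the hook function names, the two detectors chosen (Saudi IBANs validated with the ISO 13616 mod-97 check, card numbers validated with the Luhn check), and the sample prompt are all assumptions of the example.

```python
"""Pre-send prompt guard for the customer-data prohibition.

Added example, not part of AEEF or SAMA. It assumes the organisation routes
every prompt to an approved AI tool through a hook that calls guard() and
refuses to transmit when findings are returned. Detectors: Saudi IBANs
(ISO 13616 mod-97 check) and payment card PANs (Luhn check).
"""
import re

# Saudi IBAN: "SA" + 2 check digits + 22 digits (24 characters total).
_IBAN_RE = re.compile(r"\bSA\d{22}\b")
# Candidate PAN: 13-19 digits, optionally grouped by spaces or dashes.
_PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 check: move the first four characters to the end, map
    letters to 10..35, and the resulting integer must equal 1 mod 97."""
    rearranged = iban[4:] + iban[:4]
    numeric = "".join(str(ord(c) - 55) if c.isalpha() else c for c in rearranged)
    return int(numeric) % 97 == 1


def luhn_is_valid(number: str) -> bool:
    """Luhn mod-10 check over the digits of a candidate card number;
    separators are ignored."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for idx, d in enumerate(reversed(digits)):
        if idx % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits so a finding can be logged to the audit
    trail without reproducing the customer data it detected."""
    digits = "".join(c for c in value if c.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_prompt(text: str) -> list[dict]:
    """One finding per validated IBAN or PAN, ordered by position in the text.
    Pattern matches that fail their checksum are discarded to cut false positives."""
    findings = []
    for m in _IBAN_RE.finditer(text):
        if iban_is_valid(m.group()):
            findings.append({"type": "IBAN", "start": m.start(), "masked": mask(m.group())})
    for m in _PAN_RE.finditer(text):
        if luhn_is_valid(m.group()):
            findings.append({"type": "PAN", "start": m.start(), "masked": mask(m.group())})
    return sorted(findings, key=lambda f: f["start"])


def guard(text: str) -> tuple[bool, list[dict]]:
    """Decision the send hook acts on: (allowed, findings). Block by default
    whenever any validated identifier is present."""
    findings = scan_prompt(text)
    return (len(findings) == 0, findings)


if __name__ == "__main__":
    # Constructed sample prompt (assumption of the example): the IBAN is the
    # published format example for Saudi Arabia and the PAN is a standard
    # test number; neither is real customer data.
    sample = ("Why does the transfer from SA0380000000608010167519 fail "
              "when the card is 4111 1111 1111 1111?")
    allowed, found = guard(sample)
    print("allowed" if allowed else "BLOCKED", found)
```

Two caveats for anyone deploying something like this. First, checksums only reduce false positives: roughly one random 16-digit run in ten passes Luhn and one in 97 passes mod-97, so the hook should block by default and let a reviewer maintain an allowlist for known synthetic fixtures rather than silently dropping matches. Second, two identifier classes do not cover "any customer PII"; names, national IDs, and free-text transaction narratives need classification-aware handling (Pillar 2 Data Classification) on top of pattern matching, and the same scan has to run over files the tool ingests as context, not just the typed prompt.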

SAMA Audit Preparation Checklist

  • AI tool inventory includes SAMA compliance status and data classification approval.
  • All AI tools assessed for SAMA third-party risk requirements (Domain 4).
  • Customer data prohibition enforced through prompt governance and technical controls.
  • Transaction-processing and regulatory-reporting code classified at Tier 3.
  • SAST/SCA/secret detection scanning active on all AI-generated code in financial systems.
  • Provenance metadata retention verified at 7-year minimum for financial system code.
  • Incident response procedures include SAMA notification requirements.
  • Change management records (PRs, reviews, approvals) accessible for SAMA audit sampling.
  • Business continuity and disaster recovery plans include AI tool dependency analysis.
  • Annual AI tool revalidation completed per KSA-03.
  • Segregation of duties between AI development tools and production data verified.
  • SAMA outsourcing assessment completed for cloud-based AI tool usage.

External Sources