Responsible AI governance is the set of policies, roles, and controls a company puts in place to design, deploy, and monitor its artificial intelligence systems in an ethical, compliant, and controlled way. It turns principles (fairness, transparency, human oversight) into verifiable procedures, from a use-case register all the way to audit.
Bottom line: Morocco has no enforceable AI law yet (the draft "Digital X.0" framework law is under government review), but your AI systems can already fall under the EU AI Act the moment their outputs are used in the Union, and your personal data remains governed by Law 09-08 and the CNDP. Internal governance (a charter, risk classification, human oversight) is no longer an abstract ethics question; it is a condition of market access.
Many Moroccan executives treat AI governance as a future compliance topic, something to handle "once the law comes out." That is a scheduling error. The obligations that bite today do not come from a Moroccan text: they come from your European clients, from the CNDP on the data side, and from tenders that now demand guarantees. This guide lays out an operational, proportionate framework specific to the Moroccan context.
Why is AI governance becoming urgent for a Moroccan enterprise?
Three pressures are converging, and none of them waits for a Moroccan law. First, European exposure: the EU AI Act (Regulation (EU) 2024/1689), in force since 1 August 2024, applies extraterritorially. Its Article 2 covers providers and deployers established in a third country whenever the output produced by the AI system is used in the Union. A Moroccan offshoring, BPO, SaaS, or fintech firm serving European clients can therefore fall within its scope, regardless of any Moroccan law.
Second, data pressure: the moment an AI system processes personal data, Law 09-08 and the CNDP apply fully (see our CNDP and Law 09-08 compliance guide).
Third, market pressure: the Maroc IA 2030 roadmap ("AI Made in Morocco"), presented on 12 January 2026 in Rabat inside the broader Digital Morocco 2030 strategy, is raising the expectations of buyers and investors faster than internal organizational maturity. Governance is becoming a contract eligibility criterion, not a nice-to-have.
Does Morocco have a law on artificial intelligence?
No, not as of today, and precision matters here because confusion is expensive. Morocco is working on a draft "Digital X.0" framework law intended to govern AI (risk assessment, transparency, human review of automated decisions, registration of high-risk systems), data sovereignty, and digital identity. But in 2025-2026, that text remains a draft under government review, largely inspired by European regulation. It is not in force and creates no binding obligation today.
Likewise, Morocco has not "adopted" the EU AI Act: that is Union law, which reaches Moroccan companies only through its extraterritorial effect. And the penalties under Law 09-08 (fines of 10,000 to 300,000 dirhams, imprisonment of three months to two years, penalties doubled for a legal person) sanction personal-data offences, not AI-specific failures. Building your governance now means pre-positioning for "Digital X.0" rather than scrambling through the transition later.
Which reference frameworks should structure my AI governance?
Rather than inventing everything, lean on recognized references. Three complementary pillars stand out, plus the European text that already binds, each with a different status you must understand so you do not over-promise.
| Reference | Nature | What it brings | Status |
|-----------|--------|----------------|--------|
| UNESCO Recommendation on the Ethics of AI | Global ethics standard (2021, adopted by all 193 Member States including Morocco) | Values backbone: human oversight, transparency, fairness, privacy, accountability, safety | Non-binding, commitment to implement |
| NIST AI RMF 1.0 | Risk-management framework (NIST, January 2023) | Operating model in four functions: Govern, Map, Measure, Manage | Voluntary, recommended best practice |
| ISO/IEC 42001:2023 | AI management system (AIMS) standard | Certifiable, auditable requirements to establish and improve an AI management system | Voluntary but certifiable |
| EU AI Act | EU Regulation (EU) 2024/1689 | Risk-based approach (unacceptable, high, limited, minimal) and conformity obligations | Binding in the EU, extraterritorial scope (Art. 2) |
Morocco has a credible local anchor: the UNESCO Recommendation, complemented by the "AI Movement" centre at UM6P in Salé, the first Category II centre dedicated to AI in Africa (status granted in November 2023), and the Readiness Assessment Methodology (RAM) country profile the Kingdom completed. You can base your charter on these principles rather than importing only American or European frameworks.
How do I classify my AI systems by risk level?
The cornerstone of proportionate governance is the inventory. You can only govern what you have recorded. Maintain a register of AI systems and use cases (model used, purpose, data involved, business owner, vendor), then classify each entry by risk level, borrowing the tiers of the EU AI Act.
| Risk level (EU AI Act logic) | Indicative examples | Control posture |
|------------------------------|---------------------|-----------------|
| Unacceptable (prohibited in EU) | Manipulative practices, social scoring | To be banned |
| High risk | CV screening, credit scoring, HR or access decisions | Documentation, human oversight, bias testing, logging |
| Limited risk | Customer chatbot, internal assistant | Transparency: inform the user they are interacting with an AI |
| Minimal risk | Spam filter, office suggestions | General good practice |
This classification lets you concentrate effort where the impact is real. A FAQ chatbot and a credit-scoring tool do not call for the same level of control. For high-risk systems serving European clients, the EU AI Act notably requires a risk-management system (Article 9), data governance (Article 10), technical documentation (Article 11), transparency toward deployers (Article 13), and human oversight (Article 14).
How do I ensure human oversight and accountability?
Automation without an owner is the most common trap. Every consequential AI system must have a named human owner, and every high-impact decision must be reviewable, contestable, and reversible by a natural person. This is precisely the logic of Article 14 of the EU AI Act, which requires high-risk systems to be effectively overseen by human beings.
In practice, distinguish two modes. Human-in-the-loop inserts human validation before a decision is executed (a credit application rejected by the model is reviewed before notification). Human-on-the-loop lets the system act but under supervision, with the ability to intervene and override. Define in writing the trigger thresholds, the escalation procedure, and the right to override.
Also set up a steering body: a cross-functional AI governance committee (executive, legal, security, business lines) that validates risky use cases, arbitrates, and keeps the register current. An internal AI charter, aligned with the UNESCO principles, fixes the scope of acceptable use. Our AI transformation service supports the rollout of this setup.
How do I handle bias, fairness, and transparency in the Moroccan context?
Imported models are not neutral for the Moroccan market, and this is a frequently overlooked governance blind spot. Off-the-shelf foreign models are weakest on Arabic, Darija, and Amazigh language data, and on local demographic realities. A credible fairness setup must therefore test outputs on those languages and populations, not only in French or English.
Three practices structure this dimension. First, discriminatory-outcome testing: verifying the system does not produce unjustified gaps by gender, origin, or language. Second, transparency: documenting the model and its limits, and signalling to the user when they are interacting with an AI (the transparency logic of the EU AI Act's "limited risk" tier). Third, proportionate explainability: the heavier the consequences of a decision, the more you must be able to explain how it was reached.
This requirement aligns with the values backbone of the UNESCO Recommendation (fairness, non-discrimination, transparency, and explainability) and protects you both reputationally and contractually.
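The discriminatory-outcome test described above can be run as a per-group comparison of favourable-outcome rates. The following is an added example, not code from this guide: the record layout, the `min_ratio` of 0.8 and the `min_samples` of 5 are assumed review thresholds, and the decisions are constructed sample data.

```python
from collections import defaultdict

def outcome_gaps(records, attribute, min_ratio=0.8, min_samples=5):
    """Compare each group's favourable-outcome rate with the best-served group.

    min_ratio and min_samples are assumed thresholds, not values taken
    from the guide or from any regulation it cites.
    """
    counts = defaultdict(lambda: [0, 0])           # group -> [favourable, total]
    for rec in records:
        group_counts = counts[rec[attribute]]
        group_counts[0] += rec["favourable"]
        group_counts[1] += 1
    # Groups with too few cases are reported separately instead of scored:
    # a rate computed on three decisions proves nothing either way.
    too_small = sorted(g for g, (_, tot) in counts.items() if tot < min_samples)
    rates = {g: fav / tot for g, (fav, tot) in counts.items() if tot >= min_samples}
    best = max(rates.values(), default=0.0)
    report = {}
    for group, rate in sorted(rates.items()):
        ratio = rate / best if best else 1.0
        report[group] = {"rate": round(rate, 3), "ratio": round(ratio, 3),
                         "flag": ratio < min_ratio}
    return report, too_small

def _sample(group, favourable, total):
    """Build constructed decisions for one language group."""
    return [{"language": group, "favourable": i < favourable} for i in range(total)]

# Constructed sample: the same screening model run on files in four languages.
DECISIONS = (_sample("french", 8, 10) + _sample("arabic", 7, 10)
             + _sample("darija", 4, 10) + _sample("amazigh", 1, 3))

if __name__ == "__main__":
    report, too_small = outcome_gaps(DECISIONS, "language")
    for group, row in report.items():
        print(group, row)
    print("not enough cases to score:", too_small)
```

A flagged group is a trigger for human review of the use case, and a group listed as too small is a gap in the test set to close before the system is signed off.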
How do I manage data protection and residency in an AI pipeline?
This is the most concrete friction point in Morocco. The moment you train or run a model on personal data, Law 09-08 applies: lawful basis, defined purpose, minimization. The sensitive issue is transfer outside the country. Article 43 of Law 09-08 governs transfers of personal data to a recipient or server located outside Morocco: they require either prior CNDP authorization or that the destination country ensures an adequate level of protection (the data subject's express, informed consent being an alternative basis).
Yet the most common cloud AI APIs (OpenAI and others) host their processing abroad. Sending Moroccan personal data to those services can therefore trigger Article 43. The CNDP has already publicly sanctioned failures to notify cross-border transfers.
| Processing option | Compliance consideration | Recommended posture |
|-------------------|--------------------------|---------------------|
| Foreign AI API with personal data | Art. 43 transfer: CNDP authorization or adequate country | Frame, anonymize, or avoid |
| Local hosting or sovereign cloud | Data kept in Morocco | Prefer for sensitive data |
| Upstream anonymization / pseudonymization | Reduces exposure to personal data | Build into the pipeline by design |
Data minimization in your AI pipelines and a shift toward sovereign hosting are not technical footnotes: they are governance decisions.
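Upstream pseudonymization, as listed in the table above, can sit as a small gateway in front of any foreign AI API call. The following is an added example, not code from this guide: the identifier patterns (e-mail, Moroccan phone numbers, CIN-style IDs), the token format, the key and the sample prompt are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import re

# Assumed identifier shapes (illustrative, not from the guide): e-mail,
# Moroccan phone numbers, and CIN-style national ID numbers.
PII = re.compile(
    r"(?P<EMAIL>[\w.+-]+@[\w-]+(?:\.[\w-]+)+)"
    r"|(?P<PHONE>(?<!\d)(?:\+212|00212|0)[5-7]\d{8}(?!\d))"
    r"|(?P<CIN>\b[A-Z]{1,2}\d{5,6}\b)"
)

def _normalise(kind, value):
    """Map equivalent spellings to one form so they share a token."""
    if kind == "PHONE":
        return value[-9:]                       # national number without prefix
    return value.lower() if kind == "EMAIL" else value

def pseudonymize(text, key):
    """Replace identifiers with keyed tokens; return (text, local vault)."""
    vault = {}

    def swap(match):
        kind = match.lastgroup
        msg = f"{kind}:{_normalise(kind, match.group())}".encode()
        # 9 hex chars: too short for a token to ever match PHONE itself.
        digest = hmac.new(key, msg, hashlib.sha256).hexdigest()[:9]
        token = f"<{kind}_{digest}>"
        vault.setdefault(token, match.group())  # vault stays on local storage
        return token

    return PII.sub(swap, text), vault

def residual_pii(text):
    """Egress check: identifier kinds still present in outbound text."""
    return sorted({m.lastgroup for m in PII.finditer(text)})

def restore(text, vault):
    """Put original values back into the API response, locally."""
    for token, original in vault.items():
        text = text.replace(token, original)
    return text

# Constructed sample input and key.
KEY = b"constructed-demo-key"
PROMPT = ("Summarise the complaint from Salma (salma.b@example.ma, "
          "CIN BE123456), reachable on +212661234567 or 0661234567.")
CLEAN, VAULT = pseudonymize(PROMPT, KEY)
```

Pattern matching does not catch names or free-text details (the first name in the sample prompt passes through), so treat `residual_pii` as a minimum gate before egress and keep the key and vault on infrastructure hosted in Morocco.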
How do I make my governance provable and improve it over time?
Governance that is declared but undocumented is worthless in front of an audit, a client, or a regulator. The principle: make the setup provable, not just displayed. Keep technical documentation per system, logs and audit trails, traceability of models and datasets (lineage), and schedule periodic internal audits.
Operationally, the NIST AI RMF (Govern, Map, Measure, Manage) provides a clear operating model, applied iteratively across the whole lifecycle. For organizations seeking external recognition, ISO/IEC 42001:2023, the first certifiable AI management system standard, is the target: map your controls onto both references.
Finally, governance lives over time: post-deployment monitoring, an AI incident and complaint process, third-party and vendor model governance, and a review cadence aligned with how Moroccan and European rules evolve. For most Moroccan SMEs and mid-caps, the realistic entry point is a lightweight framework (charter, risk register, human oversight) before pursuing ISO/IEC 42001 certification. This sequencing is consistent with our complete guide to AI for Moroccan businesses.
FAQ
Does Morocco already impose AI-specific legal obligations?
No. No Morocco-specific AI law is in force as of mid-2026. The "Digital X.0" framework law is still under review. Your current obligations come from Law 09-08 on personal data and, for companies serving the European Union, from the EU AI Act through its extraterritorial scope. Build governance now to pre-position for what is coming.
Can a fully Moroccan company be subject to the EU AI Act?
Yes. Article 2 of Regulation (EU) 2024/1689 covers providers and deployers established in a third country whenever the output produced by their AI system is used in the Union. A Moroccan offshoring, SaaS, or BPO firm serving European clients can therefore fall within its scope, independently of any Moroccan law.
Can I use a US AI API with my Moroccan client data?
With caution. If that data is personal, sending it to a foreign server falls under Article 43 of Law 09-08, which requires prior CNDP authorization or an adequate destination country. Prefer upstream anonymization, local hosting, or a sovereign cloud for sensitive data, and document your lawful basis.
Are NIST AI RMF and ISO/IEC 42001 mandatory?
No. The NIST AI RMF is a voluntary framework published in January 2023. ISO/IEC 42001:2023 is a voluntary standard, but certifiable and auditable. Neither is legally mandatory in Morocco. They serve as best-practice references to structure and prove your governance.
Where do I start if my organization has no AI governance at all?
Start light and proportionate: write an AI charter aligned with the UNESCO principles, appoint an owner and a governance committee, build the register of your use cases, and classify them by risk level. Add human oversight on sensitive decisions. ISO/IEC 42001 certification comes later, once the basics hold.
Sources
Last verified: 17 June 2026.
- UNESCO, "Recommendation on the Ethics of Artificial Intelligence" and Global AI Ethics and Governance Observatory, Morocco profile (unesco.org)
- EU Artificial Intelligence Act, Regulation (EU) 2024/1689, Articles 2, 9 to 14, and 99 (artificialintelligenceact.eu)
- CNDP, Law 09-08 and Dahir n° 1-09-15 of 18 February 2009 (cndp.ma); analyses of Article 43 and penalties (Médias24, LexisNexis Maroc)
- NIST, AI Risk Management Framework (AI RMF 1.0), January 2023 (nist.gov)
- ISO/IEC 42001:2023, Artificial Intelligence Management System (Microsoft Learn, BSI, TÜV SÜD overviews)
- Morocco World News and Digital Watch Observatory, "Maroc IA 2030" and "Digital Morocco 2030" (2025-2026)
- Ecofin Agency and Regulations.ai, draft "Digital X.0" framework law (2025-2026)
