Caribbean AI Governance
AI Governance in the Caribbean: Country Rankings, Policy Gaps, and What Needs to Happen Next
TL;DR
- No CARICOM member state has published a standalone national AI strategy as of April 2026.
- The region attracts only 1.12% of global AI investment despite representing 6.6% of world GDP.
- Only 6% of Caribbean board directors believe their boards spend enough time on AI oversight (PwC, March 2026).
- Jamaica and Barbados lead on foundational AI governance; Haiti, Dominica, and St. Kitts and Nevis are at the earliest stages.
- The CTU Caribbean AI Task Force final report, due at the Caribbean AI Forum in 2026, is the region's best near-term opportunity to establish a unified governance floor.
AI governance in the Caribbean is not a future policy problem. It is a present one. Across all 15 CARICOM member states — Antigua and Barbuda, The Bahamas, Barbados, Belize, Dominica, Grenada, Guyana, Haiti, Jamaica, Montserrat, Saint Kitts and Nevis, Saint Lucia, Saint Vincent and the Grenadines, Suriname, and Trinidad and Tobago — artificial intelligence is already being deployed in banking, insurance underwriting, healthcare triaging, and government service delivery. What is absent, in almost every case, is a coherent legal and institutional framework for governing it.
This article maps where each country stands, ranks them on a composite governance assessment, and gives governments, regulators, and businesses a direct set of actions they can take before the end of 2026.
Why Caribbean AI Governance Is a Now Problem, Not a Later One
The standard narrative positions Caribbean nations as AI consumers rather than AI producers, with policy as something that can wait until adoption matures. The data no longer supports that position.
A PwC survey of 154 board directors across The Bahamas, Barbados, Grenada, Jamaica, Saint Lucia, and Trinidad and Tobago, published in March 2026, found that only 6% of directors believe their boards spend enough time understanding the impact of AI, and just 9% believe they receive sufficient information to address associated risks. That gap between AI deployment and AI oversight is where governance failures occur.
The stakes are structural. Latin America and the Caribbean account for 6.6% of global GDP but attract only 1.12% of global AI investment. That underinvestment partly reflects the absence of the policy certainty that international technology investors require before committing capital. Countries with clear AI governance frameworks attract more investment, more talent programmes, and more favourable partnership terms from multilateral institutions. Countries without them take what arrives by default.
There is also a sovereignty argument. The Caribbean region has significant concerns about data sovereignty, with heavy reliance on global cloud providers and low uptake of open-data standards. A region without its own AI governance architecture will have its data practices, algorithmic standards, and ethical norms determined by the companies whose tools it uses, not by the governments its citizens elect.
The Regional Architecture: What Exists and What It Can Do
The Caribbean is not starting from zero. Two regional instruments define the current governance floor.
The Caribbean AI Policy Roadmap, published by UNESCO in collaboration with the Broadcasting Commission of Jamaica, provides a regional framework built on four pillars: Culture and Creativity, Governance and Transformation, Upskilling and Education, and Resilience and Sustainability. It was developed through consultation with over 1,000 institutions and individuals across 20 Caribbean countries and remains the most comprehensive Caribbean-specific AI policy document available.
The CTU Caribbean AI Task Force was officially launched on 18 July 2025, with a mandate to harmonise AI policies and regulatory frameworks across Caribbean countries, build regional AI capacity with a focus on youth, women, and underrepresented communities, and promote inclusive, ethical, and responsible AI deployment aligned with the UN Sustainable Development Goals. Dr. Craig Ramlal of the University of the West Indies chairs the Task Force, which is scheduled to present a final report and consolidated policy guidance at a Caribbean AI Forum in 2026, in alignment with the CARICOM Single ICT Space.
These instruments are necessary. They are not sufficient. The Roadmap is advisory. The Task Force is a coordination mechanism, not an enforcement body. What is missing is national-level implementation: designated AI oversight bodies, published AI strategies, and enforcement-capable data protection regulators in each member state.
Country-by-Country: Where Every CARICOM State Stands
The ranking below is based on four criteria: the existence and operationalisation of data protection legislation, the presence of a functional data protection authority, engagement with regional AI governance mechanisms, and digital infrastructure capacity as a proxy for AI deployment readiness. Scores are assessed on available public evidence through April 2026.
| # | Country | Tier | Governance Status |
|---|---|---|---|
| 1 | Jamaica | Tier 1 | Data Protection Act (2020) in force since December 2023 with extra-territorial reach, mandatory 72-hour breach notification, and an active Information Commissioner's Office. CARICOM Chair PM Andrew Holness publicly committed to AI in public services in 2025. Engaged with CTU AI Task Force. National AI strategy in development. |
| 2 | Barbados | Tier 1 | Data Protection Act (2019) operational with an appointed Data Protection Commissioner. GDPR-modelled framework with strong individual rights provisions. Active in regional consultations. Barbados is positioned as a financial services hub with corresponding regulatory sophistication. |
| 3 | The Bahamas | Tier 1 | Oldest data protection legislation in the Caribbean, enacted 2007 and brought into force 2007. Data Protection Commissioner established. Enforcement activity remains limited. The law predates generative AI and requires modernisation, but the regulatory body exists and functions. |
| 4 | Antigua and Barbuda | Tier 2 | Data Protection Act passed; regulator appointed; some provisions in force. Completed a UNDP AI Readiness Assessment in October 2024, setting a regional precedent. Actively engaged with CARICOM digital governance agenda. |
| 5 | Trinidad and Tobago | Tier 2 | Data Protection Act passed in 2011 but not fully operational. No Information Commissioner's Office. Government has articulated a vision for an AI-powered public service and is amending the act with GDPR provisions. iGovTT and the Ministry of Digital Transformation are active. Trinidad and Tobago referenced in global AI governance surveys as a Caribbean state advancing policy development. |
| 6 | Saint Lucia | Tier 2 | Data protection legislation enacted with a regulator appointed. Engaged with OECS digital governance frameworks. Participated in PwC 2026 Caribbean Corporate Governance Survey. Governance capacity is constrained by small public sector size. |
| 7 | Guyana | Tier 2 | Data protection law passed but not fully brought into force. The "Digital Guyana" programme includes a sovereign AI cloud initiative to address data sovereignty concerns. Oil revenue creates fiscal space for infrastructure investment that most CARICOM states do not have. Regulatory operationalisation lags behind the economic ambition. |
| 8 | Grenada | Tier 2 | Data protection law exists but enforcement body not yet fully operational. Engaged with OECS-level digital governance discussions. Limited dedicated AI governance activity at national level. |
| 9 | Saint Vincent and the Grenadines | Tier 2 | The Caribbean's oldest data protection legislation, passed in 2003, has never been brought into force and has no appointed regulator. This is a significant gap for a jurisdiction with active financial services. Engaged with regional digital frameworks but without domestic enforcement architecture. |
| 10 | Belize | Tier 3 | Data protection law not fully in effect; no functional regulator. Limited national digital governance infrastructure. Eligible for UNDP AI readiness assessment support. Geographic position and English-speaking status create potential for technology services growth, but governance foundation is weak. |
| 11 | Suriname | Tier 3 | No substantive national AI document identified as of January 2025 (DPO Caribbean). Limited public data on data protection legislative status. Dutch-speaking status creates some alignment opportunity with EU AI Act frameworks but also an integration gap with English-speaking CARICOM states. |
| 12 | Saint Kitts and Nevis | Tier 3 | Limited publicly available documentation on dedicated AI or data protection governance. Financial services sector (Citizenship by Investment) creates a specific risk profile around data governance and AI-assisted due diligence that is not yet formally governed. |
| 13 | Montserrat | Tier 3 | British Overseas Territory; subject to UK GDPR framework in part, but with limited domestic AI governance activity. Small population and public sector make standalone national strategy impractical; the strongest path is alignment with OECS collective frameworks. |
| 14 | Dominica | Tier 3 | No data protection law has been passed. No AI governance framework in evidence. Dominica's ecotourism positioning and small population mean AI deployment is limited, but the absence of any foundational privacy law is a baseline gap that affects all digital sectors. |
| 15 | Haiti | Tier 3 | Ongoing political and institutional instability prevents meaningful AI governance development. The governance deficit here is not primarily a technology policy failure — it reflects a broader state capacity crisis. External actors including UN agencies are operating AI tools in Haiti without a domestic regulatory counterpart. |
Tier 1: Active data protection law with functional regulator and regional AI engagement. Tier 2: Partial legal framework or regulator, with some forward governance activity. Tier 3: Minimal or no foundational AI governance infrastructure.
The Data Protection Floor: Why It Is the Starting Point for AI Governance
Across the Caribbean, the conversation about AI governance tends to focus on national AI strategies, algorithmic transparency, and advanced regulatory frameworks. All of that matters. But the more immediate problem for most CARICOM states is simpler: the baseline privacy and data protection laws that should govern AI inputs and outputs either do not exist, have not been brought into force, or exist on paper with no enforcement body behind them.
The Bahamas is the only jurisdiction which has fully implemented its data protection law and established a regulator, yet has very little enforcement activity. Jamaica, Antigua and Barbuda, and Barbados have implemented some provisions and appointed a regulator. Belize, Grenada, and Guyana have not brought the law fully into effect. Dominica has not passed any data protection law. Trinidad and Tobago, one of the earliest adopters with legislation passed in 2011, has yet to bring its legislation fully into force and has no regulator.
This matters directly for AI because any AI system processing personal data — and most commercially deployed systems do — operates within the scope of data protection law. Where no enforcement exists, citizens have no recourse when AI systems get things wrong. Where no regulator exists, companies face no accountability for the data practices that feed their models.
The Jamaican Data Protection Act sets the current regional standard. Jamaica's Data Protection Act, 2020, includes extra-territorial reach and robust individual rights. The law is administered by an independent Information Commissioner, with clear enforcement powers, and includes mandatory breach notification within 72 hours and international scope covering foreign processors handling Jamaican data. That is the benchmark other CARICOM states should be working toward.
Guidelines and Recommendations: A 12-Month Action Agenda for Caribbean Governments
The following recommendations are organised by what is achievable without new legislation, what requires legislative action, and what requires regional coordination. They are addressed to national governments, though regulators and the private sector each have corresponding responsibilities.
Actions Requiring No New Legislation (0–6 Months)
- Operationalise existing data protection laws. Trinidad and Tobago, Belize, Guyana, and Grenada have legislation that is not enforced because no regulator has been appointed or fully resourced. Appointing a commissioner and allocating a functional budget is an executive action, not a legislative one. Without this step, all AI governance that follows is built on sand.
- Designate an AI coordination lead within government. Every CARICOM state should name a ministry or statutory body as the national point of contact for AI policy. This does not require a new agency. In most cases, an existing ministry of digital transformation, technology, or innovation can absorb this mandate with a small terms-of-reference adjustment.
- Commission a national AI readiness assessment. Antigua and Barbuda completed a UNDP-supported readiness assessment in October 2024. The methodology is validated and the support is available. Every CARICOM state that has not done this should begin the process now. The assessment takes approximately six months and produces a baseline that makes every subsequent policy decision more grounded.
- Issue guidance to public sector entities on AI procurement. Government agencies in Jamaica, Barbados, Trinidad and Tobago, and The Bahamas are already procuring AI-enabled software from international vendors. They need internal guidance on what data governance requirements to impose on those vendors before contracts are signed, not after.
Actions Requiring Legislative or Regulatory Development (6–18 Months)
- Modernise data protection legislation to address AI-specific risks. Laws modelled on the 1995 EU Data Protection Directive (St. Vincent and the Grenadines, 2003) or even the GDPR's 2018 framework do not address automated decision-making, algorithmic bias, or large-scale AI training data adequately. Amendments should include provisions on automated individual decisions, right to human review, and AI-specific impact assessments for high-risk systems.
- Establish AI transparency requirements for high-risk public sector use. Any government AI system affecting access to benefits, immigration status, criminal justice outcomes, or public health decisions should require disclosure, auditability, and a published impact assessment. This can be achieved through a ministerial directive or statutory instrument rather than primary legislation in most jurisdictions.
- Pass or upgrade data protection legislation in Dominica, Saint Kitts and Nevis, and Suriname. These three states have the largest gaps relative to regional norms. Model legislation exists — the CARICOM-level HIPCAR model policy provides a starting point — and donor support through the World Bank and UNDP is available to assist with drafting and implementation.
Actions Requiring Regional Coordination (Ongoing)
- Engage substantively with the CTU Caribbean AI Task Force final report process. The 2026 Caribbean AI Forum will produce the region's most detailed governance recommendations to date. Every CARICOM government should send a senior official. The report's recommendations will only have force if they are adopted at the national level, and adoption requires champions who were present when the recommendations were shaped.
- Establish a Caribbean AI incident registry. When AI systems cause harm in the region, there is currently no mechanism for sharing that information across borders. A regional incident registry, even a lightweight voluntary one, would allow regulators in smaller states to benefit from enforcement experience in Jamaica or Barbados without duplicating the investigative work.
- Negotiate collective data governance terms with major AI platform providers. Individual CARICOM states have limited bargaining power when dealing with Google, Microsoft, or Amazon Web Services. CARICOM as a collective body, with the CTU as its ICT arm, has more. A regional data sovereignty framework should include common contractual standards that member states can reference when procuring AI services from global providers.
What Caribbean Businesses Should Do Right Now
Governance is a government responsibility, but it is a business risk. Organisations in Jamaica, Barbados, Trinidad and Tobago, and The Bahamas that are deploying AI tools are already operating within the scope of existing data protection law, whether or not their legal teams have assessed that exposure.
Three actions reduce that risk immediately. First, conduct a data processing inventory. Identify every AI tool in use, what personal data it processes, who controls that data, and whether a Data Processing Agreement exists with the vendor. In Jamaica, operating without a ROPA (Record of Processing Activity) is a compliance gap under the Data Protection Act 2020.
Second, assess your highest-risk AI applications against the criteria for automated individual decisions. Credit scoring, hiring screening, and insurance pricing are the most common examples in Caribbean financial services and professional services. Where these systems produce decisions with significant consequences for individuals, human review mechanisms must be in place before regulators begin asking about them.
Third, bring AI governance onto the board agenda. PwC's 2026 Caribbean Corporate Governance Survey found that AI will redefine strategy and competitiveness, yet most boards acknowledge they lack the time, skills, and training needed for effective oversight. That gap is a board governance failure, not just a technology management problem. Boards that cannot articulate their organisation's AI risk exposure cannot govern it.
Frequently Asked Questions
What is AI governance and why does it matter for the Caribbean?
AI governance is the set of laws, policies, and institutional arrangements that determine how artificial intelligence systems are built, deployed, and held accountable. For the Caribbean, it matters because AI is already being used in banking, healthcare, and government services across the region, and without governance frameworks, those systems can cause harm, embed bias, or expose citizens to unregulated surveillance, with no legal recourse.
Which Caribbean country has the strongest AI governance?
Based on data protection legislation, active enforcement, digital infrastructure, and engagement with regional AI policy bodies, Jamaica and Barbados lead the CARICOM group. Jamaica's Data Protection Act (2020) includes extra-territorial reach and mandatory breach notification within 72 hours. Barbados has a functioning Data Protection Commissioner. Neither country has a published national AI strategy, but both are ahead of the rest of the region on foundational governance.
Does CARICOM have a regional AI policy?
Yes, partially. The UNESCO Caribbean AI Policy Roadmap, developed with input from over 1,000 institutions and individuals across 20 Caribbean countries, was published in 2021. The CTU Caribbean AI Task Force was launched in July 2025 to harmonise AI policies across CARICOM member states. A final consolidated report with binding-style recommendations is expected at the Caribbean AI Forum in 2026. No CARICOM member state has yet published a standalone national AI strategy.
How does Caribbean AI governance compare to the rest of the world?
The Caribbean lags significantly. Latin America and the Caribbean as a whole rank seventh out of eight global regions in the AI Readiness Index, with an average score of 42.99 against a global average of 47.59. The region attracts only 1.12% of global AI investment despite representing 6.6% of world GDP. Most CARICOM states score below the global e-Government Development Index benchmark.
What are the risks of weak AI governance for Caribbean businesses?
Three risks are most immediate. First, regulatory exposure: businesses deploying AI tools that process personal data in Jamaica or Barbados can face fines and director-level imprisonment under existing data protection law. Second, correspondent banking risk: international financial partners increasingly require evidence of responsible AI use in compliance functions. Third, reputational risk: AI systems that produce discriminatory outputs in hiring, credit, or healthcare, with no accountability mechanism, erode public trust in the organisations that built them.
Is AI regulated in Trinidad and Tobago?
Not effectively. Trinidad and Tobago passed a Data Protection Act in 2011, but the legislation has not been fully brought into force and there is no functioning Information Commissioner's office. The Ministry of Digital Transformation has articulated a vision for an AI-powered public service, and the government is amending the data protection act with GDPR-aligned provisions. As of April 2026, no national AI strategy has been published.
What should Caribbean governments do first on AI governance?
Three actions are executable within 12 months without requiring new legislation. First, fully operationalise existing data protection laws, especially in Trinidad and Tobago, Belize, Guyana, and Grenada, where laws exist but enforcement bodies do not. Second, complete a national AI readiness assessment using the UNDP framework (Antigua and Barbuda completed this in 2024). Third, designate an existing ministry as the lead AI coordination body and establish an inter-ministerial working group before the CTU Caribbean AI Forum in 2026.
Where is Caribbean AI governance headed over the next two years?
The CTU Caribbean AI Task Force is scheduled to deliver its final report and consolidated policy guidance at the Caribbean AI Forum in 2026. At least two CARICOM states, Jamaica and Trinidad and Tobago, are expected to publish national AI strategies before the end of 2026. The pace depends on political will and institutional capacity, both of which remain uneven across the region.
The Governance Window Is Open, but Not Indefinitely
The Caribbean has a narrow window to shape its own AI governance architecture. The CTU Caribbean AI Task Force will report in 2026. The EU AI Act is now influencing every country whose businesses trade with Europe, which includes every major Caribbean financial centre. International AI platforms are setting default data practices that become harder to renegotiate once contracts are signed and systems are embedded.
Governance built now, even imperfect and incremental, gives Caribbean citizens, businesses, and governments options. Governance deferred gives them fewer options at higher cost. Jamaica and Barbados have demonstrated that small states can establish credible regulatory frameworks. Antigua and Barbuda has demonstrated that readiness assessments are achievable. Trinidad and Tobago has the institutional capacity and the political attention to move further than it has.
The question for the remaining 11 CARICOM states is not whether AI governance is technically feasible. It plainly is. The question is whether the political urgency exists to match the technological one. The data suggests the window for a considered, Caribbean-designed answer is about 24 months wide.
Caribbean AI will continue tracking these developments across all 15 CARICOM member states. Subscribe for updates as the CTU Task Force final report and the 2026 Caribbean AI Forum approach.