Forging Sri Lanka's Enterprise AI Strategy Amidst Global Currents

The global surge in artificial intelligence (AI) presents not merely an opportunity, but an imperative for nations like Sri Lanka. While the narrative often centres on economic leaps in giants like India or China, the critical challenge for smaller, developing economies lies in harnessing AI's transformative power resiliently. This demands a strategy acutely aware of inherent vulnerabilities, infrastructural constraints, and the paramount need for inclusive, ethical deployment. As someone deeply immersed in development economics and policy formulation, having navigated complex international and national governance landscapes, I contend that Sri Lanka’s enterprise AI journey must prioritise strategic resilience above raw speed. The projected economic impact – often cited optimistically, though precise, consistently verified figures for Sri Lanka circa 2035 remain elusive in authoritative public sources – hinges entirely on this foundation.

The Sri Lankan Context: Promise Tempered by Reality

Sri Lanka's digital infrastructure and talent pool form the bedrock upon which any AI strategy must be built. Current data paints a picture of potential constrained by significant gaps:

1.     Digital Penetration & Infrastructure: Internet penetration stood at approximately 47% of the population in 2021 (World Bank, 2022), significantly lower than regional peers. While mobile broadband access is higher, fixed broadband – crucial for robust AI development and deployment – remains limited, especially outside urban centres. The 2021 Network Readiness Index ranked Sri Lanka 81st globally (Portulans Institute, 2021), highlighting challenges in technology access, governance, and impact. Power stability, though improving, remains a historical concern for data-intensive operations.

2.     Talent Pipeline: The core fuel for AI is skilled human capital. Sri Lanka produces around 15,000 IT/ITeS graduates annually (Sri Lanka Association of Software and Service Companies - SLASSCOM, cited in ADB, 2021). However, a critical shortage exists in specialised AI/ML skills, data science, and deep technical expertise. Brain drain further exacerbates this gap. Building a domestic talent pool capable of developing, implementing, and governing enterprise AI is a multi-year endeavour requiring urgent, concerted effort.

3.     Economic Structure: Dominated by SMEs, Sri Lanka's enterprise landscape often lacks the capital reserves and risk appetite for significant, unproven technological investments. The 2022 economic crisis further strained resources, making cost-effective, high-impact AI solutions paramount.

The Triad of Resilience: Cyber, Governance, Accountability

Deploying AI without embedding resilience is akin to building on sand. Three pillars are non-negotiable:

1.     Cyber Resilience in the AI Era: AI systems introduce novel attack vectors and amplify the impact of breaches. Adversarial attacks can manipulate AI models, data poisoning can corrupt learning, and AI-powered cyberattacks are becoming more sophisticated. Sri Lankan enterprises often operate with limited cybersecurity maturity. The Global Cybersecurity Index (GCI) 2020 ranked Sri Lanka 78th globally (ITU, 2020), indicating significant room for improvement. Best practices from nations like Singapore (ranked 1st on GCI 2020) demonstrate the necessity of:

o   Integrating Security by Design: Mandating security protocols within the AI development lifecycle (SDLC), not as an afterthought. This includes rigorous data validation, model testing for vulnerabilities (e.g., adversarial robustness checks), and secure deployment pipelines.

o   AI-Specific Threat Intelligence: Developing and sharing intelligence on emerging AI threats targeting financial systems, critical infrastructure, or public services.

o   SME-Centric Support: Providing accessible frameworks, tools, and potentially shared security operations centres (SOCs) tailored for resource-constrained SMEs adopting AI. Models like the UK's National Cyber Security Centre (NCSC) guidance for small businesses offer valuable templates (NCSC, ongoing).

o   Investment in Critical Infrastructure: Securing national data infrastructure and cloud platforms is fundamental. Collaboration with international partners adhering to robust standards (e.g., EU cybersecurity frameworks like NIS2 Directive) is crucial.

o    

o   Figure 1: Global Cybersecurity Index (GCI) Scores - Selected Comparators (ITU, 2020)*

Country	GCI Score (2020)	Global Rank (2020)
Singapore	100.00	1
Malaysia	98.06	3
India	97.49	10
Sri Lanka	64.92	78
Thailand	61.78	86

2.     Creating a Robust Governance Framework: Without clear rules of the road, AI deployment risks ethical breaches, bias amplification, and public backlash, stifling innovation. Sri Lanka currently lacks comprehensive, AI-specific legislation. Drawing from global best practices is essential:

o   Adopting Core Principles: Embedding principles like fairness, transparency, accountability, privacy, and human oversight, as outlined in the OECD AI Principles (OECD, 2019) and UNESCO's Recommendation on the Ethics of AI (UNESCO, 2021), into national policy and corporate governance.

o   Risk-Based Regulation: Following the EU AI Act's approach (European Parliament, 2024) by categorising AI applications based on risk (unacceptable, high, limited, minimal) and tailoring regulatory requirements accordingly. High-risk applications (e.g., recruitment, credit scoring, critical infrastructure) demand stringent oversight, including conformity assessments and human-in-the-loop requirements.

o   Sectoral Adaptation: Developing specific guidelines for high-impact sectors like finance (algorithmic trading, credit risk), healthcare (diagnostic tools), and agriculture (predictive analytics), learning from frameworks like Singapore's FEAT Principles for finance (MAS, 2018) or India's Responsible AI approach in healthcare (NITI Aayog, 2021).

o   Data Governance: Strengthening the existing Personal Data Protection Act (2022) to explicitly address AI training data requirements, consent mechanisms for secondary use, and algorithmic bias mitigation. Establishing clear data sharing protocols for public sector data, crucial for training impactful AI models (e.g., in agriculture, disaster management), while ensuring privacy, is vital. Estonia's X-Road infrastructure provides a compelling model for secure data exchange.

o   Establishing Oversight: Creating a multi-stakeholder National AI Governance Body, involving government, industry, academia, and civil society, to oversee implementation, adapt regulations, promote standards, and handle grievances.

3.     Innovation with Accountability: Resilience isn't stagnation. It enables sustainable innovation. The goal is to foster an environment where experimentation thrives within ethical and secure boundaries:

o   Regulatory Sandboxes: Establishing controlled environments, like those pioneered by the UK's Financial Conduct Authority (FCA) and adopted in Singapore, Malaysia, and India, allowing enterprises to test innovative AI solutions with real data under regulatory supervision and temporary exemptions. This accelerates learning while managing risk.

o   Bias Auditing & Explainability (XAI): Mandating regular audits of AI systems for bias, particularly against protected groups, using standardised methodologies. Promoting the development and adoption of Explainable AI (XAI) techniques so stakeholders (users, regulators, internal auditors) can understand AI decisions, especially in high-stakes domains. Tools like IBM's AI Fairness 360 offer open-source frameworks.

o   Human-Centred AI Design: Ensuring AI augments human decision-making, not replaces it entirely without oversight, particularly in critical functions. Investing in workforce reskilling and upskilling programmes focused on AI literacy and human-AI collaboration is essential for equitable transition. Initiatives like Finland's "1% AI" training model provide inspiration.

o   Promoting Open Innovation & Collaboration: Encouraging partnerships between academia (universities conducting AI research), industry (problem definition, deployment), and government (funding, policy support). Establishing national AI research centres focused on solving local challenges (e.g., precision agriculture for climate resilience, Sinhala/Tamil NLP) can drive relevant innovation. The AI Singapore programme is a benchmark.

Charting Sri Lanka's Path: Practical Solutions and the Way Forward

Based on the realities and the triad of resilience, here are concrete, actionable recommendations:

1.     National AI Strategy & Roadmap (Year 1): Develop and publicly release a clear, actionable National AI Strategy. This must prioritise cyber resilience, ethical governance, and talent development as foundational pillars, not add-ons. It should set measurable targets (e.g., % of large enterprises with AI governance frameworks by 2025, number of AI specialists trained annually, improved GCI ranking) and assign clear institutional responsibilities. Learn from the focused strategies of countries like the UAE and Malaysia.

2.     Urgent Talent Development Surge (Years 1-3):

o   Revamp University Curricula: Integrate core AI/ML, data science, and ethics modules into relevant STEM and business/economics degrees. Partner with global tech firms (Google, Microsoft, NVIDIA) for curriculum input and faculty training.

o   National AI Scholarship Programme: Fund scholarships for postgraduate AI studies (MSc, PhD) domestically and at leading international institutions, with bonds requiring service in Sri Lanka.

o   Industry-Academia Apprenticeships: Mandate or incentivise major tech employers (local and MNCs) to offer structured AI apprenticeships and internships.

o   Targeted Upskilling: Launch government-subsidised, industry-recognised certification programmes in AI fundamentals, data literacy, and AI ethics for mid-career professionals, especially managers and policymakers.

3.     Strengthen the Cyber-AI Nexus (Ongoing):

o   National AI Security Guidelines: Issue mandatory guidelines based on NIST AI RMF (NIST, 2023) and ENISA's AI cybersecurity guidance (ENISA, 2021) for all public sector AI and critical infrastructure.

o   Establish CERT-AI: Create a dedicated unit within Sri Lanka CERT|CC focused on AI threat intelligence, incident response for AI systems, and vulnerability coordination.

o   Promote Secure AI Development Kits: Collaborate with industry to provide SMEs with vetted tools and libraries incorporating security best practices.

4.     Implement Phased, Risk-Based Regulation (Years 1-4):

o   Immediate (Year 1): Issue comprehensive guidelines for public sector AI procurement and use, mandating algorithmic impact assessments (AIAs) for high-risk applications.

o   Short-Term (Year 2): Enact regulations for clearly defined high-risk private sector AI uses (e.g., financial scoring, HR recruitment, healthcare diagnostics), requiring conformity assessments, bias audits, and human oversight.

o   Medium-Term (Year 3-4): Develop a full AI Act, informed by the EU model and local experience, establishing the National AI Governance Body as the regulator. Launch a regulatory sandbox.

5.     Foster Inclusive Innovation Ecosystems:

o   AI for Local Challenges Fund: Establish competitive grant funding (public & donor-supported) for AI R&D tackling specific Sri Lankan problems (e.g., climate-smart agriculture, landslide prediction, Sinhala/Tamil language AI, SME productivity tools).

o   SME AI Adoption Vouchers: Provide financial and technical support (consultancy, cloud credits) for SMEs to pilot proven, high-impact AI solutions (e.g., inventory optimisation, customer service chatbots, predictive maintenance).

o   Open Data Platform: Accelerate the release of non-sensitive, high-value government datasets in machine-readable formats (anonymised where necessary) to fuel AI innovation, adhering to strong privacy standards.

6.     International Collaboration: Actively engage in regional (ASEAN, SAARC) and global (OECD, GPAI, UN) forums on AI governance, cybersecurity, and standards. Leverage partnerships for knowledge exchange, technical assistance, and aligning with international best practices.

Conclusion: Resilience as the Catalyst

The promise of AI for Sri Lankan enterprises is undeniable – potential efficiency gains, new markets, and solutions to persistent developmental challenges. However, realising this promise without succumbing to new vulnerabilities requires a deliberate strategy centred on resilience. This means proactively building cyber defences fit for the AI age, establishing governance that earns public trust through ethical rigour and accountability, and fostering innovation that is inclusive and sustainable. Rushing headlong into adoption without these foundations risks systemic failures, exacerbated inequalities, and a loss of public confidence that could set back the digital transformation agenda for years.

Sri Lanka has the intellectual capital and the imperative to act. By learning from global best practices, adapting them to local realities, and prioritising strategic resilience from the outset, Sri Lankan enterprises can harness AI not just as a tool for profit, but as a genuine engine for inclusive and sustainable national development. The time for a clear-sighted, resilient AI strategy is now. The cost of inaction, or ill-considered action, is simply too high.

References

·        ADB (Asian Development Bank). 2021. Sri Lanka: Fostering Skills for the Digital Economy. Manila: Asian Development Bank. [Note: While the full report might detail graduate numbers, SLASSCOM data is widely cited in media and ADB analyses based on national sources].

·        ENISA (European Union Agency for Cybersecurity). 2021. Artificial Intelligence Cybersecurity Challenges: Threat Landscape for Artificial Intelligence. Luxembourg: Publications Office of the European Union. https://www.enisa.europa.eu/publications/artificial-intelligence-cybersecurity-challenges

·        European Parliament. 2024. Regulation (EU) ... Laying Down Harmonised Rules on Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts. (Text adopted P9_TA(2024)0138). https://www.europarl.europa.eu/doceo/document/TA-9-2024-0138_EN.pdf [Note: Final text formally adopted March 2024].

·        ITU (International Telecommunication Union). 2020. Global Cybersecurity Index 2020. Geneva: International Telecommunication Union. https://www.itu.int/epublications/publication/global-cybersecurity-index-2020/en/

·        MAS (Monetary Authority of Singapore). 2018. Principles to Promote Fairness, Ethics, Accountability and Transparency (FEAT) in the Use of Artificial Intelligence and Data Analytics in Singapore’s Financial Sector. https://www.mas.gov.sg/regulation/guidelines/feat-principles

·        NCSC (National Cyber Security Centre - UK). (Ongoing). Small Business Guide: Cyber Security. https://www.ncsc.gov.uk/collection/small-business-guide

·        NIST (National Institute of Standards and Technology). 2023. Artificial Intelligence Risk Management Framework (AI RMF 1.0). Gaithersburg, MD: National Institute of Standards and Technology. https://www.nist.gov/itl/ai-risk-management-framework

·        NITI Aayog (National Institution for Transforming India). 2021. *Responsible AI #AIForAll: Approach Document for India Part 2 - Operationalizing Principles for Responsible AI*. New Delhi: NITI Aayog. https://www.niti.gov.in/sites/default/files/2021-02/Responsible-AI-22022021.pdf

·        OECD (Organisation for Economic Co-operation and Development). 2019. Recommendation of the Council on Artificial Intelligence. OECD/LEGAL/0449. Paris: OECD Publishing. https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0449

·        Portulans Institute. 2021. Network Readiness Index 2021: Accelerating Digital Transformation. https://networkreadinessindex.org/nri-2021/ [Note: Specific country rankings are accessible via their interactive tool/data].

·        UNESCO. 2021. Recommendation on the Ethics of Artificial Intelligence. Paris: UNESCO. https://unesdoc.unesco.org/ark:/48223/pf0000381137

·        World Bank. 2022. Individuals using the Internet (% of population) - Sri Lanka. https://data.worldbank.org/indicator/IT.NET.USER.ZS?locations=LK [Note: Data typically has a 1-2 year lag. 2021 is the latest confirmed data point at time of writing].