The Complete Guide to Using AI in the Government Industry in Peru in 2025

Peru's government has stepped into 2025 with a clear, rule-driven embrace of AI: Law 31814 creates a risk-based regime that names prohibited uses, flags high‑risk areas like biometric ID and credit scoring, and requires transparency, human oversight and stronger data governance - positioning Peru as a regional leader in responsible AI policy (Peru Law 31814 AI regulation overview).

The Regulation was published in the Official Gazette on 9 September 2025, kicking off phased implementation and sectoral timelines that start in 2026 (Peru AI regulation published in the Official Gazette (9 Sep 2025)).

For public teams and civil servants looking to upskill fast, practical training like Nucamp's Nucamp AI Essentials for Work bootcamp - practical AI skills for the workplace offers concrete, workplace-ready skills - so government projects can move from pilot to production without sacrificing citizen rights or oversight, and with tools for real-world compliance.

Peru's AI framework centers on Law 31814 - a risk‑based regime enacted to promote safe, transparent and human‑centered AI while curbing harmful uses - and is now complemented by detailed regulation published in the Official Gazette on 9 September 2025; together they place clear duties on developers and public bodies for transparency, human oversight, data governance and incident reporting (see an overview of Peru's Law 31814: Overview of Peru's Law 31814 AI regulation and the regulation's publication details: Peru AI regulation published in the Official Gazette).

The rules carve AI into prohibited, high‑risk and acceptable buckets: prohibited uses include subliminal manipulation, harmful social scoring and certain real‑time biometric identification in public spaces, while high‑risk systems span biometric ID, credit scoring, educational assessments, employment selection and critical‑infrastructure controls - each triggering stronger transparency, audit and consent obligations.

Governance is centralized under the national digital transformation system, with the Presidency of the Council of Ministers and its Secretariat of Government and Digital Transformation designated to lead implementation, and operators must adopt proportional safety measures, data‑minimization, cross‑border controls and regular audits; even short pilots should map risk levels early, because a live face‑recognition system in a public place can instantly move a project into the most restricted category, changing compliance and procurement requirements overnight.

Peru's Law 31814 and its implementing regulation set a clear, risk‑based map for public-sector AI: some systems are outright prohibited, many are designated high‑risk with strict controls, and a broad set remain acceptable or low‑risk with lighter duties.

Prohibited (“unacceptable”) uses include subliminal manipulation, social‑scoring schemes that produce detrimental effects, and certain real‑time biometric identification in public spaces - rules designed to stop tools that could silently reshape people's choices or civic life (see an overview of Peru's AI regulation (Law 31814) Overview of Peru AI Regulation (Law 31814)).

High‑risk systems - biometric ID and categorization, credit scoring and loan assessments, educational testing and admissions, employment and worker‑evaluation tools, critical‑infrastructure controls and even prioritization within social programs - trigger obligations for transparency, human oversight, data‑minimization and auditing, so a single feature (for example, adding live face recognition to a pilot) can instantly change procurement and compliance paths.

Lower‑risk uses such as chatbots, customer service automation and entertainment AI remain permitted with basic transparency and privacy care. For government teams, the practical takeaway is simple: classify early, document decisions, and treat biometric or scoring pilots as potential high‑stakes projects from day one.

Peru's AI governance is deliberately centralized: Law 31814 places the Presidency of the Council of Ministers at the center of oversight, with the Secretariat of Government and Digital Transformation (SGTD) named as the competent technical‑regulatory national authority that can issue guidelines, technical standards and binding opinions, conduct preventive monitoring and request technical information from developers - powers explained in the OECD summary and in the Regulation analysis (OECD summary of Peru Law 31814 on AI governance: OECD summary of Peru Law 31814 on AI governance, Regulation approval overview for Peru AI law on Lexology: Regulation approval overview for Peru AI law (Lexology)); alongside the SGTD, the National Centre for Digital and AI Innovation (CNIDIA) functions as a practical hub for projects, partnerships and training, while agencies such as the National Authority for Personal Data Protection (ANPDP), Indecopi, the Police and sectoral committees plug into multisector coordination and enforcement.

This means teams running pilots should expect oversight to be both technical and operational: a single SGTD information request or preventive monitoring action can trigger audits or stricter compliance tracks, changing a project's timeline overnight - and citizens can flag improper uses through the government's digital channels as the rules take hold (Peru AI regulation overview: Peru AI regulation overview (Nemko Digital)).

Public entities in Peru must move beyond pilots to a compliance-first mindset under Law 31814 and its implementing regulation (published 9 September 2025): expect mandatory risk classification, transparent labelling of high‑risk systems, documented human‑in‑the‑loop controls, strict data‑minimization and cross‑border rules, regular audits and incident reporting, and retention of impact documentation for years where required.

The Presidency of the Council of Ministers (via the SGTD) can issue binding standards, run preventive monitoring and request technical information, so a single information request or a change like adding live face‑recognition to a trial can push a project into high‑risk status and trigger audits or extra controls overnight (see the regulation summary and obligations in the Official Gazette notice and analysis).

Timelines matter: the Regulation's entry into force leads to phased public‑sector timelines (1–3 years depending on the entity), so agencies should run immediate risk assessments, adopt internal AI policies, name Digital Security/Personal Data/Data Governance officers, train staff on human‑oversight duties, and prepare registration, traceability and PIA-style documentation to meet SGTD and ANPDP oversight.

For actionable guidance on the scope of duties and practical steps, review the official overviews and implementation notes from Peru's regulatory analyses.

Peru's rollout timeline mixes near‑term deadlines with phased grace periods, so government teams should treat 2025 as the year to move from checklist to action: the new data‑protection updates that took effect on 30 March 2025 tighten breach notification, cross‑border rules and DPO timetables (see the 2025 compliance guide), while the AI regulation and its implementing rules published in the Official Gazette in September 2025 start regulated deployment windows that push many public‑sector obligations into 2026 and beyond (Peru data protection law 2025 compliance guide, Peru AI regulation overview and analysis).

Expect staged enforcement: some duties (registration, privacy notices, immediate incident reporting) are already live, higher‑risk controls and automated‑decisioning safeguards carry multi‑year implementation or grace periods (notably ADM timelines reaching into late 2026), and criminal‑law changes that reference AI carry expedited executive deadlines - complementary rules tied to the April 2025 criminal reform had a 60‑day window for regulation, a reminder that legal clocks can accelerate quickly (Peru criminal code AI reform analysis).

Practical takeaway: run a rapid inventory, map systems to risk buckets, start DPO/Digital Security officer planning now, and be prepared to respond to SGTD or ANPDP information requests that can shift a pilot into a formal compliance path overnight.

Practical adoption starts with a fast, honest inventory: map every AI use, then classify each system against Law 31814's risk tiers so a pilot with live face recognition is treated like a legal tripwire that can push a project into high‑risk oversight overnight (see the Peru AI regulation overview for context).

Next, lock in governance - name a Digital Security Officer, Personal Data Officer and a clear approval path, and build an AI lifecycle process that embeds proportionality, data‑minimization, and human‑in‑the‑loop checkpoints from design through decommission.

Pair technical controls (logging, versioning, explainability) with operational rules: mandatory privacy impact assessments, incident reporting and retention of traceability records to meet SGTD and ANPDP expectations.

Train staff on role‑based oversight and bias testing, and adopt recognised frameworks - NIST RMF, ISO/IEC 23894 or similar - to standardise risk assessments and audits as public agencies scale deployments.

Finally, use regulatory certainty to unlock innovation: document decisions for procurement, iterate in sandboxes, and publish inventories and transparency notices so projects remain useful, auditable and aligned with Peru's human‑centred AI goals (overview of Law 31814 and practical inventory/governance advice linked below).

Peru's AI story in 2025 is sectoral and pragmatic: in education, adaptive tutors and personalized learning platforms promise tailored pathways but bump up against high‑risk rules when they touch assessments or admissions, so schools must pair innovation with strict privacy and consent safeguards (see a Peru AI regulation overview and local guidance on classroom transformation like Guidance for AI transformation in basic education in Peru); special‑education workflows such as IEP drafting require the same careful data governance highlighted by 2025 school‑privacy warnings.

Health use‑cases are equally promising and sensitive: diagnostic‑assistance and telemedicine tools can extend specialist expertise to remote clinics but must protect patient records and meet cross‑border data limits.

In public services, automation for document processing already shows how inboxes and backlogs can shrink, freeing staff for oversight and human review - real gains when paired with fraud‑detection, resource‑allocation analytics and transparent citizen notifications (see practical automation examples for Peruvian services).

The practical thread across sectors: classify each system early under Law 31814's risk tiers, bake in human‑in‑the‑loop checks and privacy‑first data practices, and treat any assessment, biometric or admission tool as a potential high‑risk project from day one - because a single automated scoring feature can transform a helpful pilot into a tightly regulated deployment overnight.

Peru's fintech scene is where pragmatic regulation meets fast-moving AI: banks and startups are harnessing machine‑learning for fraud detection, real-time AML/CFT screening, personalised services and alternative‑data credit scoring, with roughly 30% of fintechs already integrating AI tools in their stacks (see the Peru fintech practice guide for 2025).

Under Law 31814 credit‑scoring and loan‑assessment systems sit in the law's high‑risk column, so any move from prototype to production - especially if models use biometric or alternative data - creates clear transparency, audit and human‑oversight duties under the national AI regime (overview of Peru's Law 31814 and risk rules).

Regulators are trying to balance safety and innovation: the SBS sandbox offers a controlled testing route for authorised players, while Decree Supremo 006‑2023‑JUS and related AML rules already pull crypto service providers into reporting regimes, leaving exchanges and VASPs in a grey area that demands careful compliance.

On the payments side, new fraud-prevention rules (SBS Regulation No. 2286‑2024) and a phased 2FA mandate are shifting liability and forcing tech upgrades across card and wallet flows.

Practical takeaway for teams: treat AI‑driven scoring, onboarding and AML pilots as potential legal “tripwires,” build explainability and regtech controls into designs from day one, and use sandboxes and clear traceability so a promising fraud‑fighting model becomes a compliant production asset, not a regulatory headache (Peru fintech practice guide; Peru AI regulation overview; LATAM fraud/regulatory update).

Peru's AI transition now calls for clear, practical next steps: use the OECD policy navigator to align agency strategy with the country's draft National AI Strategy and crowdsource technical input (OECD: Peru AI policy initiatives), pair that guidance with the openness and citizen‑engagement commitments in Peru's OGP Action Plan to build transparent oversight and public consultation loops (Peru Action Plan 2023–2025), and convert inventory into action by classifying every system under Law 31814's risk tiers - remember that a single feature, such as adding live face recognition, can flip a pilot into a high‑risk deployment overnight and change procurement, audit and reporting obligations.

For teams that need fast, practical skills to meet these demands, consider hands‑on workplace training like Nucamp's AI Essentials for Work to learn prompt design, human‑in‑the‑loop controls and traceability practices that make projects auditable and useful (AI Essentials for Work syllabus); combine that learning with rapid PIAs, clear DPO/Digital Security roles and published transparency notices so Peru's ministries can innovate without surprise regulatory setbacks.