The CBUAE published its Guidance Note on responsible AI and machine learning adoption in February 2026. It applies to every licensed financial institution in the UAE: banks, insurers, exchange houses, payment providers. The word that causes the most confusion is "should." The guidance is framed as expectation rather than hard rule, and some institutions have read that as optional.
That reading is a mistake. In supervisory practice, "should" carries weight. If an examiner references the guidance and you cannot show you have addressed it, the distinction between "should" and "must" will not help you. Treat it as the standard you will be measured against.
The four areas it covers
Board-level accountability. The guidance places responsibility for AI systems at board level. AI can no longer be treated as an IT matter handled below the line. The board is expected to understand what AI is running and to own the risk.
A model inventory with risk ratings. Institutions are expected to maintain an inventory of their AI systems, each with a risk rating. This is the foundational control, and the one most institutions lack. You cannot govern what you have not catalogued.
Annual bias testing. AI systems that affect customers are expected to be tested for bias on a regular basis. Not once at launch, but annually, because models drift and customer populations change.
Consumer opt-out for high-impact decisions. Where AI drives high-impact decisions about customers, those customers should have a route to opt out or to request human review.
The practical steps
For most institutions the work falls into a clear sequence. Build the model inventory first, because everything else depends on knowing what you have. Assign each system a risk tier and a named owner. Stand up a board reporting line so AI risk reaches the board in language it can act on. Then put the recurring controls in place: scheduled bias testing, drift monitoring, and a documented opt-out process for high-impact systems.
Why this is harder than it sounds
The challenge is rarely the testing or the documentation. It is that most organisations do not actually know what AI they are running, and that is as true for a fast-growing fintech as it is for an established institution. We ran a governance review for a fast-growing UAE technology company and found three AI systems in production that leadership had never catalogued, one of them live for months. The full case study is here.
For a fintech heading toward a licence, this matters early. If you cannot produce a complete AI model inventory today, that is the gap the CBUAE guidance is really pointing at, and it is far cheaper to close before a supervisor asks than after.