There is no single AI act in the UAE or the wider GCC. Regulation comes through a layered set of authorities and horizontal statutes, and the most common mistake we see at board level is assuming that because there is no one law, there is nothing binding. That is wrong. The expectations are real, and in some cases enforcement is already active.
Here is the map a financial institution operating in the region should have.
UAE Central Bank (CBUAE)
The CBUAE published a Guidance Note on responsible AI and ML adoption in February 2026. It applies to all licensed financial institutions: banks, insurers, exchange houses, payment providers. It calls for board-level accountability for AI systems, a mandatory AI model inventory with risk ratings, annual bias testing, and consumer opt-out rights for high-impact AI decisions. The language is "should" rather than "must," but it carries strong supervisory expectation. If your examiner references it, it is not optional in practice.
DFSA (Dubai Financial Services Authority)
The DFSA regulates firms inside the DIFC under its own data protection regime, DIFC Law No. 5 of 2020. It has not published standalone AI guidance yet, but AI obligations are being folded into existing expectations around operational resilience, outsourcing, and technology risk. Firms using AI in client-facing decisions, including robo-advisory, credit assessment, and AML screening, should expect questions during examinations. The DIFC Commissioner of Data Protection has issued enforcement decisions, making it the most active enforcement body in the region on data-related AI obligations.
ADGM (Abu Dhabi Global Market)
ADGM runs its own data protection framework and has published guidance on AI and big data analytics. Abu Dhabi also established its AI Authority under Law No. 3 of 2024. The presence of the Technology Innovation Institute and Mohamed bin Zayed University of AI in the same ecosystem signals long-term sovereign AI intent, which tends to precede firmer governance expectations rather than follow them.
Saudi Arabia: SDAIA and SAMA
Saudi Arabia declared 2026 the Year of Artificial Intelligence. SDAIA is the centralised authority driving national AI governance, the Saudi PDPL is in effect, and SAMA oversees financial-sector compliance. For an institution operating across both the UAE and Saudi Arabia, the real challenge is structural: the UAE is a layered, multi-regulator ecosystem, while Saudi Arabia centralises through SDAIA. The principles overlap. The enforcement structures do not.
UAE federal baseline
The UAE Charter for AI from June 2024 sets out twelve ethical principles but is non-binding. The binding baseline is Federal Decree-Law No. 45/2021 (PDPL) and Federal Decree-Law No. 34/2021 (cybercrime). There is no single federal AI act. Regulation arrives through these horizontal laws and sector-specific rules.
What boards should do now
The organisations that get caught out are not the ones with bad AI. They are the ones whose leadership cannot answer a basic question: which AI systems are running, what decisions are they making, and who owns the risk. We ran a governance review for a fast-growing UAE technology company and found three production AI systems, none of which leadership had ever catalogued. The fix was not technical. It was a model inventory, a clear reporting line, and a mapping of which systems triggered which obligations. The full account is in our case study on building an AI governance layer for a scale-up.
The three questions any leadership team in the region should be asking this year, whether you are a licensed institution or a fintech heading toward one: do we have a complete inventory of our AI systems with risk ratings, is accountability for each one assigned at a senior level, and can we show a regulator how each system maps to the obligations in the jurisdictions where we operate. If the answer to any of those is no, that is the work.
If you are weighing an AI investment, acquisition, vendor selection, or training programme, our team is happy to start with a conversation about scope and approach.
The views and findings in this article are shared for general information only. They are high-level perspectives, not legal, financial, regulatory, or other professional advice, and should not be relied upon for any specific decision or circumstance. For guidance tailored to your situation, please consult a qualified adviser.