Right-Sizing AI Governance for a UAE SME
An external advisor recommended full EU AI Act alignment "to be safe." The tool was internal and domestic. The right framework was certifiable, locally aligned, and cost a fraction as much.
A mid-sized UAE services company was using AI for internal workforce planning and performance review. No European users. No overseas clients. Purely internal, purely domestic.
An external advisor had recommended full EU AI Act alignment "to be safe." For a company this size it was an expensive instinct. The Act's employment-related AI rules are strict, and mapping to them would have meant a conformity assessment process built for a regulatory regime that did not apply to this business at all.
What the right approach actually was
Under the NIST AI RMF, the same system was straightforward to manage. But NIST does not produce a certificate, and the company wanted something it could show its leadership and clients, and that aligned with local expectations.
ISO 42001 was the fit. It gave them a certifiable AI management system, mapped cleanly to the UAE's data protection law, and imposed no obligations designed for a market they were not in.
Why it mattered
The EU AI Act alignment the previous advisor recommended would have cost roughly three times as much and added no value for this company's actual risk profile. For an SME, that difference is not a rounding error. It is the budget for the rest of the year's technology work. Governance is not about applying the strictest rulebook on the shelf. It is about applying the one that matches your actual risk, and stopping there.
If your situation is similar, our team is happy to start with a conversation about scope and approach.