ServicesGovern & AssureFinance & TransactionsTransform & DigitizeOperate & Scale
FrameworkAI Policy DevelopmentResponsible AIData Governance
RegulationsGCC regulationsRegulations & standardsResearch & benchmarks
Insights
About
Contact
Book a consultation
Practice · AI Risk & Compliance

Know what your regulator expects — before they ask.

AI risk assessment and compliance mapping built for the GCC: CBUAE, DIFC Regulation 10, ADGM, UAE PDPL and the EU AI Act, reconciled into one register your audit committee can read.

What this practice does

One risk register. Every regime you answer to.

Institutions in the UAE typically answer to three or more regulatory regimes at once — federal law, free-zone regulation and home-market rules like the EU AI Act. This practice maps each AI system against every regime it touches, tiers the risk, and hands you a remediation roadmap with owners and dates.

Core deliverables

AI risk assessment (NIST AI RMF)Compliance obligation matrixEU AI Act risk tieringGCC regulatory gap analysisRemediation roadmapAudit-committee risk report
At a glance
GCC coverageCBUAE · DIFC · ADGM · PDPL
InternationalEU AI Act · NIST AI RMF
OutputCompliance matrix + roadmap
Typical duration6–10 weeks
Regulations covered
Why it matters now

The compliance picture has changed faster than the controls.

Overlapping regimes, one system

A single model can sit under CBUAE guidance, UAE PDPL and the EU AI Act simultaneously. Treating each in isolation triples the work and still leaves gaps.

Risk registers that predate AI

Enterprise risk registers built five years ago don't capture model drift, hallucination, prompt injection or autonomous-agent failure. The taxonomy needs extending, not replacing.

Unclassified vendor models

If you can't say which of your AI systems would be high-risk under the EU AI Act or in scope for DIFC Regulation 10, neither can your compliance function.

Cross-border data in training sets

AI pipelines move personal data across borders by design. PDPL and free-zone data protection regimes both have something to say about that.

Scope of work

What we assess and map.

AI risk assessment

NIST AI RMF-aligned assessment across models, vendors and agents — likelihood, impact and control maturity per system.

§

EU AI Act readiness

High-risk classification, Annex III mapping, conformity assessment preparation and the technical documentation file.

CBUAE supervisory readiness

Model governance, validation and explainability expectations for UAE financial institutions, mapped to your model inventory.

DIFC Regulation 10 mapping

Applicability analysis and control mapping for autonomous systems processing personal data in the DIFC.

UAE PDPL alignment

Lawful basis, automated decision-making safeguards and cross-border transfer conditions for AI processing onshore.

ADGM expectations

FSRA technology governance and ADGM data protection obligations for Abu Dhabi Global Market entities.

How we engage

A typical 6–10 week engagement.

1

Inventory & scope

  • AI system & vendor inventory
  • Applicable-regime determination
  • Risk taxonomy extension
2

Assess & map

  • Per-system risk assessment
  • Obligation-to-control mapping
  • Gap analysis across regimes
3

Roadmap

  • Prioritised remediation plan
  • Owner and date per gap
  • Audit-committee presentation

Find the gaps before the regulator does.

Bring us your AI inventory — or let us help you build one — and we'll tell you which regimes apply and where you stand.

Book a consultation