Know what your regulator expects — before they ask.
AI risk assessment and compliance mapping built for the GCC: CBUAE, DIFC Regulation 10, ADGM, UAE PDPL and the EU AI Act, reconciled into one register your audit committee can read.
One risk register. Every regime you answer to.
Institutions in the UAE typically answer to three or more regulatory regimes at once — federal law, free-zone regulation and home-market rules like the EU AI Act. This practice maps each AI system against every regime it touches, tiers the risk, and hands you a remediation roadmap with owners and dates.
Core deliverables
At a glance
Regulations covered
The compliance picture has changed faster than the controls.
Overlapping regimes, one system
A single model can sit under CBUAE guidance, UAE PDPL and the EU AI Act simultaneously. Treating each in isolation triples the work and still leaves gaps.
Risk registers that predate AI
Enterprise risk registers built five years ago don't capture model drift, hallucination, prompt injection or autonomous-agent failure. The taxonomy needs extending, not replacing.
Unclassified vendor models
If you can't say which of your AI systems would be high-risk under the EU AI Act or in scope for DIFC Regulation 10, neither can your compliance function.
Cross-border data in training sets
AI pipelines move personal data across borders by design. PDPL and free-zone data protection regimes both have something to say about that.
What we assess and map.
AI risk assessment
NIST AI RMF-aligned assessment across models, vendors and agents — likelihood, impact and control maturity per system.
EU AI Act readiness
High-risk classification, Annex III mapping, conformity assessment preparation and the technical documentation file.
CBUAE supervisory readiness
Model governance, validation and explainability expectations for UAE financial institutions, mapped to your model inventory.
DIFC Regulation 10 mapping
Applicability analysis and control mapping for autonomous systems processing personal data in the DIFC.
UAE PDPL alignment
Lawful basis, automated decision-making safeguards and cross-border transfer conditions for AI processing onshore.
ADGM expectations
FSRA technology governance and ADGM data protection obligations for Abu Dhabi Global Market entities.
A typical 6–10 week engagement.
Inventory & scope
- AI system & vendor inventory
- Applicable-regime determination
- Risk taxonomy extension
Assess & map
- Per-system risk assessment
- Obligation-to-control mapping
- Gap analysis across regimes
Roadmap
- Prioritised remediation plan
- Owner and date per gap
- Audit-committee presentation
Find the gaps before the regulator does.
Bring us your AI inventory — or let us help you build one — and we'll tell you which regimes apply and where you stand.
Book a consultation