Technology & Digital Assets Technology

AI governance

AI governance · risk

The UAE wants to be a global home for artificial intelligence. What it does not yet have is a single, comprehensive law telling businesses how to build and deploy it. For companies operating here, that gap is not a licence — it is a governance problem to be managed under the laws that already exist.

Ambition ahead of a statute

The UAE's posture on AI is deliberate and highly visible. The National Strategy for Artificial Intelligence 2031, in place since 2017, sets the direction: integrate AI across government and the economy and position the country as a hub for capital, talent and infrastructure. That same year the UAE appointed the world's first Minister of State for Artificial Intelligence, and the Artificial Intelligence Office has since become the focal point for national policy.

It is important to be precise about what this does — and does not — mean legally. There is, as yet, no single federal "AI Act" of the kind the European Union has enacted. Governance of AI in the UAE currently flows from the intersection of existing laws, sector-specific rules, and emerging ethical guidance. For a business, this is the crucial point: the absence of a dedicated statute is not the absence of legal exposure. Your AI system is already regulated — just not by a law with "artificial intelligence" in its title.

The laws that already apply

Several established legal layers bite directly on how AI is trained, deployed and relied upon.

  • Data protection. Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the PDPL), in force since January 2022 and drawing partly on the GDPR model, is the most immediately relevant instrument. Training data frequently contains personal data, and the PDPL gives data subjects a right to object to decisions taken solely by automated processing — including profiling — where those decisions have legal effects or otherwise seriously affect them. The law also requires a data protection impact assessment before high-risk processing using new technologies. That is AI in all but name.
  • Intellectual property. Federal Decree-Law No. 38 of 2021 on Copyright and Neighbouring Rights protects the economic and moral rights of authors, but it was written with human creativity in mind. It recognises natural or legal persons as authors, which leaves the ownership of works generated autonomously by a machine genuinely uncertain. The law is also largely silent on whether ingesting protected works for machine-learning purposes is infringement — there is no clear text-and-data-mining exception to rely on.
  • Civil liability. The Civil Code's fault and harm principles remain the backbone of liability when an AI system causes loss. Questions of negligence, causation and responsibility do not disappear because a decision was delegated to an algorithm.
  • Cybercrime and consumer protection. The cybercrime and consumer-protection regimes apply to AI-enabled fraud, manipulated content, and unfair or misleading automated dealings with customers.
  • Sectoral regulation. Financial services is the most developed front. The DIFC has amended its data-protection framework to address personal data processed through autonomous and semi-autonomous systems, positioning itself as an "AI-native" centre, and the UAE's financial regulators — including the DFSA and the ADGM's FSRA — expect firms to maintain proper governance, accountability and consumer safeguards when adopting enabling technologies.

The absence of a dedicated AI statute is not the absence of legal exposure. Your system is already regulated — just not by a law with "artificial intelligence" in its title.

Where the real risk sits

For a business deploying AI, five governance risks recur. First, data and privacy: where training data or live inputs include personal data, PDPL obligations attach, and consent or another lawful basis cannot be assumed. Second, bias and discrimination: an automated system that produces skewed outcomes in hiring, credit or pricing carries both reputational and legal consequences. Third, transparency and explainability: if you cannot explain how a decision was reached, you cannot defend it to a regulator, a counterparty or a court. Fourth, IP ownership: the status of AI-generated output is unsettled, so you should not assume you own — or can freely license — what your tools produce. Fifth, and most controllable, contractual allocation of risk: liability for a model's failures, the provenance and licensing of training data, indemnities, and confidentiality of the data you feed a vendor are matters to be negotiated, not inherited from a standard-form agreement.

The direction of travel

The regulatory picture is evolving, and businesses should treat it as such rather than as settled law. In June 2024 the UAE issued a Charter for the Development and Use of Artificial Intelligence, articulating twelve principles — among them safety, bias mitigation, data privacy, transparency, human oversight, accountability and compliance with law. The Charter is voluntary and non-binding, but it signals the values against which future binding rules, and present-day regulatory expectations, are likely to be measured. It is increasingly referenced in procurement and commercial dealings. Prudent organisations are aligning to it now, on the reasonable assumption that today's ethical guidance is a preview of tomorrow's obligation.

A practical governance framework

Waiting for a comprehensive statute is not a strategy. The workable approach is to build internal governance that satisfies today's laws and anticipates tomorrow's. In practice that means:

  • Establish an AI governance framework — an inventory of AI systems, clear ownership, an approval gate for new deployments, and defined accountability at management level.
  • Run data protection impact assessments for AI that processes personal data or makes decisions affecting individuals, and document the lawful basis and the safeguards.
  • Contract deliberately with vendors: address data provenance, IP ownership and licensing of outputs, model performance, liability and indemnities, confidentiality, and audit rights.
  • Preserve meaningful human oversight of consequential decisions, so that automated processing supports judgement rather than replacing it — the safeguard the PDPL and the Charter both point toward.
  • Keep records that make your systems explainable and auditable, because the ability to reconstruct a decision is the foundation of every defence.

The UAE's message to business is coherent: innovate, and do so responsibly. For now, "responsibly" is defined by the laws already on the books and by guidance still taking shape. Companies that build sound AI governance today are not merely managing present risk — they are positioning themselves for the regime that is coming.

Instruments referred to: Federal Decree-Law No. 45 of 2021 (Personal Data Protection Law); Federal Decree-Law No. 38 of 2021 (Copyright and Neighbouring Rights); the UAE National Strategy for Artificial Intelligence 2031; the UAE Charter for the Development and Use of Artificial Intelligence (2024); and DIFC and financial-services regulatory guidance on AI and data protection. This page is general information, not legal advice.

A technology or digital-asset matter on your desk?

Every matter is handled personally. Tell me about your situation and I'll advise on the best way forward — confidentially and without obligation.

Get in touch