Twelve months ago, AI governance in the Gulf was a set of principles and position papers. Today it is regulation - with teeth.
The UAE Central Bank now requires board-level accountability for AI decisions in financial services. Saudi Arabia has declared 2026 the Year of AI and made its adoption framework mandatory across the public sector. Bahrain is drafting standalone AI legislation. Qatar's AI guidelines for banking have been enforceable since late 2024.
If you are deploying AI in the GCC - or planning to - the compliance landscape has changed materially since most market entry strategies were written. Here is what you actually need to know.
Country by country: where things stand
United Arab Emirates
The UAE has moved fastest and furthest. The Central Bank's AI/ML guidance, issued in February 2026, applies to all licensed financial institutions and covers:
- Board accountability. The board must approve AI strategy and maintain oversight of all AI/ML models in use. This is not a technology governance requirement; it is a board governance requirement.
- Model inventory. Every AI model must be catalogued, with documentation covering purpose, data inputs, known limitations, and performance thresholds.
- Annual bias testing. Models that affect customer outcomes must be tested for bias annually, with results reported to the board.
- Kill-switch requirements. Any AI system making or influencing customer-facing decisions must have a documented human override mechanism.
- Consumer opt-out. Customers must be able to opt out of AI-driven decisions and receive human review on request.
Separately, the UAE Cabinet approved the Charter for AI Development and Use - twelve ethical principles covering safety, bias, privacy, transparency, human oversight, and accountability. It is not yet enforceable in the way the CBUAE guidance is, but it signals the direction of travel clearly.
Saudi Arabia
The government committed $14.9 billion to AI infrastructure in a single policy cycle and declared 2026 the Year of AI. The practical impact for firms operating in the Kingdom:
- AI Adoption Framework - mandatory for all public sector entities and their suppliers. If you are delivering AI to a government-adjacent client, this framework governs your deployment.
- SDAIA oversight. The Saudi Data and Artificial Intelligence Authority reviews AI deployments for compliance with national data protection and AI ethics requirements.
- Data localisation. Government data must be processed and stored within Saudi Arabia. For AI models trained on such data, this has significant infrastructure implications.
Bahrain
Bahrain has proposed standalone AI regulation - a departure from the GCC norm of embedding AI governance within data protection frameworks. The Central Bank's existing fintech sandbox remains the most permissive AI testing environment in the region, but the regulatory direction is toward formalisation. Firms testing AI in Bahrain's sandbox should plan for a transition from sandbox tolerance to regulatory compliance within 12 to 18 months.
Qatar
Qatar Central Bank AI guidelines have been mandatory since September 2024, making them the longest-standing enforceable AI requirements in the GCC. A broader draft AI law is under consideration. Qatar's approach emphasises data governance and algorithmic transparency, with particular attention to public service applications.
Oman and Kuwait
Both are in earlier stages. Oman's AI ethics framework is advisory; Kuwait's focus remains on infrastructure readiness. Neither has enforceable AI-specific regulation today, but both have active national AI strategies and are expected to follow the UAE and Saudi regulatory trajectory within 18 to 24 months.
What this means in practice
The GCC's structural advantage - sovereign cloud zones, unified national strategies, fast regulatory cycles - means regulation moves faster here than in Europe or the US. The EU AI Act took years to negotiate; the UAE Central Bank guidance went from draft to enforcement in months.
For firms entering or operating in the region, the practical implications are:
You need a model inventory before you deploy
If you cannot produce a catalogue of every AI model in use - including purpose, data sources, known biases, performance thresholds, and human override procedures - you are not compliant in the UAE financial services sector today. Other sectors and countries will follow.
Board-level governance is not optional
The days of AI being a technology team initiative are over in the Gulf. Boards must approve AI strategy, receive regular reporting on AI performance and risk, and maintain documented oversight. If your AI governance stops at the CTO, it is insufficient.
Bias testing must be systematic
Annual bias testing with board-level reporting is already required for UAE financial services. This cannot be a one-off exercise before launch; it must be a recurring, documented process with clear ownership and remediation procedures.
Data sovereignty shapes your architecture
Saudi Arabia requires government data to remain in-Kingdom. The UAE has similar requirements for regulated sectors. If your AI model is trained or hosted outside the relevant jurisdiction, you have an architecture problem that no amount of compliance documentation will solve.
The compliance checklist
Before deploying AI in any GCC market, you should be able to answer yes to every item on this list:
- We have a complete model inventory with documented purpose, data sources, and limitations for every AI system
- Board-level AI governance is in place, with regular reporting and documented oversight
- Bias testing is scheduled, recurring, and reported to the board
- Human override mechanisms exist for every customer-facing AI decision
- Consumer opt-out processes are documented and functional
- Data residency requirements are met for the specific jurisdiction
- Audit trails exist for AI-driven decisions that affect customers
- Our incident response plan covers AI failures specifically
If the answer to any of these is no, you have work to do before your first deployment - and the window to do it proactively, rather than reactively, is closing.
The opportunity
GCC AI adoption is past 84% and climbing. The governments are investing billions. The regulatory frameworks are maturing rapidly but are not yet punitive - they are designed to enable responsible deployment, not to prevent it.
The firms that build compliance into their AI programmes from day one will have a structural advantage over those scrambling to retrofit governance after the fact. The GCC is not waiting for you to catch up.