AI Governance in the UAE: National AI Strategy, DIFC, and the Gulf's Leading AI Jurisdiction

UAE's AI governance architecture

The UAE's approach to AI governance is distinctive — it frames AI governance primarily through the lens of AI as a development opportunity and positions the UAE as a global AI leader, with governance designed to enable rather than constrain AI adoption. The Ministry of Artificial Intelligence, the UAE AI Office, and the National Programme for AI all reflect this orientation. This does not mean that the UAE has no AI governance requirements — it means that those requirements are designed to create a trustworthy environment for AI investment and deployment rather than primarily to protect against AI harms.

The practical implications for organisations operating in the UAE: AI governance is expected as a mark of organisational quality and as a requirement for government and enterprise procurement, rather than primarily as a compliance obligation. Organisations that demonstrate robust AI governance — documented processes, bias testing, explainability — are better positioned in the UAE market, both commercially and in regulatory engagement.

DIFC AI governance: the most developed framework

The Dubai International Financial Centre has developed AI-specific data protection and governance guidance that is among the most sophisticated AI regulatory frameworks in the Middle East. The DIFC Data Protection Law and its implementing regulations apply to organisations operating within the DIFC — approximately 5,000 registered companies including major financial services, professional services, and technology firms. DIFC's AI governance guidance builds on its data protection framework to address AI-specific concerns: automated decision-making rights, algorithmic transparency, and AI system documentation. For financial services firms operating within the DIFC, the guidance creates specific expectations for AI used in credit assessment, customer risk profiling, and compliance functions.

The UAE PDPL and AI

Federal Decree-Law No. 45 of 2021 on Personal Data Protection (PDPL) applies across the UAE (outside DIFC and ADGM which have their own regimes) and creates data protection obligations for AI systems processing personal data of UAE residents. Key PDPL provisions relevant to AI: lawful basis requirement for processing (consent, contract, legal obligation, legitimate interest, or public interest); purpose limitation (data collected for one purpose may not be used for AI training for a different purpose without additional lawful basis); data subject rights including access, correction, and objection to processing; and obligations around automated decision-making in contexts affecting individuals. The PDPL is enforced by the UAE Data Office, which has been progressively building its enforcement capability.