Playbook · Gulf / GCC · All sectors

AI governance in the Gulf is consolidating fast:
the UAE & Saudi roadmap

The UAE's PDPL and DIFC Regulation 10, Saudi Arabia's SDAIA ethics and draft Responsible AI Policy, and the global frameworks your buyers expect - EU AI Act, NIST AI RMF, ISO/IEC 42001 - are converging into a real bar for AI in the region. Here is the 5-phase roadmap, and the runtime gap your existing stack cannot close.

UAE PDPL · DIFC Reg 10 · ADGM Saudi SDAIA EU AI Act · NIST · ISO 42001
The mandate

What now defines AI accountability in the Gulf

There is no single Gulf AI statute yet - it is a fast-moving, layered picture of national laws, free-zone rules and global frameworks buyers insist on.

United Arab Emirates

Layered · free-zone specific

PDPL (Art. 18 limits automated decisions) · DIFC Regulation 10 (AI impact assessments & transparency, in force Jan 2026) · ADGM DP Regulations. A new Federal AI & Data Authority now consolidates oversight.

Saudi Arabia

SDAIA · risk-tiered

SDAIA AI Ethics Principles (2023) & Generative AI Guidelines (2024); a draft Responsible AI Policy (2026) tiers systems critical / high / limited / low. Data sits under the Saudi PDPL; NCA sets security controls.

Global baselines your buyers expect

Procurement & extraterritorial

EU AI Act (extraterritorial - applies if your AI touches the EU) · NIST AI RMF · ISO/IEC 42001, now a common requirement in enterprise and government vendor reviews.

Also in scope: Qatar PDPPL & QFC rules · sector regulators (CBUAE, DFSA, FSRA, SAMA, SFDA) · NCA cybersecurity controls · OWASP LLM Top 10 & MITRE ATLAS for AI security.
The through-line

What every one of them converges on

Accountability sits with you, not the model
Risk-tiered controls across the lifecycle
Human oversight of AI decisions
Documented evidence, not assertions
The roadmap

Five phases buyers & regulators will inspect

One sequence that satisfies UAE and Saudi expectations and the global frameworks your customers require.

PHASE 0
Govern
Own the risk before AI ships
AI policy & risk tiering (SDAIA / DIFC) · roles (ISO 42001) · AI inventory · PDPL data governance
PHASE 1
Build & Test
Prove it's safe before it ships
Red-teaming - OWASP LLM Top 10 & MITRE ATLAS · NIST MAP/MEASURE · DIFC AI impact assessment
PHASE 2
Deploy & Enforce
Control what the AI can access & do
Human oversight (PDPL Art. 18 · SDAIA) · access control & agent guardrails · shadow-AI controls · NIST MANAGE
PHASE 3
Monitor & Respond
See it, contain it, report it
Logging & transparency (DIFC Reg 10) · output & drift monitoring · incident response · NCA security controls
CONTINUOUS
Assure & Disclose
Sustain trust; answer regulators & buyers
ISO 42001 audit · transparency & disclosures · questionnaire evidence · regulator readiness
The readiness gap

Why this is urgent, not theoretical

Adoption has outpaced control - and that gap is the exposure.

88%
had a confirmed or suspected AI-agent security incident this year
80%
report moderate-to-pervasive shadow AI
18%
have a formal AI security policy
21%
have mature governance for AI agents
Sources: Gravitee (survey of 919 organizations), ISACA & industry surveys, 2026 (global enterprise data).
The blind spot

The gap your existing stack cannot close

Your IAM/PAM, WAF and API gateways, DLP/CASB, SIEM and EDR are built for deterministic software. None can catch a legitimately-authorised AI agent, driven by untrusted input, doing something inside its permissions but outside your policy - the dominant 2026 failure mode (prompt injection, the "lethal trifecta", agentic data exfiltration), and exactly what PDPL Article 18, DIFC transparency and SDAIA human-oversight expectations are about.
IAM / PAM
identity authenticated, in scope
waved through
WAF / API gateway
request well-formed
waved through
DLP / CASB
sanctioned tool & channel
waved through
SIEM / EDR
no known-bad signature
waved through
Every layer says "yes." None can see the AI's intent vs your policy.
Where Trampolyne fits

Make your AI stay within intended bounds - and prove it

From pre-deployment testing, through runtime, to audit-ready evidence. Trampolyne supplies the technical controls and evidence that make each phase credible - the policies and processes stay yours. We help you align; we don't issue certifications.

Product Govern Build & Test Deploy & Enforce Monitor & Respond Assure
AI Red-Teaming
Shadow AI Detection & Runtime Control
Enterprise AI Security & Runtime Control
AI Compliance Assistant
core control & evidence Trampolyne provides  ·  supporting input. Each phase also demands policies and processes you own; Trampolyne supplies the technical controls and audit evidence.

AI Red-TeamingAWS Marketplace

Continuous adversarial testing on a scheduled cadence and on every material change. 27+ attack classes, working exploits + fixes, mapped to OWASP LLM Top 10 & MITRE ATLAS - the evidence a DIFC AI impact assessment or a buyer's security review asks for.

OWASP LLM Top 10MITRE ATLASDIFC AI impact assessmentNIST MAP + MEASURE

Enterprise AI Security & Runtime Control

Sits inline and evaluates every request before the model or agent acts - RBAC/ABAC/PBAC/NGAC enforcement in milliseconds. A deterministic guardrail over a non-deterministic model. Consumes your IAM, feeds your SIEM. No model rewrites.

PDPL Art. 18 automated decisionsDIFC Reg 10 transparencySDAIA human oversightISO 42001 controls

Shadow AI Detection & Runtime Control

Sits between employees and every public AI tool. Classifies data by type, provenance and role, blocks sensitive data before it leaves, and logs every interaction - without killing productivity.

UAE / Saudi PDPLData leakage to public AIISO 42001 data controls

AI Compliance Assistant

Turns enforcement, red-team and runtime evidence into review-ready answers - a continuous, per-decision audit trail for regulators, your board and enterprise-buyer security questionnaires.

ISO 42001 audit evidenceDIFC / SDAIA documentationEU AI Act loggingSecurity questionnaires
FAQ

Gulf AI governance questions we hear from CISOs & DPOs

Is there a single AI law in the UAE?
No. The UAE governs AI through a layered framework: the federal PDPL (Art. 18 restricts solely-automated decisions with legal or serious effects); DIFC Regulation 10, an AI-specific rule in force since January 2026 (AI impact assessments, transparency, high-risk documentation; fines USD 25,000-50,000); and the ADGM Data Protection Regulations 2021. A Federal Authority for AI and Data was established in June 2026, and sector regulators (CBUAE, DFSA, FSRA, DHA) add more.
What does SDAIA require for AI in Saudi Arabia?
SDAIA published the Principles and Controls of AI Ethics (Sept 2023, seven principles including fairness, privacy & security, and human oversight) and Generative AI Guidelines (Jan 2024). In April 2026 it consulted on a draft Responsible AI Policy that tiers AI into critical, high, limited and low risk. Data sits under the Saudi PDPL (fines up to SAR 5M, doubling for repeat offenses); the NCA sets security controls and SAMA/SFDA cover finance and health.
Does the EU AI Act affect companies in the Gulf?
Yes - it is extraterritorial and applies where an AI system or its output is used in the EU. Independently, enterprise and government buyers across the UAE and KSA increasingly require NIST AI RMF alignment and ISO/IEC 42001 certification in procurement, so the global frameworks matter even where local law is principle-based.
What is DIFC Regulation 10?
The Dubai International Financial Centre's AI-specific data regulation, in force since January 2026. It requires AI impact assessments, transparency for AI-driven decisions and documentation of high-risk AI use, with fines of USD 25,000-50,000 per violation. It sits alongside the ADGM Data Protection Regulations 2021, which closely mirror the GDPR.
Can our existing security stack (WAF, DLP, IAM, SIEM) secure AI agents?
No. Those tools are built for deterministic software and cannot catch a legitimately-authorised AI agent, driven by untrusted input, doing something inside its permissions but outside your policy. Meeting PDPL Article 18, DIFC transparency and SDAIA human-oversight expectations requires runtime, pre-execution policy enforcement plus a per-decision audit trail.
More playbooks

Governance playbooks for other markets

Same 5-phase structure, tuned to each market’s regulators and buyers.

See where you stand against the Gulf roadmap

Twenty minutes is enough to map your AI estate against UAE, Saudi and the global frameworks your buyers require.

Positioning collateral, not legal advice. Trampolyne AI helps you align with regulatory expectations; it does not issue certifications.