AI Governance in Gulf States: The MENA Guide

The Gulf region is executing the most ambitious national AI strategies on the planet — backed by sovereign wealth measured in trillions. MENA AI venture funding hit $858M in 2025, with the UAE alone capturing $519M at a staggering 267% year-over-year increase. Saudi Arabia has declared 2026 the Year of Artificial Intelligence. Qatar committed $2.4 billion to AI. The world's largest AI campus outside the United States is being built in Abu Dhabi. But ambition without governance creates compound risk. This is the definitive strategic resource for AI leaders operating in or entering the MENA market — covering regulatory landscapes, enforcement realities, cultural governance dimensions, and cross-jurisdictional compliance architecture.

The MENA AI Moment — Why Governance Now

The numbers are staggering. The MEA AI market is projected at $24.7 billion in 2025 with a 35% CAGR through 2033. MENA tech spending is forecast to reach $169 billion in 2026. Saudi Arabia has earmarked a $40 billion AI investment fund, while Gulf sovereign wealth funds deployed $126 billion in 2025 — 43% of all global sovereign investment — with AI as a focal allocation. Abu Dhabi's digital strategy alone commits $3.54 billion between 2025 and 2027. This is not experimental spending. It is national strategy at civilisation scale.

Why governance matters now: the Gulf's soft-law approach creates accountability gaps that compound as deployment scales. The EU AI Act's extraterritorial scope directly impacts any Gulf company whose AI products or outputs reach European users — and enforcement is already active. Arabic language AI faces critical bias, representation, and cultural alignment challenges that standard Western governance frameworks do not address. And rapid deployment is outpacing governance maturity across every Gulf state. The question is no longer whether the Gulf needs AI governance. It is whether governance can catch up to the deployment velocity already underway.

This guide serves four audiences: CTOs expanding into the Gulf who need a regulatory landscape map; compliance officers and legal counsel mapping obligations across jurisdictions; government AI leads and consultancies benchmarking the Gulf Model against global frameworks; and SWF advisors and free zone companies assessing governance maturity by country. It synthesises regulatory analysis, enforcement data, cultural governance dimensions, and cross-jurisdictional architecture into a single strategic resource — something no other English-language publication currently provides.

This article connects to AskAjay's core thesis: governance is a competitive advantage, not a compliance cost. The Gulf region is the most compelling proof environment for that thesis. Organisations that embed governance early — before enforcement hardens and penalties accumulate — will define the region's AI future. Those that treat governance as an afterthought will accumulate the liability ledger that compounds faster than any investment return.

The Gulf AI Governance Model — A Different Philosophy

Innovation-First vs. Precautionary: Two Schools of AI Governance

The Gulf has developed a coherent — if largely unnamed — approach to AI governance that represents a fundamentally different philosophy from the EU's precautionary model. The Gulf Model is innovation-first, sandbox-heavy, soft-law, and rapid-iteration. The EU Model is precautionary, hard-law, classify-and-restrict. Neither is inherently superior. Each carries distinct risks and advantages that any leader operating in the region must understand. A comprehensive comparative analysis of GCC national AI strategies confirms this philosophical divergence across all six member states.

The strategic implications extend beyond the region. The Gulf Model demonstrates that governance velocity can match innovation velocity — a lesson the EU has struggled to learn. But the Gulf Model also demonstrates what happens when principles lack enforcement: accountability gaps widen, ethicswashing becomes possible, and inconsistency between emirates and sectors creates compliance uncertainty. As the Hidden Tax on AI Speed analysis showed with UAE examples, the question is not speed OR governance — it is governance AS speed.

Cross-referencing with the AskAjay framework library: the Gulf Model aligns with the Minimum Viable Governance philosophy of starting lean and iterating. But the MVG framework insists on enforcement mechanisms from day one — a critical gap that most Gulf governance instruments currently lack. The AI Governance Theatre analysis applies directly to Gulf voluntary governance: principles without enforcement create the conditions for performative compliance.

The Soft-Law Trap: When Principles Lack Enforcement

The GCC currently lacks unified legislative standards across its six member states. Most governance instruments are voluntary guidelines, ethical charters, and policy principles — not binding statutes with enforcement teeth. Nearly 100 non-binding ethical codes globally have produced modest concrete effects. The Gulf's reliance on soft law creates three specific risks: accountability gaps when AI systems cause harm, ethicswashing where organisations adopt principles performatively without operational change, and inconsistency between emirates, sectors, and free zones that creates compliance arbitrage. Saudi Arabia's Draft Global AI Hub Law signals that at least one Gulf state recognises these risks — the hard-law pivot is beginning, but it has not arrived.

UAE — The Region's Most Mature AI Governance Ecosystem

UAE National AI Strategy 2031

The UAE was the first country to appoint a Minister of State for AI in 2017 and has since built the most comprehensive governance ecosystem in the Gulf. The National AI Strategy 2031 targets AED 335 billion in AI-generated growth, aiming to lift AI's GDP contribution from approximately 9% to 45% by 2031. The strategy spans eight objectives — from building the UAE's reputation as a global AI destination to deploying AI across priority sectors including energy, logistics, tourism, healthcare, and cybersecurity. AI is now a mandatory subject from kindergarten to Grade 12 in all public schools, extending to private schools by 2026-2027. The workforce target: 10,000 UAE data scientists and ML engineers, supported by golden visas for global AI experts.

UAE AI Ethics Charter (2024): The 12 Principles

Issued by the UAE Minister of AI in June 2024, the AI Ethics Charter establishes 12 principles that serve as the ethical spine for all sectoral AI regulatory initiatives. While not legally binding, KPMG's major analysis positions it as the foundation on which sector-specific regulation builds. The charter's emphasis on human-centric AI resonates with global responsible AI principles while embedding fairness, accountability, privacy, and security at the core. The governance implication: compliance may be expected by regulators even where not mandated.

Law No. 3 of 2024 — Abu Dhabi's AIATC

In January 2024, Abu Dhabi formally established the Artificial Intelligence and Advanced Technology Council (AIATC) through emirate-level legislation — not federal. The AIATC regulates projects, investments, and research associated with AI within Abu Dhabi, making it the most institutionally concrete AI governance body in the Gulf. Important distinction: the UAE has NOT enacted a dedicated federal AI law. The governance landscape is layered: federal principles (AI Ethics Charter), emirate-level institutions (AIATC in Abu Dhabi), and free zone-specific regulation (DIFC, ADGM). Companies must navigate all three layers simultaneously.

DIFC Regulation 10: Where Governance Gets Real

Regulation 10 of the DIFC Data Protection Regulations is the most concrete AI governance mechanism in the Gulf. Introduced in late 2023 with enforcement planned for early 2026, it establishes binding design principles for AI systems in the Dubai International Financial Centre: ethicality, fairness, transparency, security, accountability, and compliance with certification requirements. General certification requirements will be set in future guidance, with stricter requirements for High Risk Processing. The Regulation 10 Accelerator Program operates as a sandbox where firms can test AI systems against privacy-by-design principles before enforcement begins. This is moving from soft law to hard obligations — DIFC companies will need certification, not aspiration.

ADGM: Sandboxes and Financial Sector AI Governance

The Abu Dhabi Global Market takes a pragmatic approach: enhancing existing legal frameworks rather than creating new AI-specific structures. Key elements include joint guidelines with the Central Bank of UAE, Securities and Commodities Authority, DFSA, and FSRA for financial institutions using AI — emphasising governance, accountability, and consumer protection. The ADGM RegLab provides a regulatory sandbox for controlled experimentation, while the Digital Lab enables co-creation and testing of fintech under regulatory guidance. The digital assets framework has been enhanced to address tokenisation, DeFi, and AI-driven market participation. For financial services governance, ADGM is the innovation-friendly counterpoint to DIFC's more structured certification approach.

Dubai: AI-First Government at Scale

Dubai's government deployment of AI is the most advanced in the region. 96%+ of government entities have adopted at least one AI solution, with 100+ high-impact applications documented and 60% of users preferring AI-supported services. The DubaiAI virtual assistant serves 180+ public services. The Dubai Live Platform integrates AI, digital twin models, predictive analytics, and real-time data from thousands of sensors. Dubai ranked 4th globally in the IMD Smart City Index 2025, outperforming Zurich, Oslo, and Geneva in transportation. The April 2025 Dubai AI Policy for Government Entities is binding — not aspirational guidance. AI could contribute over AED 235 billion to Dubai's economy by 2030.

Saudi Arabia — From Vision to Enforcement

SDAIA: Structure, Mandate, and the Year of AI

The Saudi Data and AI Authority (SDAIA) was established by Royal Order in October 2019 as the national authority for data and AI strategy. SDAIA sets national frameworks, issues guidelines, conducts public consultations, supervises AI ethics compliance, and enforces the PDPL. In a signal of escalating ambition, Saudi Arabia's Cabinet designated 2026 as the Year of Artificial Intelligence — formalising the Kingdom's drive to position itself as a global AI hub for development, deployment, AND governance. The $40 billion AI investment fund, the Humain national champion (backed by PIF, launched May 2025 with plans for up to 6GW data centre capability by 2034), and the SDAIA Academy form the institutional infrastructure.

Saudi PDPL: The Enforcement Gateway

The Personal Data Protection Law (PDPL), enacted in 2021 and fully enforceable since September 2024, is the most consequential AI governance instrument in Saudi Arabia today — not because it is an AI law, but because AI systems inevitably process personal data, and the PDPL has enforcement teeth. AI-specific requirements include explicit consent for automated processing, consent when decisions are made solely based on automated processing, and regular privacy risk assessments for AI-driven analytics. 48 enforcement decisions were issued in the first year of full enforcement — marking a turning point in SDAIA's enforcement maturity. Cross-border data transfers require prior adequacy assessments, standard contractual clauses, or equivalent safeguards. Data cannot leave the Kingdom without express regulatory clearance.

SDAIA AI Ethics Principles: Seven Principles, Four Risk Tiers

SDAIA's seven core AI ethics principles — Fairness, Transparency and Explainability, Privacy and Security, Reliability and Safety, Accountability and Responsibility, Humanity, and Social and Environmental Benefit — are supported by a four-tier risk classification system: little or no risk, limited risk, high risk, and unacceptable risk. This mirrors the EU AI Act's risk-tier approach, though the SDAIA principles are not legally binding on their own. Non-compliance could trigger enforcement under the PDPL and related laws. The 2024 Generative AI Guidelines cover content authenticity, watermarking, and oversight, while the AI Adoption Framework defines four maturity levels with enablers across data, technology, human capabilities, and responsible use.

Draft Global AI Hub Law (2025): The Hard-Law Pivot

The Draft Global AI Hub Law represents Saudi Arabia's most significant governance development: the transition from voluntary principles to binding legislation. This is a pivotal shift — moving from soft-law aspiration to hard-law obligation for AI infrastructure and cross-border data governance. The April 2025 consultation on secondary-use-of-data rules governing responsible data sharing between public and private entities signals the law's operational scope. For companies operating in the Kingdom, the message is clear: governance that was optional in 2024 is becoming mandatory in 2026.

Saudi Healthcare AI Governance

Saudi healthcare AI governance illustrates sector-specific complexity. The Saudi FDA (SFDA) issues guidelines on AI use in medical devices. The National Health Command Centre (NHCC) uses AI to monitor healthcare operations nationwide. The King Faisal Specialist Hospital Digital Innovation Hub operates a four-component governance ecosystem: guiding principles, governance processes, innovation capabilities, and operational discipline. NEOM Health deploys a proactive, preventative model using AI, genomic data, quantum computing, and behavioural analytics. For practitioners, Saudi healthcare AI requires layered compliance: PDPL, SDAIA principles, SFDA guidelines, and Ministry of Health frameworks — plus EU AI Act high-risk requirements if serving European patients. See the Healthcare Governance Guide for the full framework.

NEOM: Governance at City Scale

NEOM is designed as an autonomous governance zone with its own regulatory framework, tax and labour laws, and judicial system. AI is central to its governance model — managing security, resource allocation through data analytics and ML. This creates a unique governance testbed: regulatory sandboxes at infrastructure scale (not just project scale), liability frameworks for AI decisions being established in real time, and drone and airspace regulation for AI systems. The governance challenges are unprecedented: national security, safety, and data governance standards must govern AI in infrastructure and city management while preserving the innovation-first philosophy that defines the project.

Cross-references: the Data Governance for AI framework addresses the data sovereignty foundations that both Saudi healthcare and NEOM governance require. The A7 Agentic AI Readiness Framework applies directly to NEOM's autonomous systems governance.

Qatar, Bahrain, Oman, and Kuwait — The Emerging Players

Qatar: Phased Governance with Scale Investment

Qatar has taken the most structured approach to governance phasing in the Gulf. The Artificial Intelligence Committee, established by Cabinet Decision No. 10 in 2021, coordinates cross-government AI strategy. Implementation follows three explicit phases: foundation (2023-2024), sectoral implementation (2025-2026) covering finance, health, and government services under tailored rules, and full deployment (2026-2027) with cross-sector harmonisation and innovation sandboxes. The $2.4 billion commitment and five-year Scale AI collaboration target 50+ AI-driven government use cases by 2029. MCIT's ethical guidelines require risk-based categorisation, DPIAs for high-impact AI, and Discrimination Impact Assessments — aligning with OECD and UNESCO best practices. Qatar's GovAI Program provides a policy-to-practice playbook, particularly for agentic AI deployment in government.

Bahrain: Sustainability-Led AI Policy

Bahrain announced its National Policy for AI in July 2025 through the Information and eGovernment Authority (iGA). The forthcoming National AI Strategy positions sustainability as a cross-cutting theme — tying AI adoption to both economic growth and environmental protection. Bahrain is ranked highly in the Network Readiness Index 2025 alongside the UAE and Saudi Arabia, suggesting infrastructure readiness that outpaces governance maturity. The governance gap between capability and regulation is perhaps widest here.

Oman: Three-Pillar Approach

Oman's National Program of AI and Advanced Digital Technologies, approved by the Council of Ministers in September 2024, rests on three pillars: promoting and adopting AI in economic sectors, localising AI technologies, and governing AI with a human-centred approach. A draft National Charter for Artificial Intelligence Ethics underwent public consultation in August 2024. Oman's approach is deliberate and consensus-driven — slower than the UAE or Saudi Arabia, but potentially more durable.

Kuwait: Strategy 2025-2028

Kuwait's Draft National AI Strategy 2025-2028 aligns with Kuwait Vision 2035. Short-term 2025 priorities include establishing an AI Centre of Excellence, launching pilot projects in critical sectors, building a centralised data repository, and strengthening digital infrastructure through a sovereign Azure region. Kuwait is the earliest-stage governance environment in the GCC — presenting both risk (limited compliance clarity) and opportunity (ability to shape governance from greenfield).

Cross-Cutting Governance Challenges

Data Sovereignty and Cross-Border Flows

Data sovereignty in the Gulf is not a technical preference — it is a sovereignty expression. The UAE's PDPL requires specific clearance for high-risk cross-border transfers. Banking data must remain onshore with Central Bank approval and customer consent required for any transfer. Saudi Arabia's PDPL imposes more severe restrictions than most international counterparts — data cannot leave the Kingdom without express regulatory clearance via adequacy assessments, standard contractual clauses, or binding corporate rules. The tension between data localisation requirements and cloud-first AI strategies defines a critical governance challenge. Key infrastructure investments — the 5GW Stargate Abu Dhabi campus, Kuwait's sovereign Azure region, Saudi's Humain project — represent sovereign solutions to this tension.

Arabic Language AI: Bias, Representation, and Cultural Alignment

Arabic language AI faces critical governance challenges that Western frameworks do not address. Gender bias is measurably worse in Arabic LLMs than in English counterparts. Educational AI performs significantly worse in Arabic than English for tutoring and feedback. Much Arabic-language training data is translated English content, missing cultural nuances and failing to reflect real-world usage. Right-to-left interface design, content filtering for cultural sensitivity, and dialect diversity (Modern Standard Arabic versus Gulf, Levantine, and Egyptian dialects) create layers of governance complexity. Saudi Arabia's ALLaM model explicitly encodes Islamic values and regional cultural context. The UAE's Falcon provides advanced Arabic processing capabilities. But governance frameworks must catch up: bias audits, cultural sensitivity reviews, and dialect-specific testing are not optional — they are governance requirements. Arabic AI bias is a form of ethical debt that compounds with every unaudited deployment.

• Invest in native Arabic training data — not translated English content that strips cultural context
• Test across dialect groups — MSA, Gulf, Levantine, and Egyptian Arabic produce different bias profiles
• Embed cultural sensitivity review — religious references, gender roles, social customs require specialist assessment
• Conduct Arabic-specific bias audits — Western fairness metrics do not translate directly to Arabic contexts
• Align with SDAIA fairness principles — the closest regional standard for Arabic AI governance

The Sharia and AI Ethics Intersection

AI governance in the Gulf cannot be separated from the ethical traditions that shape the region. The Maqāṣid al-Sharīʻah framework — the objectives of Islamic law — provides a governance lens through five preservations: life, intellect, lineage, wealth, and religion. Tawḥīd (Oneness of God) positions AI as a tool serving divine purpose, not replacing human judgment. ʿAdl (Justice) grounds algorithmic fairness in Islamic justice concepts. Ihṣan (Excellence) establishes quality and benefit as AI development standards. Practical governance implications are immediate: Islamic finance requires Sharīʻah Supervisory Board approval before introducing AI products — a unique governance layer that conventional banking does not face. AI-assisted fatwa issuance raises questions about the role of independent reasoning (ijtihād) that have no parallel in Western governance. Privacy is strongly valued in Islamic teachings — unauthorized access to personal information is considered unethical independently of any regulatory requirement. The gap between scholarly engagement and actual policy frameworks remains wide, but the trajectory is clear.

Workforce Displacement and AI Readiness

The Gulf's AI workforce dynamics are paradoxical. UAE AI hiring grew 39% year-over-year and Saudi 26%, with data scientists in 43% demand growth and AI product managers at 37%. The UAE projects 1+ million new jobs by 2030. But critical STEM education gaps persist, reliance on expatriate talent continues, and routine low-skill activities face the highest displacement exposure. High-skill AI roles are seeing significant wage increases while lower-skill positions face stagnation. National strategies prioritise workforce development but execution gaps remain — a governance challenge that intersects with immigration policy, education reform, and social stability.

Oil, Gas, and Energy Sector AI Governance

The Gulf's energy sector faces a dual AI governance imperative: sustain production in maturing reservoirs while accelerating digital innovation. National oil companies are deploying AI, IoT, drones, and robotics at scale. ADNOC's Neuron 5 and ENERGY.ai platforms represent the shift from experimental pilots to core operational systems. Digital twins provide validated data for AI governance. AI governance committees enforce ethical standards in energy operations. ADNOC's multi-billion commitment to CCUS facilities creates AI governance requirements for emissions compliance. The GCC AI Digital conference in 2026 will convene senior energy decision-makers specifically on AI governance. UAE Federal Decree-Law No. 45 of 2021 and the Saudi PDPL provide the data handling standards, but sector-specific AI governance for energy remains nascent.

Sovereign Wealth Funds and AI Investment Governance

Gulf SWFs deployed $126 billion in 2025, representing 43% of global sovereign investment — with AI as a focal allocation. Saudi Arabia's PIF is the world's most active SWF and the 5th largest globally, reporting to the Council of Economic and Development Affairs with unusual operational independence. The UAE's MGX is a dedicated AI investment fund. PIF's Humain is a national AI champion. PIF targets $300 billion contribution to non-oil GDP. The governance challenges are unique: operational independence creates tensions with transparency and accountability. How SWFs evaluate AI companies and their governance maturity, environmental and social governance of AI infrastructure investments, and cross-border AI investment frameworks are all unresolved questions. Board-level AI governance becomes critical when the "board" manages trillions in sovereign assets.

EU AI Act and Global Frameworks — Impact on Gulf Companies

Does the EU AI Act Apply to Your Gulf Company?

The EU AI Act's extraterritorial scope is unambiguous: it applies to providers placing AI systems on the EU market regardless of where the provider is located, and to deployers outside the EU where AI output is used in the EU. A Dubai-based fintech using AI for European customers falls squarely within scope. An Abu Dhabi AI company providing healthcare diagnostics used in EU hospitals is subject to high-risk provisions. Key enforcement dates: February 2025 for AI literacy and prohibited systems, and December 2, 2027 for high-risk full applicability across healthcare, finance, employment, and critical infrastructure (deferred from August 2026 under the Digital Omnibus; provisional pending formal adoption in the EU Official Journal). Any Gulf company with EU exposure needs compliance architecture now — not when enforcement begins.

Building a Multi-Jurisdictional Governance Stack

Companies operating across multiple Gulf states and serving global markets need a layered governance architecture. The principle: start with the most restrictive jurisdiction and build outward. For most Gulf companies, that means Saudi PDPL as the base layer (strongest data protection enforcement), add DIFC Regulation 10 if DIFC-registered (certification requirements), layer ISO/IEC 42001 for international credibility, add EU AI Act compliance if serving EU markets, and monitor the emerging GCC unified strategy. The NIST AI RMF Practitioner's Crosswalk demonstrates how to map one governance architecture to multiple framework requirements — the approach works equally well for multi-jurisdictional Gulf compliance.

• Layer 1: Saudi PDPL compliance — the strictest data protection baseline in the Gulf. Start here.
• Layer 2: SDAIA AI Ethics Principles — voluntary but increasingly expected. Maps to OECD and UNESCO.
• Layer 3: DIFC Regulation 10 — if DIFC-based, certification is becoming mandatory.
• Layer 4: ISO/IEC 42001 — the international AI management standard for global credibility.
• Layer 5: EU AI Act — if any AI output reaches EU users, full compliance required.
• Layer 6: GCC Unified Strategy — monitor and prepare. When it arrives, it will reshape the regional landscape.

Cross-references: the EU AI Act Strategic Guide provides the comprehensive EU compliance architecture. The NIST Crosswalk demonstrates multi-framework mapping. The OECD AI Principles Guide covers the GCC's alignment framework. The GDPR Compliance Guide addresses the data protection underpinnings. The Third-Party AI Risk Guide covers vendor governance for Gulf companies managing global AI supply chains.

The AskAjay MENA Governance Framework

Five Principles for Gulf AI Governance Leaders

• Governance as competitive advantage, not compliance cost. The Trust Premium applies directly: Gulf organisations that build governance-first AI will command premium market positioning as enforcement matures. Governance is not a tax on innovation — it is the infrastructure that makes innovation sustainable.
• International standards as floor, local requirements as walls. Use NIST AI RMF, ISO 42001, and OECD principles as your governance baseline. Layer UAE, Saudi, or Qatar-specific requirements on top. This creates portable governance that survives jurisdictional changes.
• Cultural alignment as governance requirement. Arabic language bias auditing, Sharīʻah intersection analysis, and cultural sensitivity review are not optional add-ons. They are governance requirements as fundamental as any technical control.
• Sandbox participation as strategic investment. DIFC Accelerator, ADGM RegLab, and NEOM regulatory sandboxes are not bureaucratic exercises. They are early-mover advantages that build compliance muscle before enforcement arrives.
• Enforcement readiness, not enforcement reaction. Saudi Arabia's 48 PDPL decisions signal the direction. Build governance for the enforcement environment of 2027, not the voluntary environment of 2024. The ROI of AI Governance makes the business case your CFO needs.

Your 90-Day MENA AI Governance Roadmap

What Comes Next: The Gulf Governance Trajectory

The next 18 months will be decisive for Gulf AI governance. A unified Gulf AI strategy is under preparation by the GCC General Secretariat. Saudi Arabia's Draft Global AI Hub Law will harden from consultation to legislation. DIFC Regulation 10 enforcement begins in 2026. The EU AI Act's high-risk provisions become fully applicable in December 2027 (Digital Omnibus deferral) — directly impacting Gulf companies with European exposure. Qatar enters Phase 3 (full deployment) in 2026-2027. The organisations that build governance architecture now — before enforcement hardens — will have 12 to 18 months of competitive advantage over those that wait. AskAjay will continue providing MENA-specific governance analysis as these developments unfold. This guide will be updated quarterly.

Situation Room: Your Gulf AI Governance Questions Answered