Authored By: Hanaan Kasargod
Middlesex University Dubai
Introduction
Recent years have seen a rapid increase in AI adoption across various industries in the UAE. AI is increasingly being integrated into core business operations. While AI adoption has led to operational benefits and a major increase in efficiency and performance for firms across the UAE, it has also exposed these firms to emerging legal and compliance risks, as governance mechanisms continue to develop more slowly than AI adoption itself. This article examines the issue of AI adoption in DIFC businesses, which is expanding faster than governance systems, thereby creating emerging compliance, transparency, and operational risks. It evaluates how DIFC Regulation 10 addresses these concerns.
AI Adoption in DIFC Businesses
According to DFSA, AI adoption among DIFC firms rose from 33% in 2024 to 52% in 2025.[1] Furthermore, according to McKinsey’s State of AI survey, 88 percent of respondents report regular use of AI in at least one business function.[2] This demonstrates that businesses are becoming increasingly reliant on AI and are continuing to integrate AI into core business functions. ‘Major drivers of AI adoption include increased efficiency gains, improved analytics, and enhanced performance’,[3] which suggests that businesses increasingly value operational efficiency, improved output quality, and resource optimisation through the integration of AI systems. Furthermore, AI adoption is expanding across multiple business functions. Two-thirds of respondents in McKinsey’s State of AI survey say their organizations use AI in more than one function, and half report using AI in three or more functions.[4] According to DFSA, the number of firms deploying AI across a considerable share of their business operations has tripled from 2024 to 2025.[5] This indicates that AI is no longer limited to a specific function and is seen as more than just an experimental tool. AI systems are becoming increasingly significant to commercial decision-making and core operations. Another important factor is the areas in which the firms are deploying AI. ‘79% of AI use cases in the DIFC remain focused on internal operations, such as human resources, legal, finance, and internal control systems. External-facing applications, such as customer engagement and sales, remain less common.’[6] This suggests that firms primarily use AI internally rather than in customer-facing functions, as internal deployment is generally seen as lower risk. This further reveals that firms remain cautious about deploying AI externally due to governance and accountability concerns. It also indicates that governance frameworks are still in an experimental stage.
III. Emerging Governance and Compliance Risks
While AI adoption delivers operational benefits, it can also generate harmful outcomes that may give rise to legal and regulatory liability for businesses. For example, Microsoft’s Tay chatbot reportedly generated toxic outputs after being trained on unregulated datasets.[7] 51% of the respondents from organisations using AI in McKinsey’s survey reported at least one instance of a negative consequence.[8] This indicates that continued adoption of AI, in the absence of clear governance mechanisms, can expose businesses to legal and compliance risks.
Transparency and Explainability Risks
One of the most commonly reported risks, according to McKinsey’s survey, is explainability.[9] This suggests that while businesses are rapidly adopting AI, they are unable to explain the reasoning behind automated decision-making processes. This further creates transparency issues, which limit effective human oversight and, in turn, increase the risk of unreviewable outcomes. These risks can be observed more significantly in contexts such as employment screening, fraud detection, credit decisions, and access control, where outputs can considerably impact individual rights.[10] This exposes businesses to legal vulnerabilities, especially when they are unable to justify or review automated decisions.
Privacy Risks
AI systems operate at a large scale,[11] often processing sensitive personal data and engaging in profiling activities. This increases potential privacy risks to data subjects due to the scale and nature of automated decision-making, which may result in significant impacts on individual and data protection rights.
Bias and Discriminatory Outcomes
Flaws in the decision-making of AI models can lead to highly unfair outcomes. For example, the AI COMPAS model reportedly exhibited bias that led to unjust criminal prosecution.[12] This suggests that AI models relying on personal characteristics and biased datasets can make decisions based on such inherited bias, which can lead to discriminatory outcomes that can significantly impact an individual’s rights. This can result in individuals losing opportunities and livelihoods. This can further expose businesses to legal liabilities arising from the damaging impact on individuals’ rights. This also indicates a need for human intervention to prevent bias and discriminatory outcomes.
Third-Party and Operational Risks
According to DFSA, the majority of firms in the UAE rely on third-party developers to develop and implement their AI applications.[13] This indicates that many businesses do not fully control or understand the AI systems they deploy, which highlights structural concentration risks within interconnected digital ecosystems.[14] It also implies that businesses may be unable to detect errors, bias, and system failures, or effectively assess compliance risks arising from externally developed systems, which may result in operational disruptions. Such reliance may expose businesses to significant operational and supply chain risks. This is particularly significant as businesses are still legally held accountable for AI models developed or operated by third parties. This suggests a strong need for strengthening third-party risk management frameworks.
DIFC Regulation 10 Response
While these legal and compliance risks continue to emerge, DFSA reports that 21% of firms lack clear accountability mechanisms for AI governance, and 11% of firms using AI across significant areas of the business do not have any governance frameworks in place.[15] This indicates a gap between AI adoption and implementation of AI governance frameworks. AI governance frameworks help mitigate emerging compliance risks and promote the safe and ethical use of AI, while ensuring that it does not limit AI innovation. DIFC Regulation 10 provides a framework for businesses to mitigate emerging risks before deploying any such AI system.[16]
Transparency Obligations
Under DIFC Regulation 10,[17] ‘firms using any autonomous systems are required not only to inform users that such systems are being used but also to provide enough information to allow individuals to properly evaluate the associated risks and impacts on their personal rights. This indicates that transparency is a core component of DIFC Regulation 10.’ [18] This further suggests that the Regulation expects the businesses deploying AI systems to be well-informed and fully understand the algorithms, functioning, principles, safeguards, limitations, and outputs of the systems they use.[19] This ensures transparency, a logical decision-making process used by the AI systems, and effective human oversight. This also helps mitigate any explainability risks and reduces the likelihood of biased, discriminatory, harmful, or negative outcomes that may arise from AI systems.
Accountability Frameworks
‘Regulation 10 prohibits the commercial use of autonomous systems to conduct High Risk Processing Activities unless such systems comply with audit and certification requirements and an Autonomous Systems Officer has been appointed.’ [20] It also requires Accredited Certification Bodies to assess and certify such systems. [21] This indicates that the Regulation prioritises the implementation of internal governance frameworks and external oversight regularly to continually monitor the systems. The Regulation also requires information regarding third parties involved in the processing or operational activities of AI systems.[22]This reflects an attempt to promote effective internal AI governance, risk assessments and documentation to ensure greater accountability and transparency. Such measures help mitigate the likelihood of third-party and operational risks arising from the deployment of externally developed or insufficiently monitored AI systems.
Data Protection Impact Assessments
Regulation 10 made it mandatory to conduct a Data Protection Impact Assessment (“DPIA”) when High Risk Processing Activities are undertaken.[23] ‘The DPIA is a living document, which must be completed before the High-Risk Processing Activity begins, revisited if any changes arise, and made available to the Commissioner upon request.’[24] Such detailed documentation ensures oversight and monitoring of the AI system throughout its deployment and operations. This compels businesses to assess necessity, proportionality, potential risks, and impact, and address them with concrete measures before deployment. This helps mitigate compliance and operational risks arising from issues of transparency, privacy, and accountability.
Human Oversight and Intervention:
Regulation 10 compels human oversight and intervention at every stage of the deployment and operation of the AI systems. It promotes ‘regular audits of systems, outcomes and logs, training for staff on interpreting automated inputs, and vendor and third-party management.’[25] The Regulation emphasises external review, regular consultations with the Commissioner and detailed documentation regarding human intervention mechanisms. ‘One of the key provisions of Regulation 10 is to mitigate risks to fundamental rights by ensuring meaningful human review of automated outputs and decisions.’[26] This reflects an attempt to prevent fully unchecked automated decision-making, which helps reduce the likelihood of harmful, biased, or discriminatory outcomes by regular human monitoring. This ensures an effective and ethical use of AI systems.
Regulatory Challenges and Future Considerations
While DIFC Regulation 10 attempts to bridge the gap between rapid AI adoption and AI governance by providing a structured governance framework. Its effectiveness ultimately depends on whether firms have clear internal policies, expertise, and mechanisms for AI governance and regulatory compliance. This creates several regulatory and operational challenges that firms may continue to face in the future.
Regulatory Uncertainty
DFSA reports that the firms’ key challenges in adopting AI were regulatory uncertainty and the lack of expertise on the topic. 526 firms called for clarification of how existing regulations apply to AI, while 459 firms requested practical guidance on AI use, governance, and related compliance policies.[27] This highlights that one of the key challenges lies not in the lack of governance frameworks but in the effective implementation of those frameworks. Businesses may find it difficult to integrate AI governance frameworks into their existing structures and may be unaware of how these policies work. This indicates a strong need for practical regulatory guidance and specialized expertise to help firms in the implementation of AI governance frameworks.
Need for Harmonisation
DFSA reports that firms have requested the harmonisation of regulatory expectations across the UAE financial sector.[28] This reflects the concern of fragmented regulatory expectations and the lack of consistent AI governance standards across different regulatory bodies in the UAE. As a result, firms may face difficulties navigating different regulatory requirements when deploying AI systems across the UAE. This creates a need for harmonisation of these expectations and development of new AI-specific regulatory regimes.
Governance Gap:
Despite the development of AI governance frameworks such as DIFC Regulation 10, AI adoption continues to expand at a faster pace than the implementation of AI governance. According to McKinsey’s survey, a larger share of respondents reported AI use by their organizations, though most have yet to scale the technologies.[29] DFSA reports 11% of firms using AI do not have any governance frameworks in place.[30] This reflects a major gap in which businesses are integrating AI into operations before developing sufficient internal expertise, mechanisms, and oversight. As AI systems continue to integrate into businesses, the governance structures must continue to evolve alongside AI adoption.
Conclusion
In conclusion, AI adoption in businesses has been significantly increasing, and while it has increased overall efficiency and performance, the governance structures have struggled to keep pace with it. This article demonstrates that emerging risks relating to transparency, privacy, bias, and third-party systems have exposed businesses across the UAE to major legal vulnerabilities. DIFC Regulation 10 addresses these risks through a structured governance framework using accountability systems, risk assessments, effective oversight, regular external review, and prioritising transparency. However, the article demonstrates that the effectiveness of these frameworks depends on the actual implementation of these governance frameworks. This creates a growing need for specialized expertise, clear regulatory guidance, and harmonization of AI governance expectations across the UAE.
Bibliography
Primary sources
Legislation
Data Protection Regulations (Consolidated Version No. 2) 2023 (DIFC), reg 10
Secondary Sources
Clyde & Co, ‘Regulation 10 of the DIFC Data Protection Law’ (Clyde & Co,14 January 2026) <https://sites-clydeco.vuturevx.com/252/21485/uploads/regulation-10-of-the-difc-data-protection-law.pdf> accessed 25 May 2026
Dubai Financial Services Authority, ‘DFSA Artificial Intelligence Survey 2025: An overview of regulatory insights and trends in financial services in the DIFC’ (DFSA, 2025) <https://365343652932-web-server-storage.s3.eu-west-2.amazonaws.com/files/4317/6284/9776/DFSA_Artificial_Intelligence_Survey_2025_Final.pdf> accessed 25 May 2026
McKinsey & Company, ‘The state of AI in 2025: Agents, innovation, and transformation’ (McKinsey, 5 November 2025) <https://www.mckinsey.com/capabilities/quantumblack/our-insights/the-state-of-ai> accessed 25 May 2026
Mucci T, ‘What is AI governance?’ (IBM, 10 October 2024) <https://www.ibm.com/think/topics/ai-governance> accessed 25 May 2026
[1] Dubai Financial Services Authority, ‘DFSA Artificial Intelligence Survey 2025: An overview of regulatory insights and trends in financial services in the DIFC’ (DFSA, 2025) <https://365343652932-web-server-storage.s3.eu-west-2.amazonaws.com/files/4317/6284/9776/DFSA_Artificial_Intelligence_Survey_2025_Final.pdf> accessed 25 May 2026.
[2] McKinsey & Company, ‘The state of AI in 2025: Agents, innovation, and transformation’ (McKinsey, 5 November 2025) <https://www.mckinsey.com/capabilities/quantumblack/our-insights/the-state-of-ai> accessed 25 May 2026.
[3] Dubai Financial Services Authority, ‘DFSA Artificial Intelligence Survey 2025: An overview of regulatory insights and trends in financial services in the DIFC’ (DFSA, 2025) <https://365343652932-web-server-storage.s3.eu-west-2.amazonaws.com/files/4317/6284/9776/DFSA_Artificial_Intelligence_Survey_2025_Final.pdf> accessed 25 May 2026.
[4] McKinsey & Company, ‘The state of AI in 2025: Agents, innovation, and transformation’ (McKinsey, 5 November 2025) <https://www.mckinsey.com/capabilities/quantumblack/our-insights/the-state-of-ai> accessed 25 May 2026.
[5] Dubai Financial Services Authority, ‘DFSA Artificial Intelligence Survey 2025: An overview of regulatory insights and trends in financial services in the DIFC’ (DFSA, 2025) <https://365343652932-web-server-storage.s3.eu-west-2.amazonaws.com/files/4317/6284/9776/DFSA_Artificial_Intelligence_Survey_2025_Final.pdf> accessed 25 May 2026.
[6] Dubai Financial Services Authority, ‘DFSA Artificial Intelligence Survey 2025: An overview of regulatory insights and trends in financial services in the DIFC’ (DFSA, 2025) <https://365343652932-web-server-storage.s3.eu-west-2.amazonaws.com/files/4317/6284/9776/DFSA_Artificial_Intelligence_Survey_2025_Final.pdf> accessed 25 May 2026.
[7] Tim Mucci, ‘What is AI governance?’ (IBM, 10 October 2024) <https://www.ibm.com/think/topics/ai-governance> accessed 25 May 2026.
[8] McKinsey & Company, ‘The state of AI in 2025: Agents, innovation, and transformation’ (McKinsey, 5 November 2025) <https://www.mckinsey.com/capabilities/quantumblack/our-insights/the-state-of-ai> accessed 25 May 2026.
[9] McKinsey & Company, ‘The state of AI in 2025: Agents, innovation, and transformation’ (McKinsey, 5 November 2025) <https://www.mckinsey.com/capabilities/quantumblack/our-insights/the-state-of-ai> accessed 25 May 2026.
[10] Clyde & Co, ‘Regulation 10 of the DIFC Data Protection Law’ (Clyde & Co,14 January 2026) <https://sites-clydeco.vuturevx.com/252/21485/uploads/regulation-10-of-the-difc-data-protection-law.pdf> accessed 25 May 2026.
[11] Clyde & Co, ‘Regulation 10 of the DIFC Data Protection Law’ (Clyde & Co,14 January 2026) <https://sites-clydeco.vuturevx.com/252/21485/uploads/regulation-10-of-the-difc-data-protection-law.pdf> accessed 25 May 2026.
[12] Tim Mucci, ‘What is AI governance?’ (IBM, 10 October 2024) <https://www.ibm.com/think/topics/ai-governance> accessed 25 May 2026.
[13] Dubai Financial Services Authority, ‘DFSA Artificial Intelligence Survey 2025: An overview of regulatory insights and trends in financial services in the DIFC’ (DFSA, 2025) <https://365343652932-web-server-storage.s3.eu-west-2.amazonaws.com/files/4317/6284/9776/DFSA_Artificial_Intelligence_Survey_2025_Final.pdf> accessed 25 May 2026.
[14] Dubai Financial Services Authority, ‘DFSA Artificial Intelligence Survey 2025: An overview of regulatory insights and trends in financial services in the DIFC’ (DFSA, 2025) <https://365343652932-web-server-storage.s3.eu-west-2.amazonaws.com/files/4317/6284/9776/DFSA_Artificial_Intelligence_Survey_2025_Final.pdf> accessed 25 May 2026.
[15] Dubai Financial Services Authority, ‘DFSA Artificial Intelligence Survey 2025: An overview of regulatory insights and trends in financial services in the DIFC’ (DFSA, 2025) <https://365343652932-web-server-storage.s3.eu-west-2.amazonaws.com/files/4317/6284/9776/DFSA_Artificial_Intelligence_Survey_2025_Final.pdf> accessed 25 May 2026.
[16] Clyde & Co, ‘Regulation 10 of the DIFC Data Protection Law’ (Clyde & Co,14 January 2026) <https://sites-clydeco.vuturevx.com/252/21485/uploads/regulation-10-of-the-difc-data-protection-law.pdf> accessed 25 May 2026.
[17] Data Protection Regulations (Consolidated Version No. 2) 2023 (DIFC), reg 10.
[18] Clyde & Co, ‘Regulation 10 of the DIFC Data Protection Law’ (Clyde & Co,14 January 2026) <https://sites-clydeco.vuturevx.com/252/21485/uploads/regulation-10-of-the-difc-data-protection-law.pdf> accessed 25 May 2026.
[19] Data Protection Regulations (Consolidated Version No. 2) 2023 (DIFC), reg 10.2.2.
[20] Clyde & Co, ‘Regulation 10 of the DIFC Data Protection Law’ (Clyde & Co,14 January 2026) <https://sites-clydeco.vuturevx.com/252/21485/uploads/regulation-10-of-the-difc-data-protection-law.pdf> accessed 25 May 2026.
[21] Data Protection Regulations (Consolidated Version No. 2) 2023 (DIFC), reg 10.3.3.
[22] Data Protection Regulations (Consolidated Version No. 2) 2023 (DIFC), reg 10.2.2.
[23] Clyde & Co, ‘Regulation 10 of the DIFC Data Protection Law’ (Clyde & Co,14 January 2026) <https://sites-clydeco.vuturevx.com/252/21485/uploads/regulation-10-of-the-difc-data-protection-law.pdf> accessed 25 May 2026.
[24] Clyde & Co, ‘Regulation 10 of the DIFC Data Protection Law’ (Clyde & Co,14 January 2026) <https://sites-clydeco.vuturevx.com/252/21485/uploads/regulation-10-of-the-difc-data-protection-law.pdf> accessed 25 May 2026.
[25] Clyde & Co, ‘Regulation 10 of the DIFC Data Protection Law’ (Clyde & Co,14 January 2026) <https://sites-clydeco.vuturevx.com/252/21485/uploads/regulation-10-of-the-difc-data-protection-law.pdf> accessed 25 May 2026.
[26] Clyde & Co, ‘Regulation 10 of the DIFC Data Protection Law’ (Clyde & Co,14 January 2026) <https://sites-clydeco.vuturevx.com/252/21485/uploads/regulation-10-of-the-difc-data-protection-law.pdf> accessed 25 May 2026.
[27] Dubai Financial Services Authority, ‘DFSA Artificial Intelligence Survey 2025: An overview of regulatory insights and trends in financial services in the DIFC’ (DFSA, 2025) <https://365343652932-web-server-storage.s3.eu-west-2.amazonaws.com/files/4317/6284/9776/DFSA_Artificial_Intelligence_Survey_2025_Final.pdf> accessed 25 May 2026.
[28] Dubai Financial Services Authority, ‘DFSA Artificial Intelligence Survey 2025: An overview of regulatory insights and trends in financial services in the DIFC’ (DFSA, 2025) <https://365343652932-web-server-storage.s3.eu-west-2.amazonaws.com/files/4317/6284/9776/DFSA_Artificial_Intelligence_Survey_2025_Final.pdf> accessed 25 May 2026.
[29] McKinsey & Company, ‘The state of AI in 2025: Agents, innovation, and transformation’ (McKinsey, 5 November 2025) <https://www.mckinsey.com/capabilities/quantumblack/our-insights/the-state-of-ai> accessed 25 May 2026.
[30] Dubai Financial Services Authority, ‘DFSA Artificial Intelligence Survey 2025: An overview of regulatory insights and trends in financial services in the DIFC’ (DFSA, 2025) <https://365343652932-web-server-storage.s3.eu-west-2.amazonaws.com/files/4317/6284/9776/DFSA_Artificial_Intelligence_Survey_2025_Final.pdf> accessed 25 May 2026.





