Central Bank of UAE's AI Guidance: What UAE Financial Institutions Must Do Now

In February 2026, the Central Bank of the UAE released its Guidance Note on Responsible Adoption and Use of AI by Licensed Financial Institutions. This is not aspirational guidance. It is binding direction that applies to every bank, insurance company, and licensed financial institution operating in the UAE.
If you work in compliance, risk management, or IT security at a UAE financial institution, you need to understand what this guidance requires. More importantly, you need to know what your organization must do to comply.
This article breaks down the 10 sections of the CBUAE guidance and translates regulatory language into practical, actionable steps you can take starting today.
Section 1: Definitions — Know What You're Governing
The guidance defines AI broadly. It includes not just obvious machine learning models, but GenAI tools like ChatGPT and Claude that your employees may be using right now without approval.
Your institution must have a clear, documented definition of what counts as an "AI system" under this guidance. This includes third-party tools, internal models, APIs, and any software with embedded machine learning. The key term is "high-impact decision" — defined as any AI-driven determination that materially affects a customer's access to financial products or services. This includes loan decisions, insurance claim approvals, credit scoring, and fraud detection.
Practical Step: Audit your organization and create a register of all AI systems currently in use. This register should include off-the-shelf tools (ChatGPT, Claude, etc.) and any internal models. For each system, document whether it falls into the "high-impact" category.
Section 2: Governance and Accountability — Build the Framework
The CBUAE requires a documented governance framework for AI. This is not optional. The framework must be commensurate with your institution's size and complexity.
- Your Board of Directors is accountable for AI governance
- Senior management must oversee model selection, deployment, and ongoing monitoring
- You cannot use AI models you don't control
- Regular reporting to the Board and senior management is required
- Risk management, compliance, and audit functions must understand AI systems and be able to challenge outcomes
Practical Steps:
Step 1: Establish an AI Governance Committee. This committee should include representatives from compliance, risk management, IT security, and business lines. Assign clear ownership.
Step 2: Document your AI governance policy. This policy should outline how AI systems are selected, evaluated, deployed, and monitored. Make it specific to your institution.
Step 3: Create an inventory of all AI systems. For each system, document: name, purpose, risk rating (low/medium/high), owner, and monitoring frequency. The CBUAE expects this inventory to exist and be current.
Step 4: Establish a reporting cadence to the Board. The CBUAE expects regular reporting on AI performance and risk. Define what "regular" means for your organization — monthly, quarterly, or semi-annually.
Step 5: Define the approval process for new AI systems. Before any AI system is deployed, it should be reviewed and approved by your AI governance committee.

Section 3: Fairness and Non-Discrimination — Test for Bias
The guidance explicitly prohibits deploying AI systems that create discriminatory or biased outcomes. If an AI system develops bias after deployment, you must address it immediately.
Practical Steps:
Step 1: Assess the data used to train your AI systems. Is it representative? Does it contain historical biases? Document your findings.
Step 2: Conduct bias testing. If you have high-risk AI systems (credit decisions, hiring, fraud detection), engage a third party to test for discriminatory outcomes. The CBUAE will expect evidence of this testing during audits.
Step 3: Document remediation efforts. If bias is found, document the steps you took to address it. This demonstrates good-faith compliance.
Step 4: Schedule annual bias testing. Make it part of your compliance calendar.
Section 4: Transparency and Explainability — Customers Must Understand
The guidance requires your institution to be transparent about AI usage, particularly for high-impact decisions. Customers must understand how AI decisions are made and have the right to challenge those decisions.
Practical Steps:
Step 1: Audit your customer-facing materials. If your institution uses AI in loan decisions, credit decisions, or insurance underwriting, customers need to know this.
Step 2: Create plain-language disclosure templates. These should explain what AI is being used and how it affects the customer's outcome.
Step 3: Establish a human review process. Customers should be able to request that a human review an AI-driven decision.
Step 4: Provide all customer-facing AI disclosures in both Arabic and English.
Section 5: Data Quality, Privacy, and Security
The guidance emphasizes that AI is only as good as the data it uses. Your institution must ensure data quality, compliance with the UAE Personal Data Protection Law (PDPL), and security.
Practical Steps:
Step 1: Conduct a data audit. Verify the quality of data used in your AI systems. Are there gaps? Is it current? Document your findings.
Step 2: Verify PDPL compliance. Ensure that personal data used in AI systems is being collected, stored, and processed in compliance with the UAE Personal Data Protection Law.
Step 3: Implement access controls. Limit who can access the data used in AI systems. Use role-based access controls and audit logs.
Step 4: Establish data retention policies. The CBUAE expects you to know how long data is retained and why. If data is no longer needed, delete it.
Step 5: Test for resilience. Run stress tests on your AI systems to ensure they operate reliably under various conditions.
One area of particular concern: employee usage of external AI tools (ChatGPT, Claude, etc.). If your employees are sharing customer data or financial information with these tools without approval, you are exposing personal data in uncontrolled environments. The CBUAE will expect you to demonstrate control over this. SilentGuard helps institutions prevent unauthorized data sharing with external AI tools, providing real-time visibility and blocking sensitive data before it leaves your organization.
Section 6: Continuous Monitoring and Review
The guidance requires ongoing monitoring of all AI systems. This is not a one-time audit. It is continuous oversight.
Practical Steps:
Step 1: Define monitoring metrics for each AI system. What performance metrics matter? (Accuracy, fairness, speed, etc.) Document these.
Step 2: Establish monitoring frequency. How often will you review each system? High-risk systems should be reviewed more frequently than low-risk ones.
Step 3: Engage third parties. At least annually, have an independent third party assess your AI systems. This demonstrates compliance to regulators.
Step 4: Create an update management process. If vendors push updates to AI systems you use, test them before deploying. Document the testing.
Step 5: Set up alerts. If an AI system's performance degrades, you should know immediately. Implement monitoring that alerts your team to issues.
Section 7: Human Oversight and Consumer Protection — Humans in the Loop
The guidance distinguishes between three levels of human oversight: human-in-the-loop, human-on-the-loop, and human-out-of-the-loop. The level required depends on the risk posed by the AI decision.
Practical Steps:
Step 1: Classify your AI systems by risk level. High-risk decisions (loans, credit, insurance) require human-in-the-loop. Low-risk decisions (fraud flags) may allow human-on-the-loop or human-out-of-the-loop.
Step 2: Design human review workflows. For each high-risk AI system, document the human review process. How long does review take? Who reviews? What authority do they have?
Step 3: Train your team. Staff who review AI-driven decisions need to understand what the AI does and how to challenge outcomes.
Step 4: Document escalation procedures. If a customer disputes an AI decision, how does that escalate? Who reviews it?
Step 5: Publish your complaint procedures. Make sure customers know how to challenge AI decisions.
Section 8: Integration with Existing Frameworks — Align with Risk Management
AI governance should not operate in isolation. It must be integrated into your institution's broader risk management framework.
Practical Steps:
Step 1: Map AI risks to your existing risk management framework. Does your institution have a conduct risk function? Enterprise risk function? Map AI risks to existing categories.
Step 2: Include AI in risk reporting. If you report on operational risk or conduct risk, include AI-related incidents.
Step 3: Align with existing policies. Your data protection policy, conflict-of-interest policy, and third-party vendor management policies should address AI.
Step 4: Conduct a risk assessment for each AI system. Document the risks, controls, and residual risk for each system.
Section 9: Outsourcing and Third-Party Risk — Manage Your Vendors
Many financial institutions rely on third-party vendors for AI tools, models, or hosting. The CBUAE holds you, not the vendor, responsible for third-party AI.
Practical Steps:
Step 1: Audit your third-party AI vendors. What models or tools are you using? What are the vendor's governance and security practices?
Step 2: Review your vendor contracts. Do they include audit rights? Information access? Compliance with CBUAE standards? If not, renegotiate.
Step 3: Conduct due diligence before engaging a new vendor. Review their AI governance, data protection practices, cybersecurity posture, and regulatory compliance.
Step 4: Diversify. If you rely on a single vendor for critical AI functions, consider a second vendor for redundancy.
Step 5: Schedule vendor reviews. Conduct cybersecurity and compliance reviews of AI vendors annually.
Section 10: Ethical Collaboration and Innovation — Lead the Industry
The final section encourages financial institutions to collaborate with peers, regulators, and industry bodies to advance responsible AI practices.
Practical Steps:
Step 1: Engage with regulators. The CBUAE expects institutions to reach out for clarification on the guidance. If you have questions, ask them.
Step 2: Participate in industry forums. The UAE AI sandbox program may be relevant to your institution. Consider joining.
Step 3: Share knowledge internally. Document your compliance efforts and share lessons learned across your organization.
Step 4: Stay informed. Designate someone on your team to monitor AI developments and regulatory changes.
How SilentGuard Enables CBUAE Compliance
As financial institutions navigate this guidance, one practical challenge stands out: how do you maintain visibility and control over employee usage of external AI tools?
SilentGuard addresses this directly. The platform detects sensitive financial data and personal information in real time, preventing it from being shared with external AI tools. Every interaction is logged and auditable, giving your compliance team the visibility the CBUAE requires. SilentGuard provides:
- Real-time detection of sensitive data before it reaches external AI platforms
- Audit-ready logging of all AI interactions
- Visibility into which employees are using which AI tools and what data they're accessing
- Automatic redaction of sensitive information, allowing employees to remain productive while maintaining security
- Compliance documentation ready for regulatory review
The CBUAE guidance makes clear that responsible AI adoption requires both enablement and control. Your team needs to use AI tools to compete. But you need visibility and protection to comply.
SilentGuard bridges that gap.
Book a demo to see how SilentGuard can help with visibility and control over external AI tool usage.