The UAE central bank's February 2026 AI Guidance Note is framed as flexible principles. A close reading shows its force comes from three binding instruments it is wired into, and from the evidence examiners can now ask for.
In February 2026, the Central Bank of the UAE issued its Guidance Note on the Consumer Protection and Responsible Adoption and Use of Artificial Intelligence and Machine Learning by Licensed Financial Institutions. It applies to every institution the CBUAE supervises: banks, insurers, exchange houses, finance companies, and payment service providers. It is the most specific instrument any Gulf central bank has published on AI to date.
Most of the commentary since has taken one of two positions. Vendors selling compliance software describe it as a binding mandate with immediate examination consequences. Skeptics point out that it is, by its own terms, a set of flexible principles rather than a regulation, and conclude that institutions can file it away.
Both readings miss how the document actually works. The Guidance Note is voluntary on its face. Its force comes from what it is wired into.
Three cross-references that matter more than the principles
Read the text closely and a pattern emerges. At nearly every point where the guidance could have stated a soft expectation, it instead points to an instrument that already binds.
First, the Model Management Standards. The guidance states that the governance, usage, and validation of AI in licensed financial institutions should follow the principles of the CBUAE's Model Management Standards, issued in 2022. Those standards are not new, and they are not optional for the institutions they cover. What the guidance does is settle an open question: AI and machine learning models sit inside the model risk framework that examiners already test against. An institution that treated its chatbot, its credit scoring model, or its fraud detection system as something separate from its model inventory no longer has that argument available.
Second, the Consumer Protection Regulation. The guidance requires that consumers be able to request human review of AI-generated decisions, and it anchors complaints and redress in Article 8 of the Consumer Protection Regulation. That regulation carries enforcement history. An AI-driven decision that a customer cannot challenge is now legible to the CBUAE as a conduct failure under an existing regime, not a gap in a future one.
Third, the Outsourcing Regulation. For third-party AI, the guidance points to section 4.7 of the Model Management Standards and to the Outsourcing Regulation for Banks. Due diligence on AI vendors, contractual audit and information rights, and annual independent cybersecurity reviews of procured AI are framed as extensions of obligations institutions already carry.
This is how principles-based supervision works in practice. The CBUAE did not need to write a new binding rule, because the binding rules already exist. The Guidance Note tells institutions, and examiners, how those rules apply to AI.
What the document actually asks for
Strip away the framing and the operational asks are concrete. Boards and senior management are accountable for AI outcomes, and the guidance is blunt on one point: institutions "should not employ AI models that they have no control over." That single line has implications for every institution running a third-party large language model it cannot inspect.
Institutions should maintain an inventory of all AI models and systems, whether built in-house or procured, with model name, purpose, and risk rating as minimum metadata. Each system should carry a documented risk rating that feeds the enterprise risk framework. Deployed AI should be tested for bias at least annually, and again whenever a model is upgraded or materially changed.
The transparency requirements deserve more attention than they have received. Disclosures about AI use must be made in plain language in both Arabic and English, with telephone support available in the major languages spoken in the UAE. For a sector where model documentation, vendor materials, and governance frameworks are written almost entirely in English, producing accurate, understandable Arabic-language AI disclosures is not a translation task. It is a governance task, and very few institutions have built for it.
The guidance also defines three modes of human oversight: human-in-the-loop, where a person retains full decision authority; human-on-the-loop, where AI operates routinely under human monitoring; and human-out-of-the-loop, which the guidance reserves for low-risk, non-material processes only. Institutions are expected to match the oversight mode to the consumer risk of each system, and to retain at all times the clear and immediate ability to shut an AI system down through human intervention. An examiner can test that capability with one question: who can switch it off, and how fast.
Generative AI is explicitly in scope. The definitions cover large language models by name, which means the customer-facing chatbot deployed in 2025 falls under the same inventory, testing, and oversight expectations as a credit model.
What examination will look like
The CBUAE supervises through periodic examination cycles, and guidance of this kind shapes what examiners ask long before any new regulation arrives. The practical question for a compliance or risk officer is not whether the Guidance Note is technically binding. It is what evidence the institution can produce when the questions come.
The text itself describes the evidence. A documented governance framework proportionate to the institution's size and complexity. A complete model inventory with risk ratings. Records of annual bias testing and of testing after material model changes. Board and senior management reporting on AI performance and risk. Contracts with AI vendors that contain audit rights and information rights. Documentation of why each third-party provider was selected. Arabic and English disclosure materials. A complaints channel that customers can actually find. A demonstrated kill switch.
None of this is satisfied by a policy document. The guidance is explicit that AI risk management should be integrated into the enterprise-wide risk framework rather than operating in isolation, and that control functions, including compliance and internal audit, should be able to understand and challenge AI-driven processes. A binder of principles that the engineering and data teams have never read will not survive a competent examination conversation, and supervisors in every market have learned to recognize it.
The regional signal
The timing is worth registering. The European Union spent the spring negotiating a delay to its AI Act, with high-risk obligations now set to move to late 2027 under the political agreement reached in May. In the same window, the CBUAE issued sector-specific AI guidance with immediate practical effect, joining the Qatar Central Bank's AI guideline and the ADGM's rulebook provisions on AI and big data. Saudi Arabia's cabinet designated 2026 the Year of Artificial Intelligence, with a dedicated AI law under development at SDAIA, the Saudi Data and Artificial Intelligence Authority.
The pattern is consistent: in the Gulf, AI governance is arriving through financial supervisors rather than through omnibus legislation, and it is arriving now, not in 2027. For institutions, this is an advantage if they treat it as one. An AI governance system built to the CBUAE's specification, with a live inventory, documented testing, and real oversight, is the same infrastructure that satisfies vendor due diligence questionnaires, supports ISO 42001 alignment, and answers the questions European counterparties will eventually ask under the EU AI Act. Build it once, against the most demanding specification available, and every subsequent regulatory conversation gets shorter.
The institutions that wait for the guidance to harden into regulation will build the same system later, under examination pressure, at higher cost. The ones that build now turn a supervisory expectation into procurement and market access infrastructure.
What to watch
Two developments will determine how quickly expectations firm up. The first is whether AI-related findings begin appearing in CBUAE examination reports over the next 12 months, which would confirm that the guidance has entered supervisory practice. The second is the Saudi AI law, which, if it follows SDAIA's signaling on risk-based classification and registration duties, would make the CBUAE's approach look like the gentle version of what is coming to the region's largest market.
If your institution is working through what this guidance means for its AI inventory, testing program, or vendor contracts, get in touch.
Primary source: CBUAE Rulebook, Guidance Note on the Consumer Protection and Responsible Adoption and Use of Artificial Intelligence and Machine Learning by Licensed Financial Institutions in the U.A.E., issued February 2026. Read alongside the CBUAE Model Management Standards (2022), the Consumer Protection Regulation, and the Outsourcing Regulation for Banks.