Operationalizing CBUAE Responsible AI Guidance

PDI Partners Advisory

05 Jun, 2026

Executive Summary

The Central Bank of the UAE (CBUAE) has issued guidance reinforcing consumer protection and sound market conduct expectations for the use of artificial intelligence (AI) and machine learning (ML) by Licensed Financial Institutions (LFIs). The guidance emphasizes practical safeguards—fairness and non-discrimination, transparency and explainability, data privacy and security, ongoing monitoring, and meaningful human oversight—particularly where AI influences customer interactions or material decisions.

As a supervisory Guidance Note, these expectations set clear requirements for how LFIs should design, deploy, and operate consumer-impacting AI/ML use cases. The guidance is closely aligned with enforceable regulatory obligations, including the Model Management Standards and the Consumer Protection Regulation. Failure to embed these principles into internal policies, controls, and governance arrangements may therefore expose institutions to regulatory, conduct, and reputational risk.

This paper outlines how LFIs can operationalize CBUAE’s Responsible AI expectations using the Three Lines of Defense (3LoD) model, clarifying accountability across business, risk, and assurance functions and enabling consistent oversight across the AI lifecycle.


Operationalizing Responsible AI through the Three Lines of Defense

Effective and compliant adoption of AI depends on clear ownership, structured governance, and proportionate controls. Applying the Three Lines of Defense model enables institutions to identify, manage, and independently challenge AI-related risks, while embedding transparency, accountability, and assurance across design, deployment, and ongoing operation.

First Line of Defense: Business & Technology

Ownership, Implementation, and Control

Business units, product teams, distribution channels, and technology delivery functions are accountable for ensuring that AI/ML use cases produce fair customer outcomes and comply with consumer protection expectations. This responsibility is most critical where AI is used in customer-facing activities, including marketing, onboarding, suitability assessments, pricing, credit or claims decisions, and complaints handling.

Key first-line responsibilities include:

  • Human Oversight: AI-enabled workflows should be designed based on consumer risk. High-impact or material decisions must incorporate human-in-the-loop controls with clear decision authority. Fully automated decisioning should be limited to low-risk, non-material activities.
  • Transparency and Consumer Disclosure: Customers should be clearly and promptly informed when AI is used, particularly where it influences outcomes. Disclosures should be in plain language, available in both Arabic and English, and support informed consent. Customers must have a clear and accessible path to request human assistance. Where applicable, disclosures should reflect Sharia-compliant product considerations.
  • AI Use-Case Inventory: The first line should maintain a centralized and current register of all consumer-impacting AI/ML use cases, including third-party solutions. The register should capture purpose, customer touchpoints, disclosure requirements, oversight mechanisms, and consumer impact. Use cases qualifying as models should be governed in accordance with CBUAE Model Management Standards.
  • Responsible Customer Engagement: AI-enabled sales, marketing, and interaction tools should promote suitable products, support informed decision-making, and avoid misleading, coercive, or manipulative practices. Where relevant, outcomes should align with Sharia principles of fairness, honesty, and avoidance of deception.
  • Bias and Fairness Management: Business and technology teams should conduct pre-deployment testing and ongoing performance monitoring to detect bias, discriminatory effects, or unjust outcomes. Identified issues should be remediated promptly, with remediation tracked and evidenced across the AI lifecycle.

Second Line of Defense: Risk & Compliance

Framework Integration and Oversight

Second-line functions provide independent oversight and challenge to ensure AI/ML use cases comply with regulatory, consumer protection, ethical, and—where relevant—Sharia requirements.

Key responsibilities include:

  • Enterprise Risk Management Integration: Consumer-impacting AI risks should be embedded within the institution’s enterprise risk management framework, with particular focus on conduct and consumer protection risk, supported as needed by credit, operational, and third-party risk disciplines.
  • Mandatory AI Risk Classification: The second line should define and oversee a consistent risk assessment methodology for AI use cases, considering data sensitivity, control effectiveness, consumer impact, and reliance on third parties. Risk classification should drive proportionate safeguards, including disclosure requirements, explainability standards, human oversight thresholds, and customer redress mechanisms.
  • Third-Party and Concentration Risk Oversight: Given reliance on external vendors, robust due diligence over cybersecurity, data governance, and model controls is essential. Institutions should also actively manage concentration risk through diversified sourcing and contingency planning.

Third Line of Defense: Internal Audit

Independent Assurance and Validation

Internal Audit provides independent assurance over the design and operating effectiveness of AI governance, risk management, and controls, with a focus on consumer outcomes and regulatory compliance.

Audit scope should include:

  • Cease / Override Capability: Validation that the institution can promptly suspend or disable AI/ML systems where continued operation could cause consumer harm or regulatory concern, including clear authority, access rights, and documented procedures.
  • Transparency and Disclosure Effectiveness: Assessment of whether customers are clearly informed when interacting with AI, receive understandable explanations of AI-supported decisions, and have effective channels for inquiries and redress.
  • Human Review and Alternatives: Verification that customers can request human review or explanation of AI-driven decisions, particularly for material outcomes, and that opt-out or alternative arrangements are operational and effective.
  • Fairness and Bias Testing: Review of evidence demonstrating periodic bias and fairness testing, including post-change testing, with clear remediation actions tracked to completion.
  • Complaints Handling and Redress: Confirmation that AI-related complaints are identifiable, logged, investigated, and resolved through accessible processes, and that complaint trends are monitored and fed back into control enhancements.

Conclusion

Applying the CBUAE Responsible AI guidance enables LFIs to move beyond a compliance-only response and embed consumer-focused, responsible AI practices across the organisation. This approach supports controlled innovation while strengthening governance, transparency, and trust, and reinforces the institution’s ability to scale AI responsibly within the UAE regulatory environment.