Few places on earth have moved as fast, or as deliberately, on AI as the UAE has over the past 18 months. Watching that unfold up close, from Dubai, has shaped how I think about where every business, regardless of geography, now stands.
So here is my honest read on the state of AI: we have moved from asking whether to use it, to discovering that using it well is far harder than anyone budgeted for.
From pilots to production, and a lot of expensive lessons
A year ago, most conversations about AI in the enterprise were still about chatbots and copilots, useful, but bounded. That has changed. 2026 has been the year of the AI agent: systems that don't just draft an email or summarise a document, but plan, decide, and execute multi-step tasks with real access to real systems. Gartner projects that agentic AI will be embedded in 33% of enterprise applications by 2028, up from less than 1% in 2024.
That sounds like unambiguous progress. It isn't, quite. Gartner also expects over 40% of agentic AI projects to be cancelled by 2027, due to escalating costs, unclear business value, or inadequate risk controls. The gap isn't capability, the models are good, and getting better fast. The gap is everything around the model: ownership, oversight, and the unglamorous discipline of knowing what your AI is actually doing, at all times, with what data.
The Gulf illustrates this tension vividly. Adoption here is genuinely world class, McKinsey puts AI adoption across the GCC at 84%, up from 62% just two years earlier, ahead of much of the world. But separate research from Roland Berger found fewer than one in three organisations in the region actually has the operating model and formal governance to scale what they've adopted. Enthusiasm has outrun infrastructure. That's not a UAE problem specifically, it's the defining tension of AI everywhere in 2026, but the UAE is where it shows up first, because the UAE moves first.
The UAE's regulatory bet: speed over a single law
Here's what I find genuinely thought provoking about this market, and worth every business leader's attention regardless of where they operate: the UAE has deliberately chosen not to write a single, EU style AI Act. Instead, it has built a layered stack, the Personal Data Protection Law, DIFC's Regulation 10 governing autonomous systems (now in full enforcement), ADGM's GDPR aligned data protection regime, a non binding national AI Charter, and sector rules from the Central Bank and financial regulators. In June 2026, the government consolidated its AI and data oversight entirely, standing up a new Federal Authority for Artificial Intelligence and Data reporting directly into Cabinet, a clear sign that governance here is being treated as core national infrastructure, not a compliance afterthought.
Compare that with the EU, where the AI Act's high risk obligations land in August 2026 with real teeth, or the US, still governing AI through a patchwork of state laws. Three fundamentally different philosophies, all being tested live, at the same time. The UAE's bet is that speed and coherence beat comprehensiveness, that you regulate the way you'd deploy an AI agent: iteratively, in production, adjusting as you learn. It's a bold wager, and one every multinational operating here needs to actually understand, because “there's no single AI law” is not the same thing as “there's no accountability.” The Federal Authority now has Personal Data Protection Law (PDPL) enforcement, AI standards, and government AI deployment all under one roof, and it is not shy about moving quickly.
What this means for how companies actually use AI
The businesses getting real value aren't the ones with the biggest AI budgets. They're the ones treating governance as architecture, not paperwork, baked into how an agent is built, not bolted on after a pilot succeeds. That's showing up in three concrete shifts I'd flag to any leadership team:
1) AI is quietly becoming a security and identity problem. Every AI agent that touches a system is, in effect, a new non-human identity with its own permissions, its own behaviour, and its own potential for compromise. Prompt injection, data exfiltration through tools, and shadow AI, unapproved agents wired into production systems by well meaning teams, are no longer theoretical. This is precisely where cybersecurity and AI governance stop being separate disciplines and start being the same conversation.
2) Standards are becoming procurement requirements, not nice to haves. ISO 42001, the international AI management system standard, is increasingly showing up as a condition of doing business, the same trajectory ISO 27001 took a decade ago, and one the payments industry will recognise instantly from PCI DSS. If you've built compliance muscle for one regulated framework, you already understand the shape of what's coming for AI.
3) The accountability question is getting sharper, not softer. Who signs off when an autonomous agent makes a decision that affects a customer, a transaction, or a regulator's expectations? Boards that treated this as an IT question in 2024 are now treating it as a governance and risk question, as they should.
The provocation worth sitting with
Here's the uncomfortable question I keep coming back to, and the one I'd put to any leadership team weighing AI investment right now: if your organisation had to produce, tomorrow, a full inventory of every AI agent operating in your environment, what data it touches, what it's authorised to do, and who's accountable if it gets it wrong, could you? Most can't. That gap, more than any single regulation or model release, is the real state of AI in 2026.
The UAE's answer has been to build the institutions first and let the rules catch up in real time. Whether that's the right model for a global, more conservatively regulated business is a genuinely open question, and one I suspect I'll be exploring a lot more from here.