Jarred Lloyd
4 min read
A View from UAE: What a Year of AI Has Actually Changed
6:16

Few places on earth have moved as fast, or as deliberately, on AI as the UAE has over the past 18 months. Watching that unfold up close, from Dubai, has shaped how I think about where every business, regardless of geography, now stands.

So here is my honest read on the state of AI: we have moved from asking whether to use it, to discovering that using it well is far harder than anyone budgeted for.

From pilots to production, and a lot of expensive lessons

A year ago, most conversations about AI in the enterprise were still about chatbots and copilots, useful, but bounded. That has changed. 2026 has been the year of the AI agent: systems that don't just draft an email or summarise a document, but plan, decide, and execute multi-step tasks with real access to real systems. Gartner projects that agentic AI will be embedded in 33% of enterprise applications by 2028, up from less than 1% in 2024.

That sounds like unambiguous progress. It isn't, quite. Gartner also expects over 40% of agentic AI projects to be cancelled by 2027, due to escalating costs, unclear business value, or inadequate risk controls. The gap isn't capability, the models are good, and getting better fast. The gap is everything around the model: ownership, oversight, and the unglamorous discipline of knowing what your AI is actually doing, at all times, with what data.

The Gulf illustrates this tension vividly. Adoption here is genuinely world class, McKinsey puts AI adoption across the GCC at 84%, up from 62% just two years earlier, ahead of much of the world. But separate research from Roland Berger found fewer than one in three organisations in the region actually has the operating model and formal governance to scale what they've adopted. Enthusiasm has outrun infrastructure. That's not a UAE problem specifically, it's the defining tension of AI everywhere in 2026, but the UAE is where it shows up first, because the UAE moves first.

The UAE's regulatory bet: speed over a single law

Here's what I find genuinely thought provoking about this market, and worth every business leader's attention regardless of where they operate: the UAE has deliberately chosen not to write a single, EU style AI Act. Instead, it has built a layered stack, the Personal Data Protection Law, DIFC's Regulation 10 governing autonomous systems (now in full enforcement), ADGM's GDPR aligned data protection regime, a non binding national AI Charter, and sector rules from the Central Bank and financial regulators. In June 2026, the government consolidated its AI and data oversight entirely, standing up a new Federal Authority for Artificial Intelligence and Data reporting directly into Cabinet, a clear sign that governance here is being treated as core national infrastructure, not a compliance afterthought.

Compare that with the EU, where the AI Act's high risk obligations land in August 2026 with real teeth, or the US, still governing AI through a patchwork of state laws. Three fundamentally different philosophies, all being tested live, at the same time. The UAE's bet is that speed and coherence beat comprehensiveness, that you regulate the way you'd deploy an AI agent: iteratively, in production, adjusting as you learn. It's a bold wager, and one every multinational operating here needs to actually understand, because “there's no single AI law” is not the same thing as “there's no accountability.” The Federal Authority now has  Personal Data Protection Law (PDPL)  enforcement, AI standards, and government AI deployment all under one roof, and it is not shy about moving quickly.

What this means for how companies actually use AI

The businesses getting real value aren't the ones with the biggest AI budgets. They're the ones treating governance as architecture, not paperwork, baked into how an agent is built, not bolted on after a pilot succeeds. That's showing up in three concrete shifts I'd flag to any leadership team:

1) AI is quietly becoming a security and identity problem. Every AI agent that touches a system is, in effect, a new non-human identity with its own permissions, its own behaviour, and its own potential for compromise. Prompt injection, data exfiltration through tools, and shadow AI, unapproved agents wired into production systems by well meaning teams, are no longer theoretical. This is precisely where cybersecurity and AI governance stop being separate disciplines and start being the same conversation.

2) Standards are becoming procurement requirements, not nice to haves. ISO 42001, the international AI management system standard, is increasingly showing up as a condition of doing business, the same trajectory ISO 27001 took a decade ago, and one the payments industry will recognise instantly from PCI DSS. If you've built compliance muscle for one regulated framework, you already understand the shape of what's coming for AI.

3) The accountability question is getting sharper, not softer. Who signs off when an autonomous agent makes a decision that affects a customer, a transaction, or a regulator's expectations? Boards that treated this as an IT question in 2024 are now treating it as a governance and risk question, as they should.

The provocation worth sitting with

Here's the uncomfortable question I keep coming back to, and the one I'd put to any leadership team weighing AI investment right now: if your organisation had to produce, tomorrow, a full inventory of every AI agent operating in your environment, what data it touches, what it's authorised to do, and who's accountable if it gets it wrong, could you? Most can't. That gap, more than any single regulation or model release, is the real state of AI in 2026.

The UAE's answer has been to build the institutions first and let the rules catch up in real time. Whether that's the right model for a global, more conservatively regulated business is a genuinely open question, and one I suspect I'll be exploring a lot more from here.

 

Subscribe to our Blog

Request more information

Contact Foregenix for strategic advisory 

Jarred Lloyd
Jarred Lloyd

Jarred Lloyd is the Head of Practice for Artificial Intelligence, bringing over 17 years of experience across financial services, analytics, and consulting. He has worked extensively across the Middle East, South Africa, and Pakistan, with additional exposure to the UK and European markets. Jarred specialises in translating data, analytics, and AI into practical commercial outcomes. His expertise spans portfolio optimisation, customer lifecycle management, marketing and customer analytics, credit risk strategy, and digital transformation. Jarred focuses on building and scaling AI and advanced analytics capabilities, embedding data-driven decisioning into business processes, and advising organisations on the responsible and effective use of AI.

See All Articles

NOTES

Gartner, Gartner Predicts Over 40% of Agentic AI Projects Will Be Cancelled by End of 2027, press release, 25 June 2025 (source for both the 33% by 2028 and 40% cancellation by 2027 figures):

https://www.gartner.com/en/newsroom/press-releases/2025-06-25-gartner-predicts-over-40-percent-of-agentic-ai-projects-will-be-canceled-by-end-of-2027

McKinsey and Company, AI adoption in GCC: strategies for value creation, McKinsey State of AI in GCC Survey, August to September 2025, published December 2025 (source for the 84% GCC adoption figure):

https://www.mckinsey.com/capabilities/quantumblack/our-insights/the-state-of-ai-in-gcc-countries-in-pursuit-of-scale-and-value

Roland Berger Middle East, AI across the Gulf: From ambition to scalable impact, February 2026 (source for the governance gap finding):

https://www.rolandberger.com/en/Insights/Publications/AI-across-the-Gulf-From-ambition-to-scalable-impact.html
SUBSCRIBE

Subscribe to our blog

Security never stops. Get the most up-to-date information by subscribing to the Foregenix blog.