FED. Decree-Law 6 of 2025 · Art. 184 in force

Personal accountability for the board.
Or sixteen September.
Whichever comes first.

Art. 184 sets the regularization window for the New CBUAE Law. Article 62 extends the licensing perimeter to AI vendors. Stoneset is the workspace one compliance officer uses to prepare for one supervisory event. Built around the 16 September deadline, deterministic in the audit path, traceable to clause.

Origin: London · IAPP · Oxford AI
Engine: Deterministic classification
Output: Hash-chained audit record
Fig. 1 — V1 module suite · Five modules
01
AI Model Inventory · CBUAE GN §3.2
Required fields, criticality classification, change history with cryptographic chain-of-custody. CSV and JSON export.
Module 1
V1
02
Bias Testing Register · CBUAE GN §4.1
Quarterly cadence, representative-sample documentation, fairness library, regulator-facing PDF export.
Module 2
V1
03
Vendor Clause Library · CBUAE GN §5.3
Pre-vetted cessation, audit-rights, sub-processor flow-down language. Each clause cites the expectation it satisfies.
Module 3
V1
04
Reg. 10 Board Pack · DIFC DPR §15
Personal-accountability tracking. Director liability heat map. Quarterly DOCX and PDF generation.
Module 4
V1
05
ISO 42001 Evidence Vault · ISO 42001
Control-by-control documentation, internal audit programme tracker, certification-readiness reports.
Module 5
V1
  • CBUAE Guidance Note: 23 Feb 2026 · documented governance, board accountability, annual bias testing
  • Fed. Decree-Law 6 / 2025: Art. 184 regularization · 16 September 2026
  • Fed. Decree-Law 10 / 2025: AI-driven AML monitoring required for VASPs
  • DIFC Data Protection Reg. 10: AI and autonomous systems
  • ISO/IEC 42001: increasingly required for ADGM firms
  • HAYVN: 12.45 M USD · FSRA Abu Dhabi · precedent 2025
  • AIATC: ADxLaw 3 / 2024 · obligations forthcoming 2026–2027
  • 2022 Model Management Standards: CBUAE
§ 01 — V1 module suite
Ships Q3 2026

Five modules. Every one tied to a clause in the CBUAE Guidance Note, DIFC Regulation 10, or ISO 42001.

§ 01
AI Model Inventory
CBUAE GN · 2022 MMS
Required fields, taxonomy, criticality classification, change history with cryptographic chain-of-custody. CSV and JSON export.
§ 02
Bias Testing Register
CBUAE GN §4.1
Quarterly cadence, representative-sample documentation, fairness metric library, evidence vault with versioning, regulator-facing PDF.
§ 03
Vendor Clause Library
CBUAE GN §5.3
Pre-vetted cessation, audit-rights, cyber-security, sub-processor flow-down language. Each clause cites the expectation it satisfies.
§ 04
Reg. 10 Board Pack
DIFC DPR §15
Personal-accountability tracking. AI risk summary by entity. Director liability heat map. Quarterly DOCX and PDF generation.
§ 05
ISO 42001 Evidence Vault
ISO/IEC 42001
Control-by-control documentation, internal audit programme tracker, management review records, certification-readiness reports.
§ 02 — Jurisdictional perimeter
5 regulators · 1 operating system

The UAE AI regulatory stack converges on one workspace. English-law, deterministic, traceable to clause.

CBUAE
Central Bank of the UAE
0+licensed entities
Banks, finance companies, exchange houses, payment institutions, insurance carriers. New CBUAE Law Article 62 extends the licensing perimeter to AI vendors and APIs.
Art. 184 closes · 16 Sep 2026
DIFC
Dubai International Financial Centre
0licensed entities
English common-law financial free zone. Data Protection Regulation 10 places AI and autonomous systems within the DIFC framework: board accountability, documented governance.
Reg. 10 cadence · Continuous
ADGM
Abu Dhabi Global Market
0licensed entities
+35% growth in 2024. Tech licence pipeline via Hub71 endorsement (88 endorsements in 2024). ISO 42001 alignment increasingly required for ADGM firms.
FSRA · ISO 42001 · Continuous
VARA
Virtual Assets Regulatory Authority
30–0licensed VASPs
VARA-licensed VASPs face a tightening AML and transaction-monitoring regime, with AI-driven monitoring increasingly expected of virtual-asset firms.
AML monitoring · Active
AIATC
AI & Advanced Technology Council
Abu Dhabi Law 3/2024
Regulatory authority for AI in Abu Dhabi. Specific binding obligations expected 2026–2027. AI-native Abu Dhabi government procurement by 2027 will demand assurance artefacts from every supplier.
Forthcoming · 2026 · 2027
+ DOH AD
Department of Health Abu Dhabi
authorization required
Authorization for AI in healthcare or processing Abu Dhabi patient data. Adjacent to the Stoneset perimeter; covered through V1.1 module roadmap and the AIATC tracker.
V1.1 module · Q1 2027
§ 03 — Clause map
Researched, fact-checked · May 2026

The CBUAE Guidance Note speaks the vocabulary of UK-style model-risk governance. Board accountability, model inventory, ongoing monitoring — a familiar shape under a different supervisor.

Stoneset publishes a clause-level breakdown of every binding instrument: the Guidance Note, Reg. 10, Decree-Law 6 / 2025, and the 2022 Model Management Standards. Plain-English interpretation. Suggested control evidence. Mapped to the V1 module that satisfies the expectation.

The Clause Map is the credibility apparatus. Compliance officers read it, share it internally, then come back for the workspace that operationalises it.

| Clause | Expectation | Module |
|---|---|---|
| CBUAE GN · Inventory | Comprehensive AI model inventory aligned to 2022 MMS taxonomy | § 01 |
| CBUAE GN · Bias | Annual bias testing with documented representative-sample design | § 02 |
| CBUAE GN · Vendor | Third-party audit rights with cessation language and sub-processor flow-down | § 03 |
| DIFC Reg 10 | DIFC personal-accountability tracking and quarterly board pack | § 04 |
| ISO 42001 | Documented context, scope, and applicability of the AI management system | § 05 |
| CBUAE 184 | Regularization window for Licensed Financial Activities — closes 16 Sep 2026 | All |
| CBUAE 62 | Licensing perimeter extends to technology providers, APIs, decentralised platforms | V1.1 |
| AML 10 / 2025 | “Reasonably should have known”: AI-driven AML monitoring for VASPs | V1.1 |
§ 04 — Why Stoneset
London origin · UAE delivery

Built clause by clause from London, not generated by a horizontal GRC platform.

Origin
London regulatory
The CBUAE Guidance Note reads in the idiom of UK-style model-risk supervision — the governance vocabulary UK-trained CROs already know.
Jurisdiction
English common law
DIFC applies UK regulator templates. ADGM applies English common law directly. London-trained regulatory perspective lands without translation.
Procurement
Established pattern
UAE banks and free-zone entities procure compliance technology from London routinely. Stoneset enters a path that already exists.
Architecture
Deterministic core
Every classification gate is deterministic-lookup over customer-attested answers. The audit trail reconstructs from inputs, not from a prompt.
§ 05 — Pricing
Discovery-call qualified · annual prepay default

Three tiers. Priced for mid-tier fintechs and licensed entities, not enterprises.

Starter
Pricing on call
Single entity · up to 10 users
  • § 01 AI Model Inventory
  • § 04 Reg. 10 Board Pack
  • Email support · 48 h SLA
  • For: small DIFC fintechs, single-entity VASPs
Enterprise
Pricing on call
Multi-entity · unlimited users
  • Multi-entity group consolidation
  • External auditor portal (magic-link)
  • Custom API integrations
  • 99.9% SLA · dedicated compliance specialist
  • Embedded AI inference
  • For: CBUAE-licensed banks, G42 portfolio, group entities
Encrypted at rest · append-only hash-chained audit log · regional residency configurable on contract
§ 06 — Closing
19 May → 16 September 2026

Procurement cycles run sixty to one hundred and eighty days. Vendors not in conversation by September lose the cycle.

Stoneset is the workspace one buyer uses to prepare for one supervisory event, with a clear expansion path into adjacent obligations as they crystallise. Not a horizontal GRC platform. Not a multi-framework dashboard. Not an AI hype site. The audience is a CRO buying compliance for a board-accountable regulatory regime and a hard reconciliation deadline. We respect them.