UAE’s AI Adoption Is Outpacing PDPL Readiness. Is KSA Next?
Written by Leslie Bradshaw, VP of Growth at Pyxos
Across the Gulf, AI adoption is accelerating. And while it’s also taking off across the globe, looking at the Gulf countries is especially instructive. These are six nations whose economies have long been anchored in oil and natural gas. Now? Artificial intelligence is being treated not just as a technology shift—but as a strategic necessity. A new engine for economic diversification. A way to claim global relevance.
Having collaborated for nearly two years with colleagues across the GCC, I’ve observed a level of ambition, professionalism, and curiosity that reminds me of the early Web 2.0, mobile, and cloud revolutions in the United States. The difference? Back then, my generation wasn’t tasked with carrying our country’s economic future on our shoulders.
But here’s the thing: momentum without readiness creates risk. And right now, the UAE offers a cautionary tale worth studying.
According to Salesforce’s latest IT and security report, 80% of UAE organizations plan to adopt agentic AI by 2027, up from just 32% today.
Optimism is strong… but so are the warning signs:
86% of IT leaders believe AI introduces compliance risks
Only 42% feel confident in their current safeguards
Nearly half question the quality and governance of their own data
These gaps are emerging in a country where the federal UAE Personal Data Protection Law (PDPL) has been enforceable since January 2023, but key executive regulations remain pending. And beyond PDPL, most organizations are still maturing their approach to AI-specific governance, explainability, and automation. Without clear guidance and operational follow-through, companies are stuck in the uncomfortable space between wanting to do the right thing and being able to do it at scale.
What Are the Compliance Risks of Using AI?
At Pyxos, we often talk about compliance in the context of data privacy. But in the spirit of the Salesforce report—and given where AI is headed—it’s worth zooming out.
Compliance today isn’t just about privacy. It’s about whether your systems, tools, and teams operate responsibly, transparently, and in alignment with both the law and public expectation. That includes how data is collected and used—but also how decisions are made, bias is mitigated, risk is governed, and accountability is enforced.
As AI systems grow more autonomous, these stakes rise. They’re now writing, deciding, and analyzing on our behalf—based on inputs that may not be fully understood, governed, or auditable.
At a minimum, laws like PDPL in the UAE and Saudi Arabia require organizations to prove:
Data was collected legally
Individuals were informed and, where required, consented
Use is limited to a defined purpose
Automated decisions are explainable or challengeable
Data subject rights are respected
But if we really want to lead, compliance goes further. It means being ready for the questions regulators, customers, and partners are already starting to ask:
How is your AI trained?
Where is your data stored—and who can access it?
What controls are in place to detect bias, misuse, or unintended consequences?
This broader lens could include:
Responsible AI frameworks (OECD, EU AI Act, UNESCO)
Sector-specific obligations in finance, healthcare, and cross-border operations
Internal auditability: clear roles, documentation, and process discipline
Compliance that holds up under scrutiny—whether from SDAIA, customers, or future investors—is explainable, defensible, and future-ready.
Because in the AI era, consumer trust is and will increasingly become essential… and even harder to achieve if we don’t plan for these moves in our processes, cultures, and systems now.
Why Global AI Tools Create Local Compliance Gaps
Most of the AI tools on the market today were built for global scale. Which means they rely on global cloud infrastructure. We all know that in this global, networked world: data does not stay local. It moves, often automatically and without visibility. When it comes to how the UAE and the KSA are viewing data privacy compliance, this is in fact a problem.
In the UAE, cross-border data transfers are technically allowed under the UAE PDPL, but the rules for how and when are still being finalized. Many organizations are hesitant to rely on foreign-hosted AI tools without knowing whether they’re actually operating within legal bounds.
In Saudi Arabia, the guidance is clearer, and honestly, stricter. Cross-border data transfers are only allowed when there’s a specific need and strong safeguards in place. Most AI platforms are there yet and wonder if / how they are prioritizing it.
Here’s where this gets strategic: Both the KSA and the UAE are investing heavily in their AI futures, both through Saudi Vision 2030 or the UAE’s National AI Strategy. And yet, if organizations can’t prove where their data is going, who’s touching it, and under what protections, that future slows down.
It’s not that global tools are bad, it’s that local rules matter. And aligning the two is the only way forward if we want innovation that actually sticks.
How the UAE & Saudi Arabia are Implementing Personal Data Protection Laws
The UAE introduced its PDPL in 2021, with enforcement starting in early 2023. But some key pieces like breach notification requirements and transfer mechanisms are still in limbo. That’s left companies trying to operationalize compliance without a full playbook.
Saudi Arabia’s timeline is more recent, but the stakes may be even greater. The Saudi Data and Artificial Intelligence Authority (SDAIA) introduced PDPL in September 2023, with enforcement beginning one year later. As James Beriker, our Founder and CEO, wrote last month:
“PDPL became fully enforceable in September 2024, marking what will soon be widely recognized as the most consequential regulatory milestone in the Kingdom’s economic history.”
Despite this mandate, it’s estimated that fewer than 10% of companies are materially compliant. This is a concerning gap given how foundational trust and governance are to the goals of Saudi Vision 2030.
Why the UAE’s Experience Matters for Saudi Arabia’s AI Plans
Saudi Arabia isn’t behind in ambition. But it does have a short window to do things differently and better.
What the UAE’s experience tells us is this: You can’t separate AI from compliance. When you do, the risks compound. And while not felt immediately, by the time things like personal data privacy is breached, it will be too late. But when you build compliance into your AI plans from day one? The KSA stands to gain speed, confidence, resilience, trust, and global leadership.
The UAE’s experience is a clear signal: AI leadership without compliance clarity creates friction. The Kingdom has the opportunity to take an even smarter path.
🔑 What Saudi Business Leaders Should Do About AI & PDPL
1. PDPL enforcement is real and underway
With the law fully in effect as of September 2024, Saudi organizations have a limited window to demonstrate real compliance. As my colleague James wrote last month: early enforcement is intended to “act as catalysts to drive broad-based compliance.”
2. Build processes, not just policies
Legal frameworks are only useful if they are embedded into daily operations. As our Co-Founder and COO Jonathan Kass put it in an interview recently:
“Privacy and data protection are urgent, and if they aren’t treated that way, your customers will know.”
Documented, repeatable workflows build trust with regulators and with users.
3. Align compliance with Vision 2030, not just as a risk-avoidance exercise
As highlighted by James back in April, where he underscored the importance of early compliance with KSA’s new data privacy law:
“PDPL is a key pillar of Saudi Arabia’s Vision 2030 strategy to build a competitive, digitally driven, trust-based economy.”
Compliance isn’t a constraint. It’s a strategic asset, especially given how all-encompassing AI is becoming in the context of work.
Final Thought:
Why AI & Compliance Must Advance Together in the GCC
The UAE’s AI journey isn’t failing—but it is revealing. The region’s early enthusiasm for AI is powerful. But without governance, it becomes fragile. Saudi Arabia still has time to do this differently.
AI and compliance must move forward together. The future of Gulf economies depends on this not just to meet policy obligations, but to unlock the full potential of their people, their data, and their global influence.
How AI was used in this post:
Supported the outlining of key ideas and structure
Assisted in editing and refining human-written prose
Helped format Reference citations in Chicago Style
References
Salesforce. State of IT: Security, Fourth Edition. San Francisco: Salesforce, Inc., 2025. https://www.salesforce.com/resources/articles/state-of-it-security-report/
Malin, Carrington. “UAE IT Leaders Back Agentic AI, but Lack Readiness.” Middle East AI News, June 18, 2025. https://www.middleeastainews.com/p/uae-it-leaders-back-agentic-ai
