AI for DIFC and ADGM-regulated fintechs.
Fintechs operating in DIFC and ADGM are subject to AI governance requirements under DFSA Regulation 10 and FSRA guidance, including risk assessments and the appointment of an Autonomous Systems Officer for firms using AI in regulated activities. Steinn Labs builds AI governance infrastructure and custom AI products for DIFC and ADGM-regulated fintechs, including Magpie, our self-hosted AI compliance platform built specifically for DFSA Regulation 10.
The rules that actually apply to fintech AI in the UAE.
The DFSA's dedicated AI framework. Applies to Authorised Firms using AI or autonomous systems in the conduct of regulated activities. Requires documented governance, risk assessments, model inventory, human oversight, and, for material use cases, an Autonomous Systems Officer accountable for the system.
A named individual accountable for the AI system's behaviour end to end. Owns the risk assessment, the ongoing monitoring, and the escalation path when the system misbehaves. Effectively required for any firm putting AI into a decisioning path that touches customers or regulated activity.
The ADGM regulator has published its own AI and machine learning guidance for financial services firms. Directionally aligned with DFSA Regulation 10: governance, model risk controls, human oversight, and clear accountability. Firms operating across both jurisdictions typically build one governance stack that satisfies both.
Fintechs touching onshore rails, payments licences, or partnering with UAE banks pick up Central Bank expectations on top of DFSA or FSRA obligations. Relevant where the fintech's AI use case sits inside a workflow the CBUAE supervises, including fraud, AML, and consumer-facing automation.
For a deeper walk-through of Regulation 10, including scope, controls, and the Autonomous Systems Officer role, see our full guide on Magpie.
The regulation is not the blocker. The wrong architecture is.
DIFC and ADGM fintechs can build with AI today. The regulator is not asking anyone to stop. What they are asking for is evidence: model documentation, audit trails, reviewable decisions, and a named human accountable when things go wrong.
Most fintechs get stuck in the same three places. Audit trails that were never designed to be regulator-facing. Explainability bolted on after the model is live. And data residency questions no one wants to answer because the AI stack is running on someone else's servers.
Self-hosted architecture removes the third problem outright. Building governance into the system from day one removes the first two. That is the shape of the work we do for fintech buyers in this region.
Two paths, depending on what you are actually trying to do.
Need to meet Reg 10 requirements out of the box?
Magpie is our self-hosted AI governance platform built specifically for DFSA Regulation 10. Model inventory, audit logging, evaluation harness, human oversight workflow, and reporting, all running inside your environment.
Building an AI-powered product and need it compliant from day one?
We build custom AI systems and agentic products for fintechs where the governance surface is part of the design brief. Reviewable decisions, human sign-off gates, and audit-ready inference pipelines are engineered in, not retrofitted.
Concretely, what does compliant AI development look like?
Model inventory and documentation
Every model in the system is registered, versioned, and documented. Purpose, training data lineage, evaluation results, and owner. Ready to hand to an examiner without a scramble.
Audit logging from the architecture stage
Inference logging is not a feature we add later. It is part of the request path from the first line of code, capturing prompts, outputs, model versions, and the human context around each decision.
Human oversight mapped to risk tiers
Sign-off gates, override flows, and reviewer workflows are calibrated to the risk of the decision, matching the tiering Reg 10 expects rather than a blanket approval step.
Data residency as default
Self-hosted deployments inside your environment or a UAE-resident cloud. The compliance question about where data goes stops being a negotiation.
We built the tool that solves this exact problem.
Magpie is our self-hosted AI governance platform, engineered from the ground up against DFSA Regulation 10. It is the strongest evidence of what we understand about this regulatory surface, and it is in production inside DIFC-regulated fintechs today.
Credibility that matters when a fintech buyer runs due diligence.
What is DFSA Regulation 10?
DFSA Regulation 10 is the Dubai Financial Services Authority's dedicated framework for the use of AI and autonomous systems by Authorised Firms in DIFC. It sets expectations for governance, risk management, documentation, human oversight, and accountability whenever AI is used in the conduct of a regulated activity. In practice, it means firms must be able to explain how a model was built, what data it uses, who is accountable for it, and how it is monitored in production.
Do all DIFC fintechs need an Autonomous Systems Officer?
Not every DIFC fintech, but any Authorised Firm using AI in a way that materially affects a regulated activity is expected to appoint an accountable individual for those systems. For firms deploying agentic AI, automated decisioning, or models that influence customer outcomes, the Autonomous Systems Officer role is effectively required. The role owns the risk assessment, the model inventory, and the ongoing monitoring of the system's behaviour.
What AI governance requirements apply in ADGM?
ADGM firms fall under the FSRA, which has issued its own guidance on AI and machine learning in financial services. The expectations are directionally similar to DFSA Regulation 10: documented governance, model risk controls, human oversight, and clear accountability. Firms operating across DIFC and ADGM typically build one governance stack that satisfies both regimes rather than maintaining parallel systems.
Can fintechs use third-party AI tools like ChatGPT under DFSA rules?
Third-party tools are not banned, but using them in a regulated workflow shifts the compliance burden onto the firm. The regulator wants to see how prompts, outputs, and data flows are controlled, where data is processed, and how audit trails are maintained. Most DIFC fintechs end up either self-hosting their AI stack or wrapping third-party APIs in a governed layer that captures every request and response.
What happens if a fintech does not comply with DFSA AI requirements?
Non-compliance is treated like any other prudential or conduct failing. That can range from supervisory attention and required remediation plans through to enforcement action, fines, and restrictions on regulated activities. More practically, gaps in AI governance often surface during routine supervision or thematic reviews, and firms are then given a fixed window to close them, which is expensive to do reactively.
How is Magpie different from building compliance in-house?
Building governance in-house means designing the model inventory, audit logging, evaluation harness, human oversight workflow, and reporting layer from scratch, then maintaining them as the regulator's expectations evolve. Magpie ships those primitives out of the box, self-hosted inside your environment, mapped to DFSA Regulation 10 from day one. Teams still own their models and their risk decisions; Magpie removes the infrastructure work underneath.

