The UAE has established itself as one of the region's most ambitious AI markets, with organisations rapidly exploring Generative AI applications across industries. As adoption scales, businesses are increasingly focused on cybersecurity, data privacy, third-party AI risks and governance frameworks capable of supporting enterprise-wide deployment. The challenge is no longer whether to adopt AI, but how to scale it responsibly while maintaining stakeholder trust and regulatory compliance.
BDO UAE supports organisations in scaling Generative AI by helping them build robust governance, cybersecurity, data protection and risk management frameworks around AI adoption. From enterprise AI strategy and responsible AI policies to third-party vendor governance, privacy considerations and implementation assurance, BDO UAE can help businesses accelerate innovation while maintaining control, compliance and confidence in AI-enabled operations.
We at BDO UAE continuously evaluate developments in the AI landscape and help organisations establish the governance, security and risk management frameworks needed to support sustainable AI transformation.
The question for most organisations is no longer whether to adopt GenAI, but how to scale it responsibly. Without the right controls in place, GenAI can quickly undermine the very value it is meant to deliver.
When innovation outpaces governance
Over the past year, businesses have learned a great deal through pilots and early GenAI deployments. However, advisory and assurance work consistently shows that foundational controls are often immature or missing entirely.
Common gaps include poor data classification, poor data quality, unclear access rights and limited validation of data permissions before large language models (LLMs) are granted access to vast volumes of information. This is particularly pronounced for unstructured data such as emails, documents, chat logs and reports. While this type of data often makes up a significant portion of an organisation’s data, it is rarely governed with the same rigour as structured systems.
In many cases, competitive pressure and fear of missing out are driving GenAI adoption faster than governance frameworks can evolve. GenAI is pushed into production while leadership alignment, accountability structures and risk ownership are still being debated. The result is technology in use without clear answers to some basic questions: who owns it, what data it can access, and how risks are monitored over time.
Making GenAI risk tangible
One of the most common risks we see is inappropriate or sensitive data being ingested into GenAI models. In the rush to experiment, guardrails around what data can be uploaded, and by whom, are often insufficient. In some cases, organisations have been forced to switch GenAI tools off shortly after deployment when they realised how much sensitive information had become exposed.
Without a clear GenAI strategy and roadmap, many organisations also fall into tool‑first investment decisions, committing significant spend to platforms or vendors that may become obsolete within months. This leads to fragmented solutions, duplicated effort and technology lock‑in, all of which can erode confidence in GenAI investment.
The rapid advancement of GenAI capability is exposing gaps in internal processes that were not designed for a GenAI‑enabled environment. Generating content, insights and analysis at scale heightens risks related to accuracy, compliance, intellectual property and reputation, especially where traditional review and approval controls remain unchanged. These risks are further amplified in accounting and finance businesses due to the sensitivity of financial data, regulatory obligations and the reliance on professional judgement.
GenAI governance maturity remains fragmented
Awareness of GenAI risk is growing, but governance maturity remains uneven. A recurring challenge is misalignment at the leadership level on GenAI philosophy, risk appetite and ambition. Where leaders are not aligned, governance inevitably lags.
In many organisations, governance is introduced reactively, as a brake applied when leaders become nervous about how quickly things could go wrong. Far fewer organisations treat governance as a mechanism that gives leaders the confidence to move faster, knowing risks are understood, managed and owned.
When organisations lack clarity on why GenAI is being adopted and what outcomes are expected, governance can become defensive rather than strategic, undermining its role in accelerating value creation.
GenAI is expanding the attack surface
GenAI is not just changing how organisations operate; it is also reshaping the threat landscape. Threat actors are already using GenAI to enhance phishing campaigns, automate reconnaissance and generate malicious code, significantly lowering the barrier to sophisticated cyber attacks.
There are also emerging risks around model integrity. Deliberate manipulation of training data, or ‘poisoning’ of models, can introduce bias or malicious behaviour that is difficult to detect. Where GenAI outputs inform business decisions or customer interactions, the resulting security and reputational impact can be significant.
As GenAI becomes embedded within core IT architecture, it must be treated as critical infrastructure rather than an experimental add-on. This means stronger controls around data ingestion, access management, third‑party dependencies, model monitoring and output validation.
Data privacy – the risk GenAI keeps exposing
Data privacy consistently ranks as the top GenAI risk, and for good reason. Unstructured data accounts for roughly 80 per cent of an organisation’s information, yet is rarely classified or governed appropriately. This data often contains personal, confidential or commercially sensitive information, making it a high‑risk input for GenAI models.
Leading organisations are responding to this challenge through investment in data classification, masking and synthetic data techniques, recognising these measures as enablers rather than barriers to GenAI adoption. Properly governed and masked data supports GenAI‑driven value creation while ensuring compliance with privacy obligations and preserving customer trust.
Governing GenAI without slowing it down
The most effective organisations approach GenAI governance as a means of enabling safe, scalable adoption rather than control for its own sake. As GenAI capability advances, risk capability must mature alongside it.
This requires clear ownership or oversight, proportionate controls, continuous monitoring and strong leadership alignment. When done well, the benefits are clear: faster execution, better decision‑making and greater trust with regulators, customers and employees.
Consistent, enterprise‑wide governance aligned with leadership expectations positions organisations to capture GenAI’s upside while managing its risks, turning governance into a strategic differentiator.

