Glossary

Last updated June 2026

AI Governance Glossary for UAE Financial Institutions

A

Audit trail
An immutable, searchable log of every decision made by an AI model, including the input data, model version, output, confidence score, and whether a human reviewed the decision. Under DIFC Regulation 10, the audit trail must be tamper-evident and exportable for regulatory examination.
Autonomous system
Under DIFC Regulation 10, any system that uses automated processing to make decisions or recommendations about individuals with limited or no human intervention. Credit scoring models, fraud detection systems, and KYC classifiers typically qualify.

B

Bias testing
The process of evaluating whether an AI model produces systematically different outcomes across demographic groups. The CBUAE Guidance Note requires annual bias testing — documented with methodology, data, results, and any remediation actions.
Board accountability (AI)
The CBUAE Guidance Note requires boards of licensed financial institutions to be directly accountable for AI outcomes — not just aware of them. This means receiving regular AI risk reports, approving the AI governance framework, and being able to make informed decisions about AI risk tolerance.

C

Concept drift
A change in the statistical relationship between a model's input features and the outcome it predicts, caused by real-world changes after the model's training cutoff. Distinct from feature drift.
Consequential decision
A decision that has a material impact on an individual's financial position, access to services, or rights. Under DIFC Regulation 10, consequential decisions require explainability and a human oversight mechanism.

D

Data residency
The requirement that certain categories of data — particularly sensitive personal and financial data — be stored and processed within the UAE's geographic boundaries. Relevant to any cloud-based AI governance tool that processes UAE customer data outside the country.
DFSA
The Dubai Financial Services Authority — the independent regulator of financial services within the Dubai International Financial Centre. Responsible for supervising compliance with DIFC Regulation 10 for AI systems.
DIFC
The Dubai International Financial Centre — a financial free zone in Dubai with its own independent legal and regulatory framework, including the DIFC Data Protection Law and Regulation 10 for AI.

E

Enforcement agent
In AI governance, a software component that sits in the model's decision path and enforces governance policies in real time — before the model receives an input or before the application acts on the model's output.
Explainability
The ability to produce a clear, comprehensible explanation of why an AI model reached a specific decision. Under DIFC Regulation 10, firms must be able to explain consequential decisions in terms a non-specialist can understand.

F

Feature drift
A change in the statistical distribution of input features fed to an AI model, indicating that current production data no longer resembles the training data. Detected using metrics such as the Population Stability Index.
Feature schema
A structured declaration of all input features a model expects — including data types, value ranges, PII status, and whether each feature is used for explainability. Required for consistent audit log rendering and drift monitoring.

H

Hash chaining
A cryptographic technique where each record's identifier is a hash computed over the record's contents together with the identifier of the record before it, creating a chain where any deletion or modification is detectable. Used to provide tamper evidence in AI audit logs.
Human-in-the-loop
An oversight design where a human must actively review and approve a model's decision before it is executed. Required for the highest-risk AI decisions under CBUAE guidance.
Human-on-the-loop
An oversight design where a model's decisions are automatically executed but simultaneously reviewed by a human who can intervene if needed. Acceptable for moderate-risk decisions under CBUAE guidance.

L

LLM-as-judge
A technique where a language model evaluates the output of another AI model against a defined policy or quality criterion. In AI governance, used to evaluate whether model outputs meet requirements that rules-based checks cannot assess — such as whether a credit decline explanation is sufficiently clear for a customer.

M

Model drift
The general term for degradation in an AI model's performance over time as real-world patterns change. Includes both feature drift and concept drift.
Model inventory
A formal register of every AI model deployed by an organisation — including ownership, risk tier, version history, and assessment status. Required by the CBUAE Guidance Note and implied by DIFC Regulation 10.
Model risk
The risk of adverse outcomes arising from decisions made by an AI model, due to model error, data quality issues, distributional shift, or misuse.

O

Object lock
A storage configuration that prevents any user — including administrators — from deleting or modifying stored objects during a defined retention period. Used in AI audit log infrastructure to ensure tamper evidence.
Override rate
The percentage of model decisions reviewed by a human that the human reversed. A consistently high override rate — typically above 15% — signals systematic model miscalibration and is a key metric in board-level AI risk reporting.

P

PDPL
The UAE Personal Data Protection Law — Federal Decree-Law No. 45 of 2021. The federal data protection law governing all processing of UAE residents' personal data. Full compliance required by January 1, 2027.
Population Stability Index (PSI)
A statistical metric measuring how much the distribution of a variable has shifted between two time periods. PSI above 0.25 on a key model feature typically indicates significant drift requiring model revalidation.
Pre-deployment risk assessment
A structured evaluation of an AI model's risks, conducted before the model goes into production. Required under DIFC Regulation 10 for all High and Medium risk autonomous systems.

R

RFC 3161 timestamp
A trusted timestamp produced by an independent timestamp authority, proving that a document or record existed in its current form at a specific point in time. Used in AI audit log infrastructure to demonstrate records have not been modified since they were created.
Risk tier
A classification of an AI model based on the potential harm its decisions could cause. Under the UAE AI Act 2026, models are classified into four tiers; under internal governance frameworks, typically three tiers — High, Medium, and Low.

S

Self-hosted
A deployment model where all data processing — including model evaluation, audit logging, and policy enforcement — occurs within the customer's own infrastructure. Required for UAE financial institutions processing regulated personal data under PDPL.
SHAP
SHapley Additive exPlanations — a mathematical framework for explaining individual model predictions by computing each input feature's contribution to the prediction. Used for explainability in credit scoring and other regulated AI contexts.

© 2026 Magpie. Product of Steinn Labs. Based in Dubai, UAE