In the race to stay ahead and keep on top of heavy workloads, employees are turning to “free” AI tools to get the job done quicker and more effectively. They use these tools to write meeting minutes, draft emails, and analyse data.
But behind this productivity boost lies an unseen cost: shadow AI. It is putting companies at immense risk and under the scrutiny of the UAE Data Office’s recent regulations.
So where did the risk start?
A company’s risk can start with a simple, innocent copy-and-paste. An employee takes a client document containing sensitive information, or a spreadsheet of personal details, and pastes it into a public AI chat to spell-check it. At that point, your company may already have violated the law.
It is not just one violation but three major breaches of Federal Decree-Law No. 45 (PDPL):
- Unauthorized data transfer: Your employee has most likely moved personal data outside the UAE without knowing it. By using a public cloud service, there may be no consent for the data to leave the country, and the safeguards the UAE requires are no longer in place.
- Loss of data sovereignty: Once that data reaches a public model, you (the company) no longer own the data in the way the law requires. Furthermore, it can become training data for global models.
- Breach of confidentiality: Public AI tools such as ChatGPT, Copilot, and Gemini often lack the hardened security required for high net worth individuals (HNWIs) and corporate businesses.
The 72-hour clock is ticking
Recent updates to UAE data protection law (Federal Decree-Law No. 45) mean you must report certain data breaches to the authorities within a 72-hour window. So if an employee has been using a free AI tool without your knowledge, and that tool is compromised and company data is leaked:
- Would you even know it had been compromised?
- How can you report to the authorities what you don’t know?
Without centralised, private infrastructure, most businesses are defenceless against silent data leaks. You cannot report a breach you cannot see.
From employee error to AED 5 million fines
Under the latest framework released by the UAE Data Office, what used to be guidance for companies to follow is now backed by enforcement. Companies found to be in serious breach, or to have repeatedly breached data residency and protection laws, can face administrative fines of up to AED 5 million.
When an employee uses shadow AI, the company is held liable, not only the individual. Examples of breaches include:
- Lack of consent: Sharing personal data on AI platforms where the user has not authorised third-party training.
- Cross-border transfer violations: Sending sensitive local data to international cloud clusters without a data protection impact assessment (DPIA).
- Loss of confidentiality: Risking the exposure of trade secrets, since they may become part of a public LLM’s knowledge base.
Bridging the gap with sovereign AI
This is where the shift to sovereign AI becomes a strategic necessity rather than a luxury. By giving teams a localised, private AI environment, you gain the efficiency the business needs without compromising the company or inviting regulatory intervention. Employees get the tools they want, inside private and secure infrastructure that keeps data yours and within your physical control. For how private hosting maps to the PDPL, see also Part 1: Sovereign AI and the UAE’s new era of data protection.