The Deadline Arrived Before the Rulebook
Vishal Sachar
Co-Founder & CEO of CLRT
Dubai has given its private sector a clock. The federal government has given its own entities a shorter one, and is already running agents inside its ministries. Meanwhile the regulations that will eventually govern all of this activity do not yet exist in any final, dated form. A deadline you can read, sitting next to a rulebook you cannot, is an uncomfortable arrangement, and nearly every firm I speak to has resolved the discomfort the same way: wait for clarity. I think that reading is exactly backwards, and the firms that see why will own this market.
Consider how quickly the execution side has moved. Dubai announced its two-year plan to embed agentic AI across the private sector at the start of May. Within a month, Dubai Chambers had formed an Executive Committee for Agentic AI and held its first meeting. By mid June the targets had numbers on them: 295,000 companies to be empowered, 100 specialised sector assistants to be built, 50 new agentic AI firms to be established, all inside the same two-year window, approved by Sheikh Hamdan personally. This is not a vision document. It is a dated programme with an owner, a committee and a scoreboard.
The federal government is moving faster still, and it is moving on itself first. The Cabinet approved a framework in May to shift half of government services onto agentic AI within two years and to train 80,000 federal employees, the largest training programme in the government's history. In June it gathered 50 federal entities into a single workshop and set each of them a 90-day window to launch a working agent. The government has already named its first four agents, for procurement, tax auditing, customer happiness and technical support, and ADNOC reports more than 115 agents in production with 20,000 employees trained to build their own job-specific models. Whatever else this is, it is not hesitation.
Now look at the rules side, where every clock is missing its hands. The PDPL, the federal data protection law, has been in force for years, yet its implementing regulations, the part that turns principle into enforceable practice, remain unpublished with no announced date. A new Federal AI and Data Authority was announced on 14 June, consolidating three existing bodies under the Cabinet, and it has yet to clarify how its jurisdiction will sit against DIFC and ADGM, the two financial free zones that operate their own data protection regimes. DIFC itself is consulting on amendments to its AI rules right now; the consultation closes on 18 July, and the amended regulations will follow at some unannounced point after that. Every date on the execution side is fixed. Not one date on the rules side is.
The standard corporate response to this asymmetry is to wait. Moving into agentic systems while the regulatory ground is still settling feels like risk, and postponing until the rulebook lands feels like prudence. But walk the logic forward. The deadlines will not move to accommodate the rulebook; nothing in the past two months suggests this government waits for anything. A firm that defers building until the regulations are published arrives at the deadline with neither capability nor compliance, and then attempts to acquire both at once, in a queue with everyone else who made the same choice. The firms that treat the gap as a design constraint instead, and architect now for the regulation they will get rather than the vacuum they have, arrive at the same moment with systems already shaped to pass.
A dated deadline and an undated rulebook is not a reason to wait. It is the brief.
A deeper dive
The waiting position rests on an assumption worth examining: that the coming rules are unknowable, and that building now means guessing. They are not unknowable. Read the instruments that already exist and the architecture converges from every direction. DIFC's Regulation 10, binding inside the centre since 2023, already assigns accountability for personal data processed by autonomous systems to a named deployer, requires transparency about whether a system can define its own purposes, and demands an Autonomous Systems Officer for high-risk processing. The amendments now under consultation strengthen those expectations; nothing in the paper relaxes them. The PDPL's text, in force even without its implementing regulations, is built on consent, purpose limitation and data subject rights, and implementing regulations tighten a law's application far more often than they loosen it. The new federal authority consolidates AI and data oversight under one roof, which signals enforcement capacity, not leniency. Three regulators, three instruments, one direction: whoever operates an agent must be able to show what it did, on whose data, with what consent, inside which borders, and under which human's authority. Those are the invariants, and a firm can build to them today with confidence, because no plausible version of the rulebook omits any of them.
The reason this matters architecturally, rather than as a compliance footnote, is that every one of those invariants is cheap at design time and brutal at retrofit. An audit trail added after the fact is a reconstruction, not a record; the actions it missed are gone. Consent bolted onto a pipeline that already moved the data is an apology. Residency is a decision about where systems live, which is to say a decision you make once, early, or unwind everywhere, late. Human approval gates threaded through an agent system after it has learned to run without them change the system's shape, not its settings. This is what governable by construction means: the controls are load-bearing parts of the architecture, not a layer painted on for the inspector. The parameters the regulators have genuinely not decided, certification schemes, risk thresholds, reporting formats, are exactly the things a well-built system holds as configuration. Build the invariants into the structure, hold the parameters in a file, and the day the rulebook lands your response is an update, not a rebuild. That is the difference between the firms that will spend 2027 operating and the firms that will spend it remediating.
Key terms
- Implementing regulations
- The executive rules that turn a law's principles into enforceable practice. The UAE's data protection law, the PDPL, has been in force for years while its implementing regulations remain unpublished.
- Regulation 10
- The DIFC rule, binding since 2023, that governs personal data processed through autonomous and semi-autonomous systems, including AI agents. Amendments to it are under consultation until 18 July 2026.
- Governable by construction
- An agent system whose controls, consent, audit, residency and human gates, are load-bearing architecture designed in from the start, not a compliance layer retrofitted later.
Work with CLRT
Building agent systems that are governable by construction, with consent, audit, residency and human gates designed in as architecture rather than retrofitted as apology, is exactly the work CLRT does. If your business is inside the UAE's two-year window, and it is, the useful conversation is not whether to move before the rulebook lands. It is how to move so that the rulebook, when it lands, finds you already compliant. Talk to us before the interval closes.

Vishal Sachar
Vishal Sachar is the Co-Founder and CEO of CLRT, where he helps UAE businesses make sense of applied agentic AI and put it to work. He writes on agentic systems, AI governance, and the economics of automation. Reach him at vishal@clrtstudio.com or on LinkedIn.


