THE FOUNDER, THE FUNDING, AND THE FINE PRINT
Yasmina has a working product. It is an Arabic language clinical assistant trained partly on a healthcare dataset she licensed in Egypt, partly on outputs from a major foundation model accessed through a cloud region in Europe, and partly on fine tuning runs she paid for on a sovereign GPU cluster in Abu Dhabi.
She has term sheets from two regional VCs. She has letters of intent from a Saudi hospital group and another GCC insurer. She has a free zone licence and a CTO.
What she does not have, and what no one in her cap table has thought to ask about, is a clean answer to five questions her future acquirer's lawyers will absolutely ask.
▸ Who owns the model?
▸ Where does the data live?
▸ What did she sign with the sovereign infrastructure provider?
▸ Is she licensed to do what she is doing?
▸ Can she sell to a non GCC buyer if she wants to?
If you are building an AI company in the GCC right now, you are operating in the most exciting moment this region has produced in a generation. It is also the most legally consequential. Sovereign AI is no longer a policy slogan. It has become a procurement reality, an infrastructure stack, a regulatory regime, and a capital pool, all at once. Each of those layers carries legal exposure that will shape your exit, your fundraising, and your day to day operations.
This Special Issue is a founder's eye view of those exposures.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
THE LANDSCAPE, IN ONE PAGE
You do not need a policy briefing. You need to know what has changed enough to change your contracts. Here is the minimum.
UNITED ARAB EMIRATES
The UAE now operates under a multi tiered AI governance structure. The federal AI Office leads it, with sectoral overlays from the Central Bank, the DFSA in DIFC, the FSRA in ADGM, and the emirate level health and transport regulators. There is no single AI Act. Compliance is layered. The Personal Data Protection Law sits at federal level, sector specific rules sit on top of it, and the free zone regimes in DIFC and ADGM each carry their own data protection and licensing perimeter. Stargate UAE, the Abu Dhabi gigawatt class campus partnered with G42, Microsoft, and NVIDIA, is now the regional flagship for sovereign compute. Its first phase comes online in 2026.
KINGDOM OF SAUDI ARABIA
Saudi Arabia has formally designated 2026 the Year of Artificial Intelligence. SDAIA continues to enforce the Personal Data Protection Law and, since November 2025, has published an AI Adoption Framework that sets a mandatory governance baseline for public sector entities. The same baseline is now creeping into the requirements placed on private suppliers selling to government. HUMAIN, the AI vehicle launched by the Public Investment Fund in May 2025, is the centre of gravity for sovereign backed AI capital in the Kingdom, sitting alongside the Hexagon data centre in Riyadh.
THE WIDER GCC
Qatar, Bahrain, Kuwait, and Oman are each running their own national AI strategies. Data residency expectations differ from emirate to emirate and kingdom to kingdom. Cross border AI deployment in the GCC is no longer a single jurisdiction question.
▸ WHAT THIS MEANS FOR YOU
If your AI company touches data, models, compute, or government customers in more than one GCC country, and most do, you are operating in a multi regulator environment. There is no single licence, no single law, no single regulator to satisfy. Unlike in the EU, the legal architecture of your company has to map onto that reality.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
FIVE LEGAL EXPOSURES EVERY GCC AI COMPANY SHOULD BE AWAKE TO
DATA RESIDENCY AND CROSS BORDER FLOWS
What it is. Both the UAE PDPL and the Saudi PDPL impose conditions on transferring personal data outside the country. Both regimes are strict about health, financial, and minors' data. The sovereign AI rhetoric in the region, the language used by SDAIA, the AI Office, and the free zone regulators alike, increasingly assumes that strategic data should stay in country.
What it means for you. If your model is trained or fine tuned on personal data that originated in the UAE or KSA, the question of where the data and the resulting model artefacts physically sit is no longer a back office IT decision. It is a legal one. It also affects whether you can use foundation models hosted abroad, whether your customer can lawfully send you their data in the first place, and whether your investors' due diligence will green light a Series A.
Where it bites. Customer contracts that promise data residency you cannot actually deliver. DPAs that do not reflect the cloud region your model is actually running in. Training data licences that do not extend to the geography you have just moved into.
- SOVEREIGN INFRASTRUCTURE CONTRACTS
What it is. Access to sovereign compute, whether that is Stargate UAE, the 5GW Abu Dhabi campus, Hexagon in Riyadh, or the broader G42 and HUMAIN ecosystems, typically comes wrapped in long, sophisticated contracts. These are not standard cloud terms of service. They contain provisions on data handling, IP in model outputs, audit rights, exclusivity, and in some cases preferential rights for the infrastructure provider in subsequent funding rounds or in the company's commercial output.
What it means for you. When you sign a sovereign compute agreement, you may also be signing restrictions on who you can sell to, where you can deploy, and who has visibility into what you build. None of this is necessarily bad. Some of it is excellent. All of it should be understood before signing, not after.
Where it bites. Acquisition negotiations. Buyers will read these contracts before they read your cap table. A poorly negotiated infrastructure agreement can compress your enterprise value materially, or put a buyer's preferred deployment strategy out of reach.
- GOVERNMENT PROCUREMENT AND "CULTURAL ALIGNMENT"
What it is. Both the UAE and KSA are channelling enormous government demand into AI procurement. SDAIA's AI Adoption Framework is becoming the de facto procurement baseline for Saudi public sector buyers. The UAE's emerging cultural alignment indices and AI procurement guidelines mean that selling to government customers in the region is no longer just about price and product. It is about evidenced governance posture.
What it means for you. Government RFPs are increasingly asking for AI asset inventories, model cards, human oversight documentation, bias testing, and evidence of data lineage. If your startup cannot produce these on demand, you are not bidding for sovereign work, even if your product is technically superior.
Where it bites. Tender disqualification. Months of business development work lost because the legal compliance file does not exist. Promises made in commercial proposals that the company cannot legally honour.
- IP OWNERSHIP OF MODEL OUTPUTS AND TRAINING DATA
What it is. AI startups are unusually exposed on intellectual property. The chain runs from training data, through model weights, through fine tuning, through prompts, to outputs. At every link, the question of who owns what is contractually defined, not legally assumed. Under GCC laws, the position on whether AI generated output attracts copyright at all remains open and is being shaped on a contract by contract basis.
What it means for you. Your training data licences, your foundation model API terms, your enterprise customer agreements, and your employee IP assignments need to align. If they do not, and most early stage cap tables have at least one gap, your future acquirer can argue that the IP they are paying for is not, in fact, yours to sell.
Where it bites. Acquisition diligence. Investor warranties. Customer claims if a model output infringes a third party. Founder disputes when an early team member claims ownership over fine tuning work.
- SECTORAL LICENSING YOU MAY NOT REALISE YOU NEED
What it is. AI products that touch healthcare data, financial services, telecommunications, education, or transport in the UAE and KSA generally trigger sector specific licensing. The relevant authorities include the Department of Health Abu Dhabi, the SCFHS in Saudi Arabia, the Central Bank, the DFSA, the FSRA, the TDRA, and others. The fact that your free zone licence permits AI services is not the end of the analysis. It is sometimes barely the beginning.
What it means for you. A company who launches an AI clinical decision support tool under a generic technology licence in a free zone can find, at the moment of their first hospital contract, that they need a separate health sector authorisation to lawfully deploy. By that point, the deal is either delayed, restructured, or lost.
Where it bites. First enterprise contracts. Cross emirate or cross border expansion. Acquisition by a regulated buyer who needs the target to already hold the relevant authorisations.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
⚠ THE PATTERN I KEEP SEEING
AI companies in the GCC are signing long term sovereign infrastructure agreements, foundation model API terms, training data licences, and enterprise customer contracts in parallel. Often in the same fundraising quarter. Often with different counsel reviewing each in isolation.
By the time anyone reviews the stack as a whole, the contradictions are baked in. The fix is not legal heroics at exit. The fix is a coherent contract architecture set early, while everything is still negotiable.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
GCC CONTEXT: WHY THIS MATTERS NOW
Three forces converging in 2026.
▸ CAPITAL. HUMAIN, MGX, G42's investment programmes, and the broader sovereign backed AI capital pool are deploying at a scale unmatched anywhere outside the United States and China. Capital is rarely the constraint for serious GCC AI founders. Legal readiness for that capital often is.
▸ COMPUTE. Stargate UAE's first phase, the Hexagon data centre in Riyadh, and the broader regional sovereign compute build out give GCC domiciled AI startups direct access to frontier hardware without leaving the region. The contracts behind that access are where the value, and the risk, sits.
▸ DEMAND. The UAE's AI adopted government posture and Saudi Arabia's Year of AI procurement push are creating government anchored demand at a scale founders elsewhere can only envy. But that demand is gated by governance evidence, not just product quality.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
THE PRE BUILD LEGAL CHECKLIST FOR GCC AI COMPANIES
Before you raise your next round, and certainly before you sign your next sovereign infrastructure agreement or government RFP, work through this list. If you cannot answer any of these confidently, you have a gap worth closing now rather than at diligence.
▸ DATA LINEAGE
Can you produce, on demand, a clear record of where every dataset in your training and fine tuning pipeline came from, on what licence, and with what restrictions?
▸ DATA RESIDENCY MAPPING
Do you know, for every type of personal data you handle, which jurisdiction it originated in, where it is stored, where it is processed, and whether your customer contracts match?
▸ MODEL AND WEIGHTS OWNERSHIP
Is the legal ownership of your model weights, fine tunes, and derivative artefacts unambiguously vested in your operating company, with all employees and contractors covered by IP assignments?
▸ FOUNDATION MODEL DEPENDENCIES
Have you read the API terms of every third party foundation model in your stack? Do you know what the provider's rights are over your prompts, outputs, and fine tunes?
▸ SOVEREIGN INFRASTRUCTURE TERMS
Have the long form agreements with your sovereign or hyperscale compute provider been reviewed by counsel familiar with GCC AI contracting, not just generic cloud counsel?
▸ SECTOR LICENSING AUDIT
For every sector you sell into, whether health, finance, education, or transport, have you confirmed which national or emirate level authority needs to authorise your activity, and on what timeline?
▸ PROCUREMENT READINESS FILE
Can you assemble, within a week, the AI asset inventory, model documentation, governance policies, and human oversight evidence that public sector buyers in KSA and the UAE are now expecting?
▸ CROSS BORDER DEPLOYMENT PLAN
If a customer in another GCC country wants to deploy your product tomorrow, do you know what changes legally, and can you give them a defensible answer the same day?
▸ INVESTOR AND ACQUIRER READINESS
Are your contracts internally consistent, so that a future buyer reading the stack does not find a sovereign infrastructure clause, a customer DPA, and an investor warranty pulling in three different directions?
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
WHY COMPANIES WHO GET THIS RIGHT WILL WIN THIS DECADE
There is a version of the next ten years in which the most consequential AI companies built outside the United States and China are built in the Gulf. The capital is here. The compute is here. The political will is here. The customer demand, public and private, is here at a scale that founders in many larger markets simply do not have.
What separates the AI startups that will compound from those that will stall is not, in our experience, the model architecture. It is the legal architecture.
Founders who treat data residency, IP chain, infrastructure contracts, sectoral licensing, and procurement readiness as core company building tasks, alongside hiring, fundraising, and product, are the ones whose Series B diligence reads cleanly. Their government tenders advance. Their acquisition conversations close on the founder's terms rather than the buyer's.
It is genuinely a great moment to be building an AI company in the Gulf. It is also a moment in which the legal cost of moving fast without a coherent foundation has gone up materially. Both things can be true. They are.
The Legal Rooms
The Legal Rooms
Share this article