Sovereign AI for Gulf banks that answer to SAMA and the CBUAE.

Gulf banks answer to SAMA and the CBUAE long before they answer to a model vendor. Iftah keeps generative and analytical AI inside the bank's own SAMA- and CBUAE-aligned environment — transaction data, KYC records, and customer PII processed where the regulator can supervise them, never shipped to a foreign region. One control plane enforces residency, governance, and audit across every model and cloud.

Talk to an engineerAll industries

Built for the Gulf's banking regulators

  • In-Kingdom / in-country residency by configuration
  • Tamper-evident audit for SAMA & CBUAE review
  • Bare-metal for real-time fraud & AML
  • Explainability & human-in-the-loop controls

Designed to evidence the regimes your bank answers to.

Iftah does not claim certification — that stays the bank's obligation. In-region deployment, a content-free audit trail, and customer-held keys give your reviewers concrete, exportable evidence for each framework.

KSACentral Bank · SAMA

SAMA Cyber Security Framework

Access, logging, and incident-response controls designed for review under the SAMA CSF.

KSASAMA · Cloud

Outsourcing & Cloud Rules

In-Kingdom control over outsourced and cloud AI workloads, mapped to platform configuration.

KSASAMA · AML/CTF

AML / CTF Rules

Auditable, explainable model outputs for monitoring, screening, and SAR workflows.

UAECentral Bank · CBUAE

CBUAE Outsourcing Regulation

Master System of Record and Confidential Data kept inside the UAE with supervisory access.

KSA/UAEData · PDPL

PDPL (SDAIA / Federal)

In-country processing, data-subject-rights flows, and transfer controls for your DPO's review.

UAEFree zone · DIFC/ADGM

DIFC & ADGM Data Protection

Free-zone-resident processing with reviewable controls for autonomous-AI and data duties.

QatarCentral Bank · QCB

QCB AI in Finance

Governance and oversight aligned to QCB's FinTech and AI expectations.

Every banking objection, resolved by design.

The reasons public-cloud AI stalls in a Gulf bank — and how Iftah removes each one.

The trade · Residency

Data leaves the country

SaaS AI routes prompts with transaction, KYC, and account data through foreign regions — breaching CBUAE Master-System-of-Record and SAMA in-Kingdom control.

Iftah

Every model and workload is pinned to an approved region, hybrid, or on-prem location; the Master System of Record and Confidential Data never leave the jurisdiction.

The trade · Audit

No proof of access

Shared multi-tenant endpoints give the bank no way to show who accessed which customer record.

Iftah

Immutable, tamper-evident logs capture every prompt, retrieval, and decision — the supervisory trail SAMA and the CBUAE require, on demand.

The trade · Explainability

Black-box decisions

Vendor models cannot satisfy SAMA and QCB expectations for explainability, bias testing, and human oversight on credit and risk.

Iftah

Explainability, human-in-the-loop checkpoints, and model-version controls are built into the governance plane.

The trade · Ownership

Custody is surrendered

Sending Confidential Data to a third-party AI provider transfers de facto custody and risks secondary use for vendor training.

Iftah

The bank owns the model, the data, and the full inference record; nothing is used to train anyone else's model.

The trade · Governance

Shadow AI spreads

Each business unit adopts its own SaaS tool — fragmented guardrails and ungovernable IP leakage.

Iftah

One control plane applies uniform policy, access, and guardrails across every entity and cloud.

Each workload runs where its regulator demands.

From an in-Kingdom sovereign region to air-gapped core systems — one governance standard across all of it.

Sovereign cloud

Sovereign in-Kingdom region

Customer-facing copilots and analytics in a SAMA-registered local region.

Multi-cloud & hybrid

Multi-cloud per entity

A Saudi entity and a DIFC/ADGM arm run in different clouds — governed as one.

On-prem

Bare metal for fraud & AML

Real-time fraud and AML screening on isolated GPUs with deterministic sub-second latency.

Disconnected

Air-gapped core

Core banking and payments AI with no cross-border data path whatsoever.

High-value AI, in-region and auditable.

  • AML & sanctions monitoring

    Transaction monitoring, screening, and SAR narrative drafting aligned to SAMA AML/CTF rules.

  • Real-time fraud detection

    Payment-anomaly and fraud scoring on isolated, low-latency infrastructure.

  • Explainable underwriting

    Document-grounded credit and SME risk assessment with auditable model outputs.

  • Bilingual service copilots

    Arabic-English customer-service and contact-center automation that keeps data in-region.

  • RM & compliance copilots

    Retrieval over internal policy, product, and regulatory documents for relationship managers and officers.

  • Regulatory reporting & KYC

    Automated reporting, KYC/onboarding document processing, and control-testing assistance.

What banking risk and procurement ask first.

Iftah deploys so the Master System of Record and Confidential Data remain inside the UAE with supervisory access; residency is evidenced by configuration, and your DPO retains the compliance attestation.
Yes — in a SAMA-registered region, your private cloud, or on bare metal in your own data center, with in-Kingdom control over the model and logs.
Every prompt, retrieval, and decision is logged in-region and replayable, with explainability and human-in-the-loop checkpoints on automated credit and risk.
No vendor is. Iftah is designed to map to and evidence these frameworks; certification remains the bank's obligation, and we give your reviewers the artifacts to support it.

Next step

Review Iftah AI against your environment before choosing the first workload.

Talk to an engineer