Why enterprises deploy first and ask later
The pressure to deploy AI is real. Boards want it. Competitors are announcing it. Finance teams are being told to cut costs. In that environment, compliance questions feel like delay — like legal putting a hold on something the business wants.
The result is that most enterprise AI deployments we encounter were approved in a commercial process that never included the questions below. The answers to these questions are rarely a deployment blocker — they are design requirements. The difference between answering them before deployment and after deployment is the difference between building a compliant system from scratch and retrofitting compliance onto something that was not designed for it.
Retrofitting is always more expensive. We have done it. It is not fun.
Watch out
Question 1: Where does the data go?
Every AI system that processes documents sends data somewhere to run inference. That somewhere has a geography and a legal jurisdiction. Data residency requirements vary by country, by data type, and by the specific regulatory framework your company operates under.
The questions to answer: Where does inference run — which cloud region? Does the vendor store prompts or document content for model improvement? If so, is that configurable? Is there an option for inference that does not leave a specific country or region? For MENA-based enterprises operating under local data protection regulations, the answers to these questions are often not in the vendor's standard documentation — you have to ask explicitly and get contractual confirmation.
For financial institutions operating under UAE Central Bank or Saudi SAMA guidelines, the data residency question is not optional. "We use AWS globally" is not an acceptable answer. You need a specific region commitment and a data processing agreement that covers it.
Question 2: Can you explain every decision?
Auditability and explainability are different things. Auditability means you can show that a decision was made, by what process, at what time, with what inputs. Explainability means you can say why the model reached the conclusion it reached.
For financial workflows, auditability is the minimum requirement. You need a log that shows: this invoice was processed by this model version on this date, the extraction produced these fields at these confidence scores, the routing decision was made by this rule, and this human reviewed and approved it. That log needs to be available for at least 7 years for standard financial audit purposes — and longer for some regulated industries.
Explainability — being able to say "the model classified this transaction as suspicious because of these factors" — is required in some contexts but not all. For procurement automation, auditability is usually sufficient. For credit decisions or employee performance systems, explainability requirements are stricter and you should involve legal before deployment.
The absence of an audit trail does not mean nothing happened — it means you cannot prove what happened. In a regulated context, those are functionally the same outcome.
Question 3: Can a human override any decision?
This sounds obvious. It is not always obvious in implementation. An AI system that approves invoices and writes to the ERP in a single automated step has no override point. An AI system that approves invoices, creates a pending record, and requires human confirmation before the ERP write has a natural override point.
The design question is: at which points in the pipeline can a human intervene, and is that intervention point clearly defined in the system or does it require an engineer to roll back a database write? For any AI system that takes actions with financial or legal consequences, every action should have a hold state that a human can inspect and override before it is committed.
The human-in-the-loop requirement is also increasingly embedded in AI governance regulations. The EU AI Act, for example, requires human oversight for high-risk AI systems. MENA regulators are watching these developments closely. Building override capability in from the start costs almost nothing relative to building it as a retrofit.
Our take
Question 4: What happens when the regulation changes?
AI regulation is moving fast. The rules that apply to your AI deployment today may be different in 18 months. The compliance conversation before deployment should include: how do we update the system when regulations change, who is responsible for monitoring regulatory changes that affect this system, and what is the process for halting the system quickly if a new requirement cannot be met?
This is less about predicting what will change and more about building a governance process that can respond to change. An AI system that a single engineer understands and maintains is a compliance risk when that engineer leaves. A system with documented controls, clear ownership, and a defined review cadence is not.
The practical minimum: appoint a named owner for every production AI system. Document the data flows, the external dependencies (which APIs, which model versions, which cloud regions), and the controls in place. Review this documentation when the system is updated and when relevant regulations change. This does not require a dedicated compliance team — it requires one hour per quarter and a document that is not stored only in someone's head.
Related reading