There's a specific kind of nervousness that shows up about two weeks before an AI system goes through any kind of formal regulatory review, and it usually comes from not knowing what's actually going to be asked. We're not regulators and we won't pretend to speak for CBUAE here, but having sat alongside compliance teams at two UAE banks preparing AI systems for examination, the actual questions are a lot more concrete — and honestly more reasonable — than the anxiety beforehand suggests.
It's rarely about the algorithm
This is the part that surprises technical teams the most. Examiners generally aren't trying to evaluate whether your model architecture is state of the art, and they're not asking for a maths lecture on how the underlying language model works. What they want to understand is much closer to how they'd evaluate any other operational process: what decision is being made, by what authority, with what record, and what happens when it goes wrong.
The four questions that come up every time
First — what specific action does this system take, and what's the worst-case consequence if it's wrong? Not a hypothetical, a real worst case for this specific use case. Second — show me the record of a specific decision, end to end, including what data was used and what reasoning led to the output. Third — who is the named human accountable for this system's operation, and what authority do they have to intervene? Fourth — how do you know if this system's performance degrades over time, and what's the trigger for retraining or pulling it from production?
None of these are algorithm questions. All four are governance and accountability questions, and they're answerable in plain language if the system was designed with those answers in mind from the start. They become very hard to answer convincingly if governance was retrofitted after the fact, because the documentation usually doesn't exist in the form an examiner wants to see it.
What "explainability" means in this context
People sometimes assume explainability means being able to fully describe the internal mathematics of a model, which for modern AI systems is genuinely difficult and arguably not the point anyway. What examiners are actually looking for is closer to a decision rationale — given this input, here's what data the system looked at, here's the rule or pattern it matched, here's the confidence level, and here's why it either proceeded or escalated. That's an achievable, documentable thing, and it's a very different bar than "explain the neural network."
The audit trail question is where most systems fall short
We've seen AI systems that work well operationally but produce a transcript-style log that's essentially useless for examination purposes — a wall of text rather than a structured record an examiner could actually query. "Show me every decision this system made last Tuesday involving a customer over a certain risk threshold" should be a query you can run, not an exercise in reading through logs manually. If your audit trail can't answer a specific, structured question like that quickly, it's not really an audit trail yet, regardless of how much data it's technically storing.
Documentation that holds up
The banks we've worked with that went through examination with the least friction had three documents ready before anyone asked: a one-page description of what the system does and doesn't do, in plain language a non-technical reviewer could read; a RACI-style map of who's accountable for what part of the system's operation; and a sample export of the audit trail for a handful of real decisions, redacted as needed, showing exactly what gets recorded. None of these are exotic documents. They're the kind of thing a well-run operations team should have for any critical process, AI or not.
The honest takeaway
Examination readiness isn't really a separate project from building the AI system well in the first place — it's mostly the natural output of having built it with governance as a first-class requirement rather than an afterthought. The banks that struggle aren't usually the ones with worse AI. They're the ones who built fast, got something working, and only started thinking about documentation and accountability once someone asked for it.