In January 2026, the Dubai Electronic Security Center quietly shifted the dial on how government cybersecurity compliance works. Not through a new policy directive or a revised framework, but through a live demonstration of an AI engine that can audit, assess, and recommend in real time. This is what happened, what it means, and why the rest of the GCC is paying attention.
The Compliance Challenge Facing Dubai Government
Dubai’s digital infrastructure spans more than 45 government entities and a growing network of semi-government organisations, all subject to the DESC ISR v3.1 framework. Each entity must demonstrate compliance across a comprehensive control catalogue covering identity and access management, incident response, business continuity, and everything in between.
The traditional model involves ISR Officers conducting periodic assessments, documenting evidence against controls, and submitting findings to DESC. The cycle is structured and thorough, but it is also inherently retrospective. By the time an audit captures a gap, the conditions that created it may have existed for months.
The challenge is compounded by scale. ISR Officers across Dubai government are responsible for frameworks that touch every corner of their organisation’s technology stack. Manual gap analysis across hundreds of controls, mapped against live operational environments, is resource-intensive work that benefits enormously from intelligent automation.
What Is ASAAS 2.0?
ASAAS 2.0 is DESC’s next-generation AI-powered auditing engine, demonstrated at the Multaqa ISR Officers forum in January 2026 — an event that brought together ISR Officers from across Dubai’s government and semi-government entities under DESC’s convening authority.
The name builds on the original ASAAS platform, which established the foundational compliance assessment infrastructure for DESC. Version 2.0 represents a generational upgrade, introducing AI-driven reasoning where the first version relied primarily on rule-based logic and manual inputs.
By choosing to demonstrate ASAAS 2.0 to ISR Officers directly, DESC signalled that this is not a back-office tool. It is an operational capability that will change how ISR Officers do their jobs, how entities understand their compliance posture, and how DESC exercises its supervisory role.
The Three Core Functions
ASAAS 2.0 operates across three capabilities that together represent a fundamental shift in what compliance assessment looks like in practice.
The first is real-time compliance assessment. Rather than periodic snapshots, the engine continuously ingests telemetry and evidence from entity environments, mapping observed controls against the ISR v3.1 catalogue in near real-time. This gives Dubai government entities a living posture model that reflects the actual state of their security controls at any given moment, not where they stood six months ago.
The second is automated gap analysis. The engine identifies deltas between an entity’s observed posture and ISR v3.1 requirements, categorising gaps by severity, control domain, and remediation complexity. What previously required weeks of structured interviews and evidence collection can now surface as a prioritised gap register in a fraction of the time.
The third is AI-driven recommendations. Beyond identifying where gaps exist, ASAAS 2.0 generates contextualised remediation guidance tailored to the entity’s sector, size, existing tooling, and historical compliance trajectory. This shifts the audit from a descriptive exercise to a prescriptive one, giving ISR Officers actionable direction rather than a list of deficiencies.
The ISR Officer’s role does not disappear. It evolves. The engine surfaces and prioritises; the officer exercises judgment, validates context, and carries the accountability that no AI system can hold.
How It Maps to ISR v3.1
The ISR v3.1 framework covers the full spectrum of information security discipline. Across governance and strategy, identity and access, protection and prevention, detection and monitoring, response and resilience, and compliance culture, ASAAS 2.0 brings automated evidence ingestion and AI-assisted assessment to domains that previously depended almost entirely on manual effort.
Detection and monitoring is where the AI value is most immediate. SIEM, SOAR, and UEBA controls generate the kind of continuous telemetry that ASAAS 2.0 is built to process. Identity and access controls, covering IAM, PAM, MFA and PKI, are similarly well-suited to real-time monitoring. Response and resilience controls, including the currency and completeness of incident response plans and business continuity documentation, benefit from the engine’s ability to track evidence freshness automatically.
Governance and compliance culture controls are harder to automate fully, and ASAAS 2.0 is not designed to replace human judgment in those domains. What it does is give ISR Officers a structured, consistent baseline that makes their own assessment effort more focused and more productive.
The April 2026 joint guidance is structured around the six functions of NIST Cybersecurity Framework 2.0: Govern, Identify, Protect, Detect, Respond, and Recover. It also aligns with NIST SP 800-82 Rev. 3, the DoD Zero Trust Reference Architecture v2.0, and the international ISA/IEC 62443 standard series. For practitioners, this means the guidance is not a standalone exercise – it plugs into the compliance frameworks most OT organisations are already working with.
Here are the five most actionable priorities the guidance identifies:
- Comprehensive asset visibility
You cannot apply Zero Trust to assets you cannot enumerate. The guidance makes passive asset discovery the foundational first step. Using SPAN ports or network TAPs, OT teams can fingerprint every device on the network from observed traffic – capturing device type, vendor, firmware version, protocols in use, and communication patterns – without injecting a single packet that could disrupt operations.
CISA specifically endorses Malcolm, its open-source SIEM tool, which includes Zeek parsers built for common OT protocols and supports deep traffic analysis. This is a practical, cost-accessible starting point for organisations without dedicated OT security tooling.
- Zones and conduits
Once assets are visible, they must be grouped by criticality and security requirements. The IEC 62443 zone and conduit model – explicitly referenced in the CISA guidance – provides the architectural backbone. Zones group assets with similar security levels; conduits are the controlled communication pathways between zones. Every conduit must be documented, controlled, and protected.
In practice, this typically means a safety layer (SIS/ESD systems at minimum Security Level 3, fully isolated), a basic process control layer, an operations and monitoring layer, and a DMZ that mediates all communication between OT and IT. No direct IT-to-OT communication paths should exist.
- Identity and access controls
Shared credentials between IT and OT environments are one of the primary vectors Volt Typhoon and similar actors exploit. The guidance is specific: OT Active Directory should be separated into a distinct forest or domain with no direct trust relationships to the IT AD. Multi-factor authentication should be enforced at the jump host level – the last controlled point before OT access – even where legacy OT assets cannot support MFA natively.
Third-party and vendor remote access is a particular priority. Time-limited, least-privilege, fully monitored remote sessions should replace always-on VPN tunnels that provide persistent, broad access to OT networks.
- Supply chain risk management
CISA’s guidance notes that compromised trusted third-party vendor software is a well-documented attack vector against OT environments. Procurement decisions should now incorporate security requirements: Software Bills of Materials (SBOMs) for OT components, vendor security posture assessments, and contract terms that mandate timely vulnerability disclosure.
The “secure by design” imperative is closely linked here. When procuring new OT components, organisations should require that security capabilities – logging, encrypted communications, identity support – are built in by default, not treated as optional extras.
- Continuous monitoring and detection
Zero Trust does not end at access control. Continuous monitoring is what makes the model adaptive. Critically, OT environments’ relatively static nature is an advantage here: normal behaviour is predictable, which means anomalies are detectable. Unexpected commands to a PLC, unusual protocol traffic on an OT segment, or a device communicating with an unfamiliar external IP – all of these stand out sharply against the baseline.
The highest-risk monitoring points are the junctions where OT connects to IT or to external systems. Passive monitoring through TAPs keeps observation completely load-free, with no risk of disrupting time-sensitive control traffic. CISA’s Malcolm/Zeek tooling provides OT protocol-aware analysis that generic SIEM solutions cannot replicate.
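The zone-and-conduit and continuous-monitoring priorities above can be combined into one check: audit passively observed flows against the documented conduit list. The following is an added example, not code from the guidance or from Malcolm; the subnets, conduit list and flow records are constructed assumptions.

```python
import ipaddress

# Constructed zone plan (assumption): subnets are illustrative only.
ZONES = {
    "safety":  ipaddress.ip_network("10.10.1.0/24"),   # SIS/ESD, fully isolated
    "control": ipaddress.ip_network("10.10.2.0/24"),   # basic process control
    "ops":     ipaddress.ip_network("10.10.3.0/24"),   # operations and monitoring
    "dmz":     ipaddress.ip_network("10.20.0.0/24"),   # mediates OT <-> IT
    "it":      ipaddress.ip_network("10.30.0.0/16"),
}
OT_ZONES = {"safety", "control", "ops"}

# Documented conduits (assumption): (source zone, destination zone, port).
CONDUITS = {
    ("ops", "control", 502),   # HMI to PLC, Modbus/TCP
    ("ops", "dmz", 443),       # historian replication
    ("it", "dmz", 443),        # IT users reach the DMZ only
}

# Constructed flow records: originator, responder, responder port
# (the fields Zeek's conn.log names id.orig_h, id.resp_h, id.resp_p).
SAMPLE_FLOWS = (
    "10.10.3.15\t10.10.2.20\t502\n"
    "10.30.4.7\t10.20.0.5\t443\n"
    "10.30.4.7\t10.10.2.20\t502\n"
    "10.10.2.20\t203.0.113.50\t443\n"
    "10.10.3.15\t10.10.2.20\t44818\n"
    "10.10.2.21\t10.10.2.20\t502\n"
    "10.10.3.15\t10.10.1.5\t102\n"
)

def zone_of(ip):
    """Map an address to its zone; anything unlisted is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"

def classify(src, dst, port):
    """Return a finding label for a flow, or None if it is acceptable."""
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return None                      # intra-zone traffic is not a conduit
    pair = {s, d}
    if "safety" in pair:
        return "safety-isolation"        # safety layer must be fully isolated
    if "it" in pair and pair & OT_ZONES:
        return "direct-it-ot"            # must traverse the DMZ instead
    if "external" in pair and pair & OT_ZONES:
        return "ot-external"             # OT device talking to an outside IP
    if (s, d, port) not in CONDUITS:
        return "undocumented-conduit"    # cross-zone path nobody documented
    return None

def audit(flow_text):
    """Yield (line_no, src, dst, port, finding) for every violating flow."""
    findings = []
    for n, line in enumerate(flow_text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, port = line.split("\t")
        verdict = classify(src, dst, int(port))
        if verdict:
            findings.append((n, src, dst, int(port), verdict))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

Because OT traffic is largely static, any finding from a check like this is worth triage: either the conduit register is out of date or the flow should not exist.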
The GCC Context: Why This Matters Regionally
DESC’s deployment of ASAAS 2.0 does not exist in isolation. Across the GCC, regulators and security authorities are navigating the same fundamental tension: the scale and sophistication of digital government services is growing faster than the capacity of traditional audit processes to keep pace.
In Saudi Arabia, the National Cybersecurity Authority has been building out continuous monitoring capabilities through the National Cybersecurity Framework, while the SAMA Cyber Security Framework governs the financial sector with increasingly frequent assessment cycles. The DESC ISR Officer community model mirrors Saudi Arabia’s own sectoral compliance structure closely, making ASAAS 2.0 a directly relevant reference architecture for NCA planners.
In Abu Dhabi, the Abu Dhabi Digital Authority has developed its own information assurance framework for Abu Dhabi government entities. As the two largest emirates align on digital government standards, there is natural momentum toward interoperability between Abu Dhabi’s assurance model and Dubai’s ISR framework. The evidence architecture that ASAAS 2.0 generates could serve as a practical bridge for that alignment.
Across Bahrain, Kuwait, Qatar, and Oman, each national cybersecurity authority operates within the GCC-CERT coordination network. An AI-powered auditing model proven at Dubai government scale carries credibility that will accelerate consideration at national level across the region. The Multaqa forum model, convening practitioners rather than just regulators, is itself an approach that resonates with how the GCC cybersecurity community prefers to develop consensus.
The broader regional backdrop matters too. Saudi Vision 2030, UAE Centennial 2071, Qatar National Vision 2030, and Bahrain Economic Vision all depend on digital infrastructure that must be secured and demonstrably compliant. AI-powered auditing at the DESC scale gives the region a proof point it can build on.
Implications for ISR Officers
For the ISR Officers who attended the January 2026 Multaqa forum, and for those who will work with ASAAS 2.0 when it becomes available to their entities, five practical priorities stand out.
Prepare your evidence architecture before rollout. ASAAS 2.0 ingests telemetry and structured evidence. Entities that have invested in clean, well-documented control environments will benefit most from the engine’s capabilities. Use the period before rollout to audit your own evidence management practices and close structural gaps in how compliance data is captured and stored.
Understand the human oversight requirement. ASAAS 2.0 generates findings and recommendations. It does not replace the ISR Officer’s accountability for those findings. Know which controls the engine assesses autonomously, where it flags uncertainty, and what escalation pathways exist for contested determinations.
Engage your leadership on continuous compliance. Moving from annual snapshots to continuous posture management changes the conversation at board and executive level. Frame this transition proactively: compliance is no longer a point-in-time certification but an ongoing operational state that requires sustained investment.
Align your vendor ecosystem. The effectiveness of ASAAS 2.0 depends in part on the quality of integration with the tools and platforms entities already operate. Engage your security vendors on API readiness, telemetry output standards, and compatibility with DESC’s evidence ingestion requirements ahead of rollout.
Participate in the community. The Multaqa ISR Officers forum is a convening model that gives Dubai’s compliance community a shared space to develop practice, share lessons, and influence how ASAAS 2.0 evolves. Active participation is one of the most direct ways ISR Officers can shape the tools they will use.
DESC has placed a clear bet on AI as the engine of next-generation compliance supervision. For those operating within the ISR framework, the question is no longer whether this shift is coming. It is how ready you are when it arrives.