Compliance in the Age of Oversharing AI

AI is breaking Shariah governance. The IFSB-10 audit trail can't survive AI tools that ingest customer data, fatwa rulings, and board decisions. ZeroH Disclosure is a deterministic, on-device privacy layer that masks sensitive fields before any AI call and anchors every disclosure to a permissioned ledger. Live in Qatar (QFC) and Bangladesh.

By Kasturi Sharma, Head of Compliance at Blade Labs
Published 8th May 2026

Every regulated business already has a data-sharing problem, and for Islamic banks, AI has made it a Shariah governance problem. Auditors need evidence. Regulators need proof. AI tools need context. The data that satisfies any of them is the data the institution is supposed to keep under control. NDAs, redactions, and after-the-fact attestations held the line for decades, when evidence moved in batches, and the parties on the other end were known and few. Neither condition holds anymore, and for the 11.5%-CAGR Islamic fintech market, the cost of pretending otherwise is now measurable.

IBM's 2024 Cost of a Data Breach Report put the global average breach at $4.88M, a 10% year-over-year jump and the largest since the pandemic. The 40% of breaches involving data spread across multiple environments cost more than $5M on average and took the longest to identify and contain: 283 days.

Cisco's 2026 Data and Privacy Benchmark Study found that 90% of organisations say their privacy programs have expanded because of AI, 43% increased privacy spending in the past year, and 93% plan to allocate more resources to privacy and data governance over the next two years. In Samsung’s 2023 ChatGPT incident, employees reportedly pasted confidential source code and a meeting transcript into ChatGPT in several separate incidents over about 20 days, which led Samsung to restrict the use of public AI chatbots.

Image source: https://incidentdatabase.ai/cite/768/

Stanford's 2026 AI Index Report logged 362 AI-related incidents in 2025, up from 233 the year before, a roughly 55% jump. Over the same period, the share of organisations rating their own AI incident response as "excellent" fell from 28% to 18%.

The pattern is the one most compliance teams already feel. Redaction-after-the-fact, NDAs, and vendor assurances were never designed for a world where evidence flows simultaneously to human auditors, regulators, and AI systems. The choice today is between sharing too much and accepting the breach risk, or sharing too little and grinding the business to a halt.

Why Shariah Governance breaks under AI pressure (IFSB-10 explained)

Islamic banks face this with an extra dimension. The IFSB's Shariah Governance Standard (IFSB-10) defines Shariah governance as a four-part control system: issuance of pronouncements by the Shariah board, dissemination of those rulings internally, real-time compliance review of products and transactions, and an annual independent audit. Each function depends on the institution's ability to prove what was decided, what was communicated, what was followed, and what was reviewed. Without a verifiable evidence trail, none of those functions can be discharged.

Meanwhile, digital Islamic banking is the segment growing fastest. The IFSB documented Islamic banking sector growth of 6.5% in 2024, with digital adoption accelerating across the GCC and Malaysia. The wider Islamic fintech market is now estimated at USD 198 billion in 2024/25 and is projected to reach USD 341 billion by 2029, reflecting an 11.5% CAGR. 

Image source: Global Islamic Fintech Report 25/26

This growth is moving into regulated banking channels, with Malaysia’s AEON Bank, Saudi Arabia’s STC Bank, and other newly licensed digital Islamic banks building customer-facing propositions for a market where AI is already operating at scale. Wells Fargo’s Fargo assistant, for example, has supported more than 1 billion customer interactions in less than three years since launch.

The collision is the obvious one. Customer journeys in a digital Islamic bank touch products approved by the Shariah board, regulated personal data, and AI tools, all in the same session. The channel layer is where customers form trust judgments. It is also where Shariah governance is most likely to fail silently.

ZeroH Disclosure: a deterministic privacy layer for Shariah-compliant AI

There is a path that doesn't force a choice between AI utility and regulatory survival. ZeroH Disclosure is a patent-pending, deterministic, policy-driven privacy and proof platform that lets regulated institutions use AI without surrendering control of sensitive data. It applies the disclosure policy on the device, masks sensitive fields before they leave it, sends only the redacted prompt onward to any external AI, and stamps a hash of every disclosure to a permissioned distributed ledger.

The premise is simple. The Shariah board makes decisions, issues rulings, and approves the customer-facing language. Those decisions compile into a single source-of-truth policy. From that point on:

  • Customers see exactly the language the Shariah board approved, not a marketing-paraphrased version.
  • AI assistants in the journey can help customers without ever seeing the customer's personal information; data that should never reach a model is stripped before any model call.
  • Every customer interaction (consent given, disclosure viewed, AI exchange completed) produces a cryptographically anchored record. The internal Shariah audit team can query exactly what version of which disclosure a specific customer saw on a specific date.
  • When the Shariah board updates a ruling, the policy recompiles and reaches the runtime immediately. The mobile app stops lagging the board by a release cycle.
  • At year-end, the annual Shariah review and the regulator's audit both ship from the same artefact: a proof pack assembled from the year's accumulated evidence, not months of forensic reconstruction.

What the layer doesn't do is replace human judgment. The Shariah board still decides. Advisors still interpret. The layer's job is to make sure those decisions actually reach customers, automatically, every time, with proof on the side.

Live deployments: QFC Digital Assets Lab (Qatar) and Mudarabah Platform (Bangladesh)

This isn't a roadmap. The architecture is operational across multiple settings today.

In Bangladesh, we launched a Shariah-compliant livestock Mudarabah platform in March 2026 with our on-ground partner Agricore (InsureCow), with our platform ZeroH providing the governance layer. The signed Mudarabah contract is enforced as code, with role-based field-level disclosure for every stakeholder and Shariah board certification required before any settlement closes.

In Qatar, ZeroH was deployed at the QFC Digital Assets Lab in September 2025, announced alongside AlRayan Bank, Google Cloud, and Hedera, as the Digital Receipt System for a blockchain-based Islamic finance compliance proof-of-concept. The deployment provides AAOIFI obligation extraction, Shariah board workflow management, and ledger-anchored compliance records.

The public preview of Ask Ali, built on the same disclosure architecture, is soon to be released for Shariah boards, compliance teams, scholars, and auditors.

Same disclosure primitives. Different surfaces. Configured rather than rebuilt.

The choice for Islamic banks: AI utility with auditable evidence

For regulated finance, and for Islamic banks especially, the question is no longer whether AI belongs in the customer journey. It does. The question is whether AI can be there legally, with evidence that the Shariah board and regulator can independently verify. 

This is the layer ZeroH Disclosure provides → See how ZeroH Disclosure works 

FAQs

1. What is Shariah Governance AI?

Shariah Governance AI is the discipline of using artificial intelligence in Islamic finance with auditable, board-approved evidence at every step. Unlike consumer AI tools, Shariah Governance AI enforces a four-part control system — pronouncement, dissemination, real-time review, and annual audit — defined in IFSB-10. ZeroH and Ask Ali+ are built on this category, with Shariah board rulings compiled directly into runtime policy.

2. Can Islamic banks legally use ChatGPT, Claude, or other public AI in customer journeys?

Not without controls. Public AI tools transmit prompts and customer data to third-party infrastructure, which conflicts with most data-residency, banking-secrecy, and Shariah-governance obligations under IFSB-10, AAOIFI, and national regulators (SAMA, CBUAE, QFCRA, BNM). Islamic banks need a disclosure layer that masks sensitive fields on-device before any AI call. ZeroH Disclosure was built specifically for this requirement.

3. What is the IFSB-10 Shariah Governance Standard?

IFSB-10 is the Islamic Financial Services Board's Shariah governance standard for Islamic banks. It defines four interlocking control functions: (1) issuance of pronouncements by the Shariah board, (2) internal dissemination of those rulings, (3) real-time compliance review of products and transactions, and (4) an annual independent Shariah audit. Each function depends on a verifiable evidence trail.

4. How does AI break Shariah compliance in Islamic banks?

AI breaks Shariah compliance in three ways: (1) customer data is sent to third-party models without consent or redaction, (2) AI-generated responses can paraphrase Shariah board rulings into non-approved language, and (3) the audit trail required by IFSB-10 is broken when AI exchanges occur outside the governance system. A deterministic disclosure layer prevents all three.

5. What is AAOIFI compliance automation?

AAOIFI compliance automation is the use of software to map Islamic finance products and transactions against AAOIFI Shariah Standards in real time, replacing manual review by Shariah officers. Automation extracts AAOIFI obligations, routes them through the Shariah board workflow, and produces ledger-anchored compliance records. ZeroH was deployed for AAOIFI obligation extraction at the QFC Digital Assets Lab in 2025.

6. What is a deterministic disclosure layer?

A deterministic disclosure layer is a privacy and proof system that applies a single, board-approved policy on-device, masks sensitive fields before any external AI call, and stamps a cryptographic hash of every disclosure to a permissioned distributed ledger. "Deterministic" means the same input always produces the same compliant output — no probabilistic redaction, no model-based guessing.

7. How can a Shariah board audit AI use in a digital Islamic bank?

A Shariah board audits AI use by reviewing the cryptographically anchored evidence trail produced for every customer interaction: which disclosure version was shown, what data was masked before any AI call, what response was returned, and which board ruling governed the policy at that moment. With ZeroH Disclosure, the annual Shariah audit ships from the same artefact as the regulator's audit — no forensic reconstruction.
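The mechanics described in the premise section above and in FAQs 6 and 7 (a single policy compiled from board decisions, rule-based masking applied on-device before anything reaches a model, and a hash-anchored evidence record an auditor can check later) are easier to reason about in code. The block below is an added illustration written for this article; it is not ZeroH's code and does not describe its internals. The policy fields, the ruling and version identifiers, the digit-run pattern, the customer record and the hash-chain layout are all constructed assumptions; the in-memory hash chain stands in for a write to a permissioned ledger.

```python
# Illustrative deterministic disclosure layer: added example, not ZeroH's code.
import hashlib
import json
import re
from typing import Any

# Constructed policy standing in for the compiled, board-approved single source of truth.
POLICY = {
    "policy_version": "2026-05-01-r3",   # constructed version label
    "ruling_id": "SB-RULING-0042",       # constructed ruling identifier
    "disclosure_text": (
        "Profit on this Mudarabah account is shared at the ratio approved by "
        "the Shariah Board; the capital is not guaranteed."
    ),
    # Structured fields that must never leave the device
    "mask_fields": ["full_name", "national_id", "phone", "account_no"],
    # Constructed rule for free text: any run of 8 or more digits
    "free_text_patterns": [r"\b\d{8,}\b"],
}
MASK = "[REDACTED]"
GENESIS = "0" * 64


def canonical(obj: Any) -> str:
    """Stable JSON encoding so the same content always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False)


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def apply_policy(record: dict, message: str, policy: dict = POLICY) -> dict:
    """Rule-based masking only: no model in the loop, so output is a pure function of input."""
    masked, masked_fields = {}, []
    for key, value in record.items():
        if key in policy["mask_fields"]:
            masked[key] = MASK
            masked_fields.append(key)
        else:
            masked[key] = value
    redacted = message
    for pattern in policy["free_text_patterns"]:
        redacted = re.sub(pattern, MASK, redacted)
    return {
        "masked_record": masked,
        "masked_fields": sorted(masked_fields),
        "redacted_message": redacted,
        "disclosure_text": policy["disclosure_text"],
        "policy_version": policy["policy_version"],
        "ruling_id": policy["ruling_id"],
    }


def outbound_prompt(prepared: dict) -> str:
    """The only string that leaves the device for an external model."""
    return (f"Approved disclosure: {prepared['disclosure_text']}\n"
            f"Customer context: {canonical(prepared['masked_record'])}\n"
            f"Customer asks: {prepared['redacted_message']}")


def _entry_hash(seq: int, prev_hash: str, event: dict) -> str:
    return sha256_hex(canonical({"seq": seq, "prev_hash": prev_hash, "event": event}))


def anchor_event(chain: list, event: dict) -> dict:
    """Append a hash-chained evidence entry (stand-in for a write to the permissioned ledger)."""
    seq, prev_hash = len(chain), (chain[-1]["hash"] if chain else GENESIS)
    entry = {"seq": seq, "prev_hash": prev_hash, "event": event,
             "hash": _entry_hash(seq, prev_hash, event)}
    chain.append(entry)
    return entry


def verify_chain(chain: list) -> bool:
    """Auditor-side check: every entry links to its predecessor and matches its own hash."""
    prev_hash = GENESIS
    for seq, entry in enumerate(chain):
        if entry["seq"] != seq or entry["prev_hash"] != prev_hash:
            return False
        if entry["hash"] != _entry_hash(seq, prev_hash, entry["event"]):
            return False
        prev_hash = entry["hash"]
    return True


def run_interaction(chain: list, customer_id: str, record: dict, message: str,
                    timestamp: str, policy: dict = POLICY) -> str:
    """Mask on-device, build the outbound prompt, and anchor evidence of what was shown and sent."""
    prepared = apply_policy(record, message, policy)
    prompt = outbound_prompt(prepared)
    # The evidence event holds hashes and field names, never the raw customer data
    event = {
        "customer_id": customer_id,   # pseudonymous reference, not PII
        "timestamp": timestamp,
        "policy_version": prepared["policy_version"],
        "ruling_id": prepared["ruling_id"],
        "disclosure_hash": sha256_hex(prepared["disclosure_text"]),
        "masked_fields": prepared["masked_fields"],
        "prompt_hash": sha256_hex(prompt),
    }
    anchor_event(chain, event)
    return prompt


# Constructed sample customer record and message (not real data)
SAMPLE_RECORD = {"full_name": "Ahmed Example", "national_id": "28011234567",
                 "phone": "+974 5555 1234", "account_no": "QA-ACCT-00998877",
                 "product": "Mudarabah savings", "profit_ratio": "60:40"}
SAMPLE_MESSAGE = "My account 00998877123 shows no profit this month, why?"

if __name__ == "__main__":
    ledger = []
    print(run_interaction(ledger, "cust-001", SAMPLE_RECORD, SAMPLE_MESSAGE, "2026-05-08T09:00:00Z"))
    print("chain valid:", verify_chain(ledger))
```

Two properties carry the weight here. Masking is a pure function of the policy and the input, so replaying the same record and message reproduces the same redacted prompt byte for byte, which is what "deterministic" buys an auditor. And the evidence entry records the policy version, the ruling that governed it, the disclosure hash, the list of masked fields and a hash of the outbound prompt, so the audit question "which disclosure did this customer see, under which ruling, with what withheld" is answered from the chain without storing or re-deriving the customer's data; any later change to an entry breaks `verify_chain`.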

8. What's the difference between Ask Ali+ and ZeroH Disclosure?

Ask Ali+ is a Shariah Governance AI assistant for boards, scholars, compliance teams, and auditors — it answers research questions, drafts opinions, and surfaces citations against AAOIFI and national fatwa libraries. ZeroH Disclosure is the underlying privacy and proof layer that makes Ask Ali+ — and any AI-enabled customer journey — provably compliant. Both share the same disclosure primitives.
