TL;DR: Identity verification, transaction monitoring, AML/CFT alignment, and licensing support are becoming the practical backbone of regulatory readiness as virtual asset businesses in the UAE move from paper-based compliance to auditable operational controls through the Finjuris and Sumsub partnership, according to Sumsub.
At a glance
What this is: This partnership focuses on moving virtual asset compliance from policy documents to auditable operational controls for regulated businesses in the UAE and international markets.
Why it matters: It matters because IAM, NHI, and governance teams increasingly need controls that prove compliance in day-to-day operations, not just on paper.
👉 Read Sumsub's analysis of the Finjuris partnership on virtual asset compliance
Context
Virtual asset compliance is increasingly defined by whether an organisation can demonstrate controls, not simply describe them. In practice, that means licensing readiness, AML/CFT obligations, and risk management all depend on identity, workflow, and monitoring evidence that stands up to supervisory review.
For regulated and prospective VASPs, the governance problem is less about having a policy framework and more about making sure the framework is executable. This is where compliance programmes often fail: the operating model, control evidence, and review cadence do not line up with what regulators expect to see.
Key questions
Q: How should virtual asset firms turn compliance policies into auditable controls?
A: They should map each policy requirement to a specific operational control, then make sure the control generates evidence automatically. That means linking onboarding, verification, monitoring, escalation, and review into one workflow. If a regulator asks for proof, the organisation should be able to show logs, approvals, and exceptions without rebuilding the record manually.
Q: Why do paper-based compliance programmes fail in regulated virtual asset environments?
A: They fail because a policy does not prove that the control was executed consistently. In regulated environments, supervisors look for evidence of implementation, not just intent. If identity checks, monitoring, and risk responses are disconnected, the organisation may appear compliant while its actual operating model remains fragile.
Q: When should firms prioritise compliance operations over new policy drafting?
A: They should prioritise operations as soon as the policy cannot be demonstrated through repeatable evidence. If a team can write a requirement but cannot show the control in action, that gap becomes a licensing and audit risk. Mature programmes focus first on repeatable execution, then on refining policy language.
Q: Who is accountable when licensing readiness and AML/CFT controls break down?
A: Accountability usually spans compliance, legal, IAM, and operational owners, because the failure is rarely isolated to one function. In virtual asset businesses, the control chain crosses onboarding, identity assurance, transaction monitoring, and escalation. The accountable model is the one that assigns ownership for evidence, not just for policy text.
Technical breakdown
Policy-based compliance versus operational control evidence
Paper compliance describes what an organisation intends to do, while operational compliance shows what the system actually did. In regulated virtual asset environments, that gap matters because licensing and supervisory review depend on evidence of identity verification, transaction monitoring, escalation, and auditability. A framework can exist on paper and still fail if the workflows, logs, and approvals do not map to real activity. The core issue is evidentiary continuity: controls must be traceable from policy to transaction to review.
Practical implication: build compliance controls that generate durable evidence automatically, not manually compiled assurances.
AML/CFT controls as part of identity governance
AML/CFT programmes are not just transaction rules. They are identity governance controls because they determine who can operate, what activity is permitted, and which signals trigger review or restriction. When identity verification, monitoring, and risk management are disconnected, organisations create blind spots between onboarding, ongoing activity, and exception handling. In virtual asset settings, that disconnect can make a compliant policy look effective while the actual execution path remains weak.
Practical implication: treat identity verification, monitoring, and escalation as one governance chain rather than separate compliance tasks.
Licensing readiness depends on repeatable control design
Licensing frameworks work best when compliance is structured as a repeatable operating model rather than a one-off submission exercise. That includes documented responsibilities, consistent evidence collection, and a clear linkage between regulatory obligations and the controls used to meet them. For virtual asset businesses, the issue is not only whether the control exists, but whether it can be demonstrated repeatedly across audits, renewals, and regulatory change.
Practical implication: design licensing evidence so it can be reused for audits, renewals, and post-licensing reviews without reconstruction.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Schneider Electric credentials breach — exposed credentials gave attackers access to Schneider Electric Jira, exfiltrating 40GB.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Compliance fails when policy cannot survive supervisory inspection. This partnership is really about the gap between what firms say they do and what they can prove under review. Virtual asset businesses do not fail compliance because they lack documents alone, but because the control chain from onboarding to monitoring to escalation is often not operationalised. The practitioner conclusion is that evidence quality is now part of the control itself.
Virtual asset governance is converging with identity governance. In regulated environments, identity verification, transaction monitoring, and AML/CFT controls are no longer separate disciplines. They describe the same operational question from different angles: who is allowed to act, under what conditions, and with what traceable oversight. The implication is that IAM, compliance, and risk teams need shared ownership of the control fabric, not parallel reporting lines.
Auditable compliance has become the real licensing threshold. The partnership reflects a market where regulators increasingly care about demonstrable controls rather than policy commitments. That shifts the burden onto operating models that can produce reliable review artefacts, exception handling records, and repeatable evidence. Practitioners should read this as a warning that paper maturity is no longer a sufficient signal of readiness.
Controls that cannot be evidenced will not scale across jurisdictions. The article points to firms operating in the UAE and international markets, where regulatory expectations may differ but the demand for traceability does not. A programme built only for local documentation will struggle when the same governance pattern must satisfy cross-border review. The practitioner conclusion is to standardise control evidence early, before expansion forces redesign.
Continuous compliance is now a governance design problem. The named concept here is document-to-control gap: the distance between written compliance intent and the actual system behaviour regulators inspect. As that gap widens, organisations accumulate audit friction, remediation cost, and licensing risk. The practitioner conclusion is to treat compliance architecture as an operating discipline, not a filing exercise.
From our research:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to The 2026 Infrastructure Identity Survey.
- 67% of organisations still rely heavily on static credentials despite the risks they pose to agentic AI deployments, according to The 2026 Infrastructure Identity Survey.
- For the lifecycle angle, see Ultimate Guide to NHIs - Lifecycle Processes for Managing NHIs for how provisioning, rotation, and offboarding need to be tied to evidence.
What this signals
Document-to-control gap: virtual asset compliance is moving toward continuous evidence rather than periodic assurance, and that shift will expose programmes built around static policy artefacts. Teams that cannot produce decision trails, exception records, and control logs on demand will feel this first in licensing and renewal cycles.
With 67% of organisations still relying heavily on static credentials despite the risks they pose to agentic AI deployments, per The 2026 Infrastructure Identity Survey, the broader governance lesson is that identity controls are already under pressure to prove execution, not intent.
For practitioners
- Map regulatory obligations to control evidence paths: Trace each AML/CFT or licensing requirement to the exact system events, approvals, and logs that prove it was met. If a requirement cannot be evidenced without manual reconstruction, the control is not mature enough for supervisory review.
- Unify identity verification and transaction monitoring workflows: Connect onboarding, risk scoring, monitoring, and escalation so the same subject record follows the customer or account through its lifecycle. This reduces gaps between compliance teams and makes exceptions easier to audit.
- Build licensing-ready audit artefacts into day-to-day operations: Store decision records, review outcomes, and exception handling artefacts as part of normal operations, not as a separate audit project. That makes post-licensing compliance and renewal reviews less fragile.
- Create a shared governance model for compliance and IAM teams: Assign joint ownership for policy design, control implementation, and evidence quality across legal, compliance, and identity functions. Regulated virtual asset programmes break when these responsibilities are split across disconnected teams.
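The obligation-to-evidence mapping above can be made executable, so the document-to-control gap is measured from the audit trail rather than asserted. This is an added example, not code from the original post or from Sumsub or Finjuris; the obligation IDs, event names and audit records are constructed for illustration, and an obligation counts as evidenced only when every event in its chain exists for the subject and first occurs in the required order:

```python
from collections import defaultdict

# Hypothetical obligation id -> (trigger event, or None if it applies to every subject; ordered chain)
OBLIGATIONS = {
    "KYC-1": (None, ["identity.verified", "risk.scored"]),  # verify before scoring
    "AML-2": (None, ["risk.scored"]),                        # every subject is scored
    "AML-3": ("monitoring.alert",                            # every alert is escalated and reviewed
              ["monitoring.alert", "escalation.opened", "review.closed"]),
}
# Constructed sample audit trail: (subject, event, sequence number)
SAMPLE_LOG = [
    ("acct-001", "onboarding.started", 1),
    ("acct-001", "identity.verified", 2),
    ("acct-001", "risk.scored", 3),
    ("acct-002", "onboarding.started", 4),
    ("acct-002", "risk.scored", 5),        # scored with no verification record
    ("acct-002", "monitoring.alert", 6),
    ("acct-002", "escalation.opened", 7),  # escalated, but no review outcome recorded
    ("acct-003", "risk.scored", 8),        # evidence exists, but the handoff order is wrong
    ("acct-003", "identity.verified", 9),
]

def evidence_gaps(log, obligations=OBLIGATIONS):
    """{subject: {obligation: reason}} for each applicable obligation the trail cannot
    evidence: every chain event must be present and first occur in the required order."""
    by_subject = defaultdict(list)
    for subject, event, _ in sorted(log, key=lambda rec: rec[2]):
        by_subject[subject].append(event)
    gaps = defaultdict(dict)
    for subject, events in by_subject.items():
        for name, (trigger, chain) in obligations.items():
            if trigger is not None and trigger not in events:
                continue  # not triggered for this subject (e.g. no alert was raised)
            missing = [e for e in chain if e not in events]
            if missing:
                gaps[subject][name] = "missing evidence: " + ", ".join(missing)
            elif [events.index(e) for e in chain] != sorted(events.index(e) for e in chain):
                gaps[subject][name] = "evidence out of order: " + " -> ".join(
                    e for e in events if e in chain)
    return dict(gaps)

def gap_ratio(log, obligations=OBLIGATIONS):
    """(failed, applicable) checks: the measurable document-to-control gap for this trail."""
    seen = defaultdict(set)
    for subject, event, _ in log:
        seen[subject].add(event)
    applicable = sum(1 for events in seen.values() for trigger, _ in obligations.values()
                     if trigger is None or trigger in events)
    failed = sum(len(problems) for problems in evidence_gaps(log, obligations).values())
    return failed, applicable
```

On the constructed trail, acct-001 is fully evidenced, acct-002 lacks a verification record and a review outcome, and acct-003 has both events but in the wrong order, so three of seven applicable checks cannot be shown to a supervisor without manual reconstruction.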
Key takeaways
- Virtual asset compliance now depends on evidence that regulators can inspect, not just policy language that sounds complete.
- The strongest programmes connect identity verification, monitoring, escalation, and audit records into one repeatable control chain.
- Firms that cannot operationalise compliance will face higher licensing, renewal, and supervisory risk as expectations tighten.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.RM-01 | Compliance programmes need traceable risk management and evidence. |
| NIST Zero Trust (SP 800-207) | PR.AC-1 | Identity-driven access control underpins regulated transaction workflows. |
| NIST CSF 2.0 | PR.DS-01 | Operational evidence depends on preserving the integrity of compliance records. |
Tie access decisions to verified identity and enforce least privilege across compliance workflows.
Key terms
- Operational Compliance: Operational compliance is the ability to prove that controls work in practice, not just that they exist on paper. In regulated virtual asset environments, it depends on repeatable workflows, durable evidence, and reviewable decisions that can survive audit and supervisory scrutiny.
- AML/CFT Control Chain: An AML/CFT control chain is the linked set of identity, monitoring, escalation, and review steps used to prevent and detect financial crime risk. In practice, the chain is only as strong as its weakest handoff, especially when evidence must be shown to regulators.
- Licensing Readiness: Licensing readiness is the state in which a business can demonstrate that its processes, controls, and records meet regulatory expectations before or after approval. It requires more than policies, because regulators usually assess whether the operating model produces consistent evidence.
- Document-to-Control Gap: The document-to-control gap is the distance between what a policy says should happen and what the system actually proves happened. The wider that gap becomes, the more likely an organisation is to fail audits, trigger remediation, or struggle with cross-border regulatory review.
Deepen your knowledge
Virtual asset compliance operations and audit evidence are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building governance that must withstand licensing and supervisory review, it is worth exploring.
This post draws on content published by Sumsub: Finjuris and Sumsub's partnership on virtual asset compliance in the UAE. Read the original.
Published by the NHIMG editorial team on 2026-06-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org