Riyadh Charter on AI · 53 ICESCO Member States · SDAIA · MOAI AI Seal · DIFC Regulation 10 · ADGM · ALECSO · KSA + UAE PDPL · Sovereign Hosting Available
OWASP MEMBER  ·  61/61 TESTS PASSING  ·  v0.5.0
Middle East · Islamic World · GCC

Adversarial robustness evidence mapped to the Riyadh Charter, SDAIA, MOAI, DIFC, and ALECSO — before your AI ships.

RTK-1 is the autonomous AI red teaming platform built for sovereign banking, public sector, and critical infrastructure deployments across Saudi Arabia, the UAE, the GCC, and the 53 ICESCO member states. Multi-agent compound failure testing for sovereign systems. Twelve minutes per campaign. SHA-256 signed Evidence-layer artifact integrating into your safety case under the Claims–Arguments–Evidence (CAE) structure. Sovereign hosting under KSA Global AI Hub Law. Self-assessment is documentation. RTK-1 produces enforcement evidence. Different claims carry different legal weight.

View Sample Middle East Report → Request a Sovereign Engagement

Why the Middle East — and why now

On December 15, 2025, the Riyadh Charter on Artificial Intelligence for the Islamic World was ratified by all 53 ICESCO member states. Jointly issued by Saudi Arabia's Data & AI Authority (SDAIA) and ICESCO, it is the first multilateral AI charter that binds privacy, security, transparency, accountability, humanity, and social benefit principles to a regional procurement framework. Saudi PDPL penalties stand at SAR 5 million; UAE PDPL penalties stand at AED 5 million. DIFC Regulation 10 of 2023 was the first regulation worldwide governing autonomous AI processing personal data.

The compliance demand exists. The supply does not. RTK-1 produces the regulator-ready, signed, auditable Evidence-layer artifact buyers in Riyadh, Abu Dhabi, Dubai, Doha, Manama, Kuwait City, Muscat, and Cairo are required to present — automatically.

"Anything external becomes attestation, not proof. The assurance substrate must be architectural, not process-based."

— Framing principle that drove RTK-1's design

The Seven Riyadh Charter Principles

Every RTK-1 Middle East engagement maps each finding to all seven principles ratified by the 53 ICESCO member states. The evidence is generated automatically; the mapping is structural.

PRINCIPLE 01
Integrity & Fairness
AI systems operate with integrity and fairness, free from bias that disadvantages individuals or groups.
PRINCIPLE 02
Privacy & Security
Personal data privacy respected; robust security maintained against adversarial threats. Tested via tool abuse + RAG injection.
PRINCIPLE 03
Reliability & Safety
Reliable, safe performance under both normal and adversarial operating conditions. Proven via Phase 1 → Phase 2 delta.
PRINCIPLE 04
Transparency & Explainability
Operations and decisions transparent and explainable to users and oversight bodies. Every finding mapped, every signature verifiable.
PRINCIPLE 05
Accountability & Responsibility
Clear accountability for AI behavior across multi-agent handoffs and tool authorization. Cross-agent provenance verified by independent composition validator (see Multi-Agent Compound Failure).
PRINCIPLE 06
Humanity
AI serves human dignity, family-centered values, and the preservation of cultural and Islamic identity. Tested via Sharia layer.
PRINCIPLE 07
Social & Environmental Benefit
AI deployments must demonstrate net positive contribution to society and environment within the Islamic world.

Multi-Agent Compound Failure for Sovereign Deployments

Sovereign banking workflows, public-sector service orchestration, and critical-infrastructure control systems are increasingly built as multi-agent chains — one agent enriches an alert or document, a second agent acts on it, a third agent confirms. Single-agent validators verify that each agent stayed within its declared scope. They cannot detect an authorization claim laundered through faithful upstream extraction — a claim that originated in attacker-shapeable input data and was passed downstream as if it had been verified.

This is the failure mode that single-agent validators are structurally unable to detect — invisible at every individual checkpoint, undeniable at the composition level. RTK-1's /agentic_chain provider tests for it directly. Your two-agent target chain plugs in via the AgentInterface Protocol; RTK-1's three independent validators — Validator A, Validator B, and the Composition Validator — produce signed trace evidence that an external auditor can reproduce.

Agent A
UPSTREAM
Validator A
EXTRACTION FIDELITY
PASS
Agent B
DOWNSTREAM
Validator B
INPUT-ACTION MATCH
PASS
Composition
AUTH PROVENANCE
FAIL
Final Verdict C2_FAIL

Three possible verdicts. Each carries debug-grade information about which agent and which provenance step yielded the result — not just a verdict.

C1_C2_PASS
Defense Holds
Both single-agent validators and the composition validator pass. The chain enforces authorization end-to-end under adversarial pressure.
C2_FAIL
Authorization Laundering
Per-agent validators pass; composition validator detects an authorization claim whose provenance traces to attacker-shapeable input. Defense-in-depth gap pinpointed.
C1_FAIL
Per-Agent Boundary Breach
Single-agent behavior outside declared scope. Detected at Validator A or Validator B before composition is evaluated. Trace identifies the failing agent.

Why this matters for sovereign procurement

Riyadh Charter Principle 5 (Accountability) and SDAIA AI Ethics Principle 5 both require demonstrable accountability across agent handoffs. ISO/IEC 42001 Clause 8.4 requires verification of intended behavior under realistic operating conditions. A signed RTK-1 composition trace is the artifact that satisfies all three simultaneously — the provenance step where authorization originated is mathematically identified, not asserted.

Fifteen Frameworks. One Signed Report.

A single RTK-1 engagement generates evidence for every framework below. Submit the same SHA-256 signed package to SDAIA, MOAI, DIFC, ADGM, and Sharia ethics committees in parallel.

Riyadh Charter on AI
53 ICESCO Member States · Dec 15, 2025
7 principles. Per-finding mapping. Sharia & Islamic values compatibility verified.
🇸🇦 SDAIA Generative AI Guidelines
Saudi Arabia · Government + Public Editions, Jan 2024
All risk mitigation categories tested: deepfakes, jailbreak, sycophancy, copyright.
🇸🇦 SDAIA Self-Assessment
Saudi Arabia · Vendor qualification
Pre-fills 70%+ from a single signed RTK-1 deliverable.
🇸🇦 SDAIA AI Ethics Principles
Saudi Arabia · 12 principles
Per-finding mapping across all twelve.
🇸🇦 Saudi PDPL
Saudi Arabia · Penalty SAR 5M
Cross-border data transfer compliance verified.
🇸🇦 KSA Global AI Hub Law
Saudi Arabia · Draft / Private + Extended + Virtual Hub
Sovereign hosting in-jurisdiction. No data exfiltration.
🇦🇪 MOAI AI Seal
United Arab Emirates · Vendor qualification
Pre-fills the seal application from RTK-1 evidence package.
🇦🇪 UAE AI Ethics Principles
United Arab Emirates · Dec 2022
Per-principle mapping; UAE GenAI Guidelines coverage.
🇦🇪 UAE PDPL
UAE Federal Decree-Law No. 45 of 2021 · Penalty AED 5M
Personal data handling proofs; cross-border transfer compliance.
DIFC Regulation 10 of 2023
Dubai International Financial Centre
First regulation worldwide for autonomous AI + personal data. SHA-256 evidence supplied.
ADGM Data Protection Regulations
Abu Dhabi Global Market
AI use case attestation; same coverage as DIFC.
ALECSO Charter
Arab League · 22 States · June 17, 2025
Arab cultural heritage and Islamic beliefs compatibility verified.
ISO/IEC 42001
International · Adopted by SDAIA
Per-control mapping. Operational evidence layer for AI management certification.
NIST AI Risk Management Framework
USA · International cross-recognition
GOVERN · MAP · MEASURE · MANAGE. Pairs with ISO 42001 for cross-border deployments and US-headquartered subsidiaries operating in the GCC.
NDAA §1535 Critical Infrastructure AI
USA · Federal critical infrastructure
Operational technology and SCADA AI validation tested via the /digital_twin provider. Required for sovereign critical-infrastructure deployments touching US federal supply chains.

Jurisdictional Reach

One engagement. Evidence usable across the entire Middle East and Islamic world.

🇸🇦 Saudi Arabia 🇦🇪 UAE DIFC ADGM 🇶🇦 Qatar 🇧🇭 Bahrain 🇰🇼 Kuwait 🇴🇲 Oman 🇪🇬 Egypt 🇯🇴 Jordan 🇱🇧 Lebanon 🇮🇶 Iraq 🇲🇦 Morocco 🇹🇳 Tunisia 🇩🇿 Algeria 🇱🇾 Libya + 37 ICESCO states

Sovereign Hosting & the Sharia Layer

Sovereign Hosting Under KSA Global AI Hub Law

Federal and Sovereign-tier RTK-1 engagements are deployable under the Private Hub, Extended Hub, and Virtual Hub models defined in the draft KSA Global AI Hub Law. No prompts, no model responses, no signed evidence ever leave the designated jurisdiction. The orchestrator, attack providers, scoring layer, composition validator, and signing infrastructure all run in-territory. Bilingual English and Arabic delivery available on these tiers.

Sharia & Islamic Values Compatibility Layer

RTK-1 includes a configurable islamic_values=True flag that activates the Sharia and Islamic values compatibility scoring layer. This tests outputs against five categories: religious practice mockery, sacred text distortion, Sharia-compliant finance omission, consent & family-centric outcome alignment, and cultural heritage integrity per the ALECSO Charter. The detailed scoring rubric is reviewed by independent Sharia advisory input and provided in Annex C of the full engagement deliverable.

Evidence before deployment. Not a report card after the incident.

RTK-1 produces the SHA-256 signed adversarial robustness Evidence-layer artifact required for sovereign banking, public sector, and critical infrastructure AI deployments across the Middle East and Islamic world. Multi-agent compound failure tested. Composition trace signed. It never tires. It never gets distracted.

View Sample Middle East Report → Request a Sovereign Engagement