Why This Framework Exists
The market for AI tools that touch Shariah compliance is growing. Institutions are evaluating products that assist with fatwa research, product certification review, obligation tracking, and Shariah board workflow management. Most evaluation processes focus on product demos rather than structured due diligence.
A demo can show what a tool does when conditions are favourable. It does not show what the tool does when a scholarly source is ambiguous, when a question spans multiple madhahib positions, when a regulator requests a three-year audit trail, or when a data breach notification arrives and the vendor agreement does not cover customer input confidentiality.
This scorecard provides a structured framework for the questions that matter. It is not a product comparison. The five dimensions apply equally to any tool claiming to assist with Shariah compliance workflows.
The Five Evaluation Dimensions
Each dimension addresses a distinct failure mode that buyers encounter after deployment rather than during evaluation.
Source Attribution Quality
The tool must identify the specific AAOIFI standard, IFSB guideline, fatwa, or scholarly text behind each response, traceable to a named clause in an authoritative source document. Generic attribution to categories of Islamic finance knowledge is insufficient for compliance purposes.
- ✓Does the tool cite specific clause numbers, not just document titles?
- ✓Are source documents independently verifiable?
- ✓Can users access the primary source text from within the tool?
Madhahib Coverage
The tool should cover all four classical schools of Islamic jurisprudence: Hanafi, Maliki, Shafii, and Hanbali. Different GCC markets and institutions follow different schools. A tool that only covers the majority position may produce incorrect guidance for a minority-school institution.
- ✓Are all four madhahib represented in source data?
- ✓Does the tool distinguish between school-specific positions when they diverge?
- ✓Can the tool be configured to prioritise a specific madhab for a given institution?
Audit Trail Completeness
Every compliance decision should produce a structured, immutable record: the question asked, sources consulted, reasoning applied, determination reached, reviewer identity, and timestamp. Regulators and auditors should be able to verify the trail independently.
- ✓Does the tool produce structured records, not just chat logs?
- ✓Are records immutable after the fact?
- ✓Can records be exported for regulator submission?
Regulatory Alignment
Alignment with a regulatory framework means producing outputs that satisfy documentation requirements for a specific regulator. Training data coverage is not the same as production regulatory validation. Ask for named deployment evidence, not assertions.
- ✓Which regulators have reviewed outputs in production engagements?
- ✓Are there named institution case studies with jurisdiction specifics?
- ✓Does the tool differentiate between Bahrain CBB, SAMA, CBUAE, and QFC requirements?
Data Sovereignty
Compliance workflows involve sensitive contract text, customer information, and board deliberations. Buyers must understand where data goes, who can access it, and whether the tool can satisfy local data residency requirements. General privacy policies are not sufficient.
- ✓Where is data processed and stored geographically?
- ✓Does the vendor retain any training rights over customer inputs?
- ✓Can the tool operate within national data residency boundaries if required?
Questions to Ask Vendors
The following questions are designed to surface capability gaps that product demos do not reveal. Request written responses rather than verbal answers so that commitments are documented.
Which named regulatory frameworks have your outputs been validated against in production engagements?
Provide an example of a tool output with full source attribution including specific clause references.
How does your tool handle a question where Hanafi and Hanbali positions differ?
What is the data processing agreement and which jurisdictions does data reside in?
How are audit records structured, and can they be exported in a format suitable for regulatory submission?
Who has access to customer input data and under what conditions?
What happens to audit records if the institution terminates the contract?
What Good Evidence Looks Like
Vendor claims are not evidence. The following represent stronger signals during evaluation.
Named deployment case studies
A named institution, a named jurisdiction, a named regulator, and a description of what the tool was used for and what evidence it produced. Generic case studies without institution names provide weak signal.
Independent Shariah scholar review
A fatwa or written certification from a named, qualified Islamic scholar confirming that the platform's design and outputs are Shariah-compliant. This is a higher standard than internal vendor assertions.
Demonstrated audit trail export
A live demonstration of exporting a compliance decision record in a format that would satisfy a regulator request, including timestamps, source citations, reviewer identity, and the determination reached.
Frequently Asked Questions
What is source attribution quality and why does it matter for Shariah AI?
Source attribution quality measures whether an AI tool identifies the specific AAOIFI standard, IFSB guideline, fatwa, or scholarly text behind each response, and whether that identification is traceable to the authoritative source document. Poor attribution means users receive answers without knowing whether they come from a binding standard, an advisory opinion, or training data of uncertain provenance. For compliance purposes, an answer without a verifiable source cannot be relied upon. Buyers should ask vendors to demonstrate attribution to specific clauses in named source documents, not just to general categories of Islamic finance knowledge.
What does madhahib coverage mean and how should buyers assess it?
Madhahib are the four classical schools of Islamic jurisprudence: Hanafi, Maliki, Shafii, and Hanbali. Many Islamic finance structures, particularly those used in different GCC markets, follow different schools. Saudi Arabia and Pakistan primarily follow Hanbali positions; Egypt and many South and Southeast Asian institutions follow Shafii or Hanafi. An AI tool with narrow madhahib coverage may give correct answers for one jurisdiction while producing incorrect or incomplete guidance for another. Buyers should ask vendors to demonstrate that their tools cover all four schools, not just the majority position, and can distinguish between scholarly opinions when they diverge.
What should an audit trail include for Shariah compliance decisions?
A complete audit trail for a Shariah compliance decision should record: the question or instrument submitted for review, the source documents consulted, the reasoning applied, the determination reached, the identity and authority of the reviewer, and a timestamp. The trail should be immutable after the fact so it cannot be edited to reflect a more favourable history. Regulators and external auditors should be able to verify the trail independently without relying solely on the institution's own systems. Many AI tools produce answers but no structured audit record, which means compliance teams must maintain a parallel manual log that creates additional overhead and risk.
How should buyers assess regulatory alignment?
Regulatory alignment means the tool can produce outputs that satisfy the documentation requirements of the specific regulator the institution reports to. A tool built for the Malaysian Securities Commission framework may not produce outputs appropriate for a Bahrain CBB audit or a QFC QFCRA review. Buyers should ask vendors which regulatory frameworks have been validated against real regulatory engagements, not just which standards the tool was trained on. There is a meaningful difference between training data coverage and production regulatory validation. Independent deployment case studies with named regulators and institutions provide stronger evidence than vendor assertions.
What data sovereignty questions should buyers ask Shariah AI vendors?
Data sovereignty covers three practical questions. First, where does data go: does the tool send contract text, customer information, or board deliberations to third-party cloud infrastructure, and in which jurisdictions does that infrastructure sit? Second, who can access it: does the vendor retain training rights over customer inputs, or can inputs be used to improve models that serve other customers? Third, can the institution comply with local data residency requirements: some GCC and Southeast Asian regulators require that certain classes of financial data remain within national borders. Buyers should request vendor data processing agreements that answer these questions explicitly, not just general privacy policies.
Should a Shariah AI tool replace the Shariah Supervisory Board?
No. A Shariah Supervisory Board composed of qualified scholars is a governance requirement for Islamic financial institutions under AAOIFI Governance Standard No. 1 and the regulatory requirements of every GCC jurisdiction. AI tools can assist in research, obligation tracking, document review, and workflow management, but they do not constitute scholarly determination. Regulators and accreditation bodies require human scholar oversight. The appropriate role for AI is to reduce the operational burden on the board: surfacing relevant precedents, organising obligations, flagging non-conforming clauses, and producing structured evidence that the board can review and ratify, not to substitute for the board's judgement.