South Africa’s AI Governance Gap: Why Security Cannot Be An Afterthought
South Africa is at a pivotal juncture as we embrace artificial intelligence at speed, with enterprises across key sectors, including financial services, healthcare, and retail, as well as the public sector, deploying AI tools to drive efficiency and improve service delivery. Yet our appetite to embrace the future is light-years ahead of the governance frameworks needed to underpin this adoption safely and responsibly.
South Africa’s Draft National AI Policy has been approved by Cabinet for public comment, with implementation expected for the 2027/28 financial year. While this is a meaningful step, policy is out of step with reality. With organisations already running AI workloads today, the window between deployment and regulatory clarity is not a pause for reflection. It is a period of material risk.
Despite strengths in data infrastructure and technological advancement, we lag in governance and policy readiness, which are key pillars for fostering responsible AI growth. The consequences of this gap are not abstract. Absent or ambiguous policy frameworks allow organisations to default to minimum viable governance. They deploy AI systems without adequate visibility into what data those systems are accessing, how decisions are being made, or what happens when something goes wrong.
This is where the security dimension becomes critical, and where many organisations are operating with a blind spot.
The stakes are laid out clearly in the Rubrik Zero Labs State of Data Security in 2025 report, which draws on insights from over 1,600 IT and security leaders across ten countries. According to the research, 90 per cent of respondents reported cyberattacks in the past year, with nearly one-fifth of organisations globally experiencing more than 25 attacks in 2024 alone. AI adoption is occurring in tandem with the acceleration of the threat landscape.
The most pressing concern for our security and IT leaders right now is identity. As organisations integrate AI agents into their workflows, a new category of risk is emerging that most global governance frameworks have not yet addressed. According to Rubrik Zero Labs, the AI wave is translating into a surge of both non-human and agentic identities in the workplace, creating an urgent focus for CIOs and CISOs on identity threats and recovery. These non-human identities often lack the lifecycle management applied to human accounts, making them an attractive target for attackers looking to move laterally through an environment undetected.
The research also found that in 2025, only 28 per cent of respondents believed they could fully recover from a cyber incident within 12 hours or less, compared to 43 per cent in 2024. Among those who experienced a ransomware attack, 89 per cent paid a ransom to recover their data or stop the attack. Confidence in recovery is declining precisely as the attack surface expands, which extends the problem far beyond technical capabilities and requires forward-thinking governance.
South Africa’s proposed model opts for a multi-regulator, sector-specific approach rather than a single AI regulator, meaning AI governance will be embedded within existing supervisory frameworks. This has merit in terms of contextual relevance, but it also creates the risk of fragmentation. Without clear cross-sectoral standards on data security, AI system accountability, and incident response, organisations will be left interpreting their obligations in silos.
What business leaders need to do now, ahead of formal regulation, is treat AI governance and data security as inseparable disciplines. That means mapping the data AI systems can access, establishing visibility into how non-human identities behave across their environments, and building recovery capabilities that assume compromise will occur. The organisations that do this work proactively will be far better positioned when sector-specific regulatory instruments inevitably arrive, and far more resilient when adversaries come looking.
Lloyd Timcke is the Regional Director: Africa and Israel, Rubrik