For today’s executives in South Africa, Artificial Intelligence (AI) presents a delicate balancing act. On one side lies the immense pressure to harness AI for economic growth, rapid decision-making, and competitive advantage; on the other lies a complex web of ethical obligations, data privacy laws, and evolving regulatory frameworks.
Mastering this digital tightrope requires South Africa’s C-suite to shift from reactive crisis management to a proactive, sovereign strategic vision.
Below, certified AI expert and MBA graduate Rowen Pillai, offers advice on how business leaders can navigate the intersection of innovation, liability, and POPIA compliance in the unique South African context:
Understanding regulation
Currently, South Africa does not have a standalone AI law. Regulation relies heavily on the Protection of Personal Information Act (POPIA), specifically Section 72, which governs transborder information flows – a critical blind spot when using offshore cloud tools.
Recently, the government attempted to bridge this gap with the Draft National Artificial Intelligence Policy. However, in a cautionary tale that highlights the very risks of the technology it sought to regulate, the Minister of Communications and Digital Technologies officially withdrew the draft policy after it was discovered to contain fictitious, AI-hallucinated citations. The withdrawal serves as a stark reminder that an over-reliance on AI without human oversight can compromise organisational integrity.
A specialised team of experts has now been appointed to review and rebuild the country’s AI policy framework.
While national policy is rebuilt by the Independent Expert Review Panel, businesses cannot wait. Courts are already applying POPIA’s fairness requirements to automated decisions. To ensure local isn’t just lekker but also law-abiding, firms must prioritise AI sovereignty – knowing when to use global tech and when to insist on absolute national control for high-risk workloads.
The biggest risk to your boardroom in personal liability
For the C-suite and board of directors, the stakes of AI adoption are deeply personal. Company directors who blindly delegate their decision-making to an AI model risk losing their Business Judgement Rule protection and face personal liability.
The legal and ethical mandates are clear:
-
The King V Code specifically dictates that AI must be employed with adherence to ethics, human-centricity, accountability, and independent human oversight.
-
The Companies Act (Section 76) requires directors to exercise their powers with due care, skill, and diligence. Fiduciary duties can only be delegated to a natural or juristic person – and an AI model is neither.
If a board relies indiscriminately on AI advice, “AI did it” will not hold up as a legal defense. To mitigate this risk, leadership must ensure that AI outputs are validated by human experts who understand the limitations and potential hallucinations of the algorithms being used.
The POPIA
Leaders must recognise that AI and POPIA are often on a collision course regarding data minimisation. Furthermore, South African AI infrastructure must be planned around energy resilience; “Energy as Design” is essential to ensure AI operations survive the friction of energy supply.
To prevent immediate compliance crises, executives must actively monitor these inherent risks:
-
Feeding entire, un-anonymized employee or customer records into public AI platforms violates the principle of collecting only what is strictly necessary.
-
Many AI tools are hosted on overseas servers. Sending personal data to these platforms triggers transborder transfer rules, requiring adequate international protection or strict Operator Agreements.
-
POPIA protects individuals from unfair automated profiling. Denying loans or jobs via AI without a “human in the loop” is a major compliance red flag.
Responsible innovation
Mastering the digital tightrope means moving beyond the fear of non-compliance and leveraging AI responsibly. A long-term vision requires integrating ethical governance directly into your operational DNA.
1. Mandate “Human-in-the-Loop” (HITL) systems
AI should augment human judgment, not replace it. Your long-term strategy must embed human control into key decision-making processes, ensuring that critical AI decisions are subject to human validation and oversight. This not only protects the board from liability but builds trust with consumers.
2. Make AI your compliance ally
Instead of viewing POPIA merely as a hurdle, visionary leaders use AI to strengthen compliance. AI can be deployed to monitor large datasets for security anomalies, automate the drafting of compliance policies, and identify unusual login patterns that indicate cyber-attacks.
3. Update governance and vet vendors
Your organisation’s Data Protection and Information Security policies must explicitly address the use of AI. Before adopting new AI tools, businesses must conduct POPIA Compliance Risk Assessments, update privacy notices to inform clients that AI is being utilized, and rigorously vet third-party AI vendors on how and where they store data.
4. Align with Ubuntu and global values
Long-term success requires AI to reflect constitutional values of dignity and equality. Future-focused leaders align strategies with Ubuntu – ensuring technology serves the common good, respects human dignity, and promotes social equity across all 12 official languages.
The transition from crisis mitigation to a long-term AI vision demands proactive leadership. Artificial intelligence is not going anywhere, and businesses that ignore it will fall behind; yet, those that adopt it recklessly will fall foul of the law.
By prioritising human-centric decision-making, enforcing strict data governance, and understanding the bounds of personal liability, the C-suite can confidently walk the digital tightrope – ensuring that innovation never cancels out accountability.
