South Africa’s draft AI policy suggests the country is taking an expansive approach to artificial intelligence — and rightly so.
AI is being adopted at unprecedented speed, with tools like ChatGPT now reaching more than 900-million users weekly, growing far faster than previous technologies.
In South Africa, AI is already embedded in the daily running of almost every kind of business.
For SMEs, adoption is often fast-tracked in the race to stay competitive, but this speed is not being matched by investment in security — particularly the kind designed for AI-driven risk. As a result, a gap is emerging between capability and control, and SMEs are carrying the greatest exposure.
Take a person’s browser, for example. According to Adriaan Joubert of Palo Alto Networks, employees now access an average of 36 applications through their browsers, including AI tools.
“The browser has effectively become the office for most small businesses, where employees access banking, manage customers and increasingly use AI tools to drive productivity, but it was never designed to defend against modern cyberthreats or prevent sensitive data from leaking into AI systems,” he explains.
Cybersecurity in South Africa remains largely audit-driven and reactive, focused on periodic assessments rather than continuous exposure management. In a landscape where threats evolve in real time, that approach is no longer sufficient
As a result, almost 95% of companies have experienced a browser-based security incident in the past year alone, meaning one single compromised session can expose an entire business.
AI is also changing the nature of cyber-risk itself. Tasks that once required time and expertise, like mapping vulnerabilities, crafting phishing e-mails or identifying weak points, can now be automated and scaled.
For years, cybersecurity has relied on human judgment as a last line of defence in spotting suspicious e-mails, questioning unusual requests or verifying anomalies. That safety net is weakening, with AI-generated phishing attacks becoming more convincing and personalised while also being deployed at scale.
Some of the biggest risks today, though, are emerging from within. Employees increasingly feed sensitive information such as contracts, customer records and financial data into AI tools, often without clear policies or oversight.
The phenomenon, often referred to as “shadow AI”, creates a significant exposure risk, with data leaving the organisation without any clear understanding of where it is stored, how it is processed or who can access it.
All this strikes at the core of how trust functions in the digital economy. Businesses can no longer rely on instinct alone. Trust must be built into systems, processes and infrastructure, but most South African SMEs are not operating at that level.
Cybersecurity in South Africa remains largely audit-driven and reactive, focused on periodic assessments rather than continuous exposure management. In a landscape where threats evolve in real time, that approach is no longer sufficient.
Policy, while necessary, is not moving fast enough.
The draft AI policy outlines an ambitious governance framework, but it leaves critical questions unanswered around liability, compliance and practical implementation.
There is also a growing concern that in trying to respond quickly, we risk overregulating a space that is not yet fully understood, without clearly defining the problem the regulation is meant to solve.
In the age of AI, security is a core business capability, so slowing down its adoption is unrealistic and undesirable. If we are going to secure our future, we do need a fundamental shift in how businesses approach security
Meanwhile, initiatives such as the expansion of the Cloud Security Alliance’s local chapter show that industry recognises the need for stronger collaboration, skills development and awareness, but these efforts will take time to scale.
Ayanda Peta of the Cloud Security Alliance South Africa chapter has said that building a secure digital economy will depend on whether we actively invest in skills and ensure that businesses and professionals are equipped to operate in an AI-driven environment.
In the age of AI, security is a core business capability, so slowing down its adoption is unrealistic and undesirable. If we are going to secure our future, we do need a fundamental shift in how businesses approach security.
An important lesson emerging is that AI is as much about risk and exposure as it is about innovation. It’s an uneven playing field for sure, with SMEs and young professionals entering the workforce, the most critical to job creation and economic growth, still being the most vulnerable.
Most small businesses, for example, don’t have a dedicated cybersecurity team or the resources to continuously monitor threats. The question is no longer only about access to technology but access to the skills required to participate in a changing economy.
If South Africa is serious about competing in an AI-driven economy, that gap must close, and quickly.
• Luncedo Mtwentwe is MD of Vantage Advisory and host of the SAICABIZ Impact Podcast.
Would you like to comment on this article?
Sign up (it's quick and free) or sign in now.
Please read our Comment Policy before commenting.