How do we know our AI use is safe, sanctioned, and defensible?
A board-level question. Most organisations can't answer it today. The work of getting to the answer is what we mean by AI Governance & Compliance.
What governance covers
Six work streams. Each stream produces specific artefacts your board and regulators can review.
Policy framework development
Written AI use policy, vendor approval process, role-based usage rules, exceptions process. Drafted to your sector, signed off by your board.
Role and accountability mapping
Who owns AI risk? Who signs off vendor approvals? Who responds when an AI tool is misused? Documented before incidents force the answer.
Vendor approval processes
Structured intake for new AI tools. Commercial, security, data residency, and exit-clause review. Approval lands in days, not weeks.
Monitoring and reporting cadence
Quarterly board reports. Monthly operational reviews. Anomaly alerting on data egress to AI services. Audit-ready logs.
Regulatory alignment
POPIA §71 mapping for automated decisions. ISO 42001 alignment work. Sector overlays (FSCA AI Report, SAHPRA SaMD, HPCSA Booklet 20). Mapped to controls.
Training programme advisory
Role-based AI use training. We design the curriculum and identify the right delivery partner. Outcomes-based, not theatre.
What you're being asked to demonstrate
The five regulatory threads that regulated South African organisations most often need to address. Refreshed quarterly.
| Regulator / Standard | Current state (May 2026) | Upcoming milestone | What it means for a regulated South African organisation |
|---|---|---|---|
| POPIA & the Information Regulator | POPIA in full force since 1 July 2021 with active enforcement. Section 71 explicitly covers automated decision-making — data subjects can refuse decisions made solely by automated means. No AI-specific Code of Conduct issued yet, though one is widely expected. | Information Regulator continues to issue enforcement notices through 2026; AI-specific guidance expected but not yet scheduled. Sector Codes of Conduct under §60 of POPIA are the most likely vehicle. | SA organisations using AI must rely on general POPIA conditions — lawful processing, purpose limitation, minimality, security safeguards (§19) — applied to AI workflows. Section 71 in particular requires meaningful human review of any solely-automated decision affecting a data subject. |
| FSCA + SARB Prudential Authority | FSCA and PA published a joint AI in Financial Services report (2024) signalling a principles-based, technology-neutral stance. A Joint Standard on Cybersecurity and Cyber Resilience (2024) sets baseline expectations. No FSCA equivalent of the FCA Mills Review or PRA SS1/23 has been announced. | Conduct of Financial Institutions (COFI) Bill progress through Parliament; expected to consolidate market-conduct oversight including AI use. Likely 2026–2027 implementation. | SA financial organisations should expect AI-related questions in supervisory dialogues. Model risk, fair treatment of customers, and operational resilience are the live frames. FAIS-licensed advisors using AI-driven advice tools should document oversight. |
| ISO/IEC 42001:2023 | Voluntary certifiable AI Management System standard. SA training and certification capacity in place via BSI and SABS-affiliated bodies. Adoption nascent and largely driven by export-facing organisations. | Continued accelerating adoption through 2026 as procurement clauses propagate, particularly from EU and UK counterparties to SA suppliers. | Not a legal requirement but increasingly a procurement gate, particularly for SA organisations serving European customers. Organisations with ISO 27001 already in place can typically certify in 6–9 months. |
| SAHPRA, HPCSA & healthcare AI | SAHPRA published an AI/ML Software-as-a-Medical-Device framework in September 2025 — one of the more advanced sector AI documents in SA. HPCSA Booklet 20 sets clinical-practice expectations for AI use by registered practitioners. | SAHPRA framework moves from guidance to enforcement through 2026. POPIA Health Code of Conduct (in development) will integrate. | Healthcare AI in SA is more clearly regulated than most sectors. SaMD classification, clinical safety case, post-market surveillance, and HPCSA-approved oversight are non-negotiable for clinical-decision-support tools. |
| Cross-border & AU AI Strategy | African Union Continental AI Strategy adopted 2024. SA's draft National AI Policy was withdrawn 26 April 2026 (16 days after publication) after ~10% of references were found fabricated. SA has explicitly chosen a sector-specific multi-regulator model. | No SA horizontal AI law in prospect for the medium term. EU AI Act's extraterritorial provisions (2 Aug 2026) apply to SA organisations placing AI on the EU market. | SA organisations must navigate by sector and by export market. The EU AI Act is the most concrete cross-border driver. UK and US frameworks (NIST AI RMF) inform procurement expectations from international counterparts. |
Source: Dossier D.2 — AI Governance Regulatory State, last updated 2026-05-13. Refreshed quarterly.
Audit-first methodology
Every engagement begins by establishing facts: what AI is in use, who's using it, what data flows through it. No governance work runs on assumption.
Senior-led delivery
The consultant who writes your AI policy is the consultant who briefs your board. No account managers, no junior analysts ghost-writing for senior names.
Sector-specific, not template-led
An AI policy for a Legal Practice Council-regulated law firm is not the same document as one for an FSCA-authorised financial services provider. We don't pretend otherwise.
AI governance, written for your sector
Most AI policy work on the market is template-driven — a generic document with the organisation's name dropped in, lifted from a publication or a generic consultancy library. It reads well in a procurement questionnaire and falls apart the first time a regulator asks for evidence that it's been operationalised.
Our work starts from what your organisation actually does, what your regulators actually expect, and what AI is actually in use across your business. The policy that comes out the other side is short, specific, and defensible — because it was built to fit, not adapted from a template.
The same logic carries through every artefact in the engagement: vendor approval criteria, board reporting templates, exception logs, training curricula. Each one tied to a named regulatory expectation, each one operable by your team after we hand it over.
How clients engage
Three engagement models. Each one matched to a specific governance posture — ongoing, catch-up, or named accountable owner.
Quarterly retainer
Ongoing governance, board-grade reporting
For organisations that need AI governance to live as a managed function — quarterly board reports, monthly operational reviews, anomaly alerting on data egress, and a named accountable lead on call between cycles.
Annual programme with quarterly reviews
A defined push, then light-touch ongoing
For organisations making a one-time push to bring AI governance current — policy framework, role mapping, vendor process, regulatory alignment delivered as a programme, followed by light-touch quarterly reviews.
Fractional CISO with AI scope
A named accountable owner, part-time
For organisations that need a named accountable AI risk owner without hiring full-time — a senior consultant who attends leadership meetings, signs off on AI risk decisions, and represents the organisation to regulators when needed.
Start with the audit if you haven't already
Governance built on assumed AI usage falls apart in the first regulator question. The AI Usage Audit establishes the facts your governance programme will be built on.
Need the board-level conversation first?
If the question is "what should our AI position be?" rather than "is our AI use safe?", the AI Strategy engagement is the better starting point.