South Africa falls behind as AI becomes core infrastructure

Artificial intelligence is no longer just a new technology added to government systems. It is becoming part of the foundation of how the state operates.

When AI is used in tax systems, border control, policing tools, social grant verification, procurement analytics and healthcare decisions, it stops being optional. It becomes infrastructure. And infrastructure is defined by dependence — once it is embedded, government cannot function without it.

Other parts of the world have recognised this shift.

The European Union has responded with the EU AI Act, which treats AI used in critical sectors like law enforcement, education, employment and migration as "high-risk." These systems must undergo strict testing, documentation, monitoring and human oversight. The EU's message is clear: once AI affects people's rights, regulation cannot be voluntary.

The United States has taken a different approach. There is no single AI law. Instead, different agencies oversee AI within their existing mandates. This creates oversight, but through a patchwork system rather than one unified framework.

China has centralised its approach. It regulates AI as part of national security and social stability policy, requiring registration and security reviews for generative AI systems.

South Africa's position is less clear.

POPIA Is Not an AI Law

South Africa's main data protection law, POPIA, includes a section on automated decision-making. It says that decisions with serious consequences cannot be made purely by automated systems unless certain safeguards are in place.

On paper, this sounds strong. In practice, it has limits.

• POPIA does not require algorithm audits.
• It does not mandate AI-specific impact assessments.
• It does not set transparency standards for training data.
• It does not create procurement rules for AI tools used by the state.

The Information Regulator enforces POPIA, but it is not an AI oversight body. Its mandate covers data protection broadly, not technical AI accountability.

This creates a grey area. AI systems can be introduced into government processes as long as data rules are followed — but broader accountability questions remain unclear.

Procurement is the real entry point

Most infrastructure is built through procurement, not new legislation.

In South Africa, National Treasury regulates public procurement. The rules focus on financial compliance and value for money. They do not require departments to conduct AI bias testing, publish model documentation, or commission independent technical audits before deploying AI systems.

This means AI tools can enter government systems through normal procurement channels, without special safeguards.

Once these systems are embedded, they are difficult and expensive to remove. They create long-term vendor dependence and deeply integrated data systems.

Oversight is fragmented

South Africa does not have a dedicated AI regulator. Oversight is spread across:

• The Information Regulator
• National Treasury
• Sector regulators
• Parliamentary committees
• The Auditor-General

The Auditor-General often flags IT failures and digital system weaknesses. But current audit methods do not assess algorithm bias, training data quality, or how automated decisions are made.

In other words, technical AI oversight is not yet built into the system.

The Bigger Risk

Infrastructure does not become dangerous when it collapses dramatically. It becomes dangerous when it quietly shapes decisions without scrutiny.

If AI is used in social grant approvals, financial risk scoring, public health systems and law enforcement tools, it will influence outcomes in ways that are not always visible.

Without clear audit powers, transparency rules, procurement safeguards and technical oversight capacity, AI systems may become entrenched before accountability systems catch up.

The EU chose early legislation. The U.S. regulates through institutional adaptation. China centralises control. South Africa has not yet developed a clear, coordinated AI governance framework that matches the scale of AI's growing role in public systems.

AI is already integrating into infrastructure.

The real question is whether governance will evolve before these systems become too embedded to effectively regulate.

Because once infrastructure settles in, it resists scrutiny.

And that is why oversight must come before entrenchment.