Where Things Stand
In February 2026, the Department of Communications and Digital Technologies confirmed to Parliament that South Africa’s Draft National AI Policy has entered Cabinet approval processes. A 60-day public comment period is expected within months. Full policy finalisation is targeted for 2026/2027, with sector-specific regulations to follow from 2027/2028. The clock is ticking.
The Core Pillars
The policy is built on five foundations: skills and capacity; responsible governance and accountability; ethical and inclusive AI; protection of South African cultural values; and human-centred deployment. Notably, government has chosen a multi-regulator model — AI oversight will sit with your existing sector regulator, whether that is the FSCA, SARB, or another body. Your current regulator is about to become your AI regulator.
This multi-regulator approach means that the governance requirements you face will depend on your industry. Financial services firms will look to the FSCA and SARB. Telecommunications providers will look to ICASA. Healthcare organisations will look to the HPCSA and the Department of Health. There will not be a single “AI regulator” — the expectation is that sector regulators will develop AI-specific guidance within their existing mandates.
What Happens Next
The public comment period is your opportunity to shape the final policy. After consultation, government will finalise the National AI Policy, followed by sector-specific strategies and, ultimately, a potential AI Act — South Africa’s answer to the EU AI Act. Those who engage now may influence the rules they will eventually have to follow.
The timeline is significant. Policy finalisation in 2026/2027 means sector-specific regulations from 2027/2028. That gives organisations approximately 18–24 months to prepare. For companies that have not yet begun mapping their AI systems or establishing governance frameworks, the window is narrowing.
Three Things to Do Right Now
- Map every AI system your organisation uses — including third-party tools and automated decisions. You cannot govern what you haven’t found. This includes AI embedded in productivity suites, customer service platforms, HR tools, and vendor-provided analytics.
- Apply a risk lens by use case. Not all AI is equal. A content chatbot and a credit-scoring model need very different governance frameworks. Categorise your AI systems by risk level and prioritise governance investment accordingly.
- Consider ISO 42001. The international AI Management Systems standard maps directly to the policy’s pillars and demonstrates governance credibility to customers and regulators alike. Early adoption positions your organisation ahead of mandatory requirements.
Key Takeaways
Key Takeaways for Governance Professionals
- South Africa’s Draft National AI Policy has entered Cabinet approval, with a 60-day public comment period expected within months.
- The policy adopts a multi-regulator model — your existing sector regulator (FSCA, SARB, ICASA, etc.) will become your AI regulator.
- Full policy finalisation is targeted for 2026/2027, with sector-specific regulations from 2027/2028.
- The five pillars: skills and capacity, responsible governance, ethical and inclusive AI, cultural values protection, and human-centred deployment.
- Organisations should start now: map all AI systems, apply risk-based categorisation, and consider ISO 42001 certification.
- The public comment period is an opportunity to influence the final policy — engage proactively.
Prepare for South Africa’s AI Policy
Priviso helps organisations map their AI footprint, assess governance readiness, and align with ISO 42001 ahead of South Africa’s national AI policy requirements.
Start Free Trial Contact Us