South Africa’s withdrawal of its draft artificial intelligence (AI) policy should be seen as a cautionary tale for businesses adopting new technologies without robust governance, according to a leading cybersecurity firm.The policy, intended to position South Africa as a leader in AI through new regulatory bodies and incentives, was withdrawn in April after communications & digital technologies minister Solly Malatsi said it included fictitious AI-generated references.It has since led to the suspension of two officials and a full redraft overseen by an expert panel, with a revised framework targeted for 2027.“The reality is business leaders should be looking at this like a mirror of what could potentially happen in any organisation,” said Gareth Redelinghuys, TrendAI country MD for Sub-Saharan Africa.The government’s failure should accelerate private sector action as AI adoption speeds up while lacking sufficient oversight, he said, warning that it shows how quickly things can go wrong when systems are not properly monitored. “We cannot wait. The time to get this sorted is now.”AI governance must be an executive priority rather than being left to IT teams, as regulatory and enforcement risks increase beyond compliance to include financial penalties, criminal liability and reputational damage.More specifically, Redelinghuys said the incident highlights a growing problem with generative AI “hallucinations”, where systems can generate fabricated or incomplete information that is presented as credible or verified.Large language models do not always distinguish between accurate and fabricated sources, meaning outputs still require strict human verification.The next shift beyond chat-based tools is agentic AI systems that can execute tasks and workflows on behalf of users, posing new risks for organisations.Those companies that are joining forces to mitigate against these zero-day attacks, those are the companies that will also survive in the future.— Gareth Redelinghuys, TrendAI country MD for Sub-Saharan Africa.Redelinghuys warned that as these tools are deployed to drive efficiency, the main concern is the extent of access being granted across internal systems.“You’ve just opened the door, handed the keys, the crown jewels, your secret sauce,” he said, cautioning that once integrated, such systems can operate across calendars, databases and enterprise platforms in ways users may not be able to fully monitor.The same AI systems driving productivity are simultaneously lowering the barrier for cybercriminals, making it easier to identify vulnerabilities at scale, including weaknesses in legacy systems that may have gone unpatched for decades.Redelinghuys stressed that attackers using AI are now finding security gaps faster than traditional defence systems can respond, forcing cybersecurity firms to adopt AI themselves to keep pace and proactively detect and patch vulnerabilities.“Those companies that are joining forces to mitigate against these zero-day attacks, those are the companies that will also survive in the future,” he said. “If you don’t embrace AI, you’re going to be left behind.”Redelinghuys added that many executives still misunderstand cloud security, assuming that adoption guarantees protection while overlooking the “shared responsibility” model, in which providers do not fully control how data is accessed or governed.Data sovereignty is critical, he said, ensuring that information remains under South African law and within clearer local control.According to a 2026 economic report by the Africa Data Centres Organisation, Africa’s data centre market remains underdeveloped. There are an estimated 220 to 230 facilities in 38 countries, and capacity is concentrated in a handful of hubs. such as South Africa, Egypt, Kenya and Nigeria.Most data generated on the continent is stored offshore, according to estimates from the International Finance Corporation and the Global System for Mobile Communications Association. This is primarily in Europe and North America, though the market is projected to grow to $9.2bn by 2029.This is especially important for large-scale data lakes, which aggregate vast operational and security data across multiple environments, as locally hosted infrastructure ensures sensitive information remains subject to South African regulation and oversight.Business Times