South Africa's Draft National AI Policy: what it says and what comes next
Co-authored with Michael van Schalkwyk.
On 10 April 2026 the Department of Communications and Digital Technologies gazetted the Draft South Africa National Artificial Intelligence Policy (Notice 3880, Government Gazette No. 54477). Public comment closes on 10 June 2026 at 16h00. The document builds on the August 2024 AI Policy Framework, incorporates the 32 submissions received on that Framework, and sets out where the country's AI governance regime is heading through to 2027/28.
The policy is worth reading in full whether or not you work in insurance. It proposes a new institutional architecture, a risk-based regulatory approach inspired by the EU AI Act, and operational obligations — impact assessments, explainability, human-in-the-loop — that apply to anyone building or deploying AI in South Africa. Financial services, healthcare, the public sector, academic research, SMEs, and the education pipeline all sit inside its scope. The eight-week comment window is the moment to shape the final text before Year 1 regulatory requirements land.
Pillar 1 — AI for inclusive economic growth, and a Developing Africa lens
The policy opens by positioning AI as "a strategic general-purpose technology" that holds "the potential to drive innovation, enhance productivity, and contribute meaningfully to socio-economic development" (Section 1.1). Three sectors are named as critical focus areas — education, healthcare, and agriculture — with public administration positioned as the implementation lever rather than a fourth sector (Section 3.2). The policy is explicit that AI in South Africa has to serve "inclusive economic growth, job creation, cost reduction, and a Developing Africa."
Section 3.4 frames the strategic direction through a Futures Triangle — the Push of the Present (technological advancement, economic necessity, policy momentum), the Pull of the Future (economic transformation, social equity, sustainable development, global leadership), and the Weight of the Past (digital divide, historical inequities, institutional inertia, outdated regulatory frameworks). Naming historical structural inequities inside an AI policy document is less common than competitiveness framing. South Africa's draft opens with inequality and keeps returning to it.
The policy anchors itself simultaneously to the Constitution and Bill of Rights, the OECD AI Principles, UNESCO's Recommendation on the Ethics of AI, and the African Union's Digital Transformation Strategy and Continental AI Strategy (Section 1.3). This is a developing-country policy that consciously imports developed-country ethical baselines while reserving the right to interpret them in South African context.
For anyone planning AI work in South Africa, the priority-sector naming matters practically: procurement preference, grant funding, and regulator attention will concentrate first where the policy concentrates first.
Pillar 2 — Building the AI governance ecosystem
The policy proposes seven new institutional bodies, repositions three existing ones, and creates a coordinating forum to hold them together (Sections 4.5, 4.6, 4.7). The ambition is whole-of-government AI oversight with sector-specific expertise retained.
The proposed institutional architecture
The seven proposed bodies each have a distinct role. The National AI Commission / National AI Office coordinates policy and implementation. The AI Ethics Board enforces ethical governance on bias, privacy, and fairness. The AI Regulatory Authority monitors compliance, performs audits, and issues certifications. The AI Ombudsperson Office allows individuals to challenge AI-driven decisions and seek redress. The AI Insurance Superfund compensates for harm in ambiguous-liability scenarios, modelled on the Road Accident Fund. The National AI Safety Institute advances the science of AI safety in concert with international peers. The Integrated AI-Powered Monitoring Centre is intended as a central nerve-centre for service-delivery efficiency (Section 4.6).
Three existing bodies are explicitly repositioned. ICASA evolves to oversee ethical AI in telecommunications, ICT, and broadcasting (Section 4.7). The Information Regulator continues data-protection oversight under POPIA (Section 4.5). The South African Human Rights Commission monitors AI compliance with human-rights law (Section 4.5).
Above them all, a National AI Regulatory Forum coordinated by DCDT brings together ICASA, the Information Regulator, the Competition Commission, SARB, FSCA, CSIR, and DTIC (Section 4.7). The practical effect is that a significant AI deployer will be observed from several angles at once — prudential, market conduct, competition, data protection, innovation-policy — under one coordinated framework. If you are designing a compliance programme today, build it against the Forum's scope, not a single regulator's mandate.
Pillar 3 — Talent development and digital infrastructure
The skills side is substantial. AI is to be integrated into school curricula from primary through tertiary level (Section 9.1.1). The approach is STEAM-plus — technical skills alongside Social Sciences and Humanities for ethical literacy. Dedicated specialised AI programmes are to be co-designed with industry in higher-education and vocational institutions. Reskilling and upskilling programmes explicitly target finance, agriculture, mining, and logistics — the sectors the policy expects AI to disrupt fastest. A Master AI Institute is proposed as the national anchor for skills diffusion. Diaspora engagement programmes and community-based AI education centres in underserved regions are also named.
The infrastructure side is equally ambitious. Section 9.1.2 calls for supercomputing infrastructure and a national data centre, 5G and 6G rollout with high-capacity fibre, and last-mile connectivity through low-earth-orbit satellites for rural areas. Universal internet access is framed as a socio-economic right — a meaningful constitutional elevation. Regional AI Factories are to be established for decentralised innovation, paired with AI community centres and hubs in underserved areas.
One detail is worth flagging. The policy calls out energy preparedness as a policy variable rather than an operational footnote (Section 9.1.2). It specifically references electricity, water, and other environmental resources needed for data-centre operations. This is a more explicit treatment of AI's energy demand than most national AI policies carry — a recognition that data centres, electricity, and water are connected planning problems.
For operators in named sectors, the MSME and skills-grant pipeline will follow the policy's sector list. The opportunity is to shape the support programmes during consultation rather than inherit them afterwards.
Pillar 4 — Risk-based regulation: the proportional approach
The policy adopts four complementary regulatory stances in Section 5: an Ethics-First Approach with stringent safeguards; Flexible, Iterative Regulation using phased rules and sandbox environments; an Economic-Focused Strategy prioritising AI's productivity contribution in mining, agriculture, and public administration; and Global Standards Alignment with the OECD, UNESCO, and the EU AI Act. The document states that it "draws some inspiration from the European Union AI Act" while keeping drafting technology-neutral (Section 7.3).
Risk classification sits at the centre of how obligations cascade. AI systems will be categorised by levels of potential harm, with stricter regulations for high-risk applications (Section 7.3). Credit scoring is explicitly named as a high-risk context in the policy's accountability and explainability sections. Financial systems are flagged as critical infrastructure warranting stricter protection (Section 9.4.1). The operating phrase is "proportional controls based on risk levels."
The operational obligations on high-risk deployers are concrete. Mandatory algorithmic impact assessments (Section 7.2), gender and human-rights impact assessments (Section 7.3 and 9.4.2), routine bias testing on algorithms in high-stakes applications (Section 9.4.2), "sufficient explainability" (Section 9.6.2), plain-language notifications when individuals are affected by automated decisions (Section 7.2), and public access to AI system audits (Section 9.4.2). Human-in-the-loop is required for critical decisions, with reinforcement learning with human feedback (RLHF) explicitly namechecked for alignment (Section 9.6.1). Read the AI use case lifecycle for how these obligations map onto operational stages — most of them live in the monitoring stage, which is also the stage most deployers under-invest in.
A compensation mechanism sits alongside the regulatory machinery. The AI Insurance Superfund (Section 9.3.1) would compensate individuals or entities harmed by AI-driven outcomes in cases where liability is difficult to determine. The design is modelled on the Road Accident Fund. Funding model, contributor base, and claim thresholds are not yet defined — that is exactly what the consultation window is for.
Pillar 5 — Ethics, human rights, and the constitutional frame
Section 9.4.1.1 sets out six principles of responsible AI: Fairness, Reliability and Safety, Privacy and Security, Inclusiveness, Transparency, and Accountability. These are not novel internationally — the OECD and UNESCO use similar sets. What is distinctive in the South African formulation is the direct constitutional anchoring.
Section 1.3 enumerates specific Bill of Rights sections — s9 (equality), s10 (human dignity), s12 (freedom and security), s14 (privacy), s15, s16, s17, s18, s19, s21, s22, s23, s24, s27, s28 (children), s29 (education), s30 (language and culture), s31, s32 (access to information), s33 (just administrative action), s35 — and states that AI "must not be used to violate" any of them. This is a legal hook that future constitutional cases will cite. It is also a scope statement: almost every area where AI is already deployed has a corresponding section of the Bill.
Child-protection language is particularly strong. Section 9.3.1 calls for protection of children against manipulative AI systems, including predatory advertising, gamified features that encourage excessive screen time, and other exploitative practices. This is rare in a national AI policy; it is more typical of consumer-protection statutes. Edtech, gaming, and social-media operators should read it closely.
The transparency obligations carry the highest implementation cost. Plain-language notifications to affected individuals, auditable decision logs, routine algorithm impact assessments, and public access to audits require engineering investment, not just legal review. Deployers who have already built monitoring and explainability into their stacks — particularly in financial services — are closer to compliance than those who have not.
Pillar 6 — AI that serves SA's unique identity: the African philosophy lens
Ubuntu is named as an explicit guiding philosophy in Section 9.5.1 — interdependence, respect for human dignity, fairness, and social equity. Most national AI policies anchor on rights language alone. The South African draft goes further and names a philosophical tradition. This is a drafting choice with consequences: it gives regulators, courts, and ombudspersons a cultural reference point for interpretation beyond the Bill of Rights catalogue.
Cultural preservation is treated as a concrete policy intervention. Section 9.5.1 commits to AI tools that digitise and preserve indigenous languages, arts, music, and literature; real-time translation capabilities across all twelve official languages of South Africa; and research into language models that support underserved African languages. This is a procurement and research agenda, not a philosophical statement — local-language data is a real gap, and the policy names it as an investment priority.
The continental positioning is explicit. Alignment with the African Union's Agenda 2063 and Continental AI Strategy, research partnerships with sub-Saharan and continental peers, federated African cloud and data platforms, and a Data Justice approach that "accounts for economic and environmental impacts" (Section 9.5.2). South Africa's AI strategy is at least partially an African continental anchoring strategy, not a solo national play.
The inclusive-growth sub-theme connects here. Regulatory sandboxes, direct government procurement from MSMEs and women- and youth-led startups, open data initiatives, and data commons are all named in Section 9.2.2. Whether the procurement preferences translate into actual deal flow is the question the next three years will answer.
Across sectors — the policy is broader than any one industry
Six readings for six different audiences, beyond the headline framing.
Broader financial services. SARB and FSCA both sit on the National AI Regulatory Forum. Banking, capital markets, and payments inherit the same obligations as insurance. Credit scoring is the named high-risk example. IFRS 9 provisioning models, algorithmic trading, retail risk-based pricing, and fraud detection all sit in the territory the policy wants stricter controls around.
Healthcare. Listed as a critical sector alongside education and agriculture (Section 3.2). Healthcare AI is also a child-protection flashpoint — paediatric triage, wearables, and mental-health-adjacent tools all fall inside Section 9.3.1's protective language. Clinical decision support and medical imaging classifiers sit near the high-risk boundary.
Public sector. The policy names public administration as a critical sector (Section 3.2) and positions government itself as the pilot ground. The Integrated AI-Powered Monitoring Centre (Section 4.6) is framed as a service-delivery oversight platform. The practical implication is that departments of Home Affairs, Health, Education, and SARS will themselves become regulated AI deployers, subject to the same obligations they enforce on the private sector. Public-sector AI procurement should be written today with the full obligation stack in mind — impact assessments, explainability, auditable logs, plain-language notifications to affected citizens. Supplier contracts that do not contemplate those obligations will need to be renegotiated when the Year 1 regulatory requirements land.
Skills and higher education. Curriculum changes from primary through tertiary, the Master AI Institute, diaspora engagement, sector-specific reskilling (Section 9.1.1). Universities, TVET colleges, professional bodies, and corporate learning functions each have a direct role. The sector-specific reskilling list — finance, agriculture, mining, logistics — signals where employer-funded programmes will cluster first.
SMEs and startups. Regulatory sandboxes (Section 9.2.2), and legal exemptions enabling direct government procurement from MSMEs and women- and youth-led startups. This is procurement policy as much as AI policy. The operational challenge is that the sandbox mechanics — what qualifies, who runs the sandbox, what exit criteria apply — are not yet defined. That is consultation territory.
Academic research. Data treated as a public good, open data initiatives, and data commons (Section 9.2.2). The policy commits to "significant investments in local data collection and the development of Africa-relevant datasets" (Section 9.4.2) — the strongest procurement signal researchers will see this year. Federated African cloud and data platforms (Section 9.5.2) extend the same logic to cross-border research infrastructure, which matters for long-running climate, health, and agricultural datasets that individual countries cannot sustain alone. Research ethics committees and university tech-transfer offices should expect new scope around AI impact assessments in grant applications — and grant review panels should expect to receive them.
Insurance. Pricing, underwriting, and automated claims decisioning sit in the zone that will attract stricter controls. The AI Insurance Superfund (Section 9.3.1) is the piece without a comparable mechanism in any of the 70+ jurisdictions on the global AI regulation map — who funds it, on what basis, and whether it displaces or supplements existing liability routes is a question for the industry associations in the comment window. For cross-jurisdiction patterns that will shape the final text, the AI regulation for insurance analysis covers what the EU, NAIC, MAS and others have already settled; the IFRS 17 adoption map is the adjacent disclosure-regime reference.
What practitioners can do in the eight-week window
The consultation closes on 10 June 2026 at 16h00. Six concrete actions between now and then, in rough order of return on effort.
- Read the draft. It is available at www.dcdt.gov.za and www.gov.za. Budget one focused sitting.
- Map it to your book of work. Three questions to run through: which AI systems in the estate would fall into the high-risk category under the draft classification; which would require algorithmic impact assessments or human-rights impact assessments; and which touch the critical-infrastructure language. The output is a heat-map of obligations, not a compliance tick-list.
- Draft a written comment. Submissions go to
aipolicy@dcdt.gov.zaby 10 June 2026. Mark the subject line "Draft South Africa National Artificial Intelligence (AI) Policy." Comments are disclosable under the Promotion of Access to Information Act unless the author requests confidentiality on one of the listed statutory grounds. - Organise a sector response. Industry bodies carry more weight than individual firms. Actuarial, banking, healthcare, legal, and technology sector associations all have standing channels into DCDT. Coordinate.
- Flag the engineering implications internally. Impact assessments, explainability, auditable decision logs, plain-language notifications, human-in-the-loop — these need engineering roadmaps, not compliance memos. If current delivery processes cannot produce these artefacts today, the time to design them is now, not after Year 1 requirements are published.
- Watch the Year 1 regulatory requirements. The phased implementation plan publishes key draft regulatory requirements for unacceptable-risk use cases inside Year 1 (2025/26), alongside policy finalisation. If your system sits near that line, you are in scope sooner than the "full implementation 2027/28" framing suggests.
What to watch post-10 June 2026
The institutional architecture — Commission, Ethics Board, Regulatory Authority, Ombudsperson, Insurance Superfund, Safety Institute, Monitoring Centre — has to be funded and staffed to mean anything. Year 2 (2026/27) is where sectoral strategies and high-risk regulatory requirements are scheduled to arrive. The first real test of the regime will be whether the open-ended drafting approach survives industry commentary or shifts toward the EU AI Act's more prescriptive mode.
For insurers specifically, the question worth tracking is whether the Insurance Superfund design consultation runs in parallel with policy finalisation or waits until Year 2. For everyone else, the question is simpler: does the Regulatory Forum develop a coordinated view, or does each constituent regulator continue to operate to its own mandate with AI as an added concern? The answer shapes whether compliance becomes one programme or seven.
Eight weeks. Then the policy begins moving from draft to live.
Continue reading
Related reading
The AI Use Case Lifecycle: Why Governance Is a Cycle, Not a Checklist
A 5-stage iterative lifecycle for AI use cases in insurance — from context and design through ongoing monitoring — and why treating governance as a one-off approval gate is where most programmes break.
Read →AI regulation for insurance: what the global map actually shows
Analysis of AI regulation for insurance across 70+ jurisdictions. The EU AI Act, the US state patchwork, MAS MindForge, and the insurance-specific gap most frameworks still have.
Read →Reference
Tools & references
Working on something similar?
I lead a team that's delivered IFRS 17, AI advisory, and actuarial training across 15 jurisdictions. If this topic is relevant to your team, let's talk.