The withdrawal of South Africa’s draft National AI Policy is an uncomfortable but instructive moment.
Communications & digital technologies minister Solly Malatsi confirmed last month that fictitious — likely AI-generated — citations were included in the draft document without proper verification, and pulled the policy. He called it “an unacceptable lapse” that, he said, “proves why vigilant human oversight over the use of artificial intelligence is critical”.
A document designed to govern AI was undermined by ungoverned AI. That is precisely the risk South African organisations face every day, and precisely why building human oversight into AI systems is not optional.
The policy setback does not change the underlying threat reality. Advanced AI models with powerful cybersecurity capabilities are expected to become widely available within the next six months.
Frontier AI models are highly effective at identifying system weaknesses and generating exploits. In one structured exercise, testing achieved in under three weeks the same volume of vulnerability discovery that would typically take a full year of conventional security testing. AI of this kind can also combine several smaller weaknesses into a single devastating attack, and find gaps that traditional security tools would never catch.
The threat landscape is shifting on three fronts. South African organisations need to understand all three, with or without a national AI policy in place.
The vulnerability deluge
AI will dramatically accelerate the discovery of system weaknesses by both defenders and attackers. Every unpatched system becomes a known, targetable risk. Organisations need to find and fix vulnerabilities faster than ever before.
Attackers are increasingly targeting AI tools and software supply chains to get inside an organisation’s systems without triggering conventional defences. AI infrastructure is being deployed rapidly and is often not adequately secured.
Read: Your biggest cyber threat is now sitting at the desk next to you
Tasks that once took skilled attackers days to complete will soon take minutes. Organisations that cannot detect and respond to threats within those timeframes will be outpaced. Fast, AI-driven security operations are no longer a competitive advantage. They are a baseline requirement.
The policy will be rewritten. The threat will not wait. South Africa will get a better AI policy out of this — a document built on verified, credible sources will be stronger than one that was not. But organisations that use the rewrite process as a reason to pause their own security investment will find the threat landscape has moved on without them.
- The author, Justin Lee, is regional director for sub-Saharan Africa at Palo Alto Networks
Get breaking news from TechCentral on WhatsApp. Sign up here.
