South Africa Has Africa's Best AI Rulebook. Its SMEs Still Can't Follow It.
A new GSMA study of 200 AI-active South African firms finds the problem was never the law. It's that good law, on its own, governs nothing.
There is a comfortable story about why AI governance is weak in African markets, and it goes like this: the regulation isn't there yet. Write the laws, build the frameworks, and responsible AI will follow.
A new report from the GSMA drawing on a survey of 200 AI-active South African SMEs, four detailed case studies, and stakeholder interviews across the ecosystem is a quiet demolition of that story. Because South Africa did write the laws. It has one of the most comprehensive data governance environments on the African continent: a constitutional right to privacy, the Protection of Personal Information Act (POPIA), a National AI Policy Framework, and the top ranking of any African country in the 2024 Global Index for Responsible AI.
And its small firms still cannot govern AI properly.
That gap between an excellent rulebook and a market that can't follow it is the most useful thing anyone has published about African AI governance this year. It tells you that the binding constraint was never legislative. It was everything that has to exist around a law before the law does any work at all.
The compliance mirage
Start with the number that looks reassuring and isn't. Just over 80% of surveyed SMEs claim some level of POPIA compliance, and about half say they've implemented comprehensive measures.
Read that again with the word "partial" in mind. These are organisations already running AI across multiple functions - 61% have deployed data analytics and customer-facing applications; more than half have deployed AI for risk assessment and scoring. Partial compliance in that context means the data practices underpinning live AI systems may not meet POPIA's requirements for consent, security safeguards, or automated decision-making accountability. The AI is in production the governance is in progress. The report is careful about this, and so should we be: an organisation can be broadly POPIA-compliant in its ordinary data handling and still be nowhere near compliant in what its models are actually doing.
Size makes it worse in exactly the way you'd expect. Comprehensive compliance runs at 53% among medium firms (50–249 employees) but only 44% among small ones (10–49). POPIA applies uniformly regardless of an organisation's size or maturity , the same documented consent management, the same security safeguards, the same automated decision-making accountability, whether you're a bank or a five-person startup. The obligations don't scale down. The capacity to meet them does.
And the enforcement architecture behind all this is thinner than the statute suggests. The report notes the Information Regulator's own estimate that roughly 3 million Information Officers have not registered as POPIA requires. Maximum penalties reach ZAR 10 million, but as the report puts it, the absence of enforcement capacity creates an environment of uncertainty rather than compliance. A rule that is not interpreted and not enforced is, functionally, a suggestion.
It's a money problem, and everyone has been solving the wrong one
Here is the finding that should reorganise how development finance institutions, regulators, and accelerators think about this.
Stakeholder interviews for the study consistently identified undercapitalisation as the primary barrier to investment in data governance cited more commonly than skills gaps, regulatory uncertainty, or lack of awareness. Not one of those things. Money.
The behavioural pattern is coherent and, frankly, rational. SMEs redirect resources away from governance when operational upkeep is the priority. Governance investment gets deferred until a market trigger makes it unavoidable an enterprise client demanding it as a condition of contracting, or an investor probing it in due diligence. And here's the trap: for most SMEs, the trigger never comes. Current South African due diligence practice assesses team quality, commercial viability, and market fit. It rarely probes AI governance maturity. Investors, the report observes, are largely assuming the models perform as intended.
So the sequence is: nobody asks, so nobody builds, so nothing gets governed.
The survey confirms the diagnosis from the other direction. Asked what would actually help, SMEs named technical tooling, financial support and grants, and standard templates for smaller firms, each cited by more than half of respondents. Not awareness campaigns. Not exhortation. Resources.
The report's conclusion is unusually direct, and worth sitting with: the AI data governance problem in South Africa is fundamentally a financing problem, and interventions targeting compliance culture or awareness are likely to be less effective than those addressing the capital constraints that prevent governance investment from happening at all.
Every "raise awareness" workshop, every principles document, every voluntary code aimed at African SME AI governance is, on this evidence, aimed at a problem that isn't the problem.
The consent gap is structural, and no company can fix it alone
Now the finding I find genuinely hard to shake, because it appeared in all four case studies organisations that differ wildly in sector, scale, and sophistication.
In every case, consent was obtained for a purpose that predated the AI application built on that data.
MomConnect the National Department of Health's flagship maternal health programme, reaching close to five million registered users obtained valid consent for health information delivery. Not for the secondary use of that data to train or improve AI models. And most users were registered by clinic staff on shared devices, so individually confirmed consent under POPIA was, in the report's words, never established.
JUMO , a Cape Town-founded lender that has disbursed more than $7.9 billion to over 31 million customers runs a credit engine on MNO behavioural data collected under telecommunications consent frameworks, which may not extend to credit scoring at all.
Lula, South Africa's first AI-powered SME lender, draws credit-relevant signals from customers of partner platforms like Vodacom and Takealot who may never have consented to their transactional data being used for a credit decision.
Audere's users consent via terms and conditions at their first WhatsApp interaction, with no coverage of the secondary use of conversation data for gender-based-violence risk analytics.
Four organisations. Four consent gaps. And these are, as the report notes, among the most governance-conscious operators in their sectors - MomConnect adopted POPIA compliance before it was law; Audere built harm monitoring before any funder or regulator asked for it. If they have this gap, the broader market is not close.
The point the report makes, and that I want to underline, is that this gap is structural. It is the predictable result of AI being layered onto data relationships that were built before AI existed. It cannot be resolved through the efforts of individual organisations alone, no matter how conscientious. Every firm building AI on data that was collected for something else is sitting on this problem, and there is no amount of internal diligence that makes it go away.
Nobody is answerable when the model is wrong
The third structural failure is the one this publication keeps arriving at from every direction: accountability that is distributed but not allocated.
Consider how a JUMO credit decision actually happens. An MNO holds the behavioural data. JUMO runs the AI credit engine. A licensed lending partner Mukuru, say issues the loan. The decision is fully automated, with no human review of individual applications. And there is no sector code of conduct for automated credit decisions in South Africa, and no legal framework clearly allocating responsibility for consent, explainability, or customer redress across those three parties.
So: if the model wrongly declines you, who do you complain to? The report's answer is stark — the affected individual has no obvious route to redress, because no actor in the value chain has a clear obligation to provide it. Responsibility exists everywhere in the diagram and lands nowhere in particular.
POPIA does, on paper, restrict automated decision-making with legal or significant effects, and requires that data subjects receive "sufficient information about the underlying logic" of such decisions. But ,and this is the whole ballgame, that phrase has no published interpretation for credit scoring, or health triage, or any of the contexts where these systems are actually making consequential calls. Lula's credit decisions are fully automated, directly engaging POPIA's automated decision-making provisions including the obligation to provide reasons for refusals. Nobody has told Lula, or anyone else, what a sufficient reason looks like.
The report adds a related finding that deserves more attention than it will get: none of the four organisations has publicly documented systematic bias testing for its South African deployment. And in each case, the populations served least by the AI system are also the ones least represented in its training data. Lula's training data skews to digitally active, banked businesses likely underrepresenting the informal, cash-based, and women-owned SMEs it exists to serve. That is a governance failure that, as the report notes, no current framework requires any actor to address.
Nor does anyone have to check afterwards. Post-deployment monitoring model drift, real-world performance divergence, bias accumulating over time falls outside every existing obligation and due-diligence framework examined in the study. Of the four case studies, only Audere built real-time harm monitoring, and it did so voluntarily, before anyone required it.
What actually fixes this (and why Kenya is in the report)
If the law isn't the constraint, what is? The report's answer is that governance needs infrastructure the interpretive, financial, and coordinating machinery that turns a statute into something a small firm can actually comply with. South Africa's problem, in its formulation, isn't that POPIA is too weak. It's that the infrastructure for operationalising it in AI contexts does not yet exist.
Three pieces of that infrastructure stand out.
Proportionality has to be designed, not assumed. Where it has worked elsewhere, it was built in explicitly tiered obligations, phased timelines, enforcement calibrated to organisational scale. South Africa applies POPIA uniformly regardless of size or risk profile, with no SME-specific compliance pathway, which leaves proportionality a stated intent rather than an operational reality.
Market mechanisms will move faster than regulators. Since governance investment happens when a market trigger demands it, the highest-leverage intervention is to create the trigger: put AI governance maturity into investor due diligence and public procurement standards. Ask whether training-data consent is documented, whether bias assessments exist, whether post-deployment monitoring is running. Investors and procurement officers can impose this tomorrow. A regulator would take years.
And someone has to translate, technology hubs, incubators, accelerators, and industry associations are the natural intermediaries but the report finds they currently lack the knowledge, funding, or mandate to provide AI governance support. There is no ecosystem actor dedicated to this. That absence is a structural hole, and filling it is comparatively cheap.
Then there's the detail that made me sit up, given what this publication has covered before. Among the four international models the report holds up for South Africa to learn from the EU AI Act, India's DPDP Act, the UK's ICO sits Kenya. Specifically: Kenya's fines capped at 1% of annual turnover, which link the severity of penalties to the scale of a business and make regulatory risk legible for an AI-deploying SME. And Kenya's sector-specific guidance notes, which translate abstract obligations into context-aware expectations for digital finance and telecoms.
The report's verdict is that turnover-based penalties are more directly adaptable to South Africa's context than EU models, given comparable development conditions, and that Kenya demonstrates proportionality can be achieved through sanctions architecture and interpretive guidance without rewriting the baseline law.
Kenya, in other words the market with the smaller economy, the thinner capital markets, and the lower AI Preparedness score is being cited as the governance model for the continent's most sophisticated regulatory environment. Not because its law is better. Because its law is more usable.
The lesson travels
Strip out the South African specifics and what remains is a finding that applies to every emerging market building AI in finance, and to a fair few developed ones.
A law is not a governance system. A governance system is a law, plus an interpretation of what it means in your sector, plus an enforcement capacity that makes it real, plus a financing mechanism that lets a small firm afford compliance, plus an intermediary that translates it into something operational, plus a market that actually asks whether you've done it. South Africa built the first component beautifully and, so far, very little of the rest. And so its SMEs are running AI on consent that doesn't cover it, with no bias testing, no post-deployment monitoring, no explainability standard, and no route to redress for the people the models get wrong in full compliance, more or less, with the best AI rulebook on the continent.
That is not an argument for writing worse laws. It's an argument for understanding that the law was the easy part. The hard part the money, the interpretation, the coordination, the accountability that has to be allocated rather than merely distributed is where AI governance is either won or quietly lost. South Africa is a warning to every market that thinks passing the act is the finish line.
It's the starting line. And on this evidence, most of the race has not been run.
Frontier Finance AI covers the collision of artificial intelligence and capital markets across Africa and Asia. Findings and figures in this piece are drawn from the GSMA's Scaling AI for SMEs: Insights Into South Africa's AI Data Governance Environment (GSMA Mobile for Development, 2026), based on a February 2026 survey of 200 AI-active South African SMEs. This is analysis, not legal advice.