When the Policy Fails Its Own Test

The CyberDiplomat

4 min read
Share
When the Policy Fails Its Own Test
South Africa's AI governance draft was withdrawn after its citations turned out to be fabricated—likely by the very technology it sought to regulate. The irony is damning. The lessons are universal.

In March 2026, South Africa's Cabinet approved what was intended to be a landmark document—a national framework for governing artificial intelligence across one of the continent's most digitally ambitious economies. By April, it was open for public comment. Within weeks, it was gone.

The reason for its withdrawal was not political controversy, nor a constitutional challenge, nor a change in government priorities. The draft National AI Policy had to be pulled because an unknown number of its academic citations did not exist. They were plausible. They were formatted correctly. And they were, in all likelihood, generated by the very class of AI tools the document was supposed to regulate.

"AI governance cannot begin with technology alone—it must begin with governance itself."

Communications and Digital Technologies Minister Solly Malatsi acknowledged the failure directly, attributing it to AI-generated references that slipped through without adequate human verification. Two officials have since been suspended pending investigation. An independent review panel has been assembled. A revised policy is now expected no earlier than January 2027.

The embarrassment is real. But the significance of this incident extends far beyond South Africa's borders, and far beyond a citation error.

What the draft was trying to accomplish

Before it was withdrawn, the policy built on South Africa's 2024 National AI Policy Framework and set out an ambitious governing vision. It addressed ethical AI deployment, data sovereignty, sectoral integration across healthcare, education, and public administration, and proposed new institutional oversight structures for AI regulation.

These are not trivial objectives. For a country seeking to position itself as a regional leader in digital governance, the policy represented a serious attempt to get ahead of a technology that most governments are still scrambling to understand. The ambition was sound. The process, it turned out, was not.

The governance gap, made visible

Here is the core tension the South African case exposes: governments worldwide are attempting to regulate AI while simultaneously relying on AI tools in their own policymaking processes. Generative AI can accelerate research, drafting, and synthesis. It can also hallucinate. And when hallucinated outputs are embedded in official government documents without rigorous human review, the damage is not merely reputational—it is institutional.

This is what we might call the governance gap: the space between AI adoption and the oversight mechanisms required to make that adoption safe. Across banking, healthcare, education, and public services, AI deployment is outpacing regulation. South Africa's policy delay does not freeze that deployment—it simply leaves it ungoverned while policymakers rebuild.

QUESTIONS THAT REMAIN UNANSWERED

  • Who is accountable when AI systems fail or cause harm?
  • How should algorithmic bias be identified and addressed?
  • What standards should govern AI-generated content in official contexts?
  • How should personal and sensitive data be protected at scale?
  • What safeguards exist against AI-enabled cybersecurity threats?
  • How should workforce displacement be managed and mitigated?

These questions are not unique to South Africa. They are the defining regulatory challenges of this decade, and they do not pause for policy drafts to be corrected and reissued.

· · ·

An opportunity inside the setback

There is a case—not a comfortable one, but a real one—that the delay may ultimately strengthen what emerges. The newly appointed review panel brings together expertise in AI research, cybersecurity, law, and digital policy. They are being asked not merely to clean up citations, but to rebuild a framework that must demonstrate the kind of discipline, transparency, and accountability it intends to demand from AI systems themselves.

That is a harder brief. It is also a better one. A revised framework that takes seriously the risks of unchecked AI-generated content in public administration, that establishes clear internal guidelines for how generative tools may be used in policymaking, and that builds meaningful human oversight into every layer of the process, would be worth the delay.

"The true test of governance will not be how quickly policies are published, but how effectively they can be trusted."

Lessons that travel

For governments beyond South Africa's borders, the incident offers three clear lessons worth internalizing now.

First: AI-generated content must never bypass rigorous human review, regardless of time pressure or resource constraints. The efficiency gains offered by generative tools are real—but they are not unconditional. In contexts where accuracy and public trust are foundational, the cost of a single unchecked hallucination can vastly outweigh any time saved.

Second: public trust is not a soft metric. It is a structural requirement for governance. A policy framework that is accurate but perceived as carelessly assembled, or one that demonstrates the very failure modes it seeks to prevent, cannot do what policy is meant to do. It cannot be trusted—and untrusted governance does not govern.

Third: the institutions responsible for AI oversight need their own internal AI policies. How generative tools are used in research, drafting, procurement, and public communication is not a secondary concern. It is now a matter of institutional integrity.

What comes next

South Africa's revised AI policy will arrive under considerably more scrutiny than its predecessor. That scrutiny, though uncomfortable, is appropriate. A framework governing one of the most consequential technologies of the current era should be able to withstand hard questions about how it was built—who reviewed it, what sources it relied upon, and whether the humans responsible for it actually read what they were signing.

The January 2027 target is more than a revised publication date. It is an implicit promise that the next version will be a document the government can defend, not merely a document it produced. Whether that promise is kept will say as much about South Africa's AI governance capacity as anything the policy itself contains.

For the rest of the world, watching closely: the lesson is not that AI should be kept out of policymaking. It is that using AI in policymaking requires the same rigour, accountability, and human judgment that good governance has always demanded—and that the absence of those qualities is now easier to detect, and costlier to ignore, than at any point in the past.

Read more