Picture: 123RF/Multiexposure

Your employees, customers and other stakeholders are already using artificial intelligence (AI) in their daily activities. Are they subjecting your institution to unknown risks? Are they exposing your confidential data and trade secrets to the world? Are they creating new data security problems?

As we navigate the complexities of integrating AI across all operational spectra, the need for a robust governance and risk management framework has never been more pressing, particularly in the absence of regulation or soft laws within our immediate economy.

With the EU’s AI Act, a regulatory framework that was adopted by the European parliament and will soon come into effect, setting a precedent, it is crucial for African governments and companies to adopt international standards, apply them to the unique context of Africa and ensure risk management protocols are up to scratch.

As AI becomes pervasive within corporate environments, its governance, risk management & compliance (GRC) emerge as pivotal pillars ensuring that adoption is responsible and ethical. This evolution is underpinned by a continuously developing regulatory environment, highlighted by the act, often dubbed the General Data Protection Regulation (GDPR) for AI. The act represents a significant milestone, introducing a risk-based approach and product liability that influences global AI governance standards.

Predecessors to the act include the Organisation for Economic Co-operation & Development (OECD, 2019) framework for the classification of AI systems, the first set of AI standards pledged by governments to promote innovation and trustworthy AI, including African states. The OECD AI framework encourages users to mitigate specific risks that are typical of AI, such as bias, explainability and robustness, and promotes the development of crucial policies and regulations.

African corporations must recognise this regulatory shift, understanding that adoption of the act and generally accepted frameworks is not optional given its extraterritorial reach. This is a part of the broader EU “Brussels effect”, influencing global digital and AI policies through initiatives such as the Digital Markets Act and the Digital Services Act. The stakes are high, with penalties reaching up to 7% of annual revenue for noncompliance with the EU AI Act.

Risk management

To navigate this landscape, companies must adopt a proactive GRC approach, focusing on key areas such as risk management systems tailored for AI, comprehensive data governance, and rigorous technical documentation. These systems address known and foreseeable risks, ensuring AI applications do not compromise health, safety, human rights or environmental standards.

Key to commencing AI risk management is establishing how the AI life cycle aligns with operational risk management principles and governance structures within a company or institute. In the African context this alignment must consider specific internal and external constraints, such as lagging digital transformation or infrastructure capacity limitations. This process is followed by the development of an AI governance infrastructure, including mapping, planning, scoping, testing and validating, before and after deployment.

Quality management systems form the audit basis for self-certification or third-party certification, embedding revenue management systems, postmarket surveillance and other critical policies. The importance of technical documentation cannot be overstated, requiring detailed descriptions of the AI system as mandated by the EU AI Act.

With the landscape rapidly evolving, adherence to international standards becomes paramount. Organisations such as ISO, IEEE and NIST are at the forefront, developing AI standards that are likely to shape the future of AI governance, risk management and system life cycle management. Standards such as ISO 42001 for AI governance and ISO 24893 for AI risk management are becoming benchmarks for global compliance.

For African corporations, the integration of AI into their operations is not just about harnessing new technologies but about doing so in a manner that is ethical, compliant and risk-aware. The EU AI Act serves as a blueprint for global AI governance, emphasising the importance of a comprehensive GRC strategy.

As the world races to set the standards in AI regulation, African businesses must stay ahead of the curve, ensuring their AI initiatives are innovative and compliant, safeguarding their operations against myriad risks posed by this transformative technology.

• Steyn, a human-centred AI advocate and thought leader, is founder of AIforBusiness. Prem is an AI governance professional and commercial attorney, and Serandos the cofounder of the African Academy of AI and lecturer at Gibs Business School.
