While the policy is being rewritten, the threat landscape isn’t waiting. Justin Lee, Regional Director for Sub-Saharan Africa at Palo Alto Networks, unpacks three critical shifts organisations need to prepare for: the surge in AI-driven vulnerability discovery, faster and more sophisticated attack cycles, and the growing risk of attacks targeting AI system themselves.
South Africa's Draft National AI Policy has been withdrawn after Minister Solly Malatsi confirmed that fictitious, likely AI-generated citations were included in the document without proper verification. The Minister called it "an unacceptable lapse" and noted that it "proves why vigilant human oversight over the use of artificial intelligence is critical."
"The withdrawal of the policy is an uncomfortable but instructive moment. A document designed to govern AI was undermined by ungoverned AI. That is precisely the risk organisations face every day, and precisely why building human oversight into AI systems is not optional,” says Lee, who has been watching the frontier AI threat landscape evolve in real time.
The policy setback does not change the underlying threat reality. According to Palo Alto Networks' own testing, advanced AI models with powerful cybersecurity capabilities are expected to become widely available within six months. Testing by hundreds of PANW security engineers confirmed that frontier AI models are highly effective at identifying system weaknesses and generating corresponding exploits. In less than three weeks, the same volume of vulnerability discovery was achieved that would typically take a full year of conventional security testing. Frontier AI can also combine several smaller weaknesses into a single devastating attack and find gaps in systems that traditional security tools would never catch.
The threat landscape is shifting on three fronts. Here is what SA organisations need to know:
The first is the vulnerability deluge. AI will dramatically accelerate the discovery of system weaknesses by both defenders and attackers. Every unpatched system becomes a known, targetable risk. Organisations need to find and fix vulnerabilities faster than ever before.
The second is inside-out attacks. Attackers are increasingly targeting AI tools and software supply chains to get inside an organisation's systems without triggering conventional defences. AI infrastructure is being deployed rapidly and is often not adequately secured.
The third is AI-driven attack cycles. Tasks that once took skilled attackers days to complete will soon take minutes. Organisations that cannot detect and respond to threats within those timeframes will be outpaced. Fast, AI-driven security operations are no longer a competitive advantage. They are a baseline requirement.
The policy will be rewritten. The threat will not wait.
"SA will get a better AI policy for this. A document built on verified, credible sources will be stronger than one that was not. But the organisations that use the rewrite process as a reason to pause their own security investment will find the threat landscape has moved on without them," concludes Lee.
