The country is rapidly adopting AI, but the security frameworks needed to control the technology are not keeping up.

South Africa is now one of the most targeted countries on the continent for cybercrime, with regional police analysis warning of a continued increase in financially motivated attacks, including business email compromise and ransomware (1). The CSIR State of Cybersecurity Survey in South Africa, conducted in 2024/25, shows that the share of companies experiencing incidents is high and growing, alongside large gaps in basic controls and skills (2). At the same time, the National Security Strategy identifies cyber-related threats to critical infrastructure, financial stability and public services as a national risk, acknowledging that current governance and coordination mechanisms are not yet keeping pace with digital transformation (3). And yet, says Mandla Mbonambi, CEO of Africanology, the country is moving faster on AI adoption than on almost any other readiness metric. The tension between accelerating efficiency and lagging control is where the risk currently lies.

“AI is not waiting for governance to catch up,” he added. “Organizations are deploying it because the competitive pressure is real, but the security infrastructure to match that deployment often doesn't exist and attackers are exploiting that gap.”

The numbers support this concern. According to Cisco's 2025 Cybersecurity Readiness Index, based on a survey of 8,000 security and business leaders across 30 markets, only 4% of companies have achieved a mature level of readiness able to withstand modern cyberattacks (4). And 71% expect a cybersecurity incident to impact their business in the next 12-24 months. Cisco says most people are unprepared for these threats, as preparedness levels remain relatively stagnant while AI adoption and scale continue to grow.

The structural problem is that South Africa's cybersecurity posture has been audit-driven and reactive, with many companies relying on periodic testing models and fragmented tooling. These approaches are too slow for AI-accelerated attack cycles. Adoption of AI is outstripping the foundation needed to secure it, and companies are unprepared, especially on the key pillars of talent, data readiness, and the ability to control access to AI systems and datasets.

Infrastructure readiness is under equal strain: companies struggle to establish the scalability and flexibility needed to benefit from AI, and they lack confidence in the availability of computing resources to manage AI workloads. On top of that, security teams are concerned that AI is shrinking the time between vulnerability discovery and exploitation faster than companies can respond.

“Enterprise AI deployment is already outgrowing the framework needed to manage it securely, so companies are facing fragmented standards around data security, AI accountability, identity risk and incident response at a time when AI systems are expanding the attack surface,” says Mbonambi. “There are encouraging signs, however. It's not all doom and gloom of AI. Companies are investing in improving existing employees and allocating more budget to hiring talent, but they have a way to be adequately prepared for the threats AI is bringing to the table.”

This is the root of the problem. The threat landscape itself has changed as AI is reimagining security on both sides of the fence. AI-generated phishing is a rapidly growing attack vector because the technology allows attackers to craft highly personalized, grammatically accurate, contextually credible communications. These intelligent threats are essentially eliminating the red flags that employees were trained to detect.

“Ransomware operators are using machine learning to automate vulnerability identification, and this is reducing the time between initial compromise and full encryption, with ransom demands being tailored based on the financial profiling of the victim,” says Mbonambi. “Then there is the growing threat of shadow AI, where employees are using tools without policy guidance and uploading sensitive information to unsecured third-party platforms. This includes, but is not limited to, no board oversight, data classification policy or audit trail. This is not only risky for the entire business, but it also puts the company in a reputationally and financially compromised position. If there is a breach, it could face huge fines from the Information Regulator under POPIA.”

It is essential that companies find a way to create congruence between AI adoption and cybersecurity protections. As the costs for cybercriminals to conduct sophisticated and targeted campaigns are falling, the costs for companies to defend against them are also falling.

“Security,” Mbonambi concludes, “is a core business capability and needs to be built in from the start so that your business can afford less risk while moving faster towards AI adoption and innovation. South African organizations have the talent and intent; now all that is needed is urgency.”
