Tags: AI Policy, POPIA, AI Governance, ChatGPT

AI Policy Gaps: What Most South African Organisations Are Missing

AI & POPIA · 5 min read · Published 2025-06-04

The pace of AI tool adoption has outstripped policy development in most South African organisations. In many workplaces, staff are using ChatGPT, Copilot and other AI tools with no formal guidance on what data they may or may not process. Because those tools are typically operated by third parties outside South Africa and may retain or train on what is entered, this is a significant and growing POPIA compliance exposure.

Gap 1: No Policy At All

The most common situation: no written AI acceptable use policy exists. Staff make their own judgements about what they can paste into AI tools. Without a policy, the organisation cannot enforce any standard, cannot discipline staff for misuse, and cannot demonstrate to the Information Regulator that it took the "appropriate, reasonable technical and organisational measures" that section 19 of POPIA requires of a responsible party.

Gap 2: A Generic Policy That Does Not Address AI

Many organisations have a general IT acceptable use policy that was written before AI tools existed. Adding a sentence like “use technology responsibly” does not create an enforceable AI governance framework. The policy must specifically address AI tools, data input restrictions, and the consequences of violations.

Gap 3: No Approved Tool List

A policy that prohibits "unauthorised AI tools" without specifying which tools are authorised is unenforceable. Staff need to know exactly which tools they may use and for what purposes. The approved list must distinguish between consumer tools (no client or personal data) and enterprise tools (with data processing agreements in place). "Enterprise" is a label, not a guarantee: before listing a tool in that tier, confirm in writing that the vendor does not use inputs for model training, where the data is stored and processed, and that the written operator contract required by section 21 of POPIA is in place. A consumer and an enterprise edition of the same product can differ on all three points.

Gap 4: No Data Input Restrictions

The heart of an AI governance policy is a clear statement of what data may not be input into AI tools. This must be explicit: “No client personal information, no employee records, no financial statements, no legal documents, no scanned ID documents.” Vague language creates ambiguity that staff will resolve in favour of convenience.

Gap 5: No Training on the Policy

A policy that no one has read provides no protection. All staff who use AI tools must be trained on the policy, must understand what it prohibits and why, and must acknowledge that they have read and understood it. This acknowledgement is the organisation's documentary evidence that it took reasonable steps.

Gap 6: No Monitoring or Enforcement

Policy without monitoring is theatre. Organisations should have at minimum a process for periodic review of AI tool usage on managed devices (for example, proxy or DNS logs, browser extension inventories and SaaS discovery reports checked against the approved tool list), a reporting mechanism for suspected violations, and a defined consequence for policy breach. Note that monitoring staff is itself processing of their personal information under POPIA: keep it proportionate to the risk, disclose it in the policy staff acknowledge, and restrict who may see the results.
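The periodic review described above can be largely automated. The following is an added example for this article, not code from the original page or from any product it mentions: it reads proxy log lines, matches the destination host against an approved-tool list split into consumer and enterprise tiers, and flags consumer-tool traffic plus unusually large uploads for a human to look at. The log format, the domain-to-tier mapping, the sample log lines and the 50 kB upload threshold are all constructed assumptions; substitute your own approved list and your proxy's real export format.

```python
"""Periodic review of AI-tool traffic on managed devices.

Added example for this article, not code from the original page. The proxy
log format, the domain-to-tier mapping and the log lines are constructed
for illustration; replace them with your own approved-tool list and logs.
"""
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Assumption: tiers mirror the policy's approved-tool list. "enterprise" means a
# data processing agreement is in place; "consumer" means no client or personal
# data may be entered. Hosts not listed here are ignored by this review.
TOOL_TIERS = {
    "chatgpt.com": ("ChatGPT (consumer)", "consumer"),
    "chat.openai.com": ("ChatGPT (consumer)", "consumer"),
    "claude.ai": ("Claude (consumer)", "consumer"),
    "gemini.google.com": ("Gemini (consumer)", "consumer"),
    "copilot.microsoft.com": ("Microsoft Copilot (enterprise)", "enterprise"),
}

# Constructed proxy log lines: timestamp user method url bytes_sent
SAMPLE_LOG = """\
2025-06-03T09:12:41Z a.nkosi POST https://chatgpt.com/backend-api/conversation 18234
2025-06-03T09:15:02Z a.nkosi POST https://copilot.microsoft.com/c/api/conversations 2210
2025-06-03T10:40:17Z t.vanwyk POST https://chat.openai.com/backend-api/files 734211
2025-06-03T11:02:55Z t.vanwyk GET https://www.google.com/search?q=popia 0
2025-06-03T11:30:09Z s.pillay POST https://copilot.microsoft.com/c/api/conversations 61870
2025-06-03T12:00:00Z malformed line
"""

# Assumption: an arbitrary size above which a request body is worth a human look,
# e.g. a pasted document or file upload rather than a short prompt.
UPLOAD_REVIEW_BYTES = 50_000


def classify_host(host):
    """Match a hostname, or any parent domain of it, to a known AI tool.

    Returns (tool_name, tier) or None. Walks from the full host towards the
    registrable domain so api.chatgpt.com matches the chatgpt.com entry.
    """
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        entry = TOOL_TIERS.get(".".join(labels[i:]))
        if entry:
            return entry
    return None


def parse_line(line):
    """Parse one whitespace-separated log line; return None for malformed lines."""
    fields = line.split()
    if len(fields) != 5:
        return None
    ts, user, method, url, sent = fields
    if not sent.isdigit():
        return None
    return {"ts": ts, "user": user, "method": method.upper(),
            "host": urlparse(url).hostname or "", "bytes_sent": int(sent)}


def review(log_text, upload_review_bytes=UPLOAD_REVIEW_BYTES):
    """Return a list of findings from the log, in log order.

    issue == "consumer_tool": traffic to a tool the policy bars from client or
        personal data (a policy question for the user's manager).
    issue == "large_upload": a POST above the size threshold to any listed tool,
        enterprise tier included, flagged for a human to check what was sent.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        match = classify_host(rec["host"])
        if match is None:
            continue
        tool, tier = match
        base = {"ts": rec["ts"], "user": rec["user"], "tool": tool, "tier": tier,
                "bytes_sent": rec["bytes_sent"]}
        if tier == "consumer":
            findings.append({**base, "issue": "consumer_tool"})
        if rec["method"] == "POST" and rec["bytes_sent"] >= upload_review_bytes:
            findings.append({**base, "issue": "large_upload"})
    return findings


def summarise(findings):
    """Count findings per user and issue type, e.g. {'t.vanwyk': Counter({...})}."""
    per_user = defaultdict(Counter)
    for f in findings:
        per_user[f["user"]][f["issue"]] += 1
    return dict(per_user)


if __name__ == "__main__":
    results = review(SAMPLE_LOG)
    for user, counts in sorted(summarise(results).items()):
        print(f"{user}: {dict(counts)}")
    for f in results:
        print(f"  {f['ts']} {f['user']} {f['issue']} {f['tool']} {f['bytes_sent']}B")
```

Two practical caveats. A proxy that does not inspect TLS sees only the hostname (from SNI) and the encrypted request size, so the URL path in the sample is optimistic and the byte count is a proxy for, not a record of, what was pasted; the finding is a prompt for a conversation, not proof of a breach. Secondly, the output is itself a record of employee personal information, so store it with the same access restrictions the policy promises staff.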

Gap 7: No Review Process

The AI tool landscape changes rapidly. A policy written today may be outdated within six months as new tools emerge and existing tools change their terms of service. Policies must be reviewed at least annually and updated when significant new tools are introduced or existing tools change their data handling practices.

What a Complete AI Policy Looks Like

A defensible AI acceptable use policy for a South African organisation must cover: purpose and scope, definitions of personal and confidential information, list of approved tools with permitted uses, prohibited inputs, training requirements, monitoring and enforcement, and a review schedule. It must be version-controlled, dated, and acknowledged by all covered staff.

Find out where your business stands on this risk.

ComplyBar helps businesses identify hidden risks in how information, AI tools, email, documents and cloud systems are used. A structured assessment gives management the visibility to know, not just assume.

Built for POPIA support, AI governance, data leak prevention, employee risk awareness, information governance and audit evidence.