Following the US government’s temporary export controls on Anthropic’s AI models in 2026, organisations face critical questions about legal risk and corporate governance when deploying artificial intelligence systems. This analysis examines how existing South African legislation and the King V governance framework create obligations for responsible AI procurement and deployment, even without AI-specific laws.
South AfricaCorporate/Commercial Law
To print this article, all you need is to be registered or login on Mondaq.com.
Article Insights
Priyanka Raath’s articles from ENS are most popular:
- in Africa
- in Africa
- within Immigration, Transport, Government and Public Sector topic(s)
In June 2026, the US government imposed export controls on Anthropic following concerns that its newly released Fable 5 and Mythos 5 models could present significant cybersecurity risks and that certain safeguards could potentially be bypassed. The restrictions required Anthropic to restrict access to the models by all foreign nationals (including those living in the US), effectively forcing Anthropic to suspend broad deployment of the models for all its customers globally. Following engagement between Anthropic and US government officials and a review of the company’s security measures, the US government lifted the restrictions on 30 June 2026, allowing Anthropic to begin restoring access to the models.
However, for organisations (and not just those that rely on US-headquartered AI providers), the incident raises important questions about legal risk, corporate governance and responsible Artificial Intelligence (“AI”) deployment, even in the absence of AI-specific legislation in South Africa.
Why organisations should be concerned
Historically, export controls have focused on the infrastructure underpinning advanced technologies, such as semiconductors, supply chains and manufacturing equipment that support the development of sophisticated systems. The Anthropic restrictions indicate a shift towards regulating access to AI capabilities themselves.
Although South Africa does not yet have AI-specific legislation, organisations are not operating in a regulatory vacuum. Existing legal frameworks – including the Protection of Personal Information Act, 2013 (“POPIA“), the Electronic Communications and Transactions Act, 2002, the Consumer Protection Act, 2008, and the Companies Act, 2008 (“Companies Act“) – all already impose obligations that intersect with AI deployment.
As AI becomes embedded in business-critical functions, organisations should consider not only technical and commercial factors, but also the legal risk that law and even foreign regulatory intervention could disrupt access to services on which they depend. Although alternative models may be available, the challenge is often the cost and complexity of transitioning between models.
The King V Report on Corporate Governance (2025), which succeeds King IV, reinforces the governing body’s responsibility to oversee technology and information governance as an integral component of organisational strategy. Principle 10 of King V specifically addresses the governance of technology, including artificial intelligence and requires the governing body to ensure that AI systems are deployed responsibly, with appropriate oversight mechanisms, transparency and accountability. Organisations that rely heavily on a single AI provider without documented governance and contingency frameworks risk falling short of these governance expectations.
AI Procurement as a legal and governance obligation
The increasing strategic importance of AI means that procurement decisions should be evaluated through a legal and governance risk management framework. Under the Companies Act, directors have a duty to exercise their powers with the degree of care, skill and diligence that may reasonably be expected of a person carrying out the same functions and having the general knowledge, skill and experience of that director. Failing to assess material technology concentration risks, including dependency on a single AI provider subject to foreign regulatory control, could constitute a breach of this duty.
In light of these obligations, boards and management should consider questions such as:
- How dependent are we on a single AI provider? Was any concentration risk disclosed to the board in accordance with King V’s technology governance requirements?
- Can critical workloads be migrated to another platform if necessary? How do we test that migration to ensure that we meet applicable sector-specific standards on business continuity (for example, financial institutions)?
- Do we have visibility into the jurisdictions that regulate our AI provider? How do any cross-border data transfer restrictions in our privacy laws apply to these providers?
- How quickly could we respond if access to a model was restricted or withdrawn? Do we have documented exit strategies as contemplated by King V and sector-specific standards (like banks under Guidance Note 5 of 2014 on material outsourcing arrangements)?
- Are there alternative providers capable of supporting our operational requirements? Does our AI governance framework (as recommended by King V) contemplate a multi-provider or model-agnostic architecture?
These questions are familiar in other areas of technology risk management, but they now carry heightened legal significance in the context of AI – particularly where the board’s oversight responsibilities under King V extend to the responsible deployment of AI systems.
Technology agreements are often negotiated on the assumption that services will remain continuously available. The Anthropic restrictions highlight the need for organisations to address the possibility that a provider may become legally unable to offer access to a particular model.
If you think of the principles underpinning the “standard” force majeure clause: a party’s performance may be excused where it becomes objectively impossible due to some intervening event. However, a US government restriction on a third-party AI provider is unlikely to constitute force majeure automatically. Organisations should ensure that they expressly make provision in the contract to bring government-imposed access restrictions within the scope of force majeure or regulatory change clauses.
Outside of force majeure and regulatory change clauses, this risk can be mitigated through other contractual provisions as well:
- Service continuity and model switching provisions: These should address circumstances in which regulatory developments (including foreign government action) affect access to the service and should oblige the provider to offer access to other equivalent models within defined timeframes.
- Data portability provisions: These should ensure that organisations can retrieve and transfer their data, configurations and outputs in a usable format. This is particularly important under POPIA, which requires responsible parties to maintain control over personal information processed by operators.
- Exit and transition assistance: These provisions should facilitate migration to alternative providers where continued access is no longer possible, including reasonable transition periods and data extraction support. For some regulated organisations, this might not be best practice but actually legally required – for example, financial institutions have such obligations under SARB and PA directives, guidance notes, and joint standards.
Whilst these provisions cannot eliminate regulatory risk, they can significantly improve an organisation’s ability to respond when that risk materialises. Critically, organisations should also ensure their contracts include properly structured termination rights triggered by prolonged service unavailability, rather than relying solely on breach-based termination which requires notice and an opportunity to remedy.
Responsible AI Governance under King V
King V’s technology governance principles require the governing body to:
- ensure adherence to the values of ethics, human centricity, accountability, transparency, explainability, security, privacy, fairness and trustworthiness in the deployment of AI systems;
- establish clear accountability for AI-related decisions, actions, outputs and outcomes – which includes subjecting the processes, data, models, algorithms, resources and tools to appropriate oversight;
- assess and monitor risks associated with AI, including vendor concentration risk, algorithmic bias, data quality and security vulnerabilities;
- establish governance structures that assign responsibility for AI-related decisions across the lifecycle, including procurement, deployment and decommissioning; and
- ensure that AI strategies are aligned with the organisation’s values, ethical standards and applicable legal obligations.
These principles are consistent with international best practice frameworks which emphasise transparency, accountability and resilience as core pillars of responsible AI governance.
Organisations should be proactively aligning their AI governance frameworks to these standards, both to manage risk and to position themselves favourably as regulation develops.
Building resilience in AI strategies
The Anthropic restrictions may signal an emerging global regulatory approach in which governments directly regulate access to frontier AI models rather than focusing solely on the infrastructure that supports them. While South Africa has not yet enacted AI-specific legislation, the existing legal architecture, comprising POPIA, the Companies Act, sector-specific regulation and the King V governance framework, already provides a robust basis for responsible AI governance.
Organisations that embed responsible AI governance practices now will not only be better positioned to comply with future AI regulation, but will also satisfy their current legal obligations and meet the growing expectations of investors, counterparties and regulators.
The content of this article is intended to provide a general guide
to the subject matter. Specialist advice should be sought about your
specific circumstances.
