Governance for Whom?
Every AI governance framework currently being imported into African markets was designed to answer the same question: how does the institution protect itself? Security audits, access controls, policy rewrites, compliance reviews. The institution is the protagonist, the AI is the risk to manage, and governance is the mechanism by which the institution stays whole.
That is not the shape of the risk in African markets. And designing governance as though it is would be the second mistake, after the first one of designing nothing at all.
The shadow AI crisis documented inside Fortune 50 enterprises is, at its core, a problem of unauthorized capability. Employees deploying tools their institutions had not sanctioned, at speeds their compliance teams could not track. The response, when it came, was internal: security audits, access controls, policy rewrites. The people harmed by the gap were, mostly, the institutions themselves. That is the frame currently being exported as best practice.
Here is what changes when you shift the lens from enterprise security to inclusion. When an AI agent handles customer onboarding for a bank in Kampala or a microfinance platform in Accra, the people most exposed to its behavior are not the institution’s compliance team. They are the borrowers — often women, often operating in the informal economy, often without the literacy or the institutional access to contest a decision the system made about them. A voice agent that quietly redefines a fee waiver is a governance failure for the institution. For the borrower, it may be something more concrete: a loan they did not get, a penalty they could not explain, a door that closed without a reason they could challenge.
This is the specificity that matters for African AI governance, and it is largely absent from the frameworks currently being imported.
South Africa’s Buddy Learning launched BuddyAI this week — a multilingual AI tutor running on WhatsApp, designed for learners without smartphone access. The signal is significant, and not only for the obvious reason. WhatsApp-based deployment is a design choice that reflects a real constraint: in most of sub-Saharan Africa, smartphone penetration is still well below 50%, and data costs make app-based services a quiet exclusion mechanism for the populations they nominally serve. Building on WhatsApp is how you reach the learner in a rural secondary school in KwaZulu-Natal, not just the one in Cape Town with a data bundle.
But the governance question follows the design choice. When an AI system is making pedagogical decisions — deciding what a learner knows, what she needs next, whether she is ready to move forward — those decisions have consequences. For a learner who has no other access to tutoring, no fallback teacher, no parent who can contest the system’s read of her progress, the stakes of a miscalibrated model are not abstract. Governance that only asks “is the system secure?” misses the more important question: “is the system accountable to the person it is serving?”
Fin (formerly Intercom) launched Operator, represents the next phase of the enterprise AI stack: an AI agent designed specifically to manage other AI agents. Multi-agent orchestration, as it is being called, is where the Fortune 50 is heading. The governance complexity compounds at each layer — an agent managing agents creates decision chains where accountability diffuses across the system and the human oversight point becomes harder to locate. For institutions with deep compliance infrastructure, extensive testing environments, and legal teams who understand what they are looking at, this is a hard problem. For most African institutions, it is a problem they are not yet equipped to name, let alone solve.
Which is precisely why the governance frameworks that African regulators and boards design now need to be built around a different set of starting assumptions. Not “how do we prevent unauthorized deployment” — that is the Fortune 50 problem. The African version is: “how do we ensure that the people most affected by these systems have meaningful recourse when the systems fail them?”
That is a harder question. It requires thinking about AI governance as consumer protection, not just institutional security. It requires asking whether a borrower in Nairobi who was denied credit by an AI model has any practical ability to understand why, challenge the decision, or reach a human who can review it. It requires asking whether a student in Lagos whose AI tutor has been making systematic errors in her language instruction has any way of knowing. These are not hypothetical edge cases. They are the predictable failure modes of systems deployed at scale to populations with limited alternatives and limited institutional power.
The OpenAI–Malta partnership offering ChatGPT Plus to the country’s entire population is being framed as a template for national AI deployment. It deserves more scrutiny than that. Malta has a population of roughly 500,000, per-capita GDP above $30,000, and a functioning digital infrastructure. The governance scaffolding required to roll out ChatGPT Plus nationally in that context is meaningful but manageable. Transposing that logic to a country of 50 million with fragmented connectivity, dozens of official languages, and a majority population outside formal financial systems is not a scaling exercise — it is a different design problem entirely. The deployment model does not transfer. Neither does the governance model.
African institutions are not behind on AI governance because they are slow. Many are behind because the frameworks being offered were not designed with their populations in mind, and the cost of adopting them uncritically is paid by the people least able to absorb it.
Governance that treats security and compliance as the primary frame will produce institutions that are protected. Governance that treats accountability to end users as the primary frame will produce institutions that are trusted. In markets where trust is the actual scarce resource, that is the more durable position.
Whether African enterprises are governed well is one question. Whether the people they serve are protected at all is the harder one — and it is the one worth designing toward.
What I’m Watching
1. WhatsApp is not a workaround — it is the architecture — Disrupt Africa →
Buddy Learning’s BuddyAI is being covered as an access story. It is also a governance story. When an AI system makes pedagogical decisions for learners who have no other tutoring option — no fallback teacher, no parent with institutional leverage — the design choice and the accountability question are the same choice. Building on WhatsApp is how you reach the student in a rural KwaZulu-Natal secondary school rather than the one in Cape Town with a data bundle. But it also means the system’s failure modes land hardest on the learner with the least ability to contest them. The question BuddyAI’s launch actually raises is not whether WhatsApp-based AI can scale. It is whether the governance model scales with it.
2. Malta is a proof of concept for 500,000 people — not for 50 million — OpenAI Blog →
The OpenAI–Malta partnership is being framed as a template for national AI deployment. It deserves more scrutiny than that. Malta has a population of roughly 500,000, per-capita GDP above $30,000, and functioning digital infrastructure. The governance scaffolding required to roll out ChatGPT Plus nationally in that context is real but bounded. Transposing that logic to a country of 50 million with fragmented connectivity, dozens of official languages, and a majority population outside formal financial systems is not a scaling exercise — it is a different design problem entirely. The deployment model does not transfer. The lesson worth extracting is narrower: national AI access programs require governance frameworks built around the populations they actually serve, not the ones it is easiest to serve first.
3. Multi-agent orchestration is where accountability goes to disappear — VentureBeat →
Intercom’s Fin Operator — an AI agent designed to manage other AI agents — signals where the enterprise AI stack is heading. The governance complexity does not add linearly at each layer; it compounds. When an agent is coordinating agents, the decision chain lengthens, the human oversight point becomes harder to locate, and the question of who is responsible for a failure becomes genuinely difficult to answer. For institutions with deep compliance infrastructure and legal teams who understand what they are looking at, this is a hard problem. For most African institutions that are still building the baseline, it is a problem they are not yet equipped to name. The time to build the accountability framework is before the orchestration layer arrives — not after it is already handling customer decisions at scale.
A Reflection
There is a version of the AI sovereignty conversation that stays comfortable — the one where we talk about data localization policies, compute infrastructure, and regional model development. These are real levers. But lately what I keep noticing is how rarely the sovereignty conversation and the inclusion conversation happen in the same room.
They get treated as separate projects. Sovereignty is for the technologists and the policymakers. Inclusion is for the development sector. And that separation, I think, is where something important gets lost.
Because if sovereignty means African institutions controlling how AI is built and deployed on the continent, then the question of who those institutions are accountable to is not a downstream concern — it is the whole point. A sovereign AI ecosystem that concentrates its benefits among the already-connected, the already-banked, the already-urban is not a different outcome from one designed elsewhere. It is the same extraction with a different flag on it.
What this signals to me is that inclusion cannot be an add-on to the sovereignty agenda. It has to be the test of whether sovereignty is real. Are the models being built in African languages, or only in the ones with the largest middle-class markets? Are the interfaces designed for low-literacy users, or assumed literate? Are the gains flowing to smallholder farmers and informal traders, or accumulating at the top of the same value chains that already concentrate wealth?
I do not think the people building African AI are indifferent to these questions. I think the pressure to prove viability — to show traction, to close funding, to hit the metrics that make the next round possible — narrows the aperture. You build for who can pay first.
That is a rational response to an irrational funding environment. But it is worth naming clearly: a sovereignty project that defers inclusion is making a choice, not running out of time.
One Question
If you are building or deploying an AI-facing product in an African market right now — what does your recourse mechanism actually look like for the end user when the system gets it wrong, and have you tested whether that person could realistically use it?