The Hallucinatory Reality: AI Governance and Liability for South African Law Firms

The grace period for blind technology adoption in the South African legal sector is officially over. For years, artificial intelligence has been treated as a futuristic efficiency driver, an abstract concept discussed at legal tech conferences, or a helpful assistant for draft preparation. Today, however, AI is no longer a passive tool. It is an active participant in our practice, and the South African judiciary has made it perfectly clear that if your firm uses it blindly, you are putting your professional license on the line.

The hard truth is that the technology is evolving at a pace that traditional risk models and regulatory frameworks struggle to match. As South African law firms face mounting commercial pressure to deliver faster, more cost-effective services, the temptation to integrate automated workflows is understandable. Yet, as recent landmark judgments and high-profile government failures demonstrate, the legal and ethical risks of unmanaged AI adoption are not theoretical. They are immediate, severe, and personally binding on legal practitioners.

The Landmark Precedents of Strict Legal Liability

In South Africa, the responsibility for any work product submitted to a court or delivered to a client remains solely with the instructing practitioner. Accountability cannot be delegated to an algorithm. The high courts have recently established clear precedents that treat the blind use of AI tools as a breach of professional and ethical duties.

Mavundla v MEC: The Cost of Unverified Research

In the Pietermaritzburg High Court, the matter of Mavundla v MEC: Department of Co-Operative Government and Traditional Affairs KwaZulu-Natal (judgment delivered on 8 January 2025) exposed the severe consequences of unverified legal research. In this case, the applicant's legal team submitted a supplementary notice of appeal that cited several case law authorities. Upon preparing his judgment, Judge Bezuidenhout discovered that most of these cited authorities did not exist in any legal database.

The court's investigation revealed that the research had been drafted by a candidate attorney who relied on ChatGPT, and the work was subsequently filed without being verified by either the instructing attorney or counsel. Judge Bezuidenhout went so far as to run live test prompts on ChatGPT during the proceedings, demonstrating how easily the tool hallucinates and invents non-existent cases when prompted. The court dismissed the application for leave to appeal, ordered the law firm, Surendra Singh and Associates, to pay the costs of extra court appearances, and referred the practitioners to the Legal Practice Council (LPC) for investigation. The court emphasized that when counsel cites an authority, they make a tacit representation to the court that the authority exists and is accurate.

Northbound Processing: The Rejection of the Urgency Shield

The warning was reinforced shortly thereafter by the Johannesburg High Court in Northbound Processing (Pty) Ltd v South African Diamond and Precious Metals Regulator. In this urgent application for interim relief, the applicant's heads of argument included fabricated case citations generated by an AI tool. When the fictitious citations were flagged, junior counsel initially blamed a drafting mix-up and submitted a corrected version, which still contained errors.

Eventually, counsel admitted that the references were AI-generated hallucinations, apologized to the court, and argued that the mistake was unintentional, driven by the extreme urgency of the application, and resulted in no prejudice to the other parties. The Johannesburg High Court rejected this apology as a shield. The acting judge reiterated that legal practitioners have a trite, non-delegable duty not to mislead the court, whether by intent or negligence. The court referred the conduct of the legal team to the LPC for disciplinary investigation, establishing that commercial urgency or time pressure does not excuse a practitioner from their fundamental professional duties of verification and diligence.

The Compliance Limbo: POPIA, ECTA, and the Failed April 2026 Policy

Compounding these judicial warnings is a highly fragmented and volatile regulatory landscape. Many firm leaders are waiting for a comprehensive national guideline on artificial intelligence. However, relying on a unified state framework is currently a fool's errand.

The stark reality of South Africa's AI policy development was laid bare in April 2026. On 10 April 2026, the Department of Communications and Digital Technologies gazetted the highly anticipated Draft National Artificial Intelligence Policy Framework for public comment. The draft was intended to unify national thinking on AI governance, data privacy, and ethical standards across both the public and private sectors.

However, the framework became the victim of the exact phenomenon it aimed to regulate. Within weeks, academic researchers and investigative journalists exposed a series of fabricated academic citations and blatant factual errors embedded directly in the gazetted document. The "National AI Policy" had itself been drafted using unverified generative AI tools. On 26 April 2026, the Minister of Communications and Digital Technologies, Solly Malatsi, officially withdrew the draft framework in embarrassment, suspending the officials responsible.

This historical policy failure leaves South African law firms in regulatory limbo. Without a dedicated national AI act, firms must look to existing statutes of general application to govern their use of automated technologies.

The Electronic Communications and Transactions Act (ECTA)

Promulgated in 2002, ECTA remains highly relevant in an automated legal environment. Section 1 of ECTA defines an "electronic agent" as a computer program or automated means used to independently initiate an action or respond to data messages. Under Section 20 of ECTA, an organization that deploys an electronic agent is presumed to be bound by its actions, even if no human reviewed the specific transaction.

If your firm implements an AI email workflow that automatically drafts and sends replies to clients, or a chatbot that proposes contract terms, those systems may legally constitute electronic agents. If the AI agent incorrectly accepts a settlement offer or waives a contractual right, ECTA holds your firm contractually bound to that outcome. The law does not allow you to void a transaction simply because your technology made an error.

The Protection of Personal Information Act (POPIA)

Every law firm is a "responsible party" under POPIA, and any AI vendor you use acts as an "operator" under Section 1. The moment you upload client documents, email correspondence, or litigation files into an AI tool, you are "processing" personal information. This triggers strict statutory conditions that most firms are currently failing to meet:

  • Operator Agreements: Section 21 of POPIA requires a written contract between the responsible party and the operator. The operator must establish and maintain the security safeguards prescribed in Section 19. Ticking a box on a standard online software agreement for an overseas AI tool does not satisfy this requirement.
  • The Cross-Border Block: Most commercial AI models operate on servers located in the United States or the European Union. Section 72 of POPIA strictly regulates the transfer of personal information outside South Africa. You cannot lawfully send client data across borders unless you have obtained explicit client consent, or can prove that the recipient country has data protection laws substantially similar to POPIA, backed by binding corporate rules or data transfer agreements. If you do not know exactly where your AI vendor stores and processes data, your firm is exposed to severe compliance penalties.

The Dual Threat to Client Confidentiality and Legal Privilege

Beyond statutory data privacy lies the cornerstone of the legal profession: attorney-client privilege and the ethical duty of confidentiality. While POPIA protects personal data, legal privilege protects the entire exchange of information between a client and their legal advisor. This protective layer is at extreme risk when consumer-grade AI tools are integrated into daily workflows.

Most free, consumer-grade AI platforms use input data—including the prompts you write and the files you upload—to train and improve their machine learning models. If you paste a client's draft agreement, a confidential witness statement, or a sensitive commercial strategy into a free AI tool to summarize it, you have effectively shared that information with an unvetted third party.

This act has devastating legal consequences:

  1. Waiver of Privilege: For legal privilege to apply, the communication must be made in confidence. Uploading privileged documents to a public cloud or a shared machine learning model can be legally construed as a waiver of privilege. Once privilege is waived, those documents may become discoverable by opposing parties in litigation.
  2. Sub-Processor Exposure: Enterprise and consumer software providers routinely use third-party sub-processors to review data for quality control and system performance. If your AI vendor exposes client data to unvetted sub-processors without a binding non-disclosure agreement, your firm has committed a direct breach of its fiduciary duties.
  3. High-Risk Practice Areas: While all legal work is vulnerable, certain practices are at extreme risk of devastating data leaks:
      • Mergers and Acquisitions (M&A): Uploading target company data or deal structures to an AI tool before public announcement can lead to market leaks and insider trading investigations.
      • Family and Criminal Law: Processing highly sensitive personal testimonies, financial disclosures, or evidence files through unauthorized AI systems can result in irreparable reputational and psychological harm to vulnerable clients.

Implementing a Robust AI Governance Framework

To protect your clients, your firm's reputation, and your professional license, you must move away from ad-hoc AI usage. Every South African law firm must implement a formal AI governance framework.

This framework must be established and enforced by the firm's leadership, including the designated Information Officer and Chief Technology Officer, and must include five key actionable controls:

1. Establish an Approved AI Policy

Document an internal policy that clearly distinguishes between approved and prohibited tools. Standardize enterprise-grade tools across the firm and blacklist all free, consumer-grade platforms. Specify permitted use cases, such as contract comparison and document summarization, while explicitly forbidding the use of AI for raw legal research without direct source-document verification.

2. Conduct Strict Vendor Due Diligence

Before purchasing any software license, conduct a thorough audit of the vendor's data handling practices. You must obtain written answers to three non-negotiable questions:

  • How is our data used? The vendor must contractually agree that our data and prompts will not be used to train their models.
  • Where is the data stored? Identify the physical server locations to ensure compliance with POPIA's cross-border transfer rules.
  • What security protocols are in place? Ensure the vendor provides enterprise-grade encryption and access controls.

3. Mandate Data De-identification

Even when using approved, secure enterprise tools, implement a strict rule of anonymisation. Before uploading any contract, pleading, or email for analysis, professional and administrative staff must scrub all personal information, company names, and unique identifying details. Treat the AI prompt window as a public forum unless a binding, vetted operator agreement is active.

4. Enforce Human-in-the-Loop (HITL) Verification

Establish a mandatory verification protocol for all work product. No AI-generated draft, summary, or research note may be sent to a client or submitted to a court without independent, manual verification by a qualified legal practitioner. Practitioners must check every cited case, statute, and regulation back to the original, recognized legal reporter.

5. Secure Client Disclosure and Informed Consent

Do not hide your use of technology in the fine print. Build client trust through absolute transparency. Update your letters of engagement, written mandates, and terms of business to include a clear AI disclosure. This disclosure must explain:

  • Which automated tools your firm uses.
  • The specific tasks those tools perform (e.g., document review, administrative summaries).
  • The technical and organizational safeguards in place to protect client confidentiality.
  • An explicit option for the client to opt out of AI assistance, requiring their matter to be handled through traditional methods at an adjusted fee structure.

Adapt or Atrophy

Artificial intelligence is not a passing trend, nor is it a threat that can be ignored. It represents a fundamental shift in the practice of law. The firms that succeed in this new digital era will not be those that reject automation, but those that manage it with rigorous professional discipline and absolute ethical clarity.

The high courts have shown that they will not tolerate negligence disguised as technological progress. A single unverified citation can lead to a disciplinary referral, severe reputational damage, and civil liability. In legal practice, the human mind remains the ultimate custodian of justice. Use the tools to eliminate administrative bottlenecks, manage your inbox, and streamline your due diligence, but never let an algorithm replace your professional judgment.

Master the Risks of Digital Practice

To successfully implement these safeguards and protect your firm from liability, you need a deep, practical understanding of legal risk management and compliance.

Don't wait for a costly mistake to force your hand. Register for the SA Legal Academy's comprehensive, expert-led training on AI risk management, POPIA compliance, and legal project management.

Learn how to audit your firm's data flows, draft watertight AI policies, and build resilient, tech-enabled workflows that protect your clients and your professional standing.

Secure your practice and register today: AI Governance and Risk for SA Law Firms

About the SA Legal Academy (SALA)

The SA Legal Academy (SALA) provides authoritative, practice-oriented legal education across a full spectrum of learning solutions. Whether you are seeking targeted short courses or accredited training, SALA equips attorneys, advocates, candidate attorneys, and corporate legal officers with the tools to succeed. Explore our expert-led resources at legalacademy.co.za.
