AI Governance and Professional Liability for South African Law Firms

Posted 02 June 2026 Written by Acts Online
Category Communications & Digital Technologies

Brought to you by SA Legal Academy: Recent judgments in the High Courts of South Africa have solidified the non-delegable ethical and professional duties of legal practitioners when utilizing artificial intelligence (AI) tools, warning of severe disciplinary and financial consequences for unverified automated work product.

Judicial Precedent on AI Hallucinations

In the Pietermaritzburg High Court, the matter of Mavundla v MEC: Department of Co-Operative Government and Traditional Affairs KwaZulu-Natal (judgment delivered on 8 January 2025) exposed the severe consequences of unverified legal research. In this case, the applicant’s legal team submitted a supplementary notice of appeal citing fabricated case law authorities generated by ChatGPT. The court dismissed the application, ordered the law firm, Surendra Singh and Associates, to pay the costs of extra court appearances, and referred the practitioners to the Legal Practice Council (LPC) for investigation.

This warning was reinforced by the Johannesburg High Court in Northbound Processing (Pty) Ltd v South African Diamond and Precious Metals Regulator, where junior counsel submitted AI-generated hallucinations in their heads of argument. The court rejected the defense of commercial urgency, reiterating that legal practitioners have a non-delegable duty not to mislead the court through negligence, and referred the legal team to the LPC.

Statutory Frameworks: ECTA and POPIA

In the absence of a dedicated national AI act, firms must look to existing statutes of general application to govern automated technologies:

  • Electronic Communications and Transactions Act, No. 25 of 2002 (ECTA): Under section 1, AI systems may constitute “electronic agents”. Section 20 of ECTA dictates that an organization deploying an electronic agent is contractually bound by its actions, meaning a firm cannot void a transaction or settlement mistakenly agreed to by an automated system.
  • Protection of Personal Information Act, No. 4 of 2013 (POPIA): Law firms operate as “responsible parties” and AI vendors act as “operators” under section 1. Uploading confidential client information or litigation files into unvetted, consumer-grade AI platforms constitutes “processing” under POPIA, triggering strict statutory compliance and risking breaches of attorney-client privilege.

Policy Vacuum and Governance Controls

The regulatory landscape remains volatile following the withdrawal of the Draft National Artificial Intelligence Policy Framework on 26 April 2026. The draft, originally gazetted on 10 April 2026 by the Department of Communications and Digital Technologies, was withdrawn by Minister Solly Malatsi after it was discovered to contain fabricated academic citations and factual errors generated by AI tools.

To mitigate these risks, South African law firms must implement a formal AI governance framework containing five key controls:

  1. Standardize enterprise-grade tools: Document an internal policy distinguishing approved tools from prohibited, free consumer-grade platforms.
  2. Audit vendor practices: Conduct thorough data-handling audits of all software vendors before licensing.
  3. Enforce anonymisation: Scrub all personal information and unique identifying details before uploading data to any AI tool.
  4. Mandatory verification: Implement a strict protocol requiring qualified practitioners to manually verify every cited case and statute.
  5. Client transparency: Update letters of engagement and mandates to disclose how AI is utilized within the practice.

What this means for you, your business, or your clients

  • For yourself: You must manually verify every case citation, statute, and legal authority back to the original, official legal reporter before submitting any document to court or delivering it to a client.
  • For your business: Your firm must implement a formal AI governance policy, blacklist free consumer-grade AI tools, and update letters of engagement to include explicit AI disclosure clauses.
  • For your clients: Clients are protected against unauthorized data exposure and can remain assured that attorney-client privilege is preserved through strict POPIA-compliant operator agreements and data anonymisation.

Originally published at https://legalacademy.co.za/news/read/the-hallucinatory-reality-ai-governance-and-liability-for-south-african-law-firms

The views expressed herein are those of the author and do not necessarily reflect those of Acts Online. Acts Online accepts no responsibility for the accuracy, completeness or fairness of the article, nor does the information contained herein constitute advice, legal or otherwise.