Artificial intelligence isn’t coming for risk management, it’s already here, sitting quietly inside your spreadsheets, dashboards and audit trails. The question is no longer if it will shape your GRC strategy, but how, and whether it will make your organisation smarter or more exposed.
The Promise: AI as a Risk Radar
In theory, AI should be a dream for GRC teams. It can process vast amounts of data, detect anomalies before humans notice them and flag compliance gaps in seconds. Imagine an audit system that never sleeps or an early warning system for emerging risks.
Globally, banks and insurers are already using AI-driven models to predict fraud, detect insider threats and automate risk reporting. Locally, South Africa’s big four banks are experimenting with AI tools for credit and compliance risk. That’s not the future. It’s happening now.
The Problem: Garbage In, Risk Out
But here’s the catch. AI doesn’t think. It calculates. And those calculations are only as good as the data and prompts we feed it. ‘Garbage in, garbage out’ is not a cliché, it’s a governance warning label. If the input data is incomplete, biased or outdated, the output can be misleading at best and catastrophic at worst.
That’s why ‘prompt engineering’, the art of asking the right questions, is becoming a compliance issue in itself. AI doesn’t generate truth, it generates probability. And that makes the human behind the keyboard more important than ever.
When AI Goes Wrong
South Africa has already had its share of close calls. Old Mutual has reported cases where AI-enabled tools have been used to perpetrate insurance fraud. Old Mutual have since enhanced their fraud detection to counteract this risk.
Even regulated professions aren’t immune to AI hallucinations. In 2025, attorneys in the Mavundla vs MEC Department of Co‑Operative Government & Traditional Affairs case submitted appeal papers citing several non-existent cases, likely generated by an AI tool. The judges struck out the fake citations, ordered cost consequences and referred the matter to the Legal Practice Council.
Finally, there’s a broader trend: adversarial attacks on AI systems, where inputs are subtly manipulated to fool models. These are being flagged as a growing threat to underwriting and claims processes. AI can amplify risk faster than traditional systems, which makes governance, oversight and auditing more critical than ever.
The GRC Opportunity
For GRC professionals, the opportunity lies in turning AI from a liability into a line of defence. That means building AI literacy across teams, understanding data lineage and stress-testing AI outputs with the same rigour applied to any third-party system.
It also means developing clear policies for AI use, from prompt guidelines to audit trails of how AI-generated content or insights were produced. AI shouldn’t replace professional judgment. Rather, it should sharpen it.
Why AI Needs GRC, Not Excuses
AI can help South African organisations predict and prevent risk but only if they govern it as carefully as they deploy it. It’s not just another system to plug in. AI is a mirror reflecting how well we manage data, ethics and decision-making. The pressing question for governing bodies in South Africa isn’t what AI can do, but what happens when it goes wrong and who is accountable?