The eight AI-specific contract dimensions
Training-data provenance
Lawful collection, licensing of training data, OSS-license compliance, third-party-IP audits, and warranties to enterprise customers about training-set legitimacy.
Output IP allocation
Who owns model outputs — the customer, the user, the AI provider? Standard practice: customer owns inputs and outputs; vendor retains the model. Customisation and fine-tuning add nuance.
Customer-data training prohibition
Express prohibitions on using customer prompts and outputs to train the general model without consent. Critical for enterprise sales — most enterprise customers will not sign without it.
POPIA s 71 automated decisions
Where AI affects natural persons with legal or significant consequences (credit, employment, insurance), POPIA section 71 restrictions apply. Safeguards include the right to make representations.
Hallucination + accuracy disclaimers
Express disclosure that AI outputs may be inaccurate; customer obligations to verify before relying in regulated contexts (legal, medical, financial advice). Mavundla / Northbound 2025 SA case-law shows the litigation risk.
Output indemnification
Vendor indemnification against third-party IP claims arising from outputs. The most contested AI-contract clause. Leading vendors now offer it; carve-outs (customer customisation, fine-tuning) matter.
Bias + fairness commitments
Bias-testing methodology, fairness evaluation, and notification of material findings. Increasingly required by enterprise buyers and regulators in financial services and HR contexts.
Model versioning + deprecation
Defined notice periods for model changes affecting customer workflows. Critical for production deployments where output drift would break downstream systems.
Frequently asked
Is artificial intelligence regulated in South Africa?
Not by a dedicated AI statute. POPIA section 71 restricts automated decision-making affecting natural persons; the Consumer Protection Act prohibits unfair algorithmic practices; the Copyright Act raises unresolved questions about AI-generated works. The National AI Policy Framework (DCDT) sets policy direction without creating direct private-sector obligations. Sector regulators (FSCA, SARB) increasingly demand AI-governance frameworks for AI used in regulated activities.
What contracts does a SA AI / ML company need?
Production stack: master subscription agreement, order form template, AI-specific data processing addendum (training-data warranties + output-IP allocation), model service-level commitments, hallucination disclaimers, output indemnification framework, model deprecation policy. From R30,000 for the full stack.
Can a SA AI company use customer data to improve its model?
Only with explicit contractual permission. POPIA default: data processed by an operator (the AI vendor) may only be used for the purposes the responsible party (the customer) has authorised. Using customer data for AI training is a separate processing purpose requiring (i) the customer's explicit instruction or consent, or (ii) effective anonymisation that removes the data from POPIA's scope. Effective anonymisation in modern ML is harder than vendors often assume.
What is the South African case law on AI hallucinations?
Two notable 2025 cases: Mavundla and Northbound Logistics. In both, SA courts referred legal practitioners to the Legal Practice Council after AI-fabricated case citations appeared in court papers. The cases establish that the user of AI-generated content remains professionally responsible for verification — courts will not accept "the AI made it up" as a defence. Implications extend beyond legal practice to any regulated context where AI outputs are used in formal proceedings.
How do we handle AI-vendor risk in our enterprise procurement?
A structured AI vendor-assessment framework: (i) training-data provenance review; (ii) model-evaluation methodology audit; (iii) hallucination and accuracy benchmarks; (iv) bias-testing reports; (v) POPIA s 71 compliance assessment; (vi) output indemnification structure review; (vii) versioning and deprecation policy review; (viii) data-handling and customer-data-training prohibitions. Most enterprise procurement teams now require this assessment before engaging an AI vendor.
What does an AI-governance retainer cost?
For SA AI/ML companies needing ongoing contract review, regulator engagement, and vendor-assessment support: R10,000–R20,000/month. Includes 8–12 hours of advice, full review of new vendor contracts, board AI-governance support, and Information Regulator interaction where needed.