STARTUP SPOT | Our headlong rush for AI has surged past crucial security gates

Bohlale Buzani

Business columnist

Like the curate’s egg, the government’s new draft AI policy is good in parts — but it’s trying to hit a target that’s moving too fast. (123rf)

SA is rushing towards a more modern way of working as hybrid offices, cloud tools and artificial intelligence reshape how businesses operate, collaborate and grow.

For many employees, this shift has brought real relief. Less time commuting, lower costs and more flexibility have improved both financial wellbeing and quality of life.

But beneath that progress lies a quieter, more uncomfortable truth: the very systems making work more efficient also make businesses more vulnerable.

Hybrid work did not just change where people work. It changed what the workplace is. For many small businesses today, the office is no longer a physical space.

It exists in a browser, across dozens of applications, from banking platforms to customer systems and, increasingly, AI tools.

Employees log in from home, from cafes, from anywhere, often switching between multiple platforms in a single session.

This level of access and flexibility was never fully anticipated when these systems were designed. For many SMMEs, the cracks are beginning to show, and AI is accelerating this shift rapidly.

Tools like ChatGPT are being adopted at remarkable speed, often without clear policies or training. Staff use them to draft emails, analyse data and improve productivity.

In many cases, this means they feed these tools sensitive business information, including contracts, customer records and financial data.

This is what is now referred to as shadow AI. It is happening inside businesses every day, often without leadership being aware of it.

Data flows out of organisations, to be processed in systems they do not control, stored in ways they do not fully understand and exposed to risks they are unprepared for.

At the same time, cyber threats themselves are evolving.

Artificial intelligence is not only a tool for productivity; it is also a major boon for attackers.

Phishing emails that once relied on obvious red flags are now highly personalised, convincing and scalable.

Tasks that used to require time and expertise can now be automated.

The line between legitimate communication and malicious intent is becoming increasingly difficult to detect.

For years, businesses relied on human instinct as a final layer of defence. Employees would question unusual requests, verify instructions and flag inconsistencies.

That safety net is weakening. AI is making it easier to bypass human judgement, not strengthen it.

More concerning is that while businesses save money through hybrid work, many are not reinvesting those savings into cybersecurity.

Productivity is increasing and costs are decreasing, but in the background, risk is expanding.

And small businesses are the most exposed.

They are under pressure to stay competitive, adopt new tools quickly and operate efficiently, often without dedicated cybersecurity teams or the resources to monitor threats.

Yet they remain central to SA’s economic growth and job creation.

The fiasco associated with SA’s first draft AI policy framework document raises concerns beyond the obvious ones that led to several senior suspensions last month.

Parts of the framework itself have shown inconsistencies associated with AI-generated content, which points to a deeper issue.

If we are to regulate AI effectively, the process itself must reflect the standards of accuracy, accountability and human oversight we expect from its use.

Otherwise, we risk regulating a system we do not fully understand, using tools we have not yet properly governed.

More broadly, the framework leaves open questions around implementation, enforcement and the practical realities faced by small businesses.

Regulation without clarity risks adding pressure without reducing risk. What is needed now is not a slowdown in adoption, but a shift in approach.

*First, cybersecurity must be treated as a core business function. It cannot sit as an afterthought or a compliance exercise. Businesses need to build continuous monitoring practices, not rely on once-off audits. Even simple measures such as secure browsers, access controls and data policies can significantly reduce exposure.

*Second, there must be a stronger focus on awareness and internal discipline. Employees need clear guidelines on how AI tools can and cannot be used, especially when it comes to sensitive information. Shadow AI thrives in the absence of direction.

*Third, investment in skills is critical. The real gap is no longer access to technology, but the ability to use it responsibly and securely.

SMEs need practical, affordable support to build this capability, whether through industry partnerships, training programmes or shared services.

*Finally, policy must move with greater precision. Rather than broad, reactive regulation, there is a need for targeted guidance that helps businesses navigate real risks in real time.

Collaboration between government, industry and professional bodies will be key in making this practical.

SA stands at an important gateway. We are building a more flexible, more digital and more innovative economy.

But we are also building it on systems that are not yet fully secure. The conversation cannot only be about access, adoption and growth.

It must also be about protection, resilience and trust.

Because in the race to modernise how we work, we cannot afford to move faster than our ability to keep that system safe.

Buzani is a business consultant and youth empowerment advocate, as well as a founding member of an award-winning SME and Mdantsane entrepreneur network Kasi Konversations.

