South Africa is going to build AI infrastructure. The policy direction is set, the ambition is real, and frankly, the ambition is correct. A nation serious about technological self-determination should be serious about where its data lives and who controls the compute it runs on.
This article proposes a balanced exploration.
What it is, is a question about the gap. The years between the policy commitment and breaking first ground. The period during which South African data, clinical records, financial intelligence, agricultural insight, legal research, continues to move through foreign systems while the infrastructure takes shape. That gap is by no means a failure of political will. It is simply what large infrastructure projects look like in practice. It deserves its own answer.
Meanwhile, I was in a home office in Johannesburg. Two cats. More plants than is strictly necessary. A side hustle that consists, almost entirely, of churning tokens twelve hours at a time – the new ‘token black’. Quietly building my POPIA-compliant, AI-powered clinical platform. Dr Scribble processes real patient audio. It generates real medical SOAP notes. It handles some of the most sensitive personal information the law recognises. It runs on Anthropic's Claude, OpenAI's Whisper, Supabase, Vercel, and AWS.
I did not lay a single brick. And what I built is, I hope, by every measurable legal and technical standard, sovereign, today.
Dr Scribble is not a critique of the infrastructure path. It is something more useful: a bridge that is already standing, pre-emptying South African’s data sovereignty path right now, while the exciting and imminent, longer build catches up.
What Our White Paper Gets Right
Hailed as the panacea in the pursuit of AI sovereignty, South Africa's National AI Policy Framework, published by the Department of Communications and Digital Technologies in August 2024, is prescient.
It ventilates real problems with precision. Imported algorithmic bias. Training data that reflects Global North realities applied to South African demographics and vernacular linguistic exclusion. The cultural and democratic risks of AI systems that do not know who we are, yet. Yes, the legitimate concern that sensitive national data, health records, identity databases, financial intelligence, sits on foreign servers subject to foreign law, are potentially real.
These are not invented anxieties. Instead, structural vulnerabilities that every nation building on foreign AI infrastructure ponders. The white paper is right to surface them.
It also, in a passage that deserves more attention than it has received, acknowledges that existing South African legislation already provides a mechanism for managing cross-border data transfers. POPIA's Section 72 allows data to flow to foreign jurisdictions provided the receiving party upholds protection substantially equivalent to POPIA's standards. The framework for contractual sovereignty already exists in our own law, thanks to the grounding oversight and depth of our very own Information Regulator.
The white paper's instinct toward infrastructure investment is also not wrong in principle, as sovereign compute capacity matters. The ability to run staggering workloads locally, to have domestic control over the physical layer of AI inference, is a legitimate long-term goal for any nation serious about technological self-determination.
Where I want to contribute is not to that destination. I want to talk about the bridge.
The Sequencing Gap
In my limited purview, here is the honest project management reality that our white paper addresses
Even a well-resourced public-private task team, working with honest urgency, is navigating a timeline that is simply the nature of infrastructure at this fantastic scale. It is worth mapping, by no means to dampen our ambition, but to understand the gap that could serve as a bridge, till we lay the first brick.
Years one and two: feasibility studies, procurement framework design, site selection, and environmental impact assessments. Power agreements with Eskom or independent producers begin in parallel, possible wheeling agreements and PPAs.
Years two and three: construction commences, and GPU cluster procurement opens. The NVIDIA waitlist for even medium-tier chip shipment, prolonged. Those clusters are subject to the United States AI Diffusion Framework, an export control regime governing advanced NVIDIA hardware. Navigating that framework as a non-preferred nation, may add meaningful time to any procurement timeline.
Years three to five: commissioning, hyperscaler partnership agreements, security certification, and the first meaningful workloads come online. Year five and beyond: genuine capacity at sovereign scale.
This timeline is just an armchair supposition. Large infrastructure projects of national significance take this long everywhere in the world. The question it raises is a practical one: what could South Africa's data sovereignty posture look like while that build progresses?
One could possibly be fully POPIA-compliant, architecturally sovereign, and operationally live on Anthropic, AWS af-south-1 in Cape Town, and Supabase in a matter of weeks.
That is not a challenge to the infrastructure commitment. I propose that this may run towards it. The bridge.
The Bridge That Already Exists
Let me share with you what this bridge may look like in practice.
Dr Scribble is a clinical AI scribe. A general practitioner records a consultation. The audio goes to OpenAI Whisper for transcription. That transcript goes to Claude, running on AWS Bedrock's af-south-1 region in Cape Town, for SOAP note generation. The output goes to Supabase in EU-West Ireland for storage. The GP receives the note. The patient owns their vault. Done.
At every step, the data is legally, contractually, transparently and architecturally controlled.
The AI calls are stateless. Design-by-amnesia, the default. Claude does not retain the transcript between sessions. Whisper does not store the audio. There is no learning from individual calls, no logging for model improvement, no retention. The AI is, by design, amnesiac. It processes. Then it forgets.
The API keys never touch the browser. All calls route through Vercel serverless functions, keeping credentials on the server side at all times. Patient records are isolated by Supabase Row Level Security policies scoped to each GP's authenticated user ID. Cross-access between patient records is architecturally impossible, not merely prohibited by policy. This, is Dr Scribble.
The cross-border storage in EU-West Ireland is covered by a POPIA Section 72 compliance position. Ireland operates under GDPR, which the SA Information Regulator accepts as providing substantially equivalent protection. The transfer is lawful. The Data Processing Agreement, acknowledged by every GP before platform access, documents the lawful basis, the purpose limitation, the processor relationship, and the data subject rights in full.
Most significantly: the AI inference, the moment where patient words become structured clinical intelligence, runs inside South African borders. On AWS Bedrock af-south-1. Cape Town. Full SA data sovereignty for the intelligence layer, achieved through a contractual and architectural decision. Not bricks, as yet.
As a registered Information Officer, I maintain a PAIA manual, a breach notification standard operating procedure, a data residency map, and a privacy policy on every page throughout Dr Scribble.
This is not a workaround. It is what the legislation, including the legislation the white paper itself cites, was designed to enable. The framework, the tools, and the legal instruments exist. The question is whether practitioners know how to use them.
What Fast-Track Sovereignty Actually Looks Like
A well-drafted DPA is not a replacement for local infrastructure. It is an operational sovereignty instrument available today, while we celebrate to path towards the infrastructure build.
Here is what it actually achieves, domain by domain.
On data residency: a DPA combined with deliberate cloud region selection achieves meaningful residency for the vast majority of commercial and professional workloads. AWS af-south-1 in Cape Town - Azure's Johannesburg region, also an option. The hyperscalers have already made commercial decisions to place hardware on South African soil. The question is whether local practitioners and policy experts know how to contractually bind them to specific cross-border data behaviour once that hardware is in use.
On purpose limitation: a well-drafted DPA prevents secondary use more reliably than proximity alone, because it is a legal instrument with cross-jurisdictional enforceability. A local data centre still requires identical contractual protections with every software vendor whose applications run inside it. The DPA is not avoided by building locally, it is required regardless.
On accountability: the Information Officer registration framework, the breach notification obligations, the PAIA manual requirements. These apply regardless of where data sits physically. Compliance is a governance question, not a provenance question.
On innovation speed: there is no comparison. A South African founder using Anthropic, Supabase, and Vercel, under a properly structured DPA, can ship a compliant AI product in weeks, underscored by the fact that the infrastructure path is still being baked.
Where the infrastructure argument wins is real and should be acknowledged plainly: classified state intelligence; national security systems; biometric identity databases; critical national infrastructure where foreign vendor access is itself the threat vector, not merely a risk to be mitigated.
For those categories, local sovereign infrastructure is the correct answer, and the white paper's instinct is critically sound - the DPA is not the right instrument for the national grid.
But those categories represent a fraction of South Africa's AI workload. The clinical platform. The agricultural intelligence system. The legal research tool. The financial advisory application. The SMME automation. For all of these, contractual sovereignty, properly architected, is available now.
Fast-track sovereignty is not a concession. It is what an ambitious nation does while it builds.
The Translation Opportunity
There is a gap worth naming, not to assign blame, but because closing it is where the most immediate progress is possible.
AI compliance architecture, the decisions that determine whether a product is genuinely sovereign or merely compliant on paper, sits at the intersection of law, infrastructure, and software. It is a narrow discipline. It requires someone who has read the AWS data processing addendum, understood Supabase's Row Level Security model, and also read POPIA's Section 72 with enough care to know which cloud regions qualify under its equivalency provision.
That combination of skills is, perhaps, rare in any sector. It is particularly rare in policy environments structured around legal and economic disciplines. This is not a criticism of those environments. It is simply an observation about where the translation work may need to happen.
What sovereignty looks like from inside a codebase, a region selector, a stateless API call, a DPA clause that binds a vendor to specific deletion timelines, is genuinely difficult to communicate to someone who has not tokenised it, relentlessly. But it can be communicated. That translation is, in fact, one of the most valuable things practitioners in this space can offer the policy process. It is also a translation mechanism. A way to get the people who have built sovereign AI products into the same room as the people who are designing the framework that governs them.
The Trinity and the Bridge
Against the backdrop of our data factory ambitions, I propose three things that could happen in parallel with the infrastructure build.
First: Imagine our Information Regulator publishing a standardised, publicly available, legally vetted DPA template for AI API deployments. One that any South African data controller, a GP, a school principal, a township entrepreneur, can download, adapt with minimal legal assistance, and deploy. This closes the distribution gap that academics and civil society advocates correctly identify. Not every data controller is a registered Information Officer who also wrote the platform, most are not. The idea bridges that gap without spending a Rand on compute.
Second: A public-private AI compliance working group should be established, drawing on practitioners who have actually built compliant AI products in South Africa, to develop sector-specific guidance. The SAAIA is one such entity already positioned to contribute. Healthcare. Legal services. Financial advice. Agricultural intelligence. Each sector has distinct risk profiles and distinct compliance architectures. Specific, practitioner-authored guidance is much needed.
Third: The infrastructure investment should be targeted. Not a general-purpose data centre competing commercially with hyperscalers that have already committed to South African soil. Instead, sovereign compute capacity for the specific workload categories where contractual sovereignty genuinely cannot reach: defence, national identity infrastructure, critical national systems. Allocate the billions where they cannot be substituted. Let the DPA do the work everywhere else.
I propose that these are the kinds of questions we could answer in months, not years, guided by existing frameworks, with practitioners who have built inside them available and willing.
The Person This Is Really About
On a Sunday afternoon in Soweto, a seventeen-year-old taught herself Python on her phone. The school computers are mostly broken. There is no laptop at home. But she found Claude Code a few months ago, and she told someone recently that it changed everything for her. She asks it questions about her code and it explains things in a way her textbook does not.
She read an article about South African AI sovereignty. She wrote down every word she did not recognise, from Inferences and Row Level Security to a stateless API, and looked each one up. It took her most of that Sunday.
What she said afterwards was this: She knows our data centre is imminent. She needs reliable electricity, a working device, and someone who explains things clearly. That is what would actually change her future.
The infrastructure build will not reach her for a while. The DPA framework, if properly codified, standardised, and taught as part of a national AI literacy programme, could reach her in a semester. She could be a registered Information Officer before she finishes her degree. She could build a compliant AI product before our sovereign data centre breaks ground.
This article is ultimately about her. The sequencing question is not abstract. It is the difference between a generation that inherits sovereignty and a generation that builds it.
She does not have a verdict on the policy. She just wanted someone to know she was reading.
The Question Worth Asking
If a developer in Johannesburg, working across Anthropic, OpenAI, Supabase, Vercel, and AWS, can build a POPIA-compliant, architecturally sovereign AI product without a single government rand or a single data centre, what does that tell us about what is possible right now, today, before we break ground?
It tells us the bridge exists. It tells us people are already crossing it.
South Africa does not have to choose between sovereignty now and infrastructure later. A well-drafted DPA is not the destination. It is the bridge. And the bridge is open. The bricks will come. Build them. We must celebrate them. Let’s not wait on the other side of the river until they are laid. The river is real. So is the bridge. The only question is whether we are willing to cross it before the racks fire up.