King V Code enhances principles regarding AI Governance and Cyber Risks in South Africa
Insight Article, Monday, 10 November 2025
The King V Code on Corporate Governance (King V) in South Africa was published by the Institute of Directors in South Africa (IoDSA) and the King Committee of South Africa on 31 October 2025. It supersedes King IV and is effective for financial years beginning on or after 1 January 2026, with early adoption encouraged.
Introduction
The publication of King V underscores the commitment of the IoDSA to keeping corporate governance standards relevant and effective. It aligns with amendments to the Companies Act 71 of 2008, evolving remuneration practices, advancements in sustainability reporting, and the dynamic progression of technology.
Unlike King IV, which contained 17 principles, King V has been streamlined to allow for 13 principles and recommended practices.
A Disclosure Template now accompanies the Code, outlining the form and content for disclosure on the application of principles and explanation of practices. The governing body must approve the content of the Disclosure Template. The purpose of the Disclosure Template is to provide transparency for both the organisation itself and external parties such as industry regulators.
Principles for Data, Information and Technology
King IV laid the groundwork for governance in a digital context by:
- Being cognisant of the reality of technological advancements and the associated opportunities and risks.
- Recognising the overlap between and strategic importance of technology and information.
- Encouraging the integration of these into risk and strategy discussions and frameworks.
While King IV recognised technological advancement and what it acknowledged as the “dawn of a Fourth Industrial Revolution”, it did not go into detail regarding emerging technologies and machine learning. 1
King V builds on the groundwork laid by King IV regarding data, information and technology governance. Principle 10 provides that the governing body governs data, information and technology in a way that enables the organisation to sustain and optimise its strategy and objectives.
Principle 10 goes on to provide for two recommended practices:
- Data and information
- Technology
The recommended practices offer concrete actions and processes to be carried out in support of the principle. Along with the governance outcomes and the principles, the recommended practices form the third building block of King V.
Data and information:
This recommended practice requires the governing body to provide the strategic direction and to be accountable for the effective, compliant and ethical management and control (including acquisition, creation, use, dissemination and disposal) of data and information.
The governing body may in its discretion delegate its information-related responsibilities to the committee responsible for risk governance or to another committee, as is appropriate for the organisation.
The governing body should also consider and approve policies, standards and frameworks that give effect to its direction on the management and control of data and information governance.
In respect of oversight and monitoring, the governing body should, inter alia, ensure:
- The structuring of the organisation’s data resources and information assets to optimise the management and control (including acquisition, creation, use, dissemination and disposal) of data and information throughout their lifecycle.
- Ethical and responsible management and control (including acquisition, creation, use, dissemination and disposal) of data resources and information assets.
- Compliance with laws and regulations.
- As regards sensitive data and information, identification and classification of the organisation’s data resources and information assets to enable effective management and control (including acquisition, creation, use, dissemination and disposal) thereof.
- Information security and data protection which safeguard the confidentiality, integrity and availability of data and information.
- The protection of privacy of personal data and information.
- Adherence to quality requirements for data and information.
- Effective management of the risks associated with the management and control (including acquisition, creation, use, dissemination and disposal) of data and information when using outsourced services, suppliers and third parties, including across jurisdictions.
Technology:
This recommended practice requires the governing body to provide the strategic direction and to be accountable for the effective, compliant and ethical acquisition, development, use and distribution of technology within and by the organisation.
The governing body should also consider and approve policies, standards and frameworks that give effect to its direction on the acquisition, development, use and distribution of technology products and services within and by the organisation.
In respect of oversight and monitoring, the governing body should, inter alia, ensure:
- Arrangements for organisational resilience and disaster recovery planning and testing.
- Effective cyber security strategies and practices to protect technology assets, resources, products and services.
- Effective management of the risks associated with the acquisition and utilisation of outsourced technologies and services, including having minimum requirements for assurance to be provided by the service provider with respect to the effectiveness of the controls over significant risks.
The governing body should also oversee that the organisation’s acquisition, development, use and distribution of emerging, innovative and disruptive technologies result in, inter alia:
- The assessment, evaluation and responses to the risks and opportunities associated with emerging, innovative and disruptive technologies to ensure the alignment of current risk exposures with established risk appetite and tolerance levels.
- With respect to artificial intelligence:
  - Adherence to the values of ethics, human centricity, accountability, transparency, explainability, security, privacy, fairness and trustworthiness.
  - Clear accountability for designs, actions, outputs and outcomes – which includes subjecting the processes, data, models, algorithms, resources and tools used in the development, implementation, monitoring and management of automated technologies to human oversight and override mechanisms that are commensurate with the level of risk to the organisation and its stakeholders.
Conclusion
The publication of King V is timely given the rapid development and widespread use of emerging and disruptive technologies, including artificial intelligence.
According to the IoDSA, governing bodies must in today’s operating environment also be technologically literate, and not just financially literate.
It remains to be seen how South Africa will regulate the use of artificial intelligence, and whether we will follow the European Union approach by adopting a comprehensive Artificial Intelligence Act and regulatory framework, as has been suggested in the South African National Artificial Intelligence Policy Framework. 2
King V also recognises the evolving nature of the cyber risk landscape, and the changing tactics threat actors use to access valuable company data. Globally, recent cyberattacks involving high-profile organisations such as M&S, Harrods, and Jaguar Land Rover highlight the massive impact and threat of supply chain disruption. King V provides important guidance on managing these risks.
Although voluntary, King V will supplement existing legal and regulatory frameworks such as the Protection of Personal Information Act 2013 and regulatory guidelines like the Joint Standard 2 of 2024 issued by the Financial Sector Conduct Authority and the Prudential Authority regarding Cybersecurity and Cyber Resilience Requirements.
We encourage organisations and their boards to review King V, evaluate its practical impact and take the relevant steps to align their governance practices.
Please reach out to our team should you have any questions regarding King V and/or if you require any guidance in respect of your cyber risk framework, cyber security strategies and cyber simulations.
The Institute of Directors in South Africa NPC
1 King IV Report on Corporate Governance for South Africa 2016, Technology and information, page 30
2 Published in August 2024 by the Department of Communications and Digital Technologies.