Your Business Is Already Using AI. Is Anyone Securing It?
Somewhere in your organisation right now, someone is pasting company information into a chatbot. A department has quietly signed up for an AI tool that nobody in IT has reviewed. A supplier has automated part of their process with AI, and your data is flowing through it.
None of this makes your people careless. It makes them normal. AI has arrived in South African businesses faster than the policies, controls and oversight needed to use it safely, and that gap is exactly where things go wrong.
At DaVinci Forensics & Cybersecurity, we’ve spent years investigating what happens after a digital incident: the fraud, the data leaks, the impersonation scams, the reputational fallout. That experience has taught us something most AI consultancies can’t tell you first-hand, what AI risk actually looks like when it lands on a real business. Our new AI Security & Governance service exists to help you avoid ever making that call to us.
Why AI Risk Is Different
Traditional cybersecurity protects your systems from outsiders. AI risk is trickier, because much of it comes from inside the fence:
Data leakage through everyday use. Staff feeding client records, contracts or financial data into public AI tools may be handing sensitive information to third parties, a direct problem under South Africa’s Protection of Personal Information Act (POPIA).
Shadow AI. Unapproved AI tools spread through organisations invisibly. You can’t secure what you don’t know exists.
Flawed and biased outputs. AI systems can produce confident, convincing and completely wrong results. When those results feed decisions about credit, hiring, pricing or clients, the legal and reputational exposure is real.
AI-enabled attacks. Criminals now use AI too. Voice cloning, deepfake video, synthetic identities and hyper-convincing phishing are no longer science fiction, we investigate these cases. They are happening to South African companies today.
Regulatory pressure. The EU AI Act is already reshaping compliance expectations for any business trading with Europe, and international standards like ISO/IEC 42001 are fast becoming the benchmark for responsible AI management. Regulators, insurers and enterprise clients are starting to ask hard questions.
What Our AI Security & Governance Service Includes
We built this service the way we build everything at DaVinci: practical, evidence-driven, and grounded in how incidents actually unfold. You can engage us for a single assessment or an ongoing partnership.
1. AI Risk & Readiness Assessment
We map where and how AI is genuinely being used across your organisation, including the tools nobody told you about, and assess your exposure against recognised frameworks such as ISO/IEC 42001, the NIST AI Risk Management Framework and the EU AI Act. You receive a clear, plain-language report: what you’re doing well, where the risk sits, and what to fix first.
2. AI Governance & Policy Development
We develop AI usage policies, acceptable-use standards and approval processes tailored to your business, not a generic template. Your people get clear rules they can actually follow; your leadership gets defensible governance they can show clients, auditors and regulators.
3. ISO/IEC 42001 Alignment & Roadmapping
For organisations ready to formalise their approach, we guide you toward an Artificial Intelligence Management System aligned to ISO/IEC 42001, from gap analysis through to certification readiness, building on the same disciplined documentation approach we apply in our own accredited operations.
4. AI Incident Response & Digital Forensics
This is where DaVinci is genuinely different. If an AI-related incident occurs, a data leak through an AI tool, a deepfake used against your executives, a fraud built on synthetic media, our forensic investigators respond, preserve evidence to a court-admissible standard, and get you answers. Prevention is the goal; investigation is our foundation.
5. Deepfake & AI-Enabled Fraud Investigation
We identify, analyse and document synthetic media and AI-assisted impersonation attacks, supporting internal action, criminal complaints and civil recovery.
6. AI Security Awareness Training
Short, practical training that teaches your staff what safe AI use looks like day to day, and how to spot AI-enabled scams aimed at them.
Why DaVinci Forensics?
Most firms approach AI security from a compliance checklist. We approach it from the crime scene. As a Cape Town-based digital forensics and cybersecurity investigations firm, we’ve seen how attackers exploit new technology before defences catch up, and we build our advisory services around that reality.
- Investigator’s perspective: advice shaped by real incident and fraud casework, not theory.
- Local and global fluency: POPIA-aware guidance for South African businesses, aligned to international standards including ISO 42001, NIST AI RMF and the EU AI Act.
- End-to-end capability: from prevention and governance through to forensic investigation if something goes wrong.
- Plain language: reports and policies your board, staff and clients can actually understand.
Frequently Asked Questions
What is AI security? AI security is the practice of protecting an organisation from risks created by artificial intelligence, including data leaks through AI tools, flawed or biased AI decisions, unapproved “shadow AI” use, and attacks that use AI, such as deepfakes and voice cloning.
Does POPIA apply to AI tools? Yes. If personal information is entered into or processed by an AI system, POPIA’s requirements around consent, purpose, security safeguards and cross-border transfers apply. Many public AI tools process data outside South Africa, which creates specific compliance obligations.
What is ISO/IEC 42001? ISO/IEC 42001 is the international standard for Artificial Intelligence Management Systems (AIMS). It gives organisations a structured, certifiable framework for governing AI responsibly, increasingly requested by enterprise clients and regulators.
Does the EU AI Act affect South African companies? It can. If your organisation offers products or services into the EU, or your AI outputs are used there, parts of the EU AI Act may apply to you. Even where it doesn’t apply directly, it is shaping what international clients expect from their suppliers.
How do I know if my staff are using AI unsafely? Most organisations discover unsafe AI use only after an incident. An AI risk assessment identifies which tools are in use, what data is flowing into them, and where your real exposure lies, before it becomes a problem.
What should I do if my company is targeted with a deepfake? Preserve everything, recordings, messages, metadata, and avoid confronting the suspected source. Then engage a digital forensics specialist immediately. Early evidence preservation is often the difference between a recoverable situation and an unprovable one.
Start With a Conversation
AI is not a threat to be feared or a trend to be ignored, it’s a capability to be governed. Whether you need a first-look risk assessment, a full governance framework, or urgent help with an AI-enabled incident, DaVinci Forensics & Cybersecurity is ready to assist.
Contact DaVinci Forensics & Cybersecurity, Cape Town, and put your AI use on solid ground before someone else tests it for you.


