The release of the King V Code on Corporate Governance for South Africa (2025) marks the most decisive shift in local governance practice since the introduction of integrated reporting. For the first time, data, information, technology and AI form a standalone governance pillar. This article explains King V’s expectations for IT governance, why they matter, and how South African organisations can operationalise them across sectors, ownership structures and maturity levels.
What King V requires: Principle 10 explained
King V’s Principle 10 provides:
The governing body governs data, information and technology in a way that enables the organisation to sustain and optimise its strategy and objectives.
This principle reframes IT governance as a strategic, ethical, legal and risk-driven duty of the governing body—not an internal technical function.
Scope of IT governance under King V
Governing bodies must oversee:
- Data governance (lifecycle, classification, quality, privacy)
- Information governance (accuracy, integrity, availability, security)
- Technology governance (acquisition, use, development, disposal)
- Cybersecurity (prevention, detection, response, assurance)
- Resilience (BCP/DR planning and testing)
- Third-party digital ecosystems (outsourcing, cloud, cross-border risk)
- Emerging technologies (including ethics, opportunity–risk balance)
- Artificial intelligence (oversight, explainability, human control)
For regulated industries—banking, insurance, healthcare, mobility, fintech—these duties interact with POPIA, PFMA, JSE Listings Requirements, NCA, FAIS and sectoral standards.
Governing data and information: The board’s direct accountability
King V introduces a lifecycle-based approach to data and information governance.
Policy & planning
Boards must approve:
- data governance frameworks
- information classification schemes
- privacy and security standards
- cross-border and outsourcing protocols
Oversight and monitoring
The governing body must be satisfied that:
- data and information are managed ethically and responsibly
- cyber and privacy incidents are identified and responded to
- compliance with POPIA and other laws is maintained
- third-party risks are effectively controlled
- quality, completeness and usability of information are upheld
Assurance
Internal audit, risk, privacy and cybersecurity functions must provide periodic assurance on effectiveness, compliance and ethics.
Technology governance: Strategy, resilience, risk and responsible use
Under King V, technology becomes part of strategic value creation.
Strategic direction
The board must set strategy for:
- technology acquisition and investment
- digital architecture and systems
- responsible retirement of legacy systems
- alignment with the organisation’s business model and risk appetite
Organisational resilience
King V elevates resilience and disaster recovery as explicit governance duties. Boards must ensure:
- tested BCP/DR plans
- minimal downtime tolerance
- continuity of critical services
- cyber-resilience across infrastructure
Outsourced technology and cloud services
Boards must ensure:
- due diligence
- minimum assurance requirements
- enforceable SLAs
- jurisdictional risk controls
- exit strategies for critical vendors
This applies across cloud providers, AI models, SaaS, managed security services, and digital supply chains.
Cybersecurity and digital risk: A board-level responsibility
Cybersecurity is no longer a technical control—it is a governance function.
Boards must ensure:
- effective cyber prevention, detection and response
- alignment with risk appetite
- root-cause reviews of significant incidents
- uplift of security capabilities where weaknesses exist
- reporting into risk and audit committees
Cyber-risk exposure now affects an organisation’s assessment of ethical culture, conformance, legitimacy and value creation.
Governance of emerging technology and AI
King V is the first local governance code to include direct obligations relating to:
Emerging, innovative and disruptive technologies
Boards must ensure:
- technology creates sustainable value
- risks and opportunities are evaluated proportionally
- impacts align with organisational context
- technological decisions remain ethical and legally compliant
Artificial intelligence governance
Boards must demonstrate:
- clear accountability for AI-driven decisions
- human oversight and override mechanisms
- explainability and transparency
- fairness and non-discrimination
- security and privacy measures embedded in models
- ethical guardrails for automated systems
This aligns with global trends (EU AI Act, OECD principles, NIST AI RMF) and positions King V at the frontier of responsible innovation.
King V’s apply-and-explain disclosures for IT governance
Organisations must report whether:
- the management of data and information is “effective, compliant and ethical”
- privacy breaches and cyber incidents were managed appropriately
- technology processes deliver intended benefits
- disruptive-tech risks are addressed
- AI accountability and human-control mechanisms exist
This increases transparency expectations for integrated reports, sustainability reports and annual governance disclosures.
Practical use cases: What King V means in real operations
Financial services
- AI-driven credit scoring must have human override
- cyber resilience becomes a risk appetite issue
- board committees must review model risk, not just financial risk
Technology and SaaS companies
- customer data lifecycle controls must be board-approved
- cloud subcontracting must include assurance and controls
- responsible-AI frameworks become a competitive differentiator
Retail and mobility
- large datasets trigger heightened privacy risk
- IT downtime directly affects revenue and legitimacy
- the board must ensure robust supplier governance
Public sector and municipalities
- technology committees may be required
- resilience of critical public infrastructure becomes a governance outcome
- alignment with PFMA/MFMA oversight duties
How ITLawCo can help
| Service area | What ITLawCo provides |
|---|---|
| IT governance frameworks | Principle 10-compliant policies, standards, and lifecycle frameworks |
| Board & EXCO training | Digital accountability, cyber risk, AI oversight |
| POPIA & global privacy | Compliance, data mapping, cross-border governance |
| Cybersecurity governance | Cyber maturity assessments, incident response, resilience planning |
| AI governance | Model governance, oversight mechanisms, ethical frameworks |
| Assurance integration | Linking IT, cyber, privacy and risk into audit and assurance programmes |
FAQs
Does King V make IT governance a mandatory board responsibility?
Yes. Principle 10 explicitly requires the governing body—not management—to govern data, information, technology and AI.
How does King V’s IT governance expectation differ from King IV?
King V broadens governance to include AI oversight, emerging technology, cyber resilience, and proportional disclosure.
What must the board disclose about technology under King V?
Boards must disclose whether technology, data and information are managed ethically, effectively and in compliance with law.
Are smaller organisations required to implement the same level of IT governance?
No. King V allows proportionality, but the governing body must still achieve the objective of Principle 10.
Does King V require organisations to have a dedicated Technology Committee?
Not for everyone. Large, complex or high-impact organisations may require one; smaller entities may use combined committees.
How does King V expect organisations to manage emerging technologies like AI?
Boards must ensure AI is governed with human oversight, transparency, fairness, privacy, security and accountability.
Does King V require organisations to manage cloud and outsourced IT risks differently?
Yes. Boards remain accountable and must ensure due diligence, assurance, contract controls and cross-border governance.
How does cybersecurity fit into IT governance under King V?
Cybersecurity is a governance duty that intersects with risk, assurance, resilience and incident response.
What is expected from boards regarding data and information governance?
Lifecycle governance, classification, quality controls, privacy protection, compliance oversight and assurance.
Does King V apply to public entities, municipalities, retirement funds and NPOs?
Yes. King V applies universally with proportionality guiding implementation.
What happens if an organisation experiences a major cyber or privacy incident?
Boards must ensure effective response, consequence management, lessons learned and future prevention.
What must organisations do now to become King V-ready in IT governance?
Update frameworks, uplift cyber and AI governance, enhance data controls, improve digital literacy and strengthen assurance.




