African businesses are building on AI systems they do not control

Across Kenya and the wider region, firms are rapidly adopting AI-enabled tools built on foreign cloud infrastructure, proprietary models and offshore data systems.

The AI adoption has enabled speed and scale, but has also introduced a new form of dependency, one that carries legal, financial and operational consequences.

Much of the conversation around AI for African countries focuses on innovation, raw talent and market opportunity. These matter. However, they obscure a more fundamental constraint: infrastructure.

According to the Africa Data Centres Association, the US accounts for roughly 45 percent of global data centre capacity. Africa accounts for approximately 0.6 percent, with an even smaller share of the high-performance compute required to train advanced models.

In East Africa, the number of research-grade Graphics Processing Units (GPUs) remains extremely limited, making local model development and deployment at scale difficult.

The result is predictable. Businesses do not build on domestic systems, instead forced to rely on external ones. As such critical business functions across finance and telecommunications, logistics and digital platforms depend on systems designed, hosted and updated outside the jurisdictions in which they operate. This is not unique to Africa.

But the asymmetry is sharper here.

When firms rely on external AI systems, they often lack visibility into how models are trained and updated, how data is processed and retained and more consequentially, how decisions are generated at scale.

These are not abstract technical questions. They shape real business outcomes because a firm that cannot interrogate the systems it depends upon assumes risk without control.

And therein lies the legal and regulatory blind spot. Most African regulatory frameworks, including Kenyan, were not designed for AI-driven systems built on external infrastructure. Procurement regimes, data protection laws and compliance mechanisms often lag the technologies they seek to govern.

There have been attempts to respond to the apparent gap. The African Union’s Continental AI Strategy and Kenya’s 2025–2030 AI Strategy signal an emerging regulatory direction. But these efforts notwithstanding, the gap between regulatory intent and operational reality remains wide.

In practice, the mechanism of control is not the existing law but contractual in nature. Yet these agreements may not provide sufficient audit rights, transparency obligations or enforceable oversight.

This creates real exposure: limited ability to verify system behaviour, weak leverage in case of disputes and vulnerability to regulatory changes in foreign jurisdictions.

Vendor-controlled infrastructure is often governed by commercial terms rather than public law safeguards, leaving institutions, and by extension businesses, without consequential oversight.

External AI systems dependency does not always manifest immediately. It accumulates.

Over time, firms may find that switching costs increase as systems become embedded, pricing power shifts toward providers, compliance obligations expand unpredictably and strategic flexibility narrows. This is not simply an emerging technology issue.

It is a strategic one. Businesses are making long-term decisions based on systems whose underlying logic, governance and evolution they do not control.

The question, then, is not whether African businesses should adopt AI. They inevitably will and the pace of adoption will only accelerate.

The question is whether firms understand the systems they are building upon and how those systems shape risk, cost and control.

Against this backdrop, three concerns need to be addressed:

First, AI must be treated as infrastructure and not just as a tool. Decisions about vendors, cloud environments and model dependencies are as consequential as decisions about capital investment or market entry.

Second, firms must interrogate contractual arrangements more carefully. Audit rights, data governance provisions and continuity guarantees are no longer optional; they are central to risk management.

Third, there is a growing case for regional coordination. No single firm can resolve infrastructure dependency alone. Collective approaches within the regional trade framework, whether through industry standards, regulatory frameworks or shared infrastructure can begin to rebalance control.

A defining business and legal question

Artificial intelligence is often framed as a driver of efficiency and growth. That is true. But it is also reshaping the distribution of power in the global economy.

For African businesses, the challenge is not just about adoption but regulatory and strategic positioning.

The firms that will succeed, whether measured in contribution to societal good, resilience or innovation are not those that simply deploy AI fastest.

Rather, they are those that understand the dependencies embedded in the systems they are building on and manage those dependencies deliberately.

The writer is an Advocate of the High Court of Kenya and a graduate of Harvard Law School. He worked at Harvard’s Berkman Klein Center for Internet and Society, focusing on the intersection of Law, AI liability and corporate governance.