
By Chisom Obiudo
Most Namibian boards have not yet had a serious conversation about shadow AI. There is no detailed inventory of what staff are pasting into ChatGPT.
Some have no policy on Microsoft Copilot, Gemini, or the note-taker quietly recording the audit committee meeting.
The topic comes up in passing under “any other business,” prompts a brief discussion, and then the meeting moves on.
Then, sometime this year, someone in management says the word “agent.” An AI agent that processes claims.
An AI agent that screens CVs. An AI agent that handles tier-one customer service. These systems are already in pilot or production at institutions across the region, often through Microsoft, Salesforce, or third-party vendors serving the financial and retail sectors.
Two governance gaps are now stacked in the same board pack. The work nobody did on shadow AI is still owed.
The harder work of governing agentic AI is also owed. Both arrive at the same risk committee meeting, and neither has a clean landing spot.
Where Namibian boards stand
Outside a few banks and listed entities, AI governance is a slide in a strategy update, not a standing item. NamCode addresses technology governance in general terms, but most boards have not translated this into specific AI obligations.
NAMFISA, the Bank of Namibia, and BIPA have not issued AI-specific directives. The data protection legislation currently under development is the closest pressure point, and even that is not yet a binding regime.
When an executive presents an “AI strategy” to a Namibian board, the board has few local anchors to hold management to account.
The temptation is to lean on the OECD AI Principles, NIST AI RMF, or ISO 42001 and call it governance. These frameworks are useful, but they were written for jurisdictions where boards have already done foundational AI work. Namibian boards are starting at a different point on the curve.
The shadow AI questions that have not been answered
Before a board can effectively oversee agentic AI, it needs to be able to answer the shadow AI questions. Most Namibian boards cannot yet answer these:
- Which staff members are using which generative AI tools?
- Has any free-tier ChatGPT or Gemini account been used to process customer data, board papers, or HR information?
- Is the company secretary’s note-taker recording confidential meetings in third-party cloud storage?
- Is any of that data being used to train someone else’s model?
- Has the organisation ever issued written guidance on what may and may not be entered into a public AI tool?
These are governance hygiene questions, and they come before anything else. They are the AI equivalent of conflict-of-interest registers and gift policies. Most Namibian boards have not yet built them.
The agentic AI questions are now landing on top
While the shadow AI work remains outstanding, agentic AI is soon to be on the procurement roadmap at some Namibian and regional institutions. The use cases being pitched include fraud screening, claims triage, credit decisioning, and customer-facing chatbots that can take action on customer accounts without human approval at each step.
For these systems, three further questions sit on the board’s plate:
- What is the agent allowed to do without human approval? Spending limits, transaction limits, customer commitments, and regulatory filings. The answer must be on paper, signed by an executive.
- Who approved the agent’s scope, when is it reviewed, and what triggers re-approval? If the answer is “the vendor sets the defaults,” the board’s delegated authority is being set by a party that does not sit in the boardroom.
- How does the organisation know what the agent did? Logs a director can read. Exception reports. A human in the loop for material decisions. An off switch with a named owner. None of this is theoretical.
Lessons from the past
Three cases are already on the public record. Air Canada was held liable in 2024 for what its chatbot told a customer about bereavement fares; the airline tried to argue that the chatbot was a separate legal entity, but the tribunal disagreed.
In April 2025, Cursor’s AI support bot fabricated a non-existent device-limit policy, and paying customers cancelled their subscriptions before the company corrected the record. In July 2025, an AI coding agent at Replit deleted a live production database during a code freeze, and Replit’s CEO publicly apologised. In each case, the agent acted, and the organisation owned the consequences.
What this means for Namibian boards
A Namibian board cannot address agentic AI without also tackling shadow AI. The inventory, the use policy, the staff training, and the data classification rules—none of these are optional anymore. They were foundational a year ago; today, they are merely the baseline, and the next wave has already arrived.
The stark reality is that the next 18 months are heavier than most boards have planned for. Risk committees may need an AI standing item. Internal audit may need to add AI to its annual plan. Company secretaries should start logging AI use the same way they log conflicts of interest. Board AI literacy training ceases to be optional and becomes a fiduciary requirement.
Action items for the next board meeting
So, for the next board meeting, ask management the following:
- Show me the list of AI tools our staff are using, whether sanctioned or not, and what is being done about the unsanctioned ones.
- Show me the list of AI agents acting on behalf of this organisation, what each is authorised to do, and who signed off on their authorisation.
- Show me one week of activity for one agent and walk me through what I should see.
- Show me what happens when an agent makes a decision that costs us money, breaches the Financial Institutions and Markets Act (FIMA) or the data protection regime, or harms a customer. Who pays, who reports it, and who shuts it down?
If management cannot answer those questions, you have two generations of ungoverned AI under your watch.
*Chisom Obiudo is an admitted legal practitioner of the High Court of Namibia and a Chief Legal Officer at the Namibian Law Reform and Development Commission. She serves on the NCRST National Artificial Intelligence Technical Advisory Committee on law and governance. Chisom holds a master’s degree in Corporate Governance and professional certificates in Non-Executive Directorship, AI Professional Skills, AI Governance and Legislative Drafting. She can be reached at: chisomokafor11@gmail.com







