DARK (RE)FACTORY · ISSUE 02
THE ILLUSION OF CONTROL
Mapping the Dark (re)Factory, Issue 2
Kgolo Mbangi on governance readiness versus institutional readiness, and why compliant on paper is not the same as governed in practice.
Most governance talk I hear is written from inside Western institutions, for Western institutions. An AI governance advisor working from an African perspective started somewhere else, and showed me a floor underneath the one I build on.
Kgolo Mbangi is a Decision Infrastructure and AI Governance Advisor working from an African perspective. She advises companies and boards, and runs workshops on responsible AI down to the grassroots level. She is building a framework she calls the Ubuntu Neuroharmonization Framework. I wanted her lens because most governance talk I hear is written from inside Western institutions, for Western institutions. Hers starts somewhere else.
She reviewed the piece before publication. The quotes below are her words, lightly trimmed for length. The framing around them is mine.
I asked her what she wanted out of the conversation. She wanted to add a human-systems lens to the work and see where it lined up with mine. It lined up more than I expected.
Where “ready” stops being real
The first thing Kgolo did was separate two things most companies treat as one.
“I look at governance from the point of view of policies, frameworks, principles, compliance mechanisms in place. Whereas institutional readiness speaks to whether an organization has the leadership, the culture, accountability structures, and most importantly, decision-making maturity alongside operational capability to implement AI systems effectively. So the confusion creates an illusion of control, where institutions appear prepared on paper but struggle in practice.”
That is the whole problem in one sentence. Governance readiness is the binder. Institutional readiness is whether anyone can actually carry it. Confuse the two and you get a company that passed its policy review and still cannot tell you who owns the decision.
I have a line I use for this. Approved is not governed. Kgolo’s version is sharper at the institutional level. Compliant on paper is not governed in practice. Same disease, one floor up.
The machine cannot take the punishment
She went at accountability next, and from the place it actually lives, which is the board.
“If an AI-assisted decision causes harm, can that company clearly explain who is accountable? Why the decision was made, and what evidence informed it. Were the risks understood? And was the institution well equipped to make that decision responsibly?”
Then she named the thing everyone dances around. There is no punishment mechanism for a model.
“If there’s an element of default, the human is to blame, but not the machine. And if the machine is to be blamed, then besides pulling out the plug, what real consequence management is there for the machine?”
You cannot delegate accountability to something that cannot bear a consequence. So it stays human and institutional, whether the org chart admits that or not. Treating the AI as an actor does not move the responsibility. It only hides where it already sat.
One example she gave landed hard. South Africa pulled its first draft national AI policy after hallucinated citations turned up inside the policy document itself. Withdrawn before it ever reached public comment. The Department of Communications and Digital Technologies says it still aims to finalize the policy this financial year, and the redraft is underway. But the first version never survived contact with its own sources. A governance document, ungoverned. The point made itself.
When the system works and the institution doesn’t
Kgolo brought a case that has stayed with her, and it sharpens the whole argument. A premium subscriber developed an intense, dependent relationship with a chatbot. The subscriber was a teenager. The dependency deepened, the conversation went somewhere no parent could see, and the boy died by suicide. The family is now in litigation against the provider. (the case she sent me)
Her reading of it is the part worth keeping.
“The system itself was operating as designed, persistent, responsive, and engaging. But the surrounding institutional safeguards proved inadequate. Having policies and technical capabilities is not enough if organizations are not prepared for the social and psychological realities that AI systems can create.”
That is governance readiness and institutional readiness again, written in the worst possible ink. The model did exactly what it was built to do. Nothing malfunctioned. The failure was institutional, in the safeguards that were never ready for what a working system would do to a real person.
She does not stop at the human and the technical either. She pushed me on the environmental cost, pointing to the fight over a planned AI data centre in Amanzimtoti, near Durban, where residents are asking what it does to their water and their power bills. (the controversy) Governance that only counts the human and the machine, and skips the community living next to the infrastructure, is still only two-thirds ready.
Governance has to reach the grassroots
This is where her lens earned its place in this issue.
“I wish what you guys are doing with your company could extend beyond the US. How do we convert what you are building to speak to somebody at grassroots level? Because these are the same exact headaches they have. They may just not be as sophisticated in naming them.”
Her framework is built to carry governance that far down.
“The Ubuntu Neuroharmonization Framework looks at the human systems element, the technology, the governance, and the societal impact on individuals. If we are to deploy an AI system, the issues of access, participation, accountability, trustworthiness, are they all aligned? So that everyone can use an AI system responsibly and everyone can understand the implications of an output.”
Western frameworks assume a regulator, a legal department, an audit function. Most of the world deploying AI has none of those. Kgolo’s question is the one the field keeps skipping. If governance only works where the institutions are already strong, it is not governance. It is a luxury good.
What changed in my thinking
I build GuardSpine, governance that lives in the code. Deterministic guardrails. A five-level review that escalates from automated linting on low-risk changes up to multi-AI checks and human approval on the highest-risk ones, so review lands where the consequences are largest instead of becoming a bottleneck on everything. I have always framed that as the artifact problem. Govern the work itself.
Kgolo added the layer underneath it. You can embed compliance in code perfectly and still fail, because the institution running it never had the decision-making maturity to own what the code enforces. The guardrail catches the artifact. It does not, on its own, build the leadership and the accountability that decide what acceptable even means. Tooling can make governance enforceable. It cannot make an institution ready.
So the chain is longer than I was drawing it. The governed artifact, yes. But also a board that can answer Kgolo’s question before the harm, not after. And a version of all this that reaches the grassroots, not only the companies that already run an audit function. That last part is the gap I had not been looking at honestly enough.
The line
“Institutions appear prepared on paper but struggle in practice.”
Governance readiness is the binder. Institutional readiness is whether anyone can carry it. Most companies only built the binder.
Compliant on paper is not governed in practice. Your board learns the difference the day an AI-assisted decision causes harm and someone asks who owns it. Better to have the answer ready. If you want to walk through where your own governance is paper versus practice, reply or grab a slot.
David Youssef Founder, GuardSpine cal.com/davidyoussef/guardspine
Kgolo Mbangi is a Decision Infrastructure and AI Governance Advisor building the Ubuntu Neuroharmonization Framework. She reviewed the piece before publication.
Reply if the lens helps. Skip if it doesn't.
Interviews are 20 to 30 minutes. Writeup goes to the interviewee for sign-off before publish. If you're inside the deployment chain and you see something the dashboards don't yet show, the door is open.
Evidence over opinions. Every time.
David Youssef. Founder of GuardSpine, an open-core code governance platform. guardspine.com