Ninety days from now, AI governance frameworks will be enforceable across 44 African nations under the Malabo Convention and related AU instruments. The EU AI Act is already in force, with its core obligations for high-risk AI systems applying in August 2026.

There is just one problem: most of the continent is not ready.

Not because of a lack of political will. Because the infrastructure AI runs on is not theirs. The data is not theirs. The rules are not written for them. And the capacity to enforce those rules—even when they exist—is still being built.

This is not a regulatory gap. It is a sovereignty crisis.

The Infrastructure Gap

The cloud platforms powering Africa’s AI ambitions are owned by foreign providers. Synergy Research Group reports AWS holds roughly 31% of the global cloud market, Microsoft Azure about 25%, and Google Cloud approximately 11%. These same hyperscalers are expanding aggressively across Africa—AWS has invested over $840 million in South Africa and announced expansions in Morocco, Senegal, and Nigeria. Microsoft has committed 5.4 billion rand to local infrastructure. Oracle is establishing a public cloud region in Nairobi, hosted at iXAfrica’s hyperscale data centre.

The legal framework governing that data is determined by where the servers sit—not where the users live. The U.S. CLOUD Act gives U.S. authorities the legal authority to access data held by American companies, regardless of where that data is physically stored.

When a regulator in Nairobi asks where a model’s training data came from, the answer is often: “We don’t know. Ask the cloud provider.”

When a minister in Dakar asks who has access to citizen data processed by an AI system, the answer is often: “That is governed by the terms of service you agreed to.”

This is not a technical problem. It is a governance architecture problem—one that no dashboard can fix.

The Capacity Gap

Even where frameworks exist, enforcement is inconsistent. Regulators lack technical expertise. Law enforcement lacks forensic capability. Judicial systems lack AI literacy. The result is a system that can pass laws but cannot enforce them—a gap that bad actors are already exploiting.

The recent wave of “digital arrest” scams across Africa and Asia is not a coincidence. Between December 2025 and January 2026, INTERPOL’s Operation Red Card 2.0 brought together 16 African countries to crack down on cross-border cybercrime. The operation resulted in 651 arrests, the seizure of over $4.3 million, and the takedown of 1,442 malicious IP addresses, domains, and servers. Investigators uncovered fraud schemes that caused estimated losses of around $45 million, with over 1,200 victims identified.

In India, a parallel syndicate was dismantled after defrauding victims of nearly Rs 100 crore (approximately $12 million) using “digital arrest” tactics—impersonating law enforcement officers over video calls to coerce victims into transferring money. In Ghana, two suspects were arrested for creating AI-generated deepfake content impersonating the President and First Lady to facilitate financial scams.

Fraudsters are weaponizing DNS infrastructure, AI-generated deepfakes, and spoofed government portals precisely because they know enforcement is weak. The tools for these attacks are increasingly accessible. INTERPOL’s 2026 Global Cybercrime Threat Assessment notes that fraud-as-a-service kits on the dark web allow low-skill scammers to launch thousands of attacks daily, while AI-enhanced attacks surged 180 percent in 2025.

A state cannot meet its international obligations to prevent harmful cyber operations if it lacks the detection infrastructure to know when its territory is being used. Capacity building is not charity. It is a prerequisite for compliance.

The Data Gap

The most valuable resource in the AI era is not compute. It is data. And Africa’s data is largely managed by external actors.

Initial findings from the African AI Governance Index track 223 data centre facilities across 38 countries, representing an estimated market value of $3.49 billion and roughly 780 megawatts of IT capacity. Hyperscalers, including Microsoft, Google, AWS, and Oracle, are all present across the continent. Meanwhile, Dubai-based Maser Group announced a $1.6 billion investment over the next two years in African data centres and farmlands, with primary recipients including Nigeria, Ghana, and Kenya.

The AI governance moment risks repeating a familiar pattern: a continent’s digital infrastructure governed by institutions that are not accountable to it. This time, African nations can act now—to assert ownership over their own data, their own infrastructure, and their own regulatory authority.

What Must Change

First, infrastructure sovereignty: African nations must prioritize the development of locally hosted cloud capacity, data centres, and AI compute infrastructure. Not as a protectionist measure—as a functional necessity.

Second, capacity building as compliance: International partners must treat technical assistance not as aid, but as a shared obligation. A state that lacks detection capability cannot meet its due diligence obligations. That failure is not just a national problem—it is a systemic risk.

Third, data governance as sovereignty: The frameworks governing AI must include explicit provisions for data localization, cross-border data flows, and enforcement jurisdiction. Declarations are not enough. Remedy must be enforceable.

The Window Is Closing

Ninety days is not a long time. The decisions made in that window will shape Africa’s digital trajectory for a generation.

The continent has a choice: accept AI infrastructure as it is delivered—governed by foreign law, trained on foreign data, accountable to foreign regulators—or build the governance architecture that makes sovereignty real.

This is not a regulatory gap. It is a sovereignty emergency. And it will not be solved by another declaration.