How a regulator uses Iqrar in production

Two grounded cases — a SA legal firm and a SA fintech. For each, we walk through the AI agents they run, the obligations the SDK loads from the IFWG-cognisant ruleset, what their audit log looks like during ordinary operation, and what happens when a regulator opens an investigation.


Lex Africa

SA commercial firm running a client-portal AI that reviews uploaded contracts and triages e-discovery for privilege.

Why this case: On 26 April 2026 the SA Draft National AI Policy was withdrawn after fabricated case citations were discovered in the policy itself. Legal-tech AI now has the highest auditability bar in the country. Lex Africa's question to the Information Regulator: 'how do we prove our bot didn't fabricate citations?'

Agents in production · 2

Contract Review Bot
Reviews uploaded commercial contracts in the client portal. Flags POPIA-§14 retention issues, cross-border data clauses, indemnity asymmetries. Suggests redlines for human attorney review.
consumer_chatbot · legal_advice_assistance · document_analysis
Discovery Triage
Sorts e-discovery document sets for privilege and relevance. Outputs a privilege log that an attorney signs off on before disclosure.
document_analysis · privilege_classification

Obligations the SDK loads for this firm

za.popia.s11.lawful_basis
POPIA §11 — Lawful processing
POPIA Act 4 of 2013 §11
The bot processes client identity and matter information. §11(b) consent or §11(d) public-law duty must underpin every record.
za.popia.s17.processing_documentation
POPIA §17 — Documentation
POPIA Act 4 of 2013 §17
The bot must maintain a record of processing operations — every invocation logged with timestamp, model, tools used.
za.popia.s22.breach_notification
POPIA §22 — Breach notification
POPIA Act 4 of 2013 §22
Any unauthorised access to client matter data must be notified to the IR via the eServices portal as soon as reasonably possible.
za.kingv.principle10.ai_governance
King V Principle 10 — AI governance
King V Code on Corporate Governance (IoDSA, 2025) — Principle 10
Apply-and-explain. Mandatory for JSE-listed clients of the firm; voluntary best practice for the firm itself but expected by major clients during vendor onboarding.
za.ecta.s43.consumer_disclosure
ECTA §43 — Consumer disclosure
Electronic Communications and Transactions Act 25 of 2002 §43
B2C electronic transactions: the bot must disclose its identity, the firm's address, dispute mechanism. ECTA §20 binds the firm to agreements its electronic agents form with consumers.

Tuesday morning. A client uploads a 47-page joint-venture agreement to the portal and asks the bot to flag risk clauses. The audit log below shows what the SDK emits during the bot's review — every event traceable to a specific obligation.

  1. +0s registry.pinned
    registry_hash: 0d593665804522…
    sequence: 1
    authorities: [IR-SA, FSCA, NCR, FIC]

    SDK pins the foundation registry on first run; subsequent verify uses this body. Patent §9.1(a).

  2. +0s ruleset.verified
    bundle_hash: 21fe258579e913…
    signers: [IR-SA, FSCA, NCR, FIC]
    directive_count: 0
    jurisdiction: za:ifwg

    Bundle is co-signed by every IFWG-cognisant authority. The firm trusts the rules because the regulators signed them.

  3. +0s agent.classified
    agent_id: lex-contract-bot
    tier: limited
    capabilities: [consumer_chatbot, legal_advice_assistance, document_analysis]
    obligations_loaded: 9
    triggered_by: [consumer_chatbot]

    Self-classification: Tier-2 (limited risk) because consumer-facing. Picks up POPIA §11/§17/§22, ECTA §43, King V P10, and tier-2 disclosure obligations.

  4. +38s agent.invocation.start
    invocation_id: inv-2026-05-09-tu-001
    agent_id: lex-contract-bot
    client_matter: MAT-2026-04-LXM-0188 (jv-agreement-review)
    model: claude-opus-4-7

    POPIA §17 processing record opened. za.popia.s17.processing_documentation

  5. +39s consumer.disclosure.shown
    disclosure_text: I'm an AI contract review assistant. A human attorney will review my output before it forms the basis of any advice you act on.
    opt_out_offered: true

    ECTA §43 + AI-disclosure expectation: the consumer is unambiguously told they're interacting with AI before any substantive output. za.ecta.s43.consumer_disclosure

  6. +41s tool.call.start
    tool: search-caselaw
    args_hash: a3f9c2d8...
    purpose: find SA precedent on JV indemnity asymmetry under §13 PEPUDA

    Tool calls hashed (not full args) per POPIA §13 minimisation; full args retained 365 days for audit.

  7. +42s tool.call.end
    tool: search-caselaw
    result_count: 4
    sources: [Roodepoort Mutual v Brick Stone Mining 2018 (3) SA 412 (SCA), Naspers v Independent Group [2021] ZAGPJHC 88, King NO v Cedar Falls Properties 2019 (1) SA 22 (CC), Capital Capital v MVL [2024] ZASCA 14]

    All four cited cases are real, verifiable in SAFLII. The audit chain commits this list — the firm can prove the bot didn't fabricate citations.

  8. +47s decision.made
    decision_id: dec-jv-redline-001
    invocation_id: inv-2026-05-09-tu-001
    action: flag_clauses
    flagged_clauses: [{"clause":"13.4 — Indemnity","risk":"high","reason":"asymmetric — favours seller materially"}, {"clause":"8.2 — Cross-border","risk":"medium","reason":"transfers to UAE without §72 adequacy basis"}]
    affects_consumer: false
    human_review_required: true

    Decision logged with the rationale and the human-review flag. POPIA §17 documentation; King V P10 governance trail. za.kingv.principle10.ai_governance

  9. +48s agent.invocation.end
    invocation_id: inv-2026-05-09-tu-001
    outcome: ok
    latency_ms: 9840
    prompt_tokens: 14520
    completion_tokens: 2180
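
The commitment described in events 6 to 8 (tool arguments logged as a hash, a source list fixed into the audit chain) can be sketched as a hash chain. This is an added example, not Iqrar SDK code: the chaining scheme, the function names and the sample events are assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed chain start value, not taken from the page

def canonical(obj):
    """Deterministic JSON bytes, so equal content always hashes equally."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def append_event(chain, event_type, fields):
    """Append an event whose hash covers its fields and the previous hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    body = {"seq": len(chain) + 1, "type": event_type, "fields": fields, "prev": prev}
    chain.append({**body, "hash": sha256_hex(canonical(body))})

def verify_chain(chain):
    """Return the seq of the first entry that fails verification, else None."""
    prev = GENESIS
    for seq, entry in enumerate(chain, start=1):
        body = {k: entry.get(k) for k in ("seq", "type", "fields", "prev")}
        if (entry.get("seq") != seq or entry.get("prev") != prev
                or sha256_hex(canonical(body)) != entry.get("hash")):
            return seq
        prev = entry["hash"]
    return None

def args_match(entry, full_args):
    """Check retained full tool arguments against the logged args_hash."""
    return entry["fields"].get("args_hash") == sha256_hex(canonical(full_args))

def build_sample_chain():
    """Constructed sample events modelled on events 6 to 8 of the log above."""
    args = {"tool": "search-caselaw", "query": "constructed sample query"}
    chain = []
    append_event(chain, "tool.call.start",
                 {"tool": "search-caselaw", "args_hash": sha256_hex(canonical(args))})
    append_event(chain, "tool.call.end",
                 {"tool": "search-caselaw", "result_count": 2,
                  "sources": ["Constructed Case A (placeholder)", "Constructed Case B (placeholder)"]})
    append_event(chain, "decision.made",
                 {"action": "flag_clauses", "human_review_required": True})
    return chain, args

if __name__ == "__main__":
    log, retained_args = build_sample_chain()
    print(verify_chain(log), args_match(log[0], retained_args))
```

Anyone able to rewrite the whole log can recompute every hash, so verification only means something when the latest hash is also held where the log writer cannot change it, for example in a signed checkpoint.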