When the Central Bank Speaks, Boards Should Listen — and the SARB Just Said AI Is More Dangerous Than a War
- Johan Steyn

The South African Reserve Bank has identified frontier AI as a more immediate short-term risk to the financial system than an active Middle East conflict driving oil prices and interest rates. That is a governance signal, not a headline.

On 10 June 2026, the South African Reserve Bank published the first edition of its Financial Stability Review for the year. The FSR is the central bank’s biannual assessment of systemic risk — a carefully worded, evidence-based document produced by economists and supervisors whose professional mandate is to identify the threats that matter most to the stability of South Africa’s financial system. It is not written for headlines. It is written for boards, risk officers, regulators, and the institutions whose decisions determine whether the financial system can absorb what is coming.
The June 2026 FSR identifies two primary short-term risks operating simultaneously and at the same level of severity. The first is the US-Iran war, which has driven oil prices higher, triggered a 25-basis-point interest rate increase in May, made further rate cuts in 2026 highly unlikely, and increased financial distress for interest-rate-sensitive households across the country. The second is advances in frontier AI, with the review specifically naming Anthropic’s Claude Mythos Preview as a model posing financial stability risks. The SARB’s assessment is that both risks represent severe, compounding pressure on the financial system at the same time — with frontier AI having graduated to the same risk tier as a live geopolitical conflict.
A central bank has placed a technology in the same severe risk category as an active war. That is a governance signal of the first order — and it is not receiving the boardroom attention it deserves.
CONTEXT AND BACKGROUND
The SARB’s Financial Stability Review is not a speculative document. It draws on supervisory data, market intelligence, stress testing, and the bank’s institutional relationships with the financial institutions it oversees. When the SARB identifies a risk as a severe compounding pressure on the financial system, it is identifying something that its evidence-based and analytical frameworks have assessed as material to systemic stability. The threshold for naming a specific AI model — Anthropic’s Claude Mythos Preview — in an FSR is considerably higher than the threshold for a technology company publishing a blog post or a think tank producing a white paper.
The SARB’s specific language about AI and cyber risk is the most important phrase in the June 2026 review: “Cyber risk has shifted from episodic and largely manageable events to continuous and compounding.” That is a precise and consequential characterisation. Episodic risk is discrete — it occurs, it is managed, it ends, and the system returns to its prior state. Compounding risk accumulates continuously — each undetected vulnerability, each AI-enabled probe that is repelled today, each successful breach that contains novel elements, adds to a compounding exposure that the organisation’s risk architecture may not be measuring or managing adequately.
The other risks the FSR identifies are significant but familiar in character. Capital outflows amid heightened market uncertainty. Unsustainable fiscal dynamics. Rising household financial distress. A sovereign debt-to-GDP ratio that may not stabilise within the timeframe National Treasury anticipated.
These are risks that South African financial system participants have frameworks for assessing and governing. What the FSR is signalling about AI is that it has joined geopolitical conflict in the top tier of systemic concern — a technology risk that existing governance frameworks were not designed for and may not be adequate to manage.
INSIGHT AND ANALYSIS
Understanding why the SARB places frontier AI in the same severe risk tier as an active war requires attention to the nature of the two risks rather than their current visible consequences. The Iran war has already produced measurable financial consequences: a rate increase, delayed rate cuts, higher fuel prices, a deteriorating fiscal position. These are not hypothetical risks. They are current conditions. Global financial markets have, in the SARB’s own assessment, adjusted to the geopolitical shock in an orderly manner. The risks are real but the system knows how to process them — central banks adjust monetary policy, governments adjust fiscal positions, financial institutions mark their exposures. The governance architecture for geopolitical and macroeconomic risk is mature and tested.
AI risk operates differently. It is less visible, harder to measure, and accumulates in ways that existing governance frameworks were not designed to detect. The war acts as an immediate macroeconomic shock wave, hitting inflation and fiscal balances through known transmission mechanisms. Frontier AI acts as an accelerated threat multiplier, hitting operational resilience and cybersecurity infrastructure simultaneously and continuously. These are not comparable risks in their mechanisms, which is precisely why the SARB presents them as coexisting, multi-layered threats rather than alternatives. The financial system must manage both at the same time, with fundamentally different governance architectures for each.
The SARB’s characterisation of cyber risk as having shifted from episodic to compounding is a statement about the rate of change in the threat environment relative to the rate of change in the governance response. AI-enabled attacks on financial system infrastructure are becoming more sophisticated, more frequent, and more difficult to attribute and remediate, and they are doing so faster than most financial institutions’ cyber governance frameworks are evolving. The absence of a significant AI-enabled incident in your institution’s recent history is not evidence of adequate governance. It may simply mean the compounding has not yet become visible.
IMPLICATIONS
The SARB’s FSR has three specific implications for South African boards that deserve explicit attention.
The first is about the adequacy of current cyber governance frameworks. If the SARB’s characterisation of cyber risk as having shifted from episodic to compounding is accurate — and the central bank’s evidence base gives it significant credibility — then organisations whose cyber governance was designed for episodic risk are operating with an architecture that the regulatory authority has just described as inadequate for the current environment. Annual penetration tests, periodic risk assessments, and incident response plans designed around discrete breach events are governance instruments calibrated to the old model. The new model requires continuous monitoring, real-time response capability, and board-level accountability for the accumulation of exposure over time, not only for individual significant incidents.
The second is about the scope of AI risk. The SARB’s FSR is addressed primarily to financial institutions, but the systemic risk it describes does not stop at the boundaries of the banking sector. The AI-enabled cyber threats the SARB identifies affect the infrastructure on which financial institutions depend — payment systems, data centres, third-party technology providers, cloud platforms — most of which are not themselves regulated by the SARB. South African boards outside the financial sector whose organisations interact with or depend on financial system infrastructure are carrying AI risk that the FSR describes but cannot directly address through its supervisory mandate.
The third implication is the most uncomfortable. The SARB has produced a more sophisticated AI risk assessment than most of the corporate boards operating in the South African financial system. The supervisory authority is ahead of the institutions it oversees. That gap — between what the SARB has assessed and what most boards have yet to assess — is itself a governance risk. The FSR is the most useful starting point available for any South African board that has not yet produced a serious AI risk assessment of its own. The gap between the FSR’s conclusions and most boards’ current frameworks is the measure of the work that needs to be done.
CLOSING TAKEAWAY
The South African Reserve Bank publishes its Financial Stability Review twice a year. It is not written to be provocative. It is written to be accurate. When an institution of the SARB’s standing and analytical rigour places frontier AI in the same severe risk tier as an active geopolitical conflict that has already produced a rate increase and delayed rate cuts for an entire year, that assessment deserves to be taken seriously by every board in every institution that operates in or interacts with South Africa’s financial system.
The war in the Middle East is visible. Its consequences are measurable. The financial system knows how to respond. AI risk is less visible, less measurable, and accumulating at a pace that most governance frameworks were not designed to track. The SARB has placed both in the same category. The difference is that the financial system has mature governance architecture for the first, and most boards have barely begun to build it for the second.
Johan Steyn is a prominent AI thought leader, speaker, and author with a deep understanding of artificial intelligence’s impact on business and society. He is passionate about ethical AI development and its role in shaping a better future. Find out more about Johan’s work at https://www.aiforbusiness.net


