Strategy without statute: A reading of Zimbabwe’s national AI strategy

By Tashinga Ruwa Lauryn Magaya
Zimbabwe has done the easier half of AI governance.
It published a strategy. The harder half however – legislation, enforcement, institutional readiness as well as public understanding – has not yet been done.
This is not a failure. It is a moment. The next 18 months will tell us whether the strategy becomes a foundation or remains a statement of intent.
I read Zimbabwe’s National AI Strategy 2026-2030 soon after it was launched. It is 73 pages in total, and it took me three hours the first time and another two the second time around, because the second reading is the one where you stop being impressed and start being precise.
The launch took place at the New Parliament Building in Mount Hampden on 13 March 2026.
President Mnangagwa unveiled the document alongside the United Nations Resident and Humanitarian Coordinator, Edward Kallon .
Cabinet had approved the document the previous October. The Strategy is built around six pillars and three implementation phases that will run through to 2030, rooted in the UNESCO Artificial Intelligence Readiness Assessment Methodology Report for Zimbabwe completed earlier in 2025 .
I trained for this, in a quiet sort of way. Five years at The Hague University of Applied Sciences studying International and European Law, with a specialisation in Legal Technology and Artificial Intelligence.
The GDPR was the central data protection text I studied, alongside legal analytics, predictive analytics, and the wider questions of how algorithmic decision-making meets legal accountability.
By the time I sat down with Zimbabwe’s strategy, I was reading it the way someone reads a contract they are about to sign.
Slowly. Twice. Looking for what is not there as much as what is.
There is a personal interest I should name here.
The strategy speaks of a “Come Home to Build” diaspora programme, an open invitation to Zimbabweans abroad with relevant training to contribute to the national project.
Some of us came home before the invitation was published. We are here, we are reading the document, and we are writing about it.
The opening of the door is part of what comes next.
What follows is a legal reading. I am not writing this as a critic. I am writing as someone who would like to see this Strategy succeed and who thinks the conditions for that success are mostly architectural – about laws and institutions; rather than aspirational. The line between policy ambition and regulatory capacity is the line this article walks.
It is also, with candour, the line I think most of the public conversation around this topic has missed so far.
What Zimbabwe has put on paper, the strategy’s theme is “Harnessing AI for Inclusive National Development.”
It is structured around six pillars which are: AI Talent and Capacity Development; National AI Infrastructure and Computational Sovereignty; AI Adoption and Service Transformation; Governance, Ethics and Regulation; Research, Development and Innovation; and International Collaboration and Diplomacy.
The three implementation phases consist of Foundation Building (2025-2026), Scaling Core Applications (2027-2028), and Ecosystem Maturation and Leadership (2029-2030).
Five flagship initiatives are named. The AI Grand Challenge, a national problem-solving competition.
The National AI and Data Platform, branded Project Pangolin. Nzwisiso.ai, a public AI literacy campaign. The Innovation Crucible, a regulatory sandbox to be administered under POTRAZ.
And the Mugove Innovation Fund. Whether these initiatives are operational or still on the drawing board is a question this article will return to.
The drafting was, by Zimbabwean policy standards, relatively open. The UNESCO Readiness Assessment was published. 5 National multi-stakeholder consultations took place in Harare on 28 August 2025, in Bulawayo on 9 September 2025 and in Masvingo on 11 September 2025.
Cabinet approval then followed in October of 2025 with the launch coming roughly five months later.
Alongside this, the National AI Strategy proposes new institutions. A National AI Council. An AI Strategy Implementation Office, Technical Working Groups under each pillar. The National Digital Regulatory Committee (NDRC), housed within POTRAZ as the proposed AI regulator and The Innovation Crucible Sandbox under POTRAZ.
The institutional design is detailed on paper.
However, none of it has statutory authority as of yet, because a Strategy approved by Cabinet is not a law.
That last sentence is the one this article is built around.
The six pillars, read closely Most public commentary on the Strategy that I have come across stays at the level of summary.
This analysis goes further; I want to interpret instead. Three questions apply to each pillar: what does it say, what does it require in practice, and what does it leave unanswered?
The first pillar is talent. STEM reorientation begins at primary school, with Presidential AI Scholarships and a “Come Home to Build” diaspora programme .
In practice, this requires teachers who themselves understand what AI is, in a country where teacher shortages have been documented for over a decade. Foundation Building is meant to deliver AI literacy at primary level by the end of 2026, which at the time of writing is roughly seven months away.
The numbers do not yet add up. The second pillar is infrastructure. The Strategy commits Zimbabwe to a Centre for High Performance Computing and Tier IV-standard data centres.
In practice, Tier IV data centres internationally typically run into tens of millions of US dollars to construct, before staffing or power.
The strategy does not publish a capitalisation figure; that is a serious gap and not the kind of gap that policy on its own can close.
The third pillar is adoption across twelve sectors.
Agriculture, mining, healthcare, finance, education, public administration, defence and security, MSMEs, water and environment, tourism, public service and transport.
The ambition is to scale AI applications across all of them in a period of five years.
In practice, single-sector digitisation projects in several better resourced African states have taken longer than that. Twelve sectors in parallel is a sequencing question that the Strategy does not directly engage with.
The fourth pillar is governance. This is the pillar I read most critically, because it is where the law lives – and law is the discipline this analysis draws from. A considerable part of my specialisation at The Hague was spent on precisely these questions: what AI legislation should contain, what pitfalls it must avoid, and how legal systems respond when algorithms begin shaping outcomes that were once reserved for people.
Reading this pillar felt, in more ways than one, like returning to those seminars – except that this time, the document that is under discussion belongs to us.
The Strategy uses Ubuntu as its ethical foundation and it proposes the National AI Council, the AI Strategy Implementation Office, the Innovation Crucible sandbox under POTRAZ, and the NDRC as the proposed regulator. None of these proposed bodies has been formally established by a law that gives it the authority to do what the Strategy says it will do; they exist as proposals within a Cabinet document. The distinction matters immensely, and this article returns to it in full.
The fifth pillar is research and innovation.
The Mugove Fund, joint Innovation labs, the Grand Challenge competition, with a first round focused on food security.
The structure is right. The capitalisation, again, is not visible.
The sixth pillar is international engagement.
The Strategy commits Zimbabwe to participation in UN, AU and SADC AI initiatives.
This is the easiest pillar to deliver because it requires showing up. Whether showing up translates into shaping anything is a separate question entirely.
The drafting process, and a question we should ask ourselves Something specific warrants flagging here.
On 26 April 2026, the South African Minister of Communications and Digital Technologies, Solly Malatsi, withdrew that country’s Draft National Artificial Intelligence Policy after News24 reported that at least six of the document’s sixty-seven academic citations were reportedly AI-generated and pointed to articles that simply did not exist.
The Cabinet had approved that draft on 25 March 2026. It was gazetted on 10 April 2026. The withdrawal happened only three weeks later, after a public comment period had been scheduled to remain open until 10 June 2026. Zimbabwe has an opportunity here that South Africa did not take. Citation integrity is the new continental baseline after the withdrawal of the South African Draft AI Policy. Zimbabwe’s Strategy has not, to public knowledge, published an audited reference list.
Doing so would be low-cost and high-credibility- and would let Zimbabwe lead on transparency rather than catch up on it. A strategy that asks citizens to trust it should be willing to be checked.
A Strategy is not a law This sounds like a basic distinction. It is not and it may well be the most important sentence I write here. Section 117(1) combined with section 116 of the Constitution of Zimbabwe vests the legislative authority of Zimbabwe in the legislature, which consists of Parliament and the President.12 A national Strategy approved by Cabinet creates direction; it does not create binding obligations on private parties.
This means that citizens cannot sue under it, companies cannot be fined under it, and regulators cannot enforce against it.
The Strategy is, in legal terms, an instrument of policy intent.
This matters because most public reception of the Strategy has treated it as if it carries regulatory effect when it does not.
The Strategy proposes the NDRC; it does not establish it. The NDRC occupies the same legal space as the National AI Council and the AI Strategy Implementation Office – named in a Cabinet approved document, with no Act of Parliament behind it.
What is the law on AI in Zimbabwe right now? The Cyber and Data Protection Act [Chapter 12:07],13 enacted on 3 December 2021 and in force from 11 March 2022.
POTRAZ is the designated Data Protection Authority under the Act. Statutory Instrument 155 of 2024 introduced requirements for licensing for data controllers and required organisations to appoint Data Protection Officers by 12 December 2024.14 (For what it’s worth, I have seen the Act cited in several public commentaries as Chapter 11:12. It is not; the chapter is 12:07. Small mistake. Telling pattern.)
When an automated decision affects a Zimbabwean citizen’s rights today – a credit scoring outcome, a recruitment screening, a fraud flag – the recourse is not the Strategy. It is the CDPA. The CDPA is what the Strategy is meant to coexist with and eventually build upon, not what it has replaced.
Furthermore, many organisations operating in Zimbabwe are already exposed under the CDPA’s automated processing provisions and a significant number of them do not know it.
That gap, the gap between what existing law requires and what is actually being practiced, is where AI governance in Zimbabwe is being decided right now. Not in the Strategy; but in the silence around the Act we already have.
What Europe built, and how long it took The European Union’s AI Act warrants careful examination here – not simply as a comparative reference point, but as a timeline that does work that the comparison alone cannot.
The European Commission published its White Paper on Artificial Intelligence in February 2020.15 The formal legislative proposal followed in April 2021.
The European Parliament voted on the text in March of 2024, and the Council approved it in May of the same year.
The regulation was published in the Official Journal on 12 July 2024 as Regulation (EU) 2024/1689 and entered into force on 1 August 2024.
From White Paper to entry into force took roughly four and a half years, with most of the heaviest lifting done in the four years before that.
Even then, application was staged. Prohibited AI practices and AI literacy obligations applied from 2 February 2025. General-purpose AI obligations applied from 2 August 2025.
The bulk of the regulation, including the high-risk AI obligations, will apply from 2 August 2026. Embedded high risk safety system rules apply from 2 August 2027. The maximum penalty is €35 million or 7% of worldwide annual turnover, whichever is higher. The Regulation runs to 113 articles and 180 recitals. That sequence is what I want to draw attention to. Europe did not publish a strategy and call it governance. It built. And before the AI Act, it built the General Data Protection Regulation, which was adopted in 2016 and applied from 25 May 2018.
By the time the AI Act entered into force, the European Union had around six years of operational data protection enforcement to draw from. Fines issued, case law developed, national supervisory authorities trained and tested, and corporate compliance habits gradually formed.
The AI Act sits on top of that foundation. It is not the foundation.
The GDPR itself is instructive on what that foundation actually delivers. Article 22 provides data subjects with the right not to be subjected to decisions based solely on automated processing that produce legal or significant effects. Recital 71 goes further, specifying the right to obtain an explanation of the decision reached and to challenge it.
These protections took years of enforcement, judicial interpretation and regulatory guidance to become operationally meaningful.
Not because drafting was poor, but because law on paper and law in practice are separate by institutional effort.
Operational data protection, not merely written data protection, is what gave the AI Act its foundation. Zimbabwe’s Cyber and Data Protection Act has been in force for approximately 4 years. Statutory Instrument 155 of 2024 only introduced the licensing regime in late 2024.
Publicly visible enforcement actions remain limited. The infrastructure that the AI Act inherits in Europe; the regulators, the case law, the trained data protection officers, the entrenched compliance habits – is, in Zimbabwe, mostly in front of us rather than behind us.
The central observation is this: Europe governed after building. Zimbabwe is governing while building. Both approaches do have their logic.
The simultaneous approach is more ambitious, and it carries higher operational risk precisely because there is no settled enforcement layer to inherit from.
We have to build the foundation and the structure at the same time, and that is harder than the fourand-a-half-year European timeline makes it look.
We should not be embarrassed if our own timeline takes longer. We should however be embarrassed if we pretend it can run shorter.
The risk-based architecture of the AI Act is also worth noting. The Regulation groups puts AI systems into four tiers. Unacceptable, high, limited and minimal; plus, general-purpose AI, with specific obligations attached to each.
Zimbabwe’s Strategy talks about risk-based regulation but it does not yet operationalise those tiers in legislation. That move, when it comes, will be one of the most consequential drafting decisions NDRC’s enabling Act will face. Regarding enforcement mechanisms, Europe has the European AI Office, operational since February 2024, sitting alongside Member State Authorities, the AI Board, the Scientific Panel of independent experts, and the Advisory Forum.
Zimbabwe’s proposed structure mirrors much of this on paper. The difference is that Europe’s structure has statutory authority, dedicated funding and operational independence. Ours does not. Yet.
Where Zimbabwe stands among African peers I am purposefully keeping this section short. The Strategy is a national document and the most useful comparison for understanding it is the European Framework I have outlined above. Three regional observations, however, are worth making.
Zimbabwe is one of a small group of African states with a published national AI Strategy. Egypt, Mauritius, Rwanda, Kenya and Ghana are among the others. South Africa’s Draft National AI Policy was withdrawn as mentioned before and is currently being redrafted. The African Union published its continental AI Strategy in July 2024. Notably, Zimbabwe’s 2025-2026 Foundation phase broadly mirrors the AU’s own initial governance phase, suggesting regional alignment rather than coincidence, providing a continental framework against which national strategies are increasingly being read. Being part of that small group carries real meaning and deserves acknowledgment before any critique. What is genuinely distinctive about Zimbabwe’s Strategy is the Ubuntu-grounded ethics framing, the explicit integration with vision 2030 and Heritage-Based Education 5.0, the named flagship initiatives, and the Innovation Crucible Sandbox concept. What the strategy has borrowed without being explicit about it is the six-pillar structure, which echoes Egypt’s 2021 strategy and the AU Framework; the risk-based language, which is from the EU AI Act, and the regulatory sandbox concept, popularised by the UK Financial Conduct Authority’s 2016 framework.
Borrowing is not wrong, pretending you did not borrow is. The most relevant near-neighbour comparison is South Africa it has a layered accountability framework that is already operational. These include: The Protection of Personal Information Act, which governs the processing of data, including automated decision-making under section 71, which grants data subjects the right not to be subject to decisions taken purely on the basis of automated processing.
The Promotion of Administrative Justice Act, which provides procedural rights – reasons, review and procedural fairness – applicable to any administrative action affecting rights. And the King IV Code on corporate governance, which introduces ethical oversight obligations for boards, including over technology and information under principle 12. Together, these three instruments govern automated decision-making in South Africa today, in the absence of any standalone AI statute.
It is a meaningful reminder that AI accountability does not sit in AI legislation; it sits in the laws that are already in place and how seriously the laws are applied. Zimbabwe has the CDPA. The question, as with South Africa, is whether it is being applied.
What the Strategy gets right Strengths come first, because they are real and because this analysis does not hold up if it reads only as criticism.
The architecture is structurally sound. Six pillars covering capacity, infrastructure, adoption, governance, research and international engagement is, in this reading, the right shape for a national AI document.
The Strategy reflects what the EU built around the AI Act and aligns with what UNESCO recommends in its 2021 Recommendation on the Ethics of Artificial Intelligence.
The Strategy did not have to be this organised. It is. The ethics framing carries international legitimacy.
The explicit reference to the UNESCO Recommendation gives the Strategy a recognised global anchor. The Ubuntu framing is genuinely African and not derivative, even if it remains, at this stage, a values-based frame rather than a set of operational rules. I will come back to that. The political weight is real. A document launched by the Head of State at the New Parliament Building, with a UN representative present, signals state-level commitment in a way that ministry level launches do not. That matters for inter-ministerial coordination, for budget allocation conversations and for international engagement.
The flagship initiatives are very specific, which counts for more than it might seem. The NDRC, Project Pangolin, Nzwisiso.ai, the Innovation Crucible, the Mugove Fund.
Specificity is what separates strategies that deliver from strategies that drift. I have read a few African Strategy documents that name nothing concrete. This one, names five things. That is an advance.
The consultation was relatively open: three regional consultations in the country’s three largest cities.
That said, the public record is unclear how representative those consultations were beyond urban stakeholders, nor whether communities likely to be directly affected by automated decision-making were substantively included.
Published methodology. UNESCO involvement.
This is more public engagement than most comparable strategies have produced, and it is one of the things that gives the document its credibility.
What I would challenge The weaknesses are also real, and they are mostly architectural rather than aspirational. What follows is the order in which I would brief a minister.
There is no published reference list. After South Africa, this is no longer optional. Publishing the references and naming the verification methodology behind them is the highest leverage transparency move available.
It costs almost nothing and it offers reputational protection that no amount of policy language can substitute for.
The proposed NDRC has no enabling legislation.
A regulator without a statute simply cannot regulate.
Policymakers governing AI do not need to know how to build an AI system from scratch; just as a lawmaker does not need to know how to build a car in order to regulate road safety.
What they do need is the legal framework to identify risk, assign accountability and create enforceable exposure. Without that legislative foundation, the NDRC remains a name in a document rather than an institution with authority.
A draft AI Act should be introduced to Parliament within twelve to eighteen months. That is the move that converts this Strategy from policy intent to binding reality.
There is no implementation budget. The five flagship initiatives are commitments without numbers.
In a fiscal environment defined by currency instability and unresolved external debt arrears, a costed implementation plan is not an academic exercise.
It is the difference between credible delivery and credible sounding promises.
There is no gap analysis between the Strategy and the CDPA. This is, in my view, the single most important missing document. Many organisations operating in Zimbabwe right now are already exposed under the CDPA when they deploy automated decision-making systems, and many of them do not know it.
A joint Ministry of ICT-POTRAZ gap analysis showing what existing law already requires and what AI-specific legislation will need to add would do more for organisational compliance than another year of strategy commentary.
The Innovation Crucible raises a regulatory concentration question. The sandbox is housed under POTRAZ. POTRAZ is already the telecommunications regulator and the Data Protection Authority.
Adding a regulatory sandbox to that mandate risks creating exactly the “super-regulator” structure that civil society organisations, including MISA Zimbabwe, raised concerns about during the CDPA process in 2021.
Either AI oversight warrants a dedicated function, or POTRAZ should formally establish sub-units with distinct mandates and ringfenced budgets.
There is no public delivery dashboard. Foundation Building 2025-2026 is, as I write, more than half over.
The public has no structured way to know what has been delivered against the phase 1 milestones.
A quarterly dashboard, even a simple one, would convert the strategy from a document people heard about once into a document people can hold the government to.
The “Come Home to Build” programme is not operationally visible — and this one is personal. The Zimbabweans who trained in jurisdictions where AI law has been litigated for years – Hague-trained lawyers, Bradford and Edinburgh and Cape Town graduates, mostly in their mid to late twenties – are not visibly contributing to this project.
I am one of them. I am home. I’m not the only one. The government does not have to look far.
It has to look at us. A harder question about Ubuntu The Strategy is rooted in Ubuntu, and that deserves to be taken seriously rather than dismissed as branding. Ubuntu – “I am because we are” – implies relational personhood, communal accountability, restorative justice, and dignity as a foundational rather than procedural value.
As an ethical framework for an AI Strategy, it is genuinely African and it is not derivative.
The harder question, the one the Strategy does not yet answer, is what Ubuntu actually requires when an algorithm makes a decision that affects an individual.
Imagine a credit-scoring model denies someone a loan in Bulawayo. Imagine a recruitment screening tool filters a candidate out without telling her why. Imagine an AI-influenced fraud flag freezes a small business’s account. What is the Ubuntu remedy?
Is it a right to an explanation? Is it a right to human review?
Is it community participation in algorithmic design?
Or is it all three?
The Strategy treats Ubuntu as a values frame; it does not yet operationalise Ubuntu into specific procedural rights; and that gap is where original African legal scholarship has real work to do. GDPR Article 22 grants data subjects the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.
Recital 71 goes further, specifying the right to obtain an explanation of the decision and to challenge it.
Even so, these provisions have been criticised for their limited scope and uneven application across Member States. POPIA section 71 extends similar protection in South Africa but has itself drawn criticism from South African scholars for failing to provide a clear statutory right of notification when automated decisions are made.
Zimbabwe could potentially go further than both. Not by importing GDPR Article 22 or the EU AI Act wholesale, and not by adopting POPIA section 71 with its known limitations. Instead, Zimbabwe could draft procedural rights grounded in its own ethical tradition; a statutory right to explanation, a statutory right to human review, framed not in the language of European data protection law, but in the language of Ubuntu and relational accountability. That is more difficult than copying. It is also, if done well, the kind of provision that gets cited internationally rather than imported domestically.
What I think is realistic by 2030 The Strategy ends in 2030.
It is worth asking honestly what can be expected to be delivered by then. I think the following is realistic. Pilot success in two or three priority sectors, most likely agriculture, financial services and healthcare, where existing infrastructure and demand are strongest. Establishment of the National AI Council and the AI Strategy Implementation Office as functioning bodies, even if modest in size. Introduction of legislation establishing the NDRC in Parliament within the next twelve to eighteen months.
The Innovation Crucible sandbox operational under POTRAZ within the Foundation Building phase.
A diaspora engagement programme launched in some form. Initial AI literacy programmes in selected secondary schools in urban areas. What is aspirational with high operational risk, is more or less everything else as currently scheduled.
AI literacy at primary school level by the end of Foundation Building 2026, Tier IV data centres without published capitalisation, twelve-sector parallel adoption in five years.
A 60 per cent adult AI literacy rate by 2030 through the Nzwisiso.ai campaign, and full NDRC operationalisation by 2030 with a settled enforcement record. These are not exactly impossible. They are unlikely on the current schedule and the current resource base.
Partial execution is plausible and worth respecting. Full execution by 2030 across twelve sectors and six pillars is operationally optimistic. The honest version of the conversation is whether the Government and the public can agree on what “implementation” means before it gets measured; or whether, without that agreement, the Strategy risks becoming conference material rather than governance.
What I would recommend This article does not end as a critique. It ends as a set of proposals. If anyone asked, here is what should happen next.
Publish the Strategy’s reference list and the verification methodology behind it. After South Africa, this is the most credibility-protective step available, and it costs nothing.
Introduce the NDRC Bill to Parliament within twelve months. Without enabling legislation, the NDRC remains an aspiration.
With it, the NDRC becomes a regulator capable of acting. This is the move that converts a Strategy from policy intent to enforceable reality.
Publish a joint Ministry of ICT – POTRAZ gap analysis between the CDPA and the AI Strategy. Make explicit what existing law already requires and what AI- specific legislation will need to add.
This single document would do more for organisational compliance in Zimbabwe than another year of strategy commentary.
Build a quarterly delivery dashboard tracking progress against Phase 1 milestones.
Phase 1 is more than half over. The public has no visibility on what has been delivered. A dashboard, even a simple one, converts strategy into accountability.
Prioritise legal literacy as a foundational capacity. Policymakers governing AI do not need to know how to build AI systems from scratch – just as legislators do not need to know how to build a car to regulate road safety.
But they do need sufficient understanding to identify risk, assign accountability and recognise legal exposure.
We are building engineers when we should be building lawyers, judges, magistrates and compliance officers capable of applying existing law to AI-influenced decisions before any new statute is in force.
Application is already happening. The training has not caught up.
Open a structured public consultation channel for Zimbabweans aged eighteen to thirty five who studied this discipline or anything similar abroad.
Not as a tokenistic gesture but as a substantive contribution channel. Many of us have done this work in classrooms where AI has been argued in court for years.
We have something useful to offer. Many of us are already home. The pipeline is there. It just has not been opened.
Draft a Zimbabwean automated-decision provision that improves on the regional standard.
Build in a statutory right of notification when an automated decision has been made and a statutory right to a meaningful explanation.
Both are absent or weak in regional comparators.
This is one of the places where Zimbabwe could lead by drafting more carefully than it borrows.
What this moment is Zimbabwe has done something significant. It has also, so far, done what is easier – published a document.
The harder work is implementation, legislation, and the institutional readiness that converts strategy into a system.
I do not write this from outside the country. I write this from Harare, from a desk where I read the CDPA next to the EU AI Act and notice the gaps in both, and where I have spent enough hours with both texts to know that strategies do not enforce themselves. People do. Statutes do. Regulators with funding and independence do. None of those exist yet for AI in Zimbabwe. All of them need to. The next eighteen months will be more telling than the past five years. Either Zimbabwe will demonstrate that strategy can become substance, or it will demonstrate that documents alone do not govern. I have a view on which way this goes, but it is more useful to be constructive than predictive.
The contribution of those of us who have trained for this is on the table, if it is wanted.
Zimbabwe has done the easier half. The harder half has not yet been done.
And that is not a failure. It is a moment.
Tashinga Ruwa Lauryn Magaya, a Zimbabwean law graduate with a specialisation in legal technology and artificial intelligence. She holds an LLB and Diploma in International and European Law from The Hague University of Applied Sciences and is a Full Member of the Law Society of African AI Professionals. She writes from Harare.