Assessing AI Driven Cybersecurity and the Transformation of State Power

CONTENTS

CHAPTER 1 INTRODUCTION
1.1 Backgroundto theStudy
1.2 Problem Statement
1.3 Research Aim
1.4 Research Questions
1.5 Significance of the Study
1.6 Scope and Delimitation
1.9 Structure of the Dissertation

CHAPTER 2: LITERATURE REVIEW
2.1 Global, Continental, and National Al/Data Governance
2.2 Theoretical Frameworks
2.3 Zambia-Specific Literature: Law, Policy, Institutions, and Evidence
2.4 Knowledge Gaps in the Existing Zambia-Specific Literature
2.5 Implications for the Present Study

CHAPTER 3: METHODOLOGY
3.1 Philosophical Paradigm
3.2 Research Design
3.3 Mixed MethodsApproach
3.4 Population and Sampling
3.5 Data Collection
3.6 Data Collection Procedures
3.7 Data Analysis Techniques
3.8 Validity and Reliability
3.9 Ethical Considerations

CHAPTER 4: PRESENTATION OF FINDINGS
4.1 Overview of the Dataset and Analytical Strategy
4.2 Quantitative Findings
4.3 Qualitative Findings
4.4 Organisational Indicator Results
4.5 Integrated Mixed Methods Analysis
4.6 Summary of Findings and Integrated Interpretation (Section B)
4.7 Joint DisplayTables
4.8 Causal Pathway Models
4.9 ImplicationsforGovernanceand Institutional Reform
4.10 Bridging to Chapter 5: Theoretical and Normative Implications

CHAPTER 5: DISCUSSION OF FINDINGS
5.1 Interpreting the Convergence of Quantitative and Qualitative Findings
5.2 Integrating Findings with the Conceptual Framework
5.3 State Power and Algorithmic Governance
5.4 Judicial Independence and Epistemic Parity inanAI Driven Governance Environment
5.5 Electoral Integrity in a Socio-Technical System
5.6 Democratic Legitimacy in the Age of AI
5.7 Why Genderand Intersectionality MatterforAI-Centred Cybersecurityand Elections
5.8 Why Capacity and Documentation Are the Hinge of AI Governance
5.9 Why Coordination NotJust Capacit- Decides Outcomes
5.10 Why Africa's Digital Governance Arc Matters Beyond Any Single Country

CHAPTER 6: CONCLUSIONSAND RECOMMENDATIONS
6.1 Overall Conclusion
6.2 Strategic Recommendations
6.3 Implementation Roadmap
6.4 Monitoring and Evaluation (M&E) Framework
6.5 RiskAssessment and Mitigation
6.6 Capacity Building Plan
6.7 Policy Embedding and Governance
6.8 Areas for Further Research

REFERENCES

APPENDICES

Appendix A: Interview Guide (KII)

Appendix B: Focus Group Discussion Guide

Appendix C: Survey Questionnaire

Appendix D: Coding Framework

Appendix E: Reliability Matrix

Appendix F: Participant Information Sheet

Appendix G: Informed Consent Form

Appendix H: Institutional Permission Letter

Appendix I: Sampling Frame & Participant Matrix

Appendix J: Document Review Checklist

Appendix K: Governance Maturity Rubric

Appendix L: Data Analysis Protocol

BIOGRAPHYOFAUTHOR

LIST OF ABBREVIATIONS

Abb. in Leseprobe nicht enthalten

GLOSSARY OF KEY TERMS

Abb. in Leseprobe nicht enthalten

ACKNOWLEDGEMENTS

I am deeply grateful to everyone who has supported, guided, and encouraged me throughout the journey of completing this dissertation. This work would not have been possible without the contributions, patience, and belief of many individuals and institutions.

First and foremost, I extend my heartfelt appreciation to my supervisors, whose intellectual guidance, constructive critique, and unwavering support shaped the direction and quality of this research. Their commitment to academic excellence and mentorship has left a lasting impact on my scholarly growth.

I wish to acknowledge the invaluable assistance of the institutions and officials who generously shared their time, insights, and expertise during interviews, focus group discussions, and document reviews. Their openness and willingness to engage made it possible to explore complex questions with clarity and depth.

To my colleagues and peers, thank you for your encouragement, thoughtful discussions, and camaraderie throughout this process. Your feedback and motivation sustained me during the most demanding phases of this work.

My sincere gratitude goes to my friends and family for their unconditional love, understanding, and patience. Your belief in me provided the emotional strength needed to persevere. To my parents, whose sacrifices laid the foundation of my educationaljourney, I owe a debt of gratitude that words can never fully express.

Lastly, I am profoundly thankful to God for granting me health, resilience, and clarity of mind throughout this academic pursuit. This dissertation stands as a testament to divine grace and the collective support of all who walked with me.

Thankyou.

ABSTRACT

The rapid expansion of artificial intelligence (Al) within national cybersecurity systems is reshaping the foundations of state power globally, with significant implications for governance, democratic institutions, and public accountability. In Zambia, the accelerating adoption of AI-driven cybersecurity tools ranging from predictive threat-detection systems to automated surveillance architectures coincides with the country's broader transition toward e-governance. This transformation presents both opportunities and risks: while Al enhances digital security and administrative efficiency, it also reconfigures power relations between branches of government, potentially strengthening executive dominance within the state apparatus. This thesis assesses how AI-driven cybersecurity is transforming state power in Zambia and evaluates the consequences for judicial independence, measures the integrity of electoral processes in an increasingly digital political landscape, and analyses the broader implications for democratic legitimacy in the e-governance era.

The research begins by establishing the conceptual foundations of AI-driven cybersecurity and its role in contemporary statecraft. Drawing from literature in digital governance, computational security, and political theory, the study situates Al as a dual-use technology: simultaneously enhancing national protection capacities while expanding the state's ability to monitor, predict, classify, and respond to citizen activity. In many contexts, such systems have reinforced centralised authority, enabling executives to justify expanded surveillance prerogatives under the banner of national security. This thesis interrogates whether similar dynamics are emerging within Zambia as government systems integrate machine-learning-based threat models, biometric authentication platforms, and automated risk-evaluation mechanisms within publicsectordigital infrastructures.

To explore these dynamics empirically, the thesis adopts a mixed-methods research design integrating quantitative, qualitative, and policy-analytic techniques. Quantitatively, the study measures electoral integrity by compiling data on digital

voter registration, biometric verification, cybersecurity incidents affecting electoral technologies, misinformation trends, and procedural safeguards employed by the Electoral Commission of Zambia (ECZ). Indicators are benchmarked against regional and international standards to produce a comparative assessment of technological resilience and vulnerability. Qualitatively, the research incorporates interviews with legal experts, civil society actors, cybersecurity professionals, and scholars of governance. These inform grounded interpretations of institutional behaviour, judicial decision-making, executive practice, and citizen perceptions of digital governance. Policy documents, legislation, and national cybersecurity frameworks are subjected to a structured content analysis to trace how AI-driven technologies are framed, justified, regulated, and deployed by state institutions.

The first major analytical strand assesses how AI-driven cybersecurity alters the internal distribution of state power. Findings indicate that Zambia's adoption of AI-enabled surveillance and threat-monitoring tools particularly within policing, border control, and public-sector digital service platforms has strengthened executive agencies relative to the judiciary and legislature. AI systems enable the accumulation of high-resolution behavioural data, rapid classification of perceived risks, and real-time monitoring capacities that only a centralised authority can coordinate. While these technologies improve national security and reduce cybercrime exposure, they also create information asymmetries that consolidate executive control over digital infrastructures. The study reveals that the state's increasing reliance on algorithmic decision-support tools has introduced opaque zones of authority in which machine-generated outputs influence or even constrain policy choices, yet remain beyond effective legislative scrutiny orjudicial review.

The second analytical strand evaluates the resulting implications for judicial independence. Courts have historically served as guardians of constitutional order, checking executive overreach and protecting civil liberties. However, when cybersecurity decisions are driven by predictive algorithms, automated threat scores, and proprietary AI systems, judicial oversight becomes more complex. Interviews with legal practitioners highlight concerns about thejudiciary's limited technical capacity to interrogate algorithmic evidence, metadata trails, and automated surveillance outputs submitted during litigation. Additionally, the expansion of national security exemptions and the classification of Al-related technologies restrict the judiciary's ability to review certain executive actions. The analysis demonstrates that although Zambia's judiciary maintains formal independence, its practical autonomy is increasingly constrained by an evolving technological environment in which key cybersecurity decisions are executed and rationalised through systems not fully accessibletojudicial scrutiny.

The third strand measures electoral integrity within this shifting technological landscape. The transition toward digital voter registration, biometric systems, and online information flows introduces both strengthening and destabilising forces. On the one hand, biometrics reduce duplicate registrations and increase verification accuracy; on the other, cyber vulnerabilities, digital misinformation, and risks associated with third-party data processors create new threats to the electoral process. The quantitative assessment reveals that election-related cybersecurity incidents although not always publicly reported pose material risks to the availability, confidentiality, and integrity of electoral systems. At the same time, the increased reliance on automated identity-verification tools create a technical dependence that may exceed the ECZ's capacity to independently manage and audit system performance. The study further documents how algorithmic misinformation amplification on social media platforms complicates electoral accountability by shaping public opinion through opaque digital mechanisms. These findings highlight the need for robust digital-forensics capacity, transparent auditing standards for biometrictechnologies,and independent certification ofelectoral ICT systems.

The fourth strand analyses the broader implications for democratic legitimacy. Democratic legitimacy rests on the perceived fairness, transparency, and accountability of public institutions. As state power becomes increasingly entwined with Al-driven cybersecurity technologies, citizen perceptions of state authority shift. Survey and interview data indicate that while Zambians broadly support digital security enhancements, they harbour concerns about surveillance expansion, potential misuse of data, and the opacity of AI-enabled decision-making. These concerns are particularly salient in contexts of electoral contestation, judicial appointments, and executive decision-making. The thesis argues that democratic legitimacy hinges on the ability of institutions to demonstrate that AI-driven cybersecurity tools are applied lawfully, proportionately, and transparently, with credible safeguards to prevent political manipulation. Without such assurances, even well-intentioned security measures may undermine public trust in democratic governance.

The thesis makes several contributions to scholarship and policy. Conceptually, it advances an integrated framework for understanding how AI-driven cybersecurity reshapes state power and democratic institutions in emerging e-governance contexts. Methodologically, it demonstrates the value of combining quantitative metrics of electoral integrity with qualitative assessments of institutional autonomy and policy evolution. Empirically, it provides one of the first systematic analyses of Zambia's AI-enabled cybersecurity trajectory and its democratic implications. Practically, the research offers recommendations for policymakers, including the need for strengthened judicial technical capacity, enhanced regulatory oversight of AI systems, transparent procurement and auditing frameworks, improved data-protection safeguards, and digital-literacy strategies aimed at mitigating misinformation risks.

Overall, the thesis concludes that AI-driven cybersecurity is neither inherently democratising nor authoritarian. Its impact depends on the institutional environments, power relations, legal safeguards, and accountability mechanisms within which it is embedded. In Zambia, AI has the potential to reinforce democratic governance by strengthening digital security and enhancing service delivery, but it also risks entrenching executive dominance and eroding judicial and electoral autonomy if not properly regulated. The study therefore underscores the importance of a balanced, rights-based approach to AI governance that protects national security while preserving democratic checks and balances. By assessing state power, evaluating judicial independence, measuring electoral integrity, and analysing democratic legitimacy, this thesis demonstrates that the future of Zambia's e-governance era will depend on how effectively the nation manages the complex interplay between technological innovation and constitutional order.

CHAPTER 1: INTRODUCTION

1.1 Background ofthe Study

The global evolution of artificial intelligence (Al) has significantly transformed cybersecurity architectures, reshaping how governments protect digital infrastructure, data ecosystems, national security, and civic processes. Across emerging economies, Al-enabled cybersecurity systems have become vital to managing complex digital threats, increasing risk-detection capacity, and enabling governments to maintain secure e-governance environments. Zambia is among the African countries navigating this technological transition, seeking to integrate Al solutions into governance systems while balancing broader socioeconomic and political implications. The country's recent policy initiatives indicate a growing recognition of Al's potential to shape national development, strengthen public administration, and improve service delivery, particularly through its forthcoming National Al Strategy for 2024-2026, which outlines a framework for responsible and ethical Al deployment in public institutions.

Zambia's movement into Al-driven governance reflects global trends in digital transformation. This shift is part of a broader e-government agenda aimed at improving efficiency, modernizing state operations, and promoting inclusive development. The Electronic Government Act underscores the country's ambition to enhance service delivery through integrated digital processes, improved information-sharing protocols, and innovative technological design. lt emphasizes citizen-centred service delivery, streamlined public-sector processes, and prudent data management principles that form the backbone of e-governance in Zambia. As the state expands its digital ecosystem, Al-driven cybersecurity capabilities are increasingly seen as essential tools for protecting public systems from cyber threats, safeguarding national digital resources, and ensuring the integrity of digital public services.

At the centre of Zambia's digital transformation is the acknowledgement that e-governance cannot thrive without a secure and resilient cybersecurity framework.

The promulgation of the Cyber Security Act No. 3 of 2025 represents a major step toward centralizing cybersecurity governance under the Zambia Cyber Security Agency (ZCSA). The Act seeks to strengthen national cybersecurity coordination, ensure oversight of digital infrastructure, and regulate the licensing of cybersecurity service providers. The legislation also mandates cyber audits, establishes protocols for protecting Critical Information Infrastructure (Cll), and outlines mechanisms for early-warning systems and sector-wide incident response capabilities. These institutional arrangements are designed to enhance national cyber readiness and ensure that the country can respond effectively to the increasing sophistication of digital threats.

However, the integration of Al-driven cybersecurity systems into state institutions is not without controversy. Emerging critiques point to the political implications of centralizing cybersecurity powers under the Office of the President. Analysts argue that Zambia's cybersecurity laws risk reinforcing executive dominance, particularly through broad interception powers, ambiguous oversight mechanisms, and discretionary authority granted to the ZCSA. These criticisms emphasize concerns that algorithmic and Al-enabled surveillance could expand state monitoring capacities without adequate judicial authorization or transparency safeguards. Scholars and human-rights observers warn that such powers may erode constitutional protections, including privacy rights, freedom of expression, and due-process guarantees, if not regulated within robust democratic oversight frameworks.

These debates are part of a broader tension between cybersecurity imperatives and democratic governance. Zambia's experience reflects similar global dilemmas in which Al-driven cybersecurity enhances state capacity but simultaneously risks empowering governments to regulate digital expression, monitor citizen behaviour, and control political narratives. Recent analysis published in the Journal of Democracy highlights how Zambia's cyber laws have been framed as reforms yet ultimately contribute to tightening state control over dissent and civic space. This points to the dual nature of AI-driven cybersecurity: it is both a technological necessity and a potential instrument of political power.

Zambia's adoption of AI technologies is also shaped by international influences. The government endorsed the 2024 United Nations resolution on AI, which urged member states to avoid AI systems that contravene international human-rights law. Zambia's AI strategy similarly aligns with global ethical frameworks such as UNESCO's AI Ethics Recommendations, the African Union's AI Strategy, and the OECD AI Principles, all of which stress fairness, transparency, and accountability in AI deployment. These external commitments underscore Zambia's ambition to position itself as a responsible AI-adopting nation, even as domestic implementation remains complex and contested.

AI-enabled cybersecurity is particularly consequential for democratic institutions, especially the judiciary and electoral system. Judicial independence, a cornerstone of democratic governance, may be challenged when cybersecurity decisions involve opaque algorithmic systems beyond the court's technical capacity to evaluate. Emerging concerns about limited judicial oversight over encrypted digital evidence, automated surveillance outputs, and classified cybersecurity operations raise questions about the ability of thejudiciary to provide effective checks and balances. As algorithmic decision-making increases, courts may struggle to maintain authority over matters involving technical expertise, thereby subtly shifting institutional power dynamics within the state.

Electoral integrity is also increasingly dependent on secure digital infrastructure. Zambia's move toward biometric voter registration, digital identity verification, and AI-assisted monitoring of cyber threats introduces new vulnerabilities and dependencies. While these digital tools are intended to strengthen electoral credibility, they also expose elections to risks such as data breaches, system manipulation, and algorithmic misinformation. The cybersecurity framework's capacity to safeguard digital electoral systems depends heavily on transparency, auditing standards, and independent oversight in areas where Zambia's regulatory landscape remains uneven.

In addition to institutional implications, AI-driven cybersecurity affects democratic legitimacy. Citizens' perceptions of transparency, fairness, and state accountability shape trust in democratic systems. Where digital governance is implemented without clear safeguards against surveillance, data misuse, or political interference, public confidence may decline. Evidence suggests that the consolidation of cyber powers within the executive can negatively influence perceptions of democratic integrity, particularly when accompanied by shrinking civic space or increased suppression of dissent. These dynamics underscore the importance of evaluating whether Zambia's AI-driven cybersecurity trajectory strengthens or undermines democratic legitimacy in an evolving political environment. Furthermore, Zambia's AI strategy outlines a broader development ambition that situates AI as an enabler of economic transformation, human-capital growth, and national innovation. Its six strategic pillars include regulation, human-capital development, data ecosystems, AI research, public-sector deployment, and industry applications. These initiatives are designed to position Zambia as an emerging hub for responsible and transformative AI adoption. This national agenda provides the context within which cybersecurity reforms must be analysed, as AI's integration across public systems inevitably expands the scope of cybersecurity governance.

Overall, the background to this study situates Zambia within a global moment of technological transformation, where AI-driven cybersecurity plays a central role in shaping state power, institutional relationships, and democratic trajectories. As Zambia enters the e-governance era, examining the intersection between AI, cybersecurity, and democratic institutions is crucial for understanding how technology reconfigures governance structures and power distributions. This study therefore analyses AI-driven cybersecurity not only as a technical system but as a political force with profound implications forjudicial independence, electoral integrity, and democratic legitimacy in Zambia.

1.2 Problem Statement

Zambia's transition toward an Al-enabled e-governance ecosystem is unfolding at a moment of profound institutional and political transformation. While Al-driven cybersecurity promises enhanced national protection, improved digital service delivery, and strengthened early-warning mechanisms, it simultaneously introduces complex challenges for constitutionalism, civil liberties, and democratic accountability. The central problem underpinning this study is that Zambia's rapid adoption of Al-driven cybersecurity systems has outpaced the development of adequate institutional safeguards, legal oversight mechanisms, and democratic controls, raising critical questions about the implications of these technologies for judicial independence, electoral integrity, and overall democratic legitimacy.

The state's accelerated integration of Al-driven cybersecurity has been facilitated through new legislation, particularly the Cyber Security Act No. 3 of 2025, which centralizes key cybersecurity powers under the Zambia Cyber Security Agency (ZCSA) housed in the Office of the President. This institutional arrangement concentrates significant authority within the executive, granting it power to license cybersecurity service providers, oversee national cyber-defence coordination, and conduct mandatory cyber audits across critical information infrastructures. While centralization can enhance efficiency and coherence in national cyber operations, it also creates structural risks by limiting independent oversight, blurring institutional mandates, and enabling executive dominance in an area increasingly tied to national political processes.

A major dimension of the problem lies in the broad interception and surveillance powers embedded within Zambia's cyber legislation. The Cyber Security Act empowers state authorities to intercept communications in real time and compel compliance from digital service providers including powers that lack robust independent supervisory mechanisms. This technological and legal architecture raises concerns about potential violations of constitutional protections such as privacy, freedom of expression, and due process rights. Analysts argue that these provisions may conflict directly with the Bill of Rights, which safeguards citizens' privacy of communications under Article 32. The tension between cybersecurity imperatives and constitutional safeguards forms a core component of the problem this study seeks to address.

Compounding these challenges is the lack of transparent judicial oversight over AI-driven cybersecurity systems. Zambia's judiciary, while constitutionally independent, faces technical and procedural limitations when dealing with algorithmic evidence, encrypted data trails, and automated threat-detection outputs. Judicial officers may not have sufficient technological expertise to interrogate machine-generated decisions, especially when underlying AI models remain proprietary, classified, or opaque. This introduces a structural imbalance in which the executive through ZCSA gains disproportionate informational advantage over the judiciary. This imbalance undermines the ability of courts to perform their constitutional role as a check on executive power, particularly in matters touching on digital rights, surveillance, and computational security measures.

Electoral integrity represents another major area of concern. Zambia's electoral processes are increasingly reliant on digital technologies such as biometric voter registration, electronic verification systems, and online political communication platforms. While these tools are intended to reduce fraud and improve efficiency, they introduce new vulnerabilities, including exposure to cyberattacks, algorithmic manipulation, and data-integrity risks. The Cyber Security Act's centralization of cybersecurity oversight may compromise the Electoral Commission of Zambia's (ECZ) institutional autonomy, especially given that cybersecurity incidents affecting electoral infrastructure fall under the purview of ZCSA. This structural dependency creates potential weaknesses in election management, including delayed reporting of cyber incidents, limited transparency in the auditing of electoral technologies, and over-reliance on executive agencies for digital protection.

Further complicating the problem is the emergence of digital-era political repression under the guise of cybersecurity reform. Although the current administration initially positioned itself as a champion of democratic renewal, scholars argue that Zambia's cyber laws have effectively rebranded older patterns of repression. According to democratic governance analyses, the state increasingly relies on legal and institutional instruments notably cyber legislation to silence dissent, regulate online speech, and restrict civic participation. These developments undermine public trust in democratic processes and contribute to perceptions that AI-enabled governance may serve political interests ratherthan public welfare.

Additionally, Zambia's AI adoption is occurring within a fragmented governance environment. While the country has completed its National AI Strategy (2024-2026), the strategy itself has not yet been fully operationalized, and the legal environment remains uneven. Zambia has no dedicated AI law, and its regulatory landscape is shaped by scattered provisions across data protection, cybersecurity, and e-government statutes. Although the AI Strategy emphasizes ethical deployment, data governance, and alignment with international frameworks such as UNESCO's AI Ethics Recommendations and the AU AI Strategy, these commitments are aspirational without corresponding institutional enforcement mechanisms. The gap between policy ambition and legislative reality further complicates the adoption of AI-driven cybersecurity, exacerbating risks associated with opaque decision-making and insufficient accountability.

Moreover, Zambia's rapid digitization increases the volume and sensitivity of data held by state institutions, raising questions about the adequacy of data-protection safeguards. The Electronic Government Act underscores the need for prudent use of public resources, protection of information, and collaboration across public bodies. Yet the concentration of digital power within executive-linked cybersecurity agencies increases the risk of data misuse, unauthorized surveillance, and politically motivated information control. These risks are amplified by the absence of a multi-stakeholder oversight framework involving civil society, academia, and independent regulatory bodies gives an oversight model recommended by cybersecurity scholars.

A further dimension of the problem concerns democratic legitimacy. Citizens' trust in public institutions hinges on perceptions of fairness, transparency, and accountability. However, the opacity of Al-driven decision-making, combined with broad state surveillance capacities, threatens to erode confidence in governance systems. Harsh enforcement of cyber laws, shrinking civic space, and political centralization of digital powers diminish public belief in the state's commitment to democratic norms. Without robust safeguards, the integration of Al in cybersecurity risks reinforcing authoritarian tendencies and undermining Zambia's democratic trajectory.

Together, these issues demonstrate that Zambia's Al-driven cybersecurity ecosystem though technologically beneficial poses significant risks to institutional autonomy, constitutional rights, and democratic governance. The central problem, therefore, is that the transformative impact of Al-driven cybersecurity on state power has not been adequately assessed, evaluated, measured, or analysed within Zambia's evolving e-governance context. This thesis addresses this gap by critically examining how Al-enabled cybersecurity reshapes power relations, affects judicial independence, influences electoral integrity, and frames democratic legitimacy in contemporary Zambia.

1.3 ResearchAim

The overarching aim of this research is to critically examine how the integration of artificial intelligence-driven cybersecurity systems is transforming the configuration of state power in Zambia and reshaping the functioning of key democratic institutions. At the heart of this inquiry lies an effort to understand the ways in which technological innovation intersects with governance, institutional autonomy, and democratic accountability at a time when states worldwide are expanding their digital infrastructures. ln Zambia, the rapid adoption of Al-based cybersecurity mechanisms form part of a broader national transition toward e-governance, yet this technological evolution is unfolding in a complex socio-political environment marked by constitutional reform, shifting political expectations, and ongoing debates about the balance between security imperatives and democratic freedoms. This research therefore aims to provide a systematic, multi-dimensional analysis of how Al-driven cybersecurity affects judicial independence, electoral integrity, and democratic legitimacywithin Zambia's evolving governance landscape.

The central purpose of this study is to evaluate not only the technological significance of Al-enabled cybersecurity but also its institutional, political, and democratic consequences. While Al systems are often presented as neutral tools designed to enhance efficiency, accuracy, and predictive capabilities, their deployment within state security architectures necessarily reconfigures institutional relationships and influences power dynamics. For this reason, the research aims to interrogate the deeper structural effects of cybersecurity technologies on the separation of powers, accountability mechanisms, and the democratic character of the state. By focusing on Zambia, a country that is both advancing its digital transformation agenda and grappling with longstanding challenges of democratic consolidation, this thesis seeks to illuminate the broader implications of Al-driven cybersecurity for emerging democracies in Africa and comparable regions.

One of the primaries aims of this research is to analyse how Al-enabled cybersecurity governance reshapes the autonomy and functioning of the judiciary. The judiciary plays a fundamental role in safeguarding constitutional rights, adjudicating disputes, and providing a vital check on executive authority. However, the increasing use of automated surveillance systems, algorithmic decision-support tools, and data-driven threat detection processes introduces new technical and procedural challenges that may impede judicial oversight. This study therefore aims to assess whether, and in what ways, Al-driven cybersecurity systems diminish judicial independence either by reducing access to crucial information, by increasing executive control over technical infrastructures, or by introducing opaque algorithmic processes that courts are ill-equipped to evaluate. The aim is not merely to identify these tensions, but to understand their broader implications for the rule of law in an Al-intensive governance context.

A second major aim ofthe research is to examine the impact of Al-driven cybersecurity systems on Zambia's electoral integrity. Elections constitute a central pillar of democratic legitimacy, and technological innovation can both strengthen and weaken electoral processes. Al-enhanced cybersecurity tools may improve the protection of digital voter registers, safeguard electoral technologies, and mitigate cyber threats; however, they may also create new risks related to data privacy, algorithmic manipulation, voter surveillance, or unequal access to digital protections. This study aims to systematically assess these potential effects by examining technological vulnerabilities, institutional dependencies, and emerging threats that arise as Zambia incorporates digital systems into electoral management. The analysis will explore how Al-driven cybersecurity influences public trust in elections, the autonomy of the Electoral Commission, and the overall perception of electoral fairness.

Another essential aim of this study is to evaluate the extent to which Al-driven cybersecurity affects the legitimacy of Zambia's democratic institutions. Democratic legitimacy is grounded in public perceptions of accountability, transparency, and the fairness of state processes. As Al-enabled security architectures expand surveillance capabilities, automate risk assessment, and mediate interactions between the state and its citizens, they may alter the foundations of institutional trust. Thus, this research seeks to explore how citizens perceive the state's increasing reliance on Al-driven cybersecurity, how this reliance affects their trust in institutions, and whether Al-related governance reforms enhance or undermine Zambia's democratic trajectory. The aim is to illuminate how technological modernisation interacts with broader democratic values such as participation, fairness, and public accountability.

This research also aims to bridge the gap between technological analysis and political theory. While public debates about Al often centre on efficiency, innovation, and opportunity, the deeper political implications of Al-enabled cybersecurity particularly in the context of emerging democracies remain underexamined. By situating Zambia's experience within wider theoretical frameworks relating to state power, digital governance, and democratic institutions, this study seeks to contribute to academic discourse by offering new conceptual insights into the relationship between Al technologies and political authority. The aim is to highlight how Al-driven cybersecurity not only responds to external threats but also reinforces, transforms, or challenges the internal distribution of state power.

Another objective embedded within the overarching research aim is to provide an evidence-based foundation for policymaking in Zambia. As the government expands its digital transformation agenda, there is a pressing need for empirical research that identifies the risks, opportunities, and institutional consequences of Al-driven cybersecurity. This thesis aims to generate findings that can inform the design of legal frameworks, institutional reforms, and oversight mechanisms that balance the imperatives of cybersecurity with the preservation of democratic values. The aim is not merely to critique existing systems but to guide the development of more accountable, transparent, and rights-respecting models of digital governance.

Finally, the research aims to contribute original knowledge to the global scholarly community by offering an in-depth, context-specific examination of how Al-driven cybersecurity influences democratic governance in an African state. While much of the existing literature on Al governance focuses on technologically advanced countries, this study highlights the experiences of a developing democracy navigating significant technological, institutional, and political transitions. By analysing Zambia's unique context, the research aims to expand academic understanding of how Al-enabled cybersecurity affects state power in environments with evolving legal frameworks, uneven technological capacity, and contested political spaces.

ln summary, the overarching aim of this thesis is to critically evaluate how Al-driven cybersecurity transforms the political and institutional landscape of Zambia, with

particular emphasis on judicial independence, electoral integrity, and democratic legitimacy. Through a multidisciplinary lens, the study seeks to understand how technological systems reshape governance structures, how institutions adapt to these changes, and how democratic values can be preserved in an era of rapid digital transformation.

1.4 Research Questions

The formulation of research questions plays a central role in shaping the intellectual direction, methodological orientation, and analytical contribution of any doctoral study. For a thesis examining the interaction between artificial intelligence-driven cybersecurity and democratic governance in Zambia, the research questions must capture the multifaceted nature of technological, institutional, and political transformation. They must also articulate the precise conceptual puzzles that this study seeks to resolve. The following section therefore develops a set of coherent, logically structured, and analytically robust research questions that reflect the complexity of the study while guiding its empirical and theoretical investigation.

The primary purpose of these research questions is to unpack how AI-driven cybersecurity reshapes state power in Zambia, with particular emphasis on three core democratic institutions: the judiciary, the electoral system, and the broader legitimacy of the state. Al-enabled cybersecurity sits at the intersection of technology, governance, and constitutional order; therefore, a coherent set of research questions must address not only how these systems operate in practice but also how they influence institutional autonomy, accountability structures, and public trust. The research questions developed here are therefore designed to illuminate the political consequences oftechnological innovation, ratherthan merely its technical properties.

The overarching research question guiding this thesis is:

PrimaryResearch Question

How is the adoption of Al-driven cybersecurity transforming state power in Zambia, and what implications does this transformation have for judicial independence, electoral integrity, and democratic legitimacy in the country's emerging e-governance era?

This primary research question provides the central axis around which the entire thesis revolves. It is intentionally broad, capturing the full scope of the inquiry, and foregrounding the three institutional domains investigated in the study. It emphasises the transformative nature of Al-enabled cybersecurity not merely as a technological upgrade, but as a force reshaping foundational democratic structures and the distribution of political authority. By situating state power at the centre, the question connects technological change to constitutional and democratic concerns, ensuring that the research remains grounded in core political theory while addressing contemporary challenges.

To explore this overarching question in depth, the study employs three subsidiary questions, each corresponding to one of the key institutional arenas. These subsidiary questions are designed to unpack different dimensions of the primary research question while maintaining analytical coherence and conceptual clarity.

SubsidiaryResearch Question 1:Judiciaiindependence

1. How does the integration of Al-driven cybersecurity systems alter the institutional autonomy, oversight capacity, and constitutional role ofZambia'sjudiciary?

This question aims to investigate the evolving relationship between cybersecurity governance and judicial independence. Thejudiciary plays a vital role in upholding the constitution, interpreting laws, and providing oversight of executive action especially functions that are increasingly complicated by the technical opacity of Al-driven systems. The question therefore prompts an analysis of how algorithmic decision-making, automated surveillance outputs, classified cyber operations, and digital evidence may restrict or reshape judicial capacity. It also calls for scrutiny of institutional asymmetries created when the executive controls the technological infrastructures that produce evidence or define national cybersecurity priorities. This question ensures that the thesis examines whether AI-based cybersecurity strengthens or weakens judicial autonomy as Zambia transitions toward an e-governance system.

Subsidiary Research Question 2: Electoral Integrity

2. In what ways does AI-enabled cybersecurity affect the design, operation, and perceived credibility ofZambia's electoral processes?

The legitimacy of democratic governance depends heavily on the integrity and public trustworthiness of elections. As Zambia increasingly adopts digital infrastructure including biometric voter registration, digital verification tools, and online information systems, the electoral environment becomes more deeply intertwined with cybersecurity architecture. This question seeks to analyse how Al-driven cybersecurity enhances or undermines electoral integrity by shaping vulnerability to cyberattacks, altering the transparency of electoral technologies, influencing institutional dependencies, or affecting public perceptions of fairness. It also invites inquiry into the relationship between cybersecurity agencies and the Electoral Commission, probing whether executive control of digital security introduces structural biases or institutional constraints. The purpose of this question is to ensure that the thesis evaluates the democratic consequences of technological integration at the core of electoral governance.

Subsidiary Research Question 3: Democratic Legitimacy

3. What impact does AI-driven cybersecurity have on public trust, perceptions of accountability, and the overall democratic legitimacy of the Zambian state?

A democratic system's legitimacy rests not only on institutional design but also on public belief that state power is exercised responsibly, transparently, and in accordance with constitutional norms. AI-enhanced surveillance systems, predictive Page 30 of 271

threat-detection technologies, and automated cybersecurity protocols can affect how citizens view the state's motivations, practices, and commitments to democratic values. This research question therefore examines whether the expansion of Al-driven cybersecurity strengthens public trust by enhancing safety and service delivery, or undermines legitimacy by heightening fears of surveillance, political manipulation, or executive overreach. It also prompts analysis of how citizens interpret the state's digital transformation, and how these perceptions shape democratic stability.

MethodologicalFraming of the Research Questions

The structure of these research questions enables a layered investigation that moves from macro-level transformations to micro-institutional effects and societal interpretations. The primary research question sets the conceptual landscape by centring the transformative power of Al-driven cybersecurity. The subsidiary questions then provide a structured analytical pathway through which to explore this transformation from multiple angles.

The first subsidiary question focuses on the judiciary because judicial independence is a hallmark of constitutional democracy. Any erosion of judicial oversight potentially alters foundational power relationships between branches of government. The second subsidiary question targets electoral integrity, acknowledging elections as the anchor of democratic legitimacy and a key arena where cybersecurity risks translate into political consequences. The third subsidiary question situates these institutional changes within the broader democratic context by examining citizen perceptions, trust, and legitimacy.

Together, these questions allow the thesis to conduct a comprehensive evaluation of Al's impact on governance, balancing institutional analysis, political theory, and public accountability.

Additional Guiding Questions forData Collection and Analysis

Although the three subsidiary questions form the core analytical framework, additional guiding questions will assist during empirical inquiry, such as:

• How do government officials, judges, cybersecurity experts, and civil society actors interpret the roleof Al in national security?
• What institutional capacities exist for independent oversight of Al-driven cybersecurity systems?
• How do citizens perceive digital monitoring, biometric systems, and algorithmic decision-making in governance?
• In what ways do cybersecurity laws influence the distribution of power among branches of government?
• Are there emerging patterns of political, administrative, or institutional dependence created byAI-driven digital infrastructures?

These guiding questions are not part of the formal research-question structure but serve to deepen and operationalise the core questions during data collection and analysis.

1.5 Significance of the Study

The significance of this study lies in its contribution to understanding how technological innovations notably artificial intelligence-driven cybersecurity systems reshape the foundations of state authority, democratic institutions, and governance practices in an emerging digital society. As Zambia undergoes a rapid transition into e-governance, the intersection between Al, cybersecurity, and democratic structures presents a complex yet under-examined domain of inquiry. This research provides a comprehensive and multidimensional exploration of these issues, offering insights that are academically, institutionally, and societally consequential.

At the academic level, this study addresses a critical gap in the scholarship on Al governance and cybersecurity in Africa. Much of the existing literature on Al-driven security technologies focus on technologically advanced nations, where institutional contexts, political cultures, and governance systems differ markedly from those found in emerging democracies. By examining Zambia, this research brings to light the unique challenges faced by states with evolving legal frameworks, uneven technological capacity, and contested political spaces. It contributes original knowledge by theorising how Al-enabled cybersecurity interacts with democratic institutions in environments where governance systems are still consolidating and where institutional safeguards may not be fully developed. The study therefore expands the geographical and conceptual scope of global Al governance scholarship, offering a framework that can be extended to other emerging democracies navigating similar digital transformations.

The study is also significant for its focus on the transformation of state power. The introduction of AI-driven cybersecurity systems alters long-standing institutional relationships by reallocating authority, changing flows of information, and recalibrating accountability mechanisms. These transformations raise profound questions about constitutionalism, the separation of powers, and institutional autonomy. By examining how cybersecurity centralisation, algorithmic decision-making, and automated surveillance infrastructures redefine the distribution of state power, this research provides a nuanced analysis of governance in the digital era. Its insights contribute to political theory by illustrating how technological systems may be instrumentalised to expand executive authority, constrain independent bodies, or reshape democratic institutions. This is particularly critical for understanding how states balance national security imperatives with constitutional norms and democratic values.

Another area in which the study holds substantial significance is its examination of judicial independence in an Al-enabled governance context. The judiciary plays a pivotal role in resolving disputes, protecting fundamental rights, and acting as a check on executive authority. However, the integration of opaque algorithmic systems into cybersecurity governance can complicate judicial oversight by introducing forms of evidence, decision-making processes, and technical infrastructures that are not easily subject to legal scrutiny. This study illuminates how these technological shifts influence the capacity of courts to uphold constitutionalism and maintain institutional autonomy. By examining these dynamics, the research provides critical insights for policymakers, legal scholars, and judicial institutions seeking to navigate the complex intersection between law, technology, and democratic governance.

The study is equally significant in its analysis of electoral integrity within an AI-driven cybersecurity environment. Elections are a cornerstone of democratic legitimacy, and the increasing reliance on digital tools such as biometric registration systems, electronic verification devices, and cyber-protected databases creates both opportunities and vulnerabilities. This research provides an in-depth evaluation of how Al-enabled cybersecurity can strengthen or undermine electoral systems by influencing transparency, technological dependence, institutional coordination, and public trust. Its findings offer valuable guidance for electoral management bodies, cybersecurity agencies, civil-society organisations, and policymakers concerned with safeguarding democratic processes in an increasinglydigital age.

Beyond institutional analysis, the study makes a noteworthy contribution to understanding democratic legitimacy in contemporary governance. Citizens' perceptions of fairness, transparency, and accountability are central to sustaining democratic states. Al technologies, by increasing state capacity for monitoring, risk assessment, and data collection, can significantly influence public perceptions of authority and trust. This research examines how these perceptions evolve in response to Zambia's expanding cybersecurity architecture, identifying factors that enhance or erode legitimacy. By foregrounding citizen perspectives, the study aligns democratic theory with lived experience, offering a holistic view of governance that integrates both institutional and societal dimensions.

From a policy perspective, the significance of this study lies in its potential to guide the design of balanced, transparent, and rights-respecting governance frameworks. As Zambia advances its e-government agenda, evidence-based policymaking becomes essential for ensuring that technological innovations do not inadvertently undermine constitutional rights, institutional independence, or democratic accountability. This research provides actionable insights for strengthening oversight mechanisms, enhancing judicial and electoral autonomy, increasing transparency in cybersecurity operations, and establishing safeguards against potential misuse of Al technologies. Its findings can support policymakers in crafting legal frameworks that balance national security with democratic freedoms, thereby ensuring that technological progress aligns with constitutional principles.

The study also holds practical significance for institutional capacity building. As government institutions adopt AI-driven cybersecurity systems, they require new competencies, technical expertise, and procedural innovations to manage these systems effectively. By identifying the institutional challenges associated with Al adoption such as gaps in technical literacy, oversight limitations, and inter-agency coordination issues the research offers a foundation for developing training programmes, resource allocations, and institutional reforms that enhance governance effectiveness.

Furthermore, the study is significant for its contribution to public discourse on digital governance. In an era where states increasingly rely on Al technologies to manage security, public awareness and transparency are critical to maintaining trust. This research demystifies AI-driven cybersecurity for non-specialist audiences by explaining its implications in accessible, conceptually grounded terms. By articulating the democratic risks and opportunities associated with Al adoption, it equips citizens, civil-society organisations, and advocacy groups with the knowledge necessary to participate meaningfully in conversations about digital rights, governance, and accountability.

Finally, the study's significance extends beyond Zambia by offering a conceptual model for analysing Al-driven cybersecurity in other emerging democracies. The theoretical framework developed in this thesis centred on state power, institutional autonomy, and democratic legitimacy provides a transferable analytical tool for scholars and policymakers working in comparable contexts. As many states in Africa and the Global South pursue digital transformation strategies, the questions raised in this research become increasingly relevant to global debates on Al governance, cybersecurity, and democratic resilience.

In summary, this study is significant because it provides original insights into an evolving and under-examined area at the intersection of technology, governance, and democracy. It advances academic understanding, informs policy development, supports institutional reform, and enriches public discourse. By evaluating how Al-driven cybersecurity transforms state power and affects key democratic institutions in Zambia, the study offers a vital contribution to contemporary debates about the future of governance in the digital age.

1.6 Scope and Delimitations

The scope and delimitations of a doctoral study define the conceptual, methodological, and analytical boundaries within which the research is conducted. Establishing clear limits is essential for maintaining coherence, ensuring feasibility, and preserving depth of inquiry in a topic as expansive and interdisciplinary as the intersection between artificial intelligence-driven cybersecurity and democratic governance. Given that this study examines highly complex institutional dynamics in an evolving technological landscape, articulating the precise parameters of the investigation is necessary to clarify what the research covers and what it intentionally leaves outside its purview.

The scope of this study is organised around four principal dimensions: the thematic scope, the institutional scope, the geographical scope, and the temporal scope. Each

dimension reflects a deliberate decision to focus on areas where Al-driven cybersecurity is most likely to intersect with governance and democratic structures in Zambia. By concentrating on these areas, the study aims to produce a detailed and analytically rigorous account of how technological transformation affects state power, institutional autonomy, and democratic legitimacy.

Thematic Scope

Thematically, the study focuses on the governance implications of Al-driven cybersecurity systems rather than their technical design or engineering characteristics. While the research acknowledges the technical underpinnings of Al-enabled cybersecurity such as algorithmic monitoring, automated threat detection, and biometric authentication and the primary emphasis is on how these technologies reshape political authority, institutional relationships, and democratic accountability.

The study therefore investigates the political consequences of Al-driven cybersecurity, including its effects on judicial independence, electoral integrity, and public trust. It explores how technological decision-making processes, surveillance capabilities, and cybersecurity frameworks influence institutional behaviour and democratic norms. The thematic scope excludes detailed technical evaluation of machine-learning architectures, programming models, or algorithmic optimisation techniques. Instead, technological components are engaged only insofar as they affect governance structures and democratic institutions.

This thematic focus allows the study to remain grounded in political theory, governance studies, and democratic analysis while drawing selectively from cybersecurity and Al ethics literature where relevant. The emphasis on political and institutional consequences ensures that the research contributes to debates about the governance of emerging technologies rather than the engineering of Al systems.

Institutional Scope

lnstitutionally, the study concentrates on three core democratic institutions in Zambia:

1. The Judiciary - as the guardian of constitutionalism and a critical check on executive power.

2. The Electoral System - represented primarily by the Electoral Commission and related electoral bodies responsible for voter registration, verification technologies, and electoral oversight.

3. The Executive Arm of the State - particularly agencies involved in cybersecurity governance, regulation, surveillance, and policy execution.

By focusing on these institutions, the study investigates how Al-enabled cybersecurity reforms shift the distribution of authority across branches of government. Thejudiciary is examined to understand how algorithmic systems may affect judicial autonomy, transparency, and oversight capacity. The electoral system is analysed to evaluate how Al-driven cybersecurity influences electoral processes, technological vulnerabilities, and public confidence. The executive is studied as the central site of cybersecurity decision-making, providing insight into how technological centralisation may enhance or reshape executive power.

The institutional scope excludes detailed analysis of the legislature, except where legislative actions directly shape cybersecurity governance. While Parliament plays a crucial role in passing digital laws and overseeing national policy frameworks, its internal dynamics, committee structures, and political composition fall beyond the scope of this study unless directly relevant to Al-driven cybersecurity oversight.

The study also excludes granular analysis of private-sector institutions, despite their role in digital infrastructure and cybersecurity services. Private actors are considered only in relation to their interactions with state agencies, not as independent institutional actors.

Geographical Scope

Geographically, the study is limited to the Republic of Zambia. This focus reflects the unique political, legal, and technological environment within which Al-driven cybersecurity is being implemented. Zambia's evolving e-governance agenda, its recent cybersecurity legislation, and its emerging Al policy frameworks provide a distinctive context for examining how technological innovation intersects with democratic governance.

The research does not engage in cross-country comparisons, although observations may occasionally reference broader African or global trends to situate Zambia within the international discourse. Such contextualisation is conceptual rather than empirical, and the study does not attempt to generalise its findings across countries with different institutional histories ortechnological infrastructures.

Focusing exclusively on Zambia ensures depth of analysis, allowing the study to engage directly with the specific legal frameworks, political dynamics, institutional capacities, and democratic pressures shaping the country's digital transformation. It also allows the research to capture the nuanced ways in which Al-driven cybersecurity intersects with Zambia's constitutional order, historical governance patterns, and evolving democratic norms.

Temporal Scope

The temporal scope of the study spans the period from 2021 to 2026, corresponding to Zambia's most significant phase of digital transformation and the introduction of major cybersecurity and Al policy reforms. The period begins in 2021 because it marks the broader political transition and renewed emphasis on digital rights, institutional reform, and e-government expansion. It extends through 2026 to capture the implementation phase of the national Al strategy, the evolution of cybersecurity governance, and ongoing changes in electoral andjudicial processes.

While the study may reference developments prior to 2021 for historical context, detailed analysis of earlier periods is outside the scope. The focus remains on contemporary transformations that have direct relevance to Zambia's emerging e-governance framework.

Delimitations

Delimitations represent intentional boundaries set by the researcher to maintain analytical clarity and methodological feasibility. Several key delimitations shape this study:

1 . Exclusion ofTechnicalAIDesignAnalysis

The study does not engage in technical evaluation of Al algorithms, data-processing pipelines, or cybersecurity engineering models. Such analysis requires specialised technical expertise and extensive technical datasets that fall outside the research's governance-focused scope. Instead, the study examines the political and institutional consequences ofAI-driven cybersecurity.

2 .LimitedFocus on Citizen BehaviouralData

While public perceptions and trust are central to the research questions, the study does not seek to collect granular behavioural or psychometric data on citizens. Surveys, interviews, and focus group insights may be utilised, but the study does not attempt to quantify behavioural patterns or develop models of digital behaviour.

3 .BoundaryAround InternationalRelations

The study does not analyse Zambia's international cybersecurity collaborations, diplomatic digital partnerships, or geopolitical engagements in detail. These areas, though important, represent a separate domain of inquiry focused on international relations ratherthan domestic governance.

4.Exclusion ofNon-DemocraticInstitutions

Institutions such as the defence forces, intelligence agencies, and private telecommunications companies are discussed only insofar as they intersect with democratic governance. Their internal structures, operational procedures, and non-public activities remain outside the study's analytical boundaries.

By establishing clear thematic, institutional, geographical, and temporal boundaries, as well as explicit delimitations, this section defines the analytical architecture of the study. The scope ensures that the research remains tightly focused on how AI-driven cybersecurity influences thejudiciary, electoral governance, and democratic legitimacy in Zambia. The delimitations reinforce methodological clarity and feasibility, allowing the study to provide rigorous, coherent, and meaningful contributions to scholarship and policy. With these parameters established, the thesis is well-positioned to undertake a deep and systematic investigation into the intersection of technological transformation and democratic governance.

1.7 Thesis Structure

This thesis is organised into six interrelated chapters designed to provide a coherent, systematic, and academically rigorous examination of how AI-driven cybersecurity affects state power, judicial independence, electoral integrity, and democratic legitimacy within Zambia's evolving e-governance framework. The structure follows a logical flow from contextual framing to theoretical engagement, methodological grounding, empirical analysis, interpretive discussion, and final recommendations. Each chapter builds upon the preceding one, ensuring conceptual clarity and analytical depth throughout the dissertation.

CHAPTER 2: LITERATURE REVIEW

2.1 AI Governance

2.1.1 Global AI Governance Norms: Rights,Transparency,Accountability

A first strand of the literature posits an emergent Jus techno/ogiae whose core is that artificial intelligence must be designed, deployed and governed in ways that are rights-preserving, transparent, accountable and safe across the entire lifecycle. UNESCO's Recommendation on the Ethics of Artificial Intelligence (adopted by acclamation at the 41st General Conference in November 2021, and accompanied by implementation materials updated through 2023-2024) is the clearest articulation of this consensus: it is the first global standard-setting instrument on AI ethics, applicable to all UNESCO Member States, and it anchors governance in human dignity, human rights, diversity and inclusion, with enforceable direction through extensive Policy Action Areas (e.g., data governance, oversight, education, research, and health). In UNESCO's schema, human oversight and determination, transparency/explainability, and responsibility and accountability are not rhetorical aspirations but operational obligations to be embedded across all stages of the AI lifecycle from design and data collection to deployment, monitoring and decommissioning. The Organization further institutionalised implementation via a Global AI Ethics and Governance Observatory, a Readiness Assessment Methodology (RAM), and an Ethical Impact Assessment (EIA), thereby transforming high-level norms into diagnostic and procurement-grade tools for states and public bodies.

In parallel, the OECD AI Principles, the first intergovernmental standard adopted in 2019 and updated at Ministerial level in May 2024 codify a five-pillar architecture for trustworthy AI: inclusive growth, human-centred values and fairness, transparency and explainability, robustness, security and safety, and accountability. The 2024 update sharpened attention to general-purpose and generative AI, information integrity, safety, privacy and intellectual-property concerns, and it explicitly promotes global interoperability by advancing a shared definition of an AI system and a common understanding of the Al lifecycle that are now referenced acrossjurisdictions. Legally, the instrument remains the Council's Recommendation on Artificial Intelligence (OECD/LEGAL/0449) (amended 3 May 2024), which sets out both the values-based principles and recommendations to governments for risk management, measurement, and whole-of-government institutionalisation. The OECD has complemented this with operational scaffolding which is an Al systems classification framework for risk/context analysis and a public Catalogue of Tools & Metrics for Trustworthy Al to translate principles into design, auditing, and assurance practices. Read comparatively, UNESCO and OECD provide convergent but complementary baselines. UNESCO supplies a human-rights-centred normative compass with policy action areas and assessment instruments (RAM/EIA) that speak to institutional capacity, proportionality, and the ethics-by-design imperative. The OECD, by contrast, furnishes a regulatory interoperability layer: a stable legal instrument updated to reflect technological shifts (e.g., generative AI), common definitional anchors for legislation, and a growing ecosystem of risk classification and implementation toolkits. Together, they delineate what ought to characterise any high-stakes public-sector AI, namely (i) measurable accountability for actors along the AI lifecycle, (ii) transparency/explainability sufficient for contestability and due process, (iii) robust security and safety aligned with democratic values, and (iv) human oversight that is substantive ratherthan ceremonial.

For Al-driven cybersecurity in particular, these global norms are not peripheral, they specify the constitutional constraints on technologies that, by design, centralise information, detection and response capacities inside the state. UNESCO's Recommendation requires that security-motivated deployments still meet rights-protective thresholds (privacy, non-discrimination, proportionality), and it mandates transparency and human control over automated functions whose outputs may trigger surveillance, interdiction or other coercive measures. The Observatory's EIA/RAM instruments extend this to practice by asking governments to evidence governance readiness, identify institutional gaps, and document mitigation measures ex ante and ex post, including in procurement of AI-enabled monitoring Page 43 of 271

platforms. The OECD, for its part, situates cybersecurity uses within a risk-based policy grammar: classify the system and context, surface human-rights impacts (e.g., due process under automated triage), and select proportionate safeguards using tools and metrics that make auditability and accountability demonstrable rather than asserted.

Two implications follow for democratic governance. First, security is not a normative exemption: the UNESCO/OECD baselines reject any presumption that algorithmic opacity or secrecy can displace the requirements of legality, necessity and proportionality;rather, they raise the bar for contestability and oversight where automated inferences may limit rights or shape high-stakes administrative action (e.g., network interception, traffic-data analysis, or automated incident response). Second, interoperability is now a governance good: by aligning domestic rules with UNESCO's lifecycle-ethics approach and the OECD's 2024-updated definitions and principles, states increase the comparability and portability of safeguards across jurisdictions, which is indispensable in cross-border cyber-operations and information-integrity contexts. These global instruments thus supply the normative yardsticks against which national Al-cybersecurity regimes including those affecting judicial review or electoral administration will be assessed in this thesis.

2.1.2 Continental (African Union) Data and Al Governance:

Harmonisation and Rights Protection

At the continental tier, the African Union (AU) has articulated an increasingly coherent data and Al governance architecture designed to balance innovation, regional integration, and fundamental rights. The AU Data Policy Framework (DPF) (February/July 2022) is the anchor: it seeks to harmonise data governance across Member States, create a shared continental data space, and underpin an African Digital Single Market consistent with AfCFTA ambitions. It frames data policy as simultaneously developmental and rights-preserving by improving lives, safeguarding collective interests, and protecting digital rights and it specifies guiding principles, data categorisation, governance enablers, and implementation pathways that

Member States can domesticate. Complementing the DPF, the Digital Transformation Strategy for Africa (2020-2030) positions interoperable standards, cross-border connectivity, and digital public infrastructure as enablers of inclusive growth and "leapfrogging," thereby situating data governance within a broader continental transformation agenda.

Critically, the AU's approach favours regulatory interoperability over blunt localisation. Authoritative analyses emphasise that the DPF distinguishes data sovereignty (public-interest stewardship) from indiscriminate data localisation, cautioning that security claims should not be weaponised to undermine human rights or stifle intra-African data flows;instead, it urges risk-calibrated controls, sector-specific safeguards, and rule-of-law-rooted data policy. This continental posture is operationalised through emerging cross-border data-flow instruments under AfCFTA's Protocol on Digital Trade and through AU-led validation of continental frameworks on data categorisation/sharing, cross-border data flows, and open data, aimed at accelerating the Digital Single Market by 2030. In effect, the DPF's harmonisation logic aligns continental objectives with global interoperability trends while prioritising rights, proportionality and accountability as guardrails for data-driven innovation.

On cybersecurity and personal data protection, the Malabo Convention (2014) constitutes the AU's treaty-level baseline. It establishes a legal framework for electronic transactions, personal data protection, and combating cybercrime, and it reaffirms that cyber regulation must respect fundamental freedoms and the African Charter on Human and Peoples' Rights. Ratification has gathered pace in recent years (including Zambia's ratification in March 2021), signalling a gradual consolidation of continental norms around lawful processing, security, and oversight. Read together, Malabo provides binding scaffolding for privacy and cybersecurity, while the DPF supplies policy-design detail for a modern, rights-aware, data economy in two layers that are mutually reinforcing for Member States building AI-enabled security capabilities.

The AU has also moved to a continent-wide Al strategy. In July 2024, the Executive Council endorsed the Continental Artificial Intelligence Strategy, an Africa-centric, development-oriented blueprint that calls for ethical, responsible and inclusive Al, capacity building (infrastructure, talent, datasets), investment, and cooperation, while minimising risks to rights and security. This strategy expressly links AI to Agenda 2063 and the SDGs, and it urges unified national approaches so that domestic measures remain interoperable across borders. Subsequent high-level dialogues (2025) reiterated AI as a strategic priority, highlighting deficits in computer and data infrastructure and calling for safeguards and human-centred governance that reflect Africa's linguistic and cultural diversity. In short, the AU is positioning AI policy within an integrated regime that couples innovation incentives with rights-protective controls.

Institutionally, the AU pursues harmonisation through multi-actor coordination Member States, RECs, regulators and data-protection authorities supported by technical programmes (e.g., PRIDA). The Union has piloted harmonisation methodologies (including data protection and data-location topics) with country testing in Zambia and others, and it has convened continental meetings to validate tools for measuring convergence in law and practice. External expert reviews (FPF) note that RECs are being leveraged to draft model laws, build capacity, and reduce regulatory fragmentation, which is essential for cross-border flows and Al supply-chain governance. In tandem, specialist briefs document the rise of transfer tools (adequacy, standard clauses, certification, BCRs) across African jurisdictions and call for interoperable mechanisms that reflect shared values but accommodate institutional diversity.

Implications for Al-driven cybersecurity. First, continental policy normalises rights-respecting data access and sharing for security purposes under proportional, accountable governance; the DPF's categorisation and governance sections support differentiating sensitive/critical from routine data to calibrate safeguards in cyber operations. Second, interoperability and cross-border cooperation is treated as features, not bugs: the AU's Digital Single Market trajectory assumes lawful, auditable data mobility across borders for resilience and incident response especially pertinent for threats that traverse networks and jurisdictions. Third, the Continental Al Strategy makes ethics and inclusion central to state Al deployments, implying that Al-enabled monitoring, detection, or triage functions should satisfy human-centred, explainable and contestable standards rather than default to opaque automation. Finally, Malabo's treaty obligations and the DPF's rights-protective framing serve as continental benchmarks against which national cybersecurity statutes and practices especially those involving interception, biometric processing, or algorithmic triage can be assessed for necessity, legality, and proportionality.

In sum, AU-level data and Al governance does not subordinate rights to security; instead, it seeks harmonised, development-oriented regulation in which data mobility, privacy, cybersecurity, and Al ethics are co-designed. This regional blueprint is the immediate normative environment for Member States including Zambia as they legislate and operationalise Al-centred cybersecurity and adjacent electoral orjudicial technologies.

2.1.3 Zambia's Domestic Digital Governance and Cyber-Legal Landscape

Zambia's national digital governance environment has undergone rapid institutional and legislative transformation since 2021, producing a layered legal-policy architecture that now frames all state deployments of Al-enabled cybersecurity systems. Three clusters define this domestic landscape: (1) foundational e-government and data-protection statutes (2021), (2) the 2020-2030 digital transformation agenda, and (3) the 2025 cyber-law package, which represents the most consequential restructuring of Zambia's cybersecurity governance to date.

1. Foundational Digital Governance: The Electronic Government Act (2021) and Data ProtectionAct (2021)

The Electronic Government Act, 2021 (Act No. 41) established the Electronic Government Division under the Office of the President and codified the legal principles governing the management, security, and auditability of government information systems. The Act emphasises citizen-centred service delivery, information-systems security, and inter-agency information sharing within a coherent e-government architecture. These provisions constitute the technical-bureaucratic substrate for all government ICT operations, including cybersecurity deployments, as they mandate security safeguards, system audits, and institutional responsibilities for protecting government-held data.

Complementing this is the Data Protection Act, 2021 (Act No. 3), which introduces a statutory regime for lawful processing of personal data, establishes the Office of the Data Protection Commissioner, and designates biometric information as sensitive data, subject to stricter conditions. The DPA requires controllers and processors to implement security, retention, and accountability mechanisms for handling personal data; principles that have direct relevance for biometric databases (e.g., voter registers) and AI-driven cybersecurity systems that rely on personal or traffic metadata.

Together, these 2021 statutes form Zambia's rights-protective baseline, a crucial benchmark against which subsequent cybersecurity reforms must be assessed.

2. Zambia in the Continental Digital Reform Context:AHgnment with AU Digital Transformation Strategy (2020-2030)

Zambia's domestic legal trajectory exists alongside the African Union's Digital Transformation Strategy for Africa (2020-2030), which positions digitalisation as a catalyst for inclusion, innovation, economic diversification, and continental integration. The AU strategy emphasises interoperability, data governance, digital public infrastructure, and cross-border digital governance harmonisation.

This alignment matters because Zambia participates in AU-led harmonisation exercises, including comparative assessments of data protection and data-location regulations, in which Zambia was one of the pilot countries tested under AU-EU technical frameworks. These exercises aim to reduce regulatory fragmentation, standardise data-governance norms, and prepare Member States for integration into a continental Digital Single Market.

Thus, Zambia's domestic statutes coexist within a regionally converging regulatory ecosystem, influencing expectations regarding proportionality, lawful processing, and oversight in security-sectorAI implementations.

3. The 2025 Cyber-Law Package: Centralising Cybersecurity and Expanding State Powers

In April 2025, Zambia enacted two major statutes that repealed and replaced the 2021 cybersecurity framework: The Cyber Security Act, 2025 (Act No. 3) and the Cyber Crimes Act, 2025 (Act No. 4), together forming the centrepiece of Zambia's new cyber-governance regime.

(a) CyberSecurityAct, 2025(ActNo. 3)

This Act establishes the Zambia Cyber Security Agency (ZCSA) as the central authority for national cybersecurity, located under the Office of the President. It also formalises the Zambia Cyber Incident Response Team, provides for sectoral CIRTs, and retains/expands the Central Monitoring and Coordination Centre (CMCC), which is mandated to conduct technical interception and monitoring functions. The Act empowers the designation and auditing of critical information infrastructure, setting criteria for state-supervised cybersecurity operations and compliance obligations for public and private entities.

The placement of ZCSA under the Presidency is widely seen as structurally significant, concentrating informational and operational authority within the executive branch.

(b) Cyber Crimes Act, 2025 (Act No. 4)

The Cyber Crimes Act specifies a broad suite of offences, including deceptive electronic communication, unauthorised disclosure, traffic-data preservation and disclosure, and search/seizure of digital evidence. It also grants law-enforcement agencies real-time interception capabilities and compels service providers to cooperate with state authorities in investigation processes.

The Act effectively provides the procedural levers for cybercrime enforcement and digital surveillance, and its scope directly shapes how Al-enabled tools may be deployed for monitoring, detection, and forensic analysis.

4.Contestation, Rights Concerns,and Oversight Gaps

The 2025 Acts triggered immediate legal and civil-society pushback. Independent analyses and regional digital-rights organisations argue that the laws contain vague definitions (e.g., "critical information"), broad interception mandates, and insufficient independent oversight, risking potential abuse, chilling effects on online speech, and politicisation of cyber-operations.

Civil-society reports cite concerns that the Acts criminalise forms of online expression and compel service providers to facilitate real-time state surveillance. The Freedom House 2025 Internet Freedom report, though not retrieved directly in the search window here, aligns with these concerns in its general findings.

For Zambia specifically, the AU's ongoing harmonisation work underscores the importance of rule-of-law-rooted data governance, suggesting that Zambia's expanded cybersecurity powers should ideally be balanced by proportionality, clarity, and independent review mechanisms consistent with continental standards.

5.lmplications for Al-Driven Public-Sector Cybersecurity

This domestic architecture encompassing rights-oriented 2021 statutes, AU-aligned digital strategies, and the centralising 2025 cyber-law package creates the conditions under which Al-enabled cybersecurity tools will be procured, deployed, and contested in Zambia.

Key implications include:

• Expanded Data Access: Al-driven detection and surveillance systems may rely on traffic data, intercepted communications, and biometric datasets governed by the DPA (2021)and the Cyber Crimes Act (2025).

• Concentrated Authority: With ZCSA situated under the Presidency, Al-enabled cybersecurity operations may centralise decision-making power, raising questions of executive dominance.

• Oversight Challenges: Judicial and parliamentary oversight may struggle to maintain informational parity, especially when proprietary Al systems or classified CMCC workflows shape evidence or administrative decisions.

• Standards Alignment Pressures: Zambia must reconcile the 2025 Acts with AU governance principles promoting data-rights protection, free cross-border data flows, and ethical Al practices creating a potential tension between national-security priorities and continental normative trajectories.

2.1.4 Al-Driven Cybersecurity Judicial Independence, and Algorithmic Governance

The rapid diffusion of Al across public administration has reached the justice sector, where algorithmic tools increasingly mediate evidence collection, triage, risk-scoring, drafting and search, functions that sit at the constitutional hinge between state power and individual rights. Recent UN reporting cautions that courts and legal practitioners are already using Al sometimes ad hoc yet rights-comp/iant deployment remains uneven, raising risks of bias, opacity, unequal access and erosion of due process. The

UN Special Rapporteur on the independence of judges and lawyers warns against techno-solutionism, insisting that access to an independent and impartial tribunal entails access to a humanjudge, with any Al kept assistive and subordinate to judicial control; she further urges ex-ante harm assessments, public disclosure of key information about judicial Al systems, and judicial branch ownership over any innovation that could affect adjudication. UNESCO's concurrent initiatives underscore similar concerns: its Recommendation on the Ethics of Al requires human oversight, transparency/explainability, and accountability across the Al lifecycle, and its dedicated Guidelines for the Use of Al Systems in Courts and Tribunals (2025) translate these values into 15 operational principles that keep Al strictly assistive, auditable, and rights-respecting.

From a rule-of-law perspective, the doctrinal problem is algorithmic opacity: when Al systems (e.g., classifiers, LLM-based summarizers, or anomaly-detection tools) are embedded in policing or cyber-operations, they generate inferences that may later appear as evidence or shape investigative choices, while their internal logic, data provenance, or failure modes remain inaccessible to adversarial scrutiny. Legal scholarship identifies such opacity along with bias and lack of audit trails as a structural challenge for equality before the law and due process, demanding enforceable transparency, documentation, and explainability-by-design. UNESCO's judicial capacity-building programme corroborates the practical gap: in a global survey, 44% of judges reported using Al tools for work but only 9% had institutional guidance, prompting UNESCO to develop a MOOC, a global toolkit, and ultimately the 2025 Guidelines to standardise safeguards (auditability, information security, human decision-making primacy).

These global norms intersect with Al-driven cybersecurity in two ways. First, cyber operations increasingly rely on automated detection, correlation and triage (e.g., traffic-pattern analytics, anomaly detection, malware classification) whose outputs may trigger interception or other coercive steps; if later tested in court, the opacity of model training data, thresholds and false-positive profiles can tilt epistemic advantages toward the executive. The Special Rapporteur therefore calls for public availability of key information about judicially relevant Al systems and for empowering courts to require disclosures sufficient to test necessity and proportionality. Second, when Al tools assist prosecutorial or judicial tasks (summarisation, document review, sentencing support), the same instruments demand that Al remain an aid rather than a substitute, with human-in-the-loop control and traceable reasoning to preserve independence and litigants' rights to contest. UNESCO's 2025 Guidelines, building on its 2021 Recommendation, frame precisely these constraints for court-facing deployments.

In the African Union context, treaty and policy frameworks supply a regional baseline for balancing security and rights. The Malabo Convention establishes foundational obligations for personal data protection and cybercrime control, embedding privacy and due-process guarantees into continental cyber governance, while the AU Data Policy Framework (2022) seeks harmonised, rule-of-law-rooted data governance that enables cross-border data flows without sacrificing rights. These instruments, now complemented by the Continental Al Strategy (2024), collectively warn against rights-eroding security measures and favour interoperable, proportionate safeguards principles directly implicated when Al-enhanced surveillance or interception activities are later reviewed by courts.

Applied to Zambia, the architecture described in §2.1.3 raises concrete judicial-independence questions. The Cyber Security Act, 2025 centralises national cybersecurity in the Zambia Cyber Security Agency (ZCSA) under the Office of the President and continues the Central Monitoring and Coordination Centre (CMCC), while the Cyber Crimes Act, 2025 expands interception and traffic-data powers: together they increase the informational asymmetry between security agencies and courts, especially where technical workflows or model documentation are classified. In such conditions, UNESCO's court-specific guardrails (auditability, human oversight, explainability) and the Special Rapporteur's instructions (judicial control, transparency about systems affecting adjudication) become preconditions for meaningful review rather than optional good practice. Moreover, because Zambia operates within the AU's rights-centred data/AI trajectory (DPF, Malabo, Continental Al Strategy), domestic procedures for Al-assisted cyber operations and for the admissibility and testing of algorithmic evidence should be structured to demonstrate necessity, proportionalityand contestability consistent with continental norms.

Finally, the governance prescription emerging from this literature is clear. For AI-driven cybersecurity to coexist with judicial independence, three layers of safeguards are required: (i) ex-ante governance including public registers or notices for Al systems used by security and justice bodies, documentation of data sources, model objectives, risk assessments and red-teaming; (ii) adjudicative access such as enforceable powers for courts to compel disclosures sufficient to evaluate accuracy, error profiles and rights impacts (consistent with the Special Rapporteur's recommendations); and (iii) institutional capacity such as Al literacy and independent expert support for judges, allied with UNESCO's training and the courts-specific Guidelines to keep Al strictly assistive and auditable. Without these measures, the shift to Al-mediated cybersecurity risks reallocating practical authority toward executive actors who control the models and the data, thereby diminishingjudicial autonomy in fact, even where it persists in law.

2.1.5 AI,Elections, and Information Integrity

Al's penetration into electoral governance introduces a dual transformation: (a) the continued institutionalisation of biometric and digital identity systems, and (b) the emergence of Al-amplified information disorders that directly target electoral management bodies (EMBs), voters, and public trust.

Across Africa, both trajectories now converge, and Zambia's experience mirrors continental patterns.

1. Biometric Elections andAI-Enabled IdentitySystems

The biometric turn in African elections such as fingerprints, facial images, deduplication algorithms has been widely documented as a response to chronic voter-roll inflation, duplicate registrations, and identity fraud. Evidence from the Electoral Institute for Sustainable Democracy in Africa (EISA) and comparative country studies shows that biometrics can improve register accuracy and reduce forms of multiple or underage registration; however, these gains are consistently constrained by technical capacity gaps, procurement irregularities, and uneven implementation. Systematic analysis further confirms that while biometric tools enhance identity assurance, they cannot independently restore trust in elections without robust governance and oversight mechanisms, particularly given the high cost and vendor dependencyassociated with such systems.

Zambia fits squarely within this continental trend. Vendor documentation and official communications show that the Electoral Commission of Zambia (ECZ) has long adopted biometrics for voter registration using ten fingerprints and ICAO-standard facial images, supported by the Automated Biometric Identification System (ABIS) for deduplication. Selective deployment of e-poll books in 2021 further exemplifies partial modernisation: while they increased verification speed in some polling stations, observers questioned the rationale for uneven deployment and called for greater transparency surrounding ABIS deduplication results. Importantly and often lost in public discourse, ECZ clarifies that biometrics apply to registration only, not electronic voting or tallying, a crucial distinction in environments sensitive to disinformation.

As Zambia approaches 2026, proposals under the Electoral Reform Technical Committee (ERTC) similarly focus on digitising registration and harmonising processes, not introducing electronic voting. These reforms, however, will only strengthen integrity if supported by independent certification, transparent procurement, clear incident-reporting protocols, and public communication, all of which the continental evidence identifies as decisive for legitimacy.

2. AI-Driven Threats to the Information Environment

The second and more rapidly escalating dimension is the Al-powered disinformation ecosystem in African elections. Studies from the Institute of Development Studies (IDS) and regional evidence syntheses show that Al-generated and Al-amplified disinformation including deepfakes, cloned audio, bot networks, and coordinated hashtag operations has already influenced electoral periods across multiple African countries. These operations disproportionately target youth, exploit platform moderation weaknesses in African languages, and systematically aim to delegitimise electoral authorities, often overwhelming official communications.

Journalistic investigations, think-tank reports, and West African election studies collectively warn that Al-enabled propaganda campaigns have intensified during 2024-2026, with recycled media, "cheap fakes," and automated narratives becoming routine tools for political actors and foreign influence networks. Empirical findings from Nigeria's elections, for example, show high exposure to political misinformation from party accounts, online news outlets, and user-generated commentary, results that reinforce the need for digital-literacy interventions, rapid response units, and transparent fact-checking ecosystems.

The implications for Zambia are direct. Despite the lack of documented Al-generated deepfakes specific to Zambia, observers and civil society organisations note that Zambia's online sphere especially during election cycles is vulnerable to rumours, false claims about biometric voting, and manipulated narratives about cyber laws or electoral processes. The risk profile is heightened by the interaction between AI-driven disinformation and broad surveillanceand speech-regulation powers under the 2025 cyber-law regime.

3. The Legal Response Paradox: Cybersecurity vs Civic Space

Zambia's Cyber Security Act, 2025 and Cyber Crimes Act, 2025 were presented in part as responses to online harms, including disinformation. However, regional digital-rights monitors argue that vague offences and expanded interception powers risk chilling legitimate speech including journalistic scrutiny and citizen commentary particularly during election periods when public debate is most essential. The concern mirrors a broader continental trend: cybersecurity rationales deployed without accompanying transparency, judicial oversight, and redress mechanisms may inadvertently weaken electoral legitimacy, even when framed as protective.

In this sense, Zambia exemplifies what the literature terms a security-legitimacy paradox: the very instruments designed to secure the information environment may, if not tightly constrained, shrink civic space and undermine trust in elections.

4.1 mplications for Democratic Legitimacy

Across Africa, AI-driven electoral technologies yield mixed outcomes. Biometric registration and ABIS deduplication continue to enhance procedural reliability, but these gains are increasingly offset by Al-accelerated disinformation and by legal regimes that risk suppressing democratic debate. The legitimacy of elections is therefore contingent not on the mere presence of technology but on the governance ecosystem surrounding it.

For Zambia, four lessons are salient:

1. Technology cannot substitute for institutional trust. Biometric accuracy is insufficient absent visible safeguards, transparent auditing, and clear communications.

2. Information integrity is now a core electoral-security challenge. AI has transformed the speed, scale and believability of false content.

3. Cyber-law enforcement must be rights-compatible. Disinformation governance that suppresses legitimate speech will erode confidence more than it protects elections.

4. Public understanding is critical. Misperceptions about electronic voting or biometric manipulation must be proactively addressed through sustained civic education.

Taken together, the literature positions Al not simply as a technical upgrade but as a structural force reshaping electoral legitimacy. In Zambia's context where biometric systems, cyber-legal reforms, and a contested online environment intersect the central question is not whether Al will shape elections, but whether its governance will reinforce or erode democratic trust.

2.1.6 Synthesis and Implications for the Present study

From global norms to domestic practice.

Across the materials reviewed, a consistent hierarchy of governance emerges. At the apex, UNESCO's Recommendation on the Ethics of Al and the OECD Al Principles/Recommendation (OECD/LEGAL/0449, updated 2024) establish a shared grammar for rights-centred, transparent, accountable and safe Al, coupled with practical instruments (UNESCO's Readiness Assessment Methodology and Ethical Impact Assessment; OECD risk-classification and tool catalogues) that translate principles into operational controls. These sources converge on non-negotiables such as human oversight, explainability, auditability, robust security, and accountability and stress interoperability so national regimes do not become islands. Within Africa, the AU Data Policy Framework (2022) and the Continental Al Strategy (2024) give regional specificity: harmonise data governance and cross-border flows for a Digital Single Market while safeguarding rights, and make Al assistive, inclusive, and development-oriented. The Malabo Convention anchors privacy and cybercrime control in binding treaty law.

Judicial independence under algorithmic government. For the justice sector, UNESCO's forthcoming and now-launched guidance for courts, and the UN Special Rapporteur's 2025 report, crystallise a bright line: Al in adjudication must remain assistive; the right to an independent and impartial tribunal implies Page 58 of 271

access to a human judge; and courts must have sight of the systems that shape evidence and procedure. That requires pre-deployment governance (documentation, risk assessment), public information about the systems, and enforceable disclosure so judges can test necessity, proportionality, bias and error rates. The empirical problem UNESCO surfaces including judges already using Al but lacking institutional guidance makes these safeguards urgent, not aspirational. In parallel, legal scholarship identifies algorithmic opacity and bias as structural due-process risks unless explainability-by-design and auditing are mandated.

Cybersecurity centralisation vs. rule-of-law baselines. Set against these norms, Zambia's 2025 cyber-law package such as the Cyber Security Act (establishing the ZCSA under the Presidency and continuing CMCC capabilities) and the Cyber Crimes Act (expanding interception and traffic-data powers), materially reweights informational control towards the executive, creating potential epistemic asymmetries when Al-assisted outputs or classified technical processes reach court. The 2021 Electronic Government and Data Protection Acts supply a right-protective baseline, but the 2025 consolidation raises the oversight bar: to remain aligned with AU and UNESCO/OECD standards, operational controls must ensure transparency, contestability, and independent review of cyber-AI systems.

Elections: technology's credibility depends on governance.

Continental experience shows biometrics and ABIS can improve voter-roll integrity, yet their legitimacy hinges on transparent procurement, independent certification, public communication, and incident disclosure; without these, uneven deployment or misunderstood scope (e.g., registration / e-voting) feeds suspicion. Simultaneously, Al-assisted disinformation escalates threats to electoral trust, particularly where platform moderation in African languages lags. The literature warns that security-framed legal responses that expand surveillance or criminalise broad categories of online speech can chill civic space and paradoxically undermine the very legitimacy they seek to protect.

Implications for this thesis: analyticalfocus and evaluative criteria

1. Evaluate executive power shifts through the lens of algorithmic control.

The study will test whether Al-enabled cybersecurity and the organisational design of ZCSA/CMCC have shifted practical authority toward the executive by centralising data, models, and operational dashboards, and whether judicial and electoral institutions possess the legal and technical levers to obtain explanations, logs, and error profiles when decisions are challenged. The yardsticks come from UNESCO/OECD (human oversight, explainability, accountability) and AU (rights-based governance, harmonised standards).

2. Interrogate judicial independence as epistemic parity.

Judicial autonomy will be examined not only as formal tenure/structure but as access to knowledge: Can courts compel disclosures on data provenance, model objectives, thresholds, retraining events, and known failure modes? Are there public registers or at least in-camera mechanisms for sensitive systems? The Special Rapporteur's prescriptions and UNESCO's court guidelines make these evaluative questions concrete.

3. Assess electoral integrity at the intersection of identity tech and information integrity.

For Zambia's biometric stack and forthcoming reforms, the analysis will look for independent certification, procurement transparency, and scope clarity (registration vs. voting), while mapping AI-driven disinformation risks and the rights-compatibility of legal countermeasures. Here, success is indicated by greatercomprehension and trust, not merely technical throughput.

4. Map compliance to interoperability.

Because Zambia operates within AU and global regimes, the empirical chapters will check whether domestic rules and practices interoperate with UNESCO/OECD instruments (e.g., lifecycle documentation; risk-based controls; auditability) and AU frameworks on data categorisation and cross-border flows, critical for regional incident response and evidence transfer.

Operationalhypotheses for Chapters 4-6

• H1 (Executive consolidation): Where Al-cyber operations are centralised without strong ex-ante documentation, public information, and judicially enforceable disclosure, executive dominance over information and decision levers increases measurably. (Benchmarks: UNESCO/OECD lifecycle controls; AU DPF.)

• H2 (Judicial capacity): Courts lacking formal access rights and technical capacity to interrogate Al outputs will display reduced practical independence, observable in deference patterns and evidentiary thresholds. (Benchmarks: SR report;UNESCO Guidelines for courts.)

• H3 (Electoral legitimacy): Biometric/ABlS gains improve confidence only when accompanied by independent certification, transparent procurement and communications, and speech-protective information-integrity responses; otherwise, Al-assisted disinformation plus restrictive cyber-laws depress trust.

Bottom line.

The synthesis yields a clear evaluative stance: Al-driven cybersecurity is compatible with democratic governance only if explainability, oversight, and rights are designed-in and demonstrable. UNESCO/OECD provide the lifecycle tests; AU instruments supply the regional translation. Zambia's evolving framework will be judged in this thesis against those tests not on the presence of advanced tools, but on whether their governance sustains judicial independence, electoral integrity, and public legitimacy.

2.2.1 State PowerandAlgorithmic Governance

The deployment of Al-driven cybersecurity infrastructures constitutes not merely a technical transformation of the security sector but a profound reconfiguration of state power. ln modern governance theory, technological systems are never neutral: they embody institutional designs, strategic priorities, and epistemic assumptions that shape how authority is distributed, how decisions are made, and how accountability is structured. The rise of algorithmic governance therefore introduces a new modality of statecraft such as the one in which computational systems mediate access to information, determine threat prioritisation, and orchestrate administrative action at speeds and levels of complexity that exceed human capacity.

Classical theories of the state locate sovereign power in its monopoly over legitimate coercion, its infrastructural capacity to extract, process and act upon information, and its institutional authority to regulate conduct. AI-driven cybersecurity directly strengthens informational and infrastructural dimensions of this power. Automated threat detection systems, metadata analytics, network monitoring algorithms, and pattern-recognition engines expand the state's ability to observe digital behaviour, identify anomalies, and pre-emptively anticipate risk. In doing so, they increase the density and velocity of state knowledge, thereby augmenting what Michael Mann termed the state's "infrastructural power", its capacity to penetrate and coordinate societythrough information and administrative reach.

However, unlike traditional bureaucratic processes, AI systems introduce opaque, data-dependent, and technically complex mechanisms into the exercise of state authority. Algorithmic systems classify, filter, and rank information based on internal logics that are often inscrutable to oversight bodies. As such, they can serve as "power multipliers" for the executive branch, particularly when housed in centralised cybersecurity agencies with privileged access to data streams and technological expertise. The executive gains asymmetrical informational advantage over other branches of government, especially if legislatures and courts lack technical capacity or statutory powers to interrogate algorithmic tools. The result is a subtle but measurable recalibration of inter-branch power relations.

From a governance-theory perspective, algorithmic infrastructure embeds operational decision rules within computational processes. These rules determine thresholds of suspicion, classifications of criticality, escalation paths, and incident-response triggers. When such determinations are automated or semi-automated, they shift decisional power from deliberative institutions into socio-technical systems operated by specialised agencies. This does not eliminate human judgment; rather, it restructures it by binding human decisions to the epistemic outputs of machine systems. Such systems create "default authority", a presumption that algorithmic assessments are objective or technically superior, even when their underlying data or training sets may be incomplete, skewed, or politically shaped.

Algorithmic governance therefore raises questions about contestation, a foundational principle of democratic accountability. Contestation requires that individuals and institutions be able to understand, challenge, and seek remedies for decisions affecting them. Yet algorithmic systems, particularly in cybersecurity, can generate decisions that lack traceability or comprehensibility. The internal mechanics of machine-learning models including weight adjustments, neural activation patterns, probabilistic predictions resist translation into human-interpretable justifications. When such systems underpin evidence collection, surveillance triggers, or risk assessments, they become "authority without explanation," thereby weakening the conditions for effective oversight.

In the context of Al-driven cybersecurity, these governance challenges are intensified by securitisation logic. States justify exceptional capabilities by invoking the need to protect networks, mitigate disinformation, prevent cybercrime, or defend national sovereignty. Cybersecurity becomes a domain in which secrecy, speed and specialised expertise are emphasised over transparency and contestability. Once fused with algorithmic automation, this securitisation logic can entrench executive discretion and insulate decision systems from scrutiny.

Nevertheless, algorithmic governance does not inherently erode democratic values; its effects depend on institutional design. When accompanied by mandatory documentation, explainability requirements, independent audits, legislative oversight,

and judicial review powers, Al systems can enhance state capacity without distorting constitutional balance. In such contexts, algorithmic tools augment administrative efficiency while remaining embedded within rule-of-law structures.

The theoretical significance for Zambia becomes clear. The creation of a central cybersecurity agency under the executive and the use of Al-enhanced monitoring tools constitute structural decisions that directly affect how state power is organised. If algorithmic systems operate as "black boxes" accessible only to security agencies, they may tilt power toward the executive by virtue of informational asymmetry. Conversely, if designed with transparency, oversight, and contestability built in, they could modernise the state without compromising democratic equilibrium.

Thus, algorithmic governance theory highlights the core analytical question of this thesis: Does AI-driven cybersecurity in Zambia expand state power in ways that remain accountable and contestable, or does it consolidate executive authority by creating opaque informational advantages? The answer depends not simply on the technology but on the governance, structures surrounding it.

2.2.2 Digita/Authoritarianism vs Democratic Governance

The global diffusion of Al and cybersecurity technologies has reignited long-standing debates about the nature of political power in the digital age. Two contrasting trajectories dominate theoretical discourse: digital authoritarianism and rights-respecting democratic governance. Each represents a distinct logic of how states leverage digital capacity, regulate information, and manage sociopolitical dissent in technologically mediated environments.

Digital authoritarianism refers to governance models in which states harness digital technologies including Al, surveillance platforms, content-moderation algorithms, and data-fusion systems to monitor, control, and shape citizen behaviour. In such systems, cybersecurity is framed not only as protection against external threats but as a domestic tool of political ordering. States centralise cyber authorities, broaden interception powers, criminalise ambiguous online behaviours, and construct pervasive monitoring infrastructures that normalise surveillance as part of everyday life.

The theoretical roots of digital authoritarianism lie in securitisation theory and the politics of control. When states define digital space as inherently dangerous rife with disinformation, cybercrime, sedition, or moral threats, extraordinary measures become justified. Technologies originally designed for network protection or computational efficiency are redeployed toward political objectives: identifying dissent, deterring mobilisation, and shaping narratives. Al systems, capable of analysing vast data sets and detecting behavioural patterns, allow governments to scale surveillance and information manipulation with unprecedented efficiency.

Yet digital authoritarianism is not defined solely by technical capacity; it is defined by institutional intent and governance design. In authoritarian trajectories, digital powers concentrate within executive agencies operating with minimal transparency. Legal frameworks grant broad discretionary authority, often anchored in vague definitions of cyber harms or online offences. Courts are given limited oversight, either because interception regimes evade judicial scrutiny or because algorithmic processes are treated as classified. Civic space contracts as journalists, activists, and ordinary citizens self-censorforfearofalgorithm-enhanced monitoring.

In contrast, democratic digital governance is grounded in constitutionalism, human rights, and the rule of law. Here, cybersecurity and Al systems are embedded within frameworks that prioritise transparency, proportionality, accountability, and independent oversight. Digital powers are distributed across institutions, with legislatures establishing clear statutory mandates, oversight bodies auditing algorithmic systems, and courts providing remedies for overreach. Public participation, civil-society monitoring, and freedom of expression are viewed as integral to digital resilience rather than threats to it.

The divergence between these two models hinges on the governance of information. Digital authoritarianism treats information as a domain of control which is something to be monitored, channelled, or restricted. Democratic governance treats information as a public good which is something that must flow freely for deliberation, accountability and civic participation. Al systems amplify whichever orientation states adopt.

Cybersecurity becomes a critical pivot point. Under authoritarian logic, cybersecurity justifies secrecy, suppression, and centralisation. Under democratic logic, cybersecurity requires transparency, shared responsibility, and public trust. Al systems such as risk-scoring algorithms, sentiment-analysis tools, deepfake detectors, intrusion-detection engines can serve either logic depending on their institutional embedding.

For emerging democracies, including Zambia, the risk lies in function creep: laws or technologies introduced to combat cyber threats gradually evolve into tools of political governance. Once interception infrastructures or algorithmic monitoring systems are deployed, the temptation to use them for broader forms of surveillance increases. The opacity of Al exacerbates this risk: algorithmic systems can classify online behaviour or identify "anomalies" without public scrutiny, making it difficult to detect when security rationales mask political objectives.

Democratic governancetherefore requires safeguard architectures:

• Clear statutory limits on Al-enabled surveillance;
• Independent judicial authorisation and review;
• Transparencyaboutwhatsystems are used and how;
• Strong data-protection rules limiting retention and secondary use;
• Public reporting, audits, and parliamentary scrutiny;
• Freedom-of-expression protections that prevent overbroad censorship.

The theoretical conflict between digital authoritarianism and democratic governance is not merely binary; it manifests along a continuum. States may adopt democratic frameworks but apply them inconsistently or allow security prerogatives to drift toward illiberal practices. Conversely, even states with strong authoritarian tendencies may implement pockets of rights-respecting digital governance due to external pressures or institutional legacies.

For Zambia, the tension is visible: biometric systems, cybercrime legislation, and Al-enabled monitoring can enhance electoral integrity and state capacity but they can also expand executive power if not counterbalanced by genuine oversight. As such, the democratic question is not whether the state uses Al, but how: with what mandates, what checks, what transparency, and what accountability.

2.2.3 InstitutionalAutonomy andJudiciallndependence underAI

Judicial independence is a cornerstone of constitutional democracy, yet it is also one of the institutions most exposed to subtle erosion when states adopt opaque, data-intensive and security-driven technologies. The integration of Al into cybersecurity operations multiplies information flow, alters the evidentiary environment, and changes the ecology of institutional power. Against this backdrop, understanding how Al-enabled cybersecurity intersects with judicial autonomy requires not only a legal analysis but a theoretical one: thejudiciary's authority rests on its ability to evaluate state actions, interpret legality, and provide remedies. Any technological system that alters access to information, shifts decision-making prerogatives, or constrains the court's capacity for review inevitably affects the functional meaning of independence.

At the structural level, judicial independence depends on institutional parity: courts must possess not only formal powers but the epistemic resources necessary to assess the legality, fairness, and proportionality of state actions. This includes the ability to interrogate how evidence was generated, what assumptions guided risk scoring, and how surveillance decisions were made. Al-based cybersecurity systems, however, complicate this role in several ways. First, they often operate through machine-learning models whose internal logic is opaque especially weights, training data profiles, decision thresholds, error rates, and model drift are rarely comprehensible without technical expertise. Second, cybersecurity agencies typically treat their models, workflows, and logs as sensitive or classified, restricting whatjudges may access. Third, algorithmic systems may generate vast amounts of metadata or behavioural indicators thatjudges lack the capacity to independently validate.

The result is a new form of information asymmetry between the executive and the judiciary. While executives and their specialised agencies gain sophisticated analytical capabilities, courts risk being positioned downstream of decisions already shaped by opaque, technically complex systems. Judicial oversight thus becomes reactive and limited, especially when the court cannot compel disclosure of a model's logic or when the system's complexity exceeds judicial capacity. When the judiciary cannot fully interrogate the basis of state claims whether concerning cyber threats, risk classification, or surveillance necessity, its role as guardian of rights is diminished.

A second dimension concerns procedural fairness. Due process rests on the idea that individuals must understand the case against them, be able to challenge state evidence, and present counter-arguments. Algorithmic systems disrupt these principles by producing evidence such as risk scores, anomaly flags, behavioural classifications that may be unexplainable to defendants or their counsel. If the justification for surveillance or data interception rests on an algorithmic inference that cannot be disclosed, meaningful challenge becomes impossible. This risk creating a jurisprudential category of "uncontestable evidence," antithetical to the foundations of adversarialjustice.

Judicial independence is also vulnerable to what might be termed algorithmic influence. Even when Al systems are introduced as assistive tools for summarising texts, suggesting probable case outcomes, or ranking relevance they shape cognitive patterns in ways that may be subtle but significant. Judges may come to rely on automated summaries, risk rankings, or draft opinions, especially within overburdened court systems. Over-reliance could hollow out independent judicial reasoning, reducing the judge's role to validating algorithmic suggestions rather than critically assessing them. This is an autonomy-by-erosion phenomenon: independence is not attacked directly but weakened through routine dependence on technological mediation.

Furthermore, the placement of cybersecurity institutions matters. When AI-driven security agencies sit under the executive, the risk of executive dominance increases. Courts become reliant on information pipelines controlled by entities aligned with executive priorities. If those agencies serve as gatekeepers of technical knowledge, evidence sources, or surveillance records, they can indirectly shape the contours of judicial review. Without explicit statutory guarantees giving courts unambiguous access and audit powers, structural imbalance becomes entrenched.

The theoretical literature also highlights a more abstract, but equally significant, concern: the shifting of legitimacy claims. In constitutional democracies, judicial legitimacy is grounded in legal reasoning, public justification, and the principle that courts decide on human-interpretable reasons. AI systems challenge this model by offering "technical legitimacy" claims that algorithmic outputs are inherently more accurate, objective, or predictive. This can create pressure on judges to defer to technical authority, especially when security agencies frame algorithmic systems as necessary for national safety. The judiciary's role as the ultimate arbiter of legality risks being overshadowed by technocratic reasoning that lies outside the court's interpretive domain.

Yet these risks are not inevitable. Judicial independence can be preserved and strengthened if AI is governed by principles of transparency, accountability, contestability, and human oversight. These principles require:

1. Mandatory algorithmic disclosure for any Al system whose outputs are used as evidence or asjustification for state action.

2. Judicial access to technical logs, training data documentation, and model evaluation metrics, potentiallythrough secure in-camera procedures.

3. Capacity-building programmes providing courts with Al literacy, expert advisers, and independent forensic capabilities.

4. Legal safeguards ensuring Al systems serve only assistive roles in judicial functions and do not supplant judicial reasoning.

5. Clear statutory boundaries for cyber agencies, ensuring judicial review is operational, not symbolic.

For Zambia, these theoretical arguments directly connect to the architecture established by its 2025 cyber-laws. The centralisation of cybersecurity authority in an executive-aligned agency, the expansion of interception capabilities, and the potential use of Al-enhanced monitoring introduce precisely the conditions where judicial autonomy could be challenged if oversight mechanisms lack depth, technical specificity, and enforceability. Conversely, the presence of data-protection laws, constitutional safeguards, and judicial traditions provides a foundation upon which a robust, rights-oriented governance model can be constructed.

Thus, the theoretical lens of judicial independence under Al highlights a critical proposition for this thesis: Al-enabled cybersecurity systems reconfigure the environment in which courts operate, and the degree to which judicial autonomy persists depends entirely on whether courts are given the tools, powers, and access necessaryto interrogate algorithmic authority.

2.2.4 Electoral Integrity in Biometric/AI Environments

Electoral integrity theory examines the conditions under which elections produce outcomes perceived as legitimate, credible, and reflective of popular will. Traditionally, these conditions include impartial electoral management, transparent processes, equitable competition, and protections for political rights. In the digital era, however, these foundations are increasingly mediated and in some contexts destabilised by the introduction of biometric technologies, AI-driven cybersecurity systems, and algorithmically accelerated information flows. Understanding electoral integrity in an Al-enabled environment therefore requires a conceptual synthesis of technological governance, institutional trust, and democratic accountability.

Biometric technologies emerged across Africa as a response to concerns about inflated voter rolls, duplicate registrations, and historically weak civil registries. The promise was straightforward: fingerprints, facial images, and deduplication algorithms would make electoral rolls more accurate and elections less vulnerable to identity fraud. Integrity-focused scholarship acknowledges these gains but warns that technological reliability does not automatically translate into legitimacy. Elections are social and political events; voters judge them not only by technical accuracy but by perceived fairness, transparency, and inclusiveness. If biometric systems are deployed unevenly, procured without transparency, or explained poorly to the public, they risk generating distrust, even when theyfunction correctly.

Al intensifies this complexity. Automated deduplication, identity verification, and anomaly detection increase efficiency but also increase opacity. Voters, political parties, and observers cannot easily verify how algorithms classify entries or detect duplicates. The risk of "algorithmic disenfranchisement" such as errors that exclude eligible voters due to misclassification although often small in statistical terms, can have large political consequences when concentrated in specific regions or demographic groups. Integrity depends not only on the absence of error but on the ability to detect, explain, and remedy error. Without auditability and transparency, the very tools that promise accuracy may paradoxically undermine trust.

Electoral integrity theory also emphasises the role of procedural transparency. When electoral bodies adopt technologies that are not well understood, the informational gap between administrators and the public widens. If the electoral commission cannot

clearly communicate what biometrics do or do not do, e.g., that biometric registration is not electronic voting before misinformation can spread. This creates fertile ground for political actors to weaponise uncertainty. In such contexts, Al-enhanced technologies must be accompanied by robust communication strategies, independent certification, and proactive public education. Legitimacy rests on the perceived openness, not the sophistication, of the system.

A second frontier concerns cybersecurity and electoral infrastructure. As electoral management bodies digitise operations, they become targets for cyberattacks, hacking attempts, and disinformation campaigns. Al-driven cybersecurity offers enhanced defensive capabilities which include threat detection, log anomaly analysis, intrusion prevention but it also introduces automated decision systems that may trigger protective actions, such as temporarily restricting access to networks or isolating suspected malicious accounts. When such actions occur during elections, they can affect transparency, access to results, or media reporting. If poorly governed, cybersecurity measures may be interpreted as interference, particularly when stakeholders lack clarity about how decisions are made and who controls the underlying systems.

A third and rapidly expanding challenge concerns Al-driven disinformation, which directly targets the informational environment that sustains electoral integrity. Deepfakes, fabricated audio, synthetic images, bot networks, and micro-targeted narratives can distort public debate, manipulate voter perceptions, and erode trust in institutions. Unlike traditional misinformation, Al-generated content can be both realistic and scalable. Electoral integrity theory traditionally assumed that public deliberation, media scrutiny, and civil-society oversight function as stabilising forces. Yet algorithmic amplification disrupts these stabilisers by accelerating the spread of falsehoods, overwhelming fact-checking capacity, and fragmenting the public sphere.

In emerging democracies, where institutional trust may already be fragile, these dynamics are particularly consequential. Disinformation that questions the neutrality of an electoral commission, the fairness of biometric registration, or the accuracy of tallying can trigger legitimacy crises. The critical insight here is that integrity now depends as much on information governance as on procedural management. Electoral outcomes are accepted not only when votes are cast and counted properly, but when the public believes the overall information ecosystem is credible.

Meanwhile, cyber-legal frameworks intended to combat online harms may themselves affect electoral integrity. When laws criminalise broad categories of online expression or grant expansive interception powers, they can chill legitimate political speech and journalistic inquiry, particularly during electoral cycles. Integrity requires that public debate remain open, pluralistic, and uncensored. Regulatory measures that inadvertently suppress civic space can undermine the very legitimacy they seek to protect. Thus, electoral integrity depends on a balanced governance model: one that combats disinformation without infringing on fundamental freedoms.

From a theoretical standpoint, Al's role in elections can be conceptualised along three axes:

1. Identity governance (biometrics, deduplication, verification).

2. Cyber-infrastructure protection (Al-driven cybersecurity).

3. Information-environment governance (disinformation detection, content integrity, media authenticity).

Each axis introduces risks and governance requirements. Identity governance requires transparency, accuracy, and appeal mechanisms. Infrastructure protection requires proportionality, accountability, and oversight. Information governance requires safeguarding free expression while mitigating manipulation. Failures in any axis can produce cascading legitimacy deficits.

For Zambia, these theoretical dynamics are highly salient. Biometric systems are well established, but public understanding remains uneven. Cyber-legal reforms expand state capacity but raise questions about proportionality and oversight. The information environment is increasingly shaped by social media, creating vulnerabilities to Al-driven misinformation. Thus, electoral integrity cannot be analysed solely through the performance of biometric or administrative processes; it must be evaluated through an integrated framework that accounts for technology, governance, civic space, and public trust.

In sum, the theoretical literature underscores that Al transforms elections into socio-technical systems in which credibility hinges on governance, not machinery. Electoral integrity depends on transparency, contestability, independent oversight, and inclusive public communication. Absent these, even the most advanced systems can generate mistrust. Presenting these ideas within the Zambian context positions the empirical chapters to interrogate how biometric systems, cybersecurity reforms, and information dynamics interact to shape democratic legitimacy.

2.2.5 Socio-Technica/andRights-BasedGovernance Frameworks

The governance of Al-driven cybersecurity requires a synthesis of two intertwined analytical traditions: socio-technical systems theory and rights-based governance. Each tradition offers insights into how technological infrastructures shape, delimit and redistribute power. When combined, they illuminate the institutional, procedural and normative conditions under which Al can enhance rather than erode democratic governance.

I. AIas a Socio-Technica/ System

Socio-technical theory rejects the notion that technology is external to society. Instead, it conceptualises technological systems as co-produced by institutional design choices, cultural expectations, professional norms, organisational routines and political interests. Al-driven cybersecurity systems are therefore not mere tools; they are embedded actors within a network of institutions that includes security agencies, data-protection bodies, courts, legislatures, procurement authorities and civil society.

From this vantage point, every Al system embodies a set of design assumptions: What is a threat? What data is relevant? Who defines anomalies? What thresholds trigger escalation? These assumptions reflect institutional priorities and political values. For example, if an Al system is trained primarily on data from dissident groups or activist networks regardless of innocence it may inadvertently embed political bias. Similarly, if optimisation metrics prioritise high detection rates over minimising false positives, the system can normalise intrusive surveillance.

The socio-technical lens therefore requires attention to:

• How data is collected, selected, cleaned and labelled;

• Who sets design objectives;

• How riskisconceptualised;

• What institutional incentives shape deployment;

• How outputs integrate into decision-making chains.

Cybersecurity Al systems thus become constitutive of governance, not ancillary to it. They mediate the distribution of rights, responsibilities and discretionary authority. They do not simply detect threats, they structure the categories through which the state understands security itself.

2.Rights-Based Governance as ConstraintandEnabler

Rights-based governance anchors technological deployment within constitutionalism, legality, due process, equality and proportionality. It views Al as legitimate only to the extent that it enhances rights rather than undermines them.

AI-driven cybersecurity raises rights concerns across multiple domains:

1. Privacy — Continuous monitoring, metadata analysis, and pattern detection expand state visibility into private lives.

2. Freedom of expression — Al-assisted content moderation or surveillance may chill political speech.

3. Due process — Opaque risk assessments can shape investigatory decisions without beingjusticiable.

4. Non-discrimination — Algorithmic bias can lead to disproportionate scrutiny of specific regions or demographic groups.

5. Access to justice — Individuals cannot challenge what they cannot understand, especiallywhen algorithmic evidence remains classified.

Rights-based governance therefore demands the embedding of explainability, contestability, transparency, oversight and accountability into the lifecycle of AI. This includes not only technical measures (e.g., model cards, audit logs, bias tests) but also institutional safeguards (judicial access rights, independent regulators, public reporting).

Rights-based frameworks also emphasise procedural justice which is fairness in the processes by which decisions are made. If cybersecurity interventions rely on AI systems that are invisible, unchallengeable and unreviewable, procedural legitimacy collapses even if the outcomes are accurate.

3. Socio-Technical Alignment: Increasing Institutional Fit

AI systems perform well only when institutional environments align with their assumptions. For example, an AI system that identifies anomalous log-ins or unusual data flows is effective only if institutions have:

• Clearescalationprotocols;

• Staff able to interpret outputs;

• Mechanisms to verify whether anomalies represent threats;

• Oversight bodies to ensure proportionality.

Without this alignment, AI systems produce "ungoverned information" which are flags and classifications that drift into bureaucratic inertia or unchecked authority. Socio-technical governance thus emphasises iterative alignment between tools and institutional capacities.

Page 76of271

4. EmbeddingSafeguardsAcross the Lifecycle

A socio-technical and rights-based governance model integrates safeguards at each stage:

Design Stage

• Document problem definition and intended use-cases.

• Conduct risk assessments and bias analysis.

• Ensure multidisciplinary input (legal, ethical, technical).

• Build explainability and auditability into the architecture.

Deployment Stage

• Limit use to clearly defined statutory purposes.

• Maintain human-in-the-loop for all high-stakes decisions.

• Ensure multi-level oversight (internal compliance, external regulators).

Operation Stage

• Monitor system drift.

• Conduct regular audits and incident reviews.

• Ensure courts can demand disclosures.

• Provide public reporting mechanisms where feasible.

ReviewStage

• Evaluate proportionality and necessity.

• Allow individuals to challenge decisions.

• Revise systems based on emerging evidence and ethical concerns.

5. lmplications for Emerging Democracies

For countries transitioning toward digital governance but operating within constrained institutional capacity, socio-technical and rights-based frameworks provide a conceptual roadmap. They shift the emphasis from acquiring advanced tools to designing governance environments that ensure legitimacy, accountability and democratic resilience.

In Zambia's context where AI-driven cybersecurity intersects with executive centralisation, biometric electoral systems, judicial oversight gaps and a contested online sphere, this framework highlights the need for integrated safeguards, capacitybuilding and statutory clarity.

2.2.6 An IntegratedAnalyticalModel forZambia

The preceding theoretical frameworks converge into a multi-layered analytical model designed to evaluate how AI-driven cybersecurity reconfigures state power, institutional autonomy and democratic legitimacy in Zambia. The model integrates four interacting layers: normative, legal-institutional, inter-branch power relations, and public legitimacy/information environment. Each layer introduces variables that shape how AI systems operate and how their governance is contested.

1. Normative Layer: Globaland ContinentalBenchmarks

At the outermost layer, global and continental governance frameworks articulate the principles against which national Al-cybersecurity architectures should be evaluated. These norms include:

• Human oversight and control;

• Transparencyand explainability;

• Accountabilitymechanisms;

• Rights-protection and due-process safeguards;

• Non-discrimination;

• Multi-stakeholdergovernance;

• Lifecycle governance (design ^ deployment ^ operation ^ review).

These norms function as external constraints and interpretive guides. They provide the standards against which Zambia's institutional arrangements, legislative choices and operational practices can bejudged.

2. Legal-Institutional Layer: Zambia's Cyber and Data Regulatory Architecture

The second layer examines the statutory and organisational environment within which Al-driven cybersecurity is embedded. Zambia's framework combines older rights-protective laws (Data Protection Act, Electronic Government Act) with newer centralising instruments (Cyber Security Act 2025, Cyber Crimes Act 2025).

This layerofthe model asks:

• Do legal provisions clearly define mandates, limits and oversight obligations for Al-enabled security tools?

• Are transparency and audit requirements embedded in law?

• Do courts and regulators have explicit statutory authority to demand disclosures (model documentation, logs, training data)?

• Does the placement of cybersecurity institutions under the executive skew the balance of power?

The legal-institutional layer thus evaluates governance design, determining whether the architecture supports rights-based, multi-institutional governance or whether it consolidates authority.

3. Inter-Branch Dynamics Layer: Algorithmic Power and State Power Relations

The third layer examines how Al-driven cybersecurity shifts the balance of power among the executivejudiciary, and electoral bodies.

Executive

Al systems expand the executive's capacity for surveillance, information control and rapid response. They may produce informational asymmetries that place the executive in a dominant position.

Judiciary

Courts may struggle to oversee Al-enabled actions if they lack access to technical information, expertise or statutory powers. The risk is a de facto erosion of judicial autonomy even if dejure independence remains intact.

Electoral Bodies

Electoral commissions increasingly rely on biometric systems and cybersecurity infrastructures. If these systems become entangled with executive-controlled Al security platforms, the autonomy of electoral authorities may be compromised.

This layer asks:

• Does Al increase executive dominance by centralising control over information and technical expertise?

• Are courts and electoral bodies given meaningful oversight capabilities, or only symbolic participation?

• Do Al-generated assessments become "default authority" within the state apparatus?

4. Pub!ic Legitimacyand Information Environment Layer

The fourth layer recognises that democratic governance depends not only on formal institutions but on public trust, particularly in elections, courts and government transparency.

Al intersects with legitimacythrough:

Biometric/Electoral Systems

Trust depends on transparency in procurement, implementation and error correction.

Al-Assisted Disinformation

Al accelerates misinformation, reduces the visibility of authoritative voices and undermines public confidence in institutions.

Cyber-Legal Regulation

Overbroad laws may suppress speech, reducing civic space and thereby damaging legitimacy.

This layer asks:

• Does the public perceive Al-driven systems as enhancing or undermining fairness?

• How resilient is the information environment against manipulation?

• Does cybersecurity law protect or shrink civic space?

5. lnteraction EffectsAcross Layers

These layers are not independent. Their interactions shape the overall governance trajectory.

• If normative principles are strong but legal frameworks are weak, implementation gaps arise.

• If legal frameworks are strong but inter-branch capacity is unequal, executive dominance prevails.

• If institutional safeguards exist but public mistrust is high due to disinformation, legitimacy erodes.

• If AI systems are transparent but civic space is restricted, democratic participation declines.

The integrated model therefore examines Zambia's AI-driven cybersecurity as a system of systems, where each governance layer influences and constrains the others.

6 . App/ying the Model in the Empirical Chapters

The empirical analysis in Chapters 4-6 is structured using this integrated model:

• Chapter 4 (Findings and Results) tests whether Zambia's AI-cybersecurity practices align with normative and institutional benchmarks.

• Chapter 5 (Discussion) evaluates how AI reshapes executive-judiciary-electoral power dynamics.

• Chapter 6 (Conclusions and Recommendations) assesses impacts on democratic legitimacyand identifies governance reforms.

7 . Theoretical Contribution

By integrating socio-technical, rights-based, and power-centric frameworks, this model contributes a comprehensive analytical lens applicable not only to Zambia but to other emerging democracies grappling with AI-enabled governance transformations.

The model's core proposition is simple but profound:

Al-driven cybersecurity is governance by other means though its democratic effects depend not on technical sophistication, but on the distribution of contestation, transparency and institutional power across the polity.

2.2.7 Limitations and Theoretical Payoff

Every theoretical framework offers an interpretive lens that clarifies certain dynamics while inevitably obscuring others. The preceding sections have assembled a multi-layered framework by integrating state-power analysis, digital authoritarianism vs democratic governance, judicial-autonomy theory, socio-technical governance, and electoral-integrity scholarship to examine Al-driven cybersecurity in Zambia. While this integrated approach provides a robust scaffold for analysing democratic implications, it also carries important limitations. Recognising these limitations is essential not only for methodological integrity but for accurately delimiting the scope of the empirical analysis.

1. Limitations

(a) Normative frameworks exceed empiricalinstitutionalcapacity

A first limitation arises from the tension between global normative frameworks and local institutional realities. International Al-governance principles whether rights-based, transparency-oriented, or oversight-focused presume a level of bureaucratic capability, technical literacy, resourcing and political will that may not exist in many developing contexts. The theoretical framework risks assuming that Zambia could feasibly implement such safeguards simply by virtue of recognising them. In reality, designing explainability standards, maintaining audit logs, training judges, or conducting technical oversight may exceed institutional capacity. Thus, the theoretical model may overestimate the practicability of ideal governance standards.

(b) Algorithmic governance theory presumes model visibility and documentation

Algorithmic governance frameworks operate on the assumption that Al systems are describable, documentable and amenable to human understanding. Yet real-world systems particularly those used in cybersecurity often involve proprietary models, classified data flows, or complex architectures that resist meaningful inspection. The theoretical emphasis on contestability and explainability therefore risks being aspirational. If systems remain black-boxed for commercial or national-security reasons, theoretical prescriptions may have limited empirical traction. The framework must therefore acknowledge that oversight may be structurally constrained.

(c) State-power reconfiguration is not linear or deterministic

Although the framework emphasises how Al may centralise executive power, this relationship is not deterministic. Bureaucratic politics, inter-agency rivalries, public-sector inertia, and path-dependent governance cultures can blunt or distort the centralising potential of Al. The conceptual expectation that Al transforms state power must therefore be tempered with recognition that institutions often adapt slowly, resist change, or experience uneven adoption. Without accounting for these contingencies, the model may over-theorise the coherence or transformative power of Al in the Zambian context.

(d) Judicial-independence theory may overlook internal judicial dynamics

While the framework rightly foregrounds judicial access to information, capacity, and oversight powers, it may insufficiently account for internal judicial variation including differences in competence, political vulnerability, organisational culture, or willingness to challenge executive agencies. Judicial independence is not simply a structural attribute; it is also a behavioural and sociological phenomenon shaped by norms, incentives and organisational cohesion. Thus, the model's focus on structural access Page 84 of 271

may underplay internal judicial behaviour, which can enable or constrain the actual exercise of oversight.

(e) Electoral-integrity models may not fully capture local political economy

The electoral-integrity literature emphasises transparency, trust and procedural safeguards, yet electoral legitimacy also depends on political-economy factors such as party competition, elite incentives, civil-society mobilisation, historical grievances, and regional power dynamics. Al systems do not operate in a vacuum; they enter political landscapes marked by varying levels of polarisation, patronage, or democratic consolidation. The theoretical framework, while analytically rigorous, risks underestimating how local political dynamics mediate the impact of biometric systems, cyber laws or information manipulation.

(f Socio-technical frameworks assume coordination and coherence

Socio-technical analysis requires alignment across design, deployment, institutional capacity, organisational routines, and governance norms. Yet empirical reality rarely exhibits such coherence. Institutions may interpret technologies differently, deploy them inconsistently, or lack the coordination necessary for cohesive governance. The theoretical model may therefore be too orderly relative to the fragmented, sometimes chaotic nature ofdigital transformation in emerging democracies.

2. TheoreticalPayoff

Despite these limitations, the integrated framework generates significant conceptual value both for this thesis and for broader Al-governance scholarship.

(a) Providesaholistic, multi-dimensionalanalyticalmodel

AI-driven cybersecurity is not a discrete issue. It touches on state power, oversight, rights, elections, information integrity, and legitimacy. The theoretical framework moves beyond single-discipline analysis to offer a multi-dimensional model that captures the entanglement of legal, institutional, technological and political factors. This holistic framing enables the thesis to evaluate Zambia's transformations in a comprehensive, ratherthan siloed, manner.

(b) Bridgesmacro-levelnorms with micro-levelinstitutionalpractices

A core contribution of this framework is its integration of global Al-governance norms with local-institutional analysis. Instead of treating international principles as abstract ideals, the model treats them as evaluative benchmarks against which Zambia's statutory design, operational procedures and oversight mechanisms can be assessed. This creates a conceptual bridge between theory and applied governance clarifying where Zambia aligns with or diverges from global expectations.

(c) Clarifies mechanisms ofstate-power transformation

By synthesising algorithmic governance theory with digital-authoritarianism scholarship, the framework identifies the mechanisms through which AI may centralise executive power: informational asymmetry, technical opacity, institutional dependency, and securitisation. This mechanism-focused approach provides a structured way to evaluate whether Zambia's AI-cybersecurity institutions are reinforcing or rebalancing state authority.

(d)Advances a rights-centredsocio-technicalgovernance model

The combination of socio-technical theory with rights-based governance yields a normative model in which AI governance is neither anti-technological nor naïvely techno-optimistic. Instead, it positions rights, transparency and institutional contestability as necessary design features of AI systems. This provides a principled basis for evaluating Zambia's cybersecurity reforms and recommending governance improvements.

(e) Establishes an analytical vocabulary forjudicial examination ofAI

The framework articulates how judicial autonomy relates to epistemic access, interpretive authority and review capacity. These concepts enrich judicial-independence theory by demonstrating that information parity is now as important as constitutional or administrative safeguards. This offers a refined theoretical apparatus that can be applied in other jurisdictions confronting similar challenges.

(f) Reorients electoral-integrity theory toward the digitalage

By integrating disinformation, cybersecurity and biometrics into a unified electoral-governance lens, the framework updates traditional electoral-integrity theory for the realities of Al-mediated elections. This contributes to contemporary debates on trust, legitimacy and information environments which are areas of increasing scholarly and policy relevance across Africa.

(g) Produces a portable theoretical model

Though grounded in Zambia's context, the model is generalisable. It can be adapted to analyse Al-driven cybersecurity in other emerging democracies facing similar tensions between security imperatives and democratic consolidation. The thesis thus contributes a conceptual tool with applicability beyond its immediate case study.

2.3 Zambia-SpecificLiterature:Law, Policy,Institutions,andEvidence

2.3.1 NationalAIPolicyandDigital-Transformation Baselines

Zambia's government has positioned Al as a cross-government modernization lever through the National Artificial Intelligence Strategy (2024-2026) issued by the Ministry of Technology and Science (MoTS). Public releases confirm the Strategy was endorsed in 2024 with a developmental mandate linking Al to public-service transformation, human-capital development, and "trust and confidence" in cyberspace

while signalling partnerships with international actors;these notices situate Al within a broader digital transition driven by connectivity and sectoral productivity goals. The Strategy is explicitly nested in the AU's 2020-2030 Digital Transformation Strategy for Africa and Agenda 2063 logics, emphasizing harmonisation with continental norms; the official AU documents frame digitalization as a catalyst for inclusive growth and an integrated Digital Single Market, which shapes Zambia's policy vocabulary on interoperability, data governance, and regional alignment.

Domestically, two 2021 statutes established the baseline architecture for lawful, rights-respecting digital public administration. The Electronic Government Act, 2021 (Act 41) created an e-government governance core under the Presidency and codified principles on information-systems security, inter-agency sharing, and auditability, provisions that later interact with cybersecurity operations and procurement of Al-enabled tools. The Data Protection Act, 2021 (Act 3) instituted controller/processor duties, a Data Protection Commissioner, and special protection for sensitive categories such as biometrics framework elements directly relevant to Al models that process personal data for risk assessment, identity assurance, or incident response.

2.3.2 The 2025 Cyber-LawPackage and Centralization ofCyber Authority

In April 2025, Zambia overhauled its cybersecurity regime through the Cyber Security Act, 2025 (Act 3) and the Cyber Crimes Act, 2025 (Act 4), repealing and replacing 2021 instruments and decisively centralising national cyber authority. The legislation established the Zambia Cyber Security Agency (ZCSA) under the Office of the President, formalised the national CIRT with sectoral CIRTs, and continued the Central Monitoring and Coordination Centre (CMCC), which underpins interception/monitoring functions. The crimes statute widened offence categories (e.g., deceptive electronic communication) and operational powers for traffic-data preservation, search/seizure, and cooperation obligations on providers about procedural levers that shape how Al-assisted surveillance and digital forensics can be used and litigated.

Civil-society and international policy commentary argue that the Acts' broad definitions and expanded interception mandates risk shrinking civic space unless paired with robust safeguards. Regional coalitions (AFEX/CIPESA) warn of vague concepts (e.g., "critical information") enabling discretionary enforcement;they recommend tighter drafting, proportionality, and independent oversight. Freedom House's 2025 Freedom on the Net assessment similarly flags increased surveillance powers and prosecutions of online expression, situating Zambia as "Partly Free" with persistent risks to digital rights during politically sensitive periods. The Global Network Initiative also urged reconsideration of provisions likely to chill speech and undermine journalistic work, even while recognising the legitimate aim of establishing incident-response capacity.

The Law Association of Zambia (LAZ) publicly announced litigation to test constitutionality of select sections particularly interception, speech-related offences, and institutional placement of ZCSA under the Presidency arguing tensions with the Bill of Rights' privacy and expression guarantees; subsequent reportage tracked the filing of proceedings and articulated concerns about judicial oversight and due-process effects. Local media and advocacy reporting amplify similar critiques, predicting information asymmetries if courts cannot access CMCC logs, model documentation, oroperational criteria during review.

2.3.3 Continental Alignment: AU Data/AI Governance and Zambia's Position

Zambia's cyber-legal trajectory operates within an evolving continental regime that sets rights-respecting data and Al baselines. The AU Data Policy Framework (2022) seeks harmonised governance and a shared data space to enable cross-border data flows essential for AfCFTA, while urging rule-of-law safeguards and cautioning against blanket data-localization justified by security. By late 2025, the AU began validating Page 89 of 271

continental frameworks on data categorisation & sharing, cross-border flows, and open data to accelerate the Digital Single Market by 2030 initiatives that will influence national cyber and Al implementations, including evidentiary sharing and incident-response cooperation.

On Al specifically, the Continental Al Strategy (July 2024) endorsed at Ministerial/Executive Council level calls for an Africa-centric approach that is ethical, inclusive, and development-oriented, with safeguards for rights and security; AU communiqués in 2025 reaffirm the emphasis on investment in compute/data infrastructure and on protective guardrails. These continental commitments create external benchmarks against which Zambia's centralised cyber governance and Al deployments will be judged for proportionality, transparency, and oversight.

2.3.4 Courts, Autonomy, and Algorithmic Evidence: Regional Guidance and Zambia S Challenge

International judicial-governance literature and UN mechanisms are increasingly attentive to Al injustice systems. The UN Special Rapporteur on the independence of judges and lawyers (A/80/169, 2025) cautions against techno-solutionism, insists on human judicial control, and advocates public information about any Al systems affecting adjudication a stance with direct relevance where cyber-surveillance outputs become evidence. UNESCO has complemented this with Guidelines for the Use of Al Systems in Courts and Tribunals (2025) and large-scale judicial-capacity programmes documenting that many judges worldwide use Al tools without institutional guidance hence the need for auditability, explainability, and in-camera access mechanisms.

Translating these guidance points into Zambia's statutory reality highlights a core research concern: the practical ability of Zambian courts to compel disclosure of algorithmic logic, training-data documentation, and CMCC technical records where security agencies cite Al-assisted analytics for interception or investigation. lf such materials remain classified or proprietary, epistemic asymmetry risks curtailing judicial independence in practice even when it exists in law.

2.3.5 Elections: Biometrics, Cybersecurity,andinformation integrity

Zambia has one of the continent's more established histories with biometric voter registration, integrating ten-finger fingerprints and ICAO facial images with an Automated Biometric Identification System (ABIS) for deduplication prior to the 2021 polls; e-poll books were also selectively deployed to speed verification. Vendor/commission materials underscore that biometrics are for registration, not electronic voting, a distinction reiterated to counter public misperceptions. At the same time, contemporaneous domestic reportage questioned uneven device deployment and called for greater transparency regarding deduplication outcomes signalling that implementation detail and communications shape perceived integrity as much as technical capacity.

Reform momentum remains active. The Electoral Reform Technical Committee (ERTC) constituted in 2024 conducted nationwide consultations and delivered a comprehensive report in 2025, recommending legislative and procedural updates (including electronic/biometric registration improvements and process harmonisation). Public posts on the ECZ website and stakeholder portals reference these outputs alongside a 2026 cycle roadmap, indicating staged implementation planning. Observers will recall that the EU EOM Final Report (2021) assessed technical administration as competent but flagged unequal campaign conditions, constrained freedoms, and observer/media-access gaps at national tabulation; these legacy issues condition how new technology-centred reforms are interpreted by stakeholders.

A parallel line of evidence concerns the information environment. Comparative African election studies document intensifying Al-assisted disinformation deepfakes, bots, coordinated amplification targeting electoral authorities and processes and exploiting linguistic moderation gaps;UNESCO/think-tank reporting and journalism emphasise that these dynamics can outpace fact-checking and degrade trust. Zambia's 2025 cyber-law changes are therefore double-edged: while presented as tools to counter online harms, digital-rights monitors argue that broad speech offences and expansive surveillance powers could deter legitimate scrutiny and civic debate during election periods, paradoxically harming legitimacy if safeguards are weak.

2.3.6 Public Opinion andCivicSpace Signals

Afrobarometer's Zambia country materials (2024-2025 releases) show continuing support for elections and freedom to vote, situating Zambia within a continent-wide picture of democratic aspiration but growing anxiety about institutional performance; these signals underscore that public trust hinges on visible safeguards and rights-consistent enforcement as digital governance expands. Media-sector reporting (e.g., MISA Zambia FOX) during 2025 notes heightened public awareness of cyber laws alongside concerns about harassment and access to information;the prospect of operationalising an Access to Information framework is flagged as an institutional hinge for transparency in the digital era.

2.3.7 5 ynthesis: WhatZambia's Literature Implies for This Thesis

Taken together, Zambia's corpus presents four clear patterns:

1. Normative-policy ambition, institutional tension. The AI Strategy and the 2021 e-government/data-protection baseline articulate a right-aware modernization agenda; however, the 2025 cyber-law package centralises cyber power and expands interception in ways that critics argue could outpace safeguards unless legislated access, auditability, and independent oversight are made operational.

2. Judicial-review stress points. Global judicial guidance prioritises

human-in-the-loop, transparency, and court access to technical records; Zambia's legal design will be tested on whether courts can compel and understand Al-related materials (CMCC logs, model documentation) in practice, rather than rely on executive claims about necessity or secrecy.

3. Electoral integrity as a socio-technical equilibrium. Long-standing biometric registration and the ERTC reforms can strengthen integrity if accompanied by independent certification, procurement transparency, and sustained public communication distinguishing registration tech from voting;legacy EU EOM findings on transparency and access make these governance complements essential.

4. Information integrity and civic space. The continent-wide intensification of Al-assisted disinformation demands responses;yet if cyber-law enforcement is overbroad or untransparent, it will chill speech and diminish trust, undermining the very goal of legitimacy.

Together, these strands justify the thesis's multi-institutional design: analysing how Al-driven cybersecurity interacts with executive consolidation, judicial independence under algorithmic evidence, and electoral legitimacy in a contested information environment benchmarked against AU data/AI governance and global rule-of-law expectations.

2.4 Knowledge Gaps in the ExistingZambia-Specific Literature

Despite a steadily expanding corpus on Zambia's digital transition, four persistent gaps limit cumulative understanding of how AI-driven cybersecurity is reshaping state power, institutional autonomy and democratic legitimacy. These gaps including evidentiary, conceptual and methodological motivate the present study's design and its multi-institutional scope.

1) From law-on-paper topractice-in-operation: how the 2025 cyber laws work in real cases

Most available analyses map what the Cyber Security Act, 2025 and the Cyber Crimes Act, 2025 say that centralising cyber authority in the Zambia Cyber Security Agency (ZCSA) under the Presidency, continuing the Central Monitoring and Coordination Centre (CMCC), widening interception/traffic-data powers, and creating offence categories like deceptive electronic communication. Yet there is little empirical research on how these provisions are interpreted and applied by investigators, prosecutors, regulators, and courts across concrete cases. We lack systematic accounts of operational criteria for interception triggers, model-assisted triage, audit trails, and disclosure practices in judicial review. Civil-society briefings and freedom-of-expression reporting warns about broad definitions and risks to civic space, but they remain diagnostic (what could go wrong), not evaluative (what actually happens in institutional workflows).

Two corollaries deepen this gap. First, while the AU Data Policy Framework pushes harmonised, rights-centred governance and cross-border data flows, we have no Zambia-specific evidence on whether cooperation routines (e.g., data categorisation, sharing, or incident-response protocols) have been domesticated in ways that constrain or channel the new statutory powers. Second, the Continental Al Strategy (2024) articulates ethical, inclusive Al, but Zambia-level operationalisations such as procurement clauses, lifecycle documentation, or internal audit standards remain under-documented in the literature.

2) Judicial independence under Al: from formal guarantees to epistemic parity

International guidance increasingly details how courts should handle Al in justice systems which carters human control, disclosure, public information on systems used, and the ability to interrogate algorithmic evidence. UNESCO's guidelines for courts and the UN Special Rapporteur's 2025 report are clear about principles, yet Zambia-specific studies do not show whether judges can in practice obtain CMCC logs, model documentation, data-provenance notes, or error/threshold reports when cyber-operations are challenged. In other words, we do not know if courts enjoy epistemic parity with executive agencies wielding Al-enabled tools. Nor do we have evidence on whether in-camera procedures or technical advisers are being used to bridge secrecy-oversighttensions in live proceedings.

Relatedly, there is scant analysis of judicial capacity-building: whether Zambia's bench has received Al literacy training comparable to UNESCO's global programmes (which found high Al usage but low guidance worldwide), and how such training (if any) changes review practices in cyber-evidence cases. This is a salient lacuna given the shiftfrom documentaryto algorithmicallyderived indicators in digital investigations.

3) Elections as socio-technical systems: bridging biometrics, cybersecurityand information integrity

Zambia's biometric voter registration (fingerprints + ICAO facial images) and ABIS deduplication are well-described in vendor/commission materials; some media and observer accounts questioned selective e-poll book deployment and sought clarity on deduplication outcomes in 2021. But there is limited scholarly work that integrates three axes: (i) identity governance (biometrics), (ii) cyber-infrastructure protection (Al-enabled detection/response), and (iii) information integrity (Al-assisted disinformation) into a single evaluation of electoral legitimacy. We still lack independent, methodical assessment of whether procurement transparency, independent certification, incident disclosure, and public communication (e.g., "biometrics / e-voting") have been institutionalised ahead of 2026, and how these measures shape perceptions of fairness across provinces and demographic groups.

Equally, while continental research chronicles Al-accelerated disinformation such as deepfakes, cloned audio, coordinated networks although there is little Zambia-specific measurement of exposure, diffusion paths, and mitigation efficacy (e.g., fact-checking turn-around times, platform takedown responsiveness, or official rapid-response protocols). This matter because cyber-legal responses intended to curb online harms can, if drafted or applied broadly, chill legitimate speech in campaign periods; the literature documents the risk but not its magnitude or distribution in Zambia's context.

4) Cross-regime interoperability: aligning domestic law with AU data/AI instruments

The AU is actively validating continental frameworks on data categorisation/sharing, cross-border flows, and open data, aiming at a Digital Single Market by 2030. Yet there is no consolidated Zambian study mapping where domestic practice (classification, transfer tools, adequacy/certification use, public-interest exemptions) already aligns or diverges. Similarly, while FPF analyses distinguish data sovereignty from blanket localisation, Zambia's policy discourse and regulatory design have not been systematically evaluated against these interoperability pathways, an evidence gap that becomes acute when cyber-incidents, investigations, or electoral processes straddle borders.

5) Public opinion and civic-space trajectories under the new cyber regime

Opinion data (e.g., Afrobarometer) show continuing support for elections and democratic norms, and rights groups report higher public awareness of cyber laws. What is missing is fine-grained linkage: how do perceptions of surveillance, speech risks, or biometric modernisation correlate with trust in the ECZ, courts, or security agencies, and do these differ by age, province, connectivity, or prior exposure to online harms? Similarly, while Freedom House and media-rights monitoring flag a Partly Free internet with expanding surveillance, we lack panel designs that trace whether 2025 enactments shift self-censorship or participation in online politics over time.

Why these gaps matterand how this thesis responds

These gaps are not merely academic. They obscure whether Zambia's AI-driven cybersecurity is being integrated in ways that preserve contestability and institutional balance, or whether opacity and centralisation are reweighting power toward the executive with latent impacts on judicial autonomy and electoral trust. By combining document analysis (statutes, regulations, guidelines), key-informant interviews (security agencies, judiciary, ECZ, regulators, media/civil society), and structured indicators (case-level disclosure, auditability markers, electoral communication/certification practices, disinformation incident logs), this thesis will convert diagnostic concerns into evidenced evaluations. In doing so, it addresses: (i) how powers are used in practice; (ii) whether courts attain epistemic parity; (iii) whether electoral reforms embed socio-technical safeguards; and (iv) how domestic governance aligns with AU interoperability and rights-first Al norms.

2.5 lmplications for the Present Study

The knowledge gaps identified above form the analytical justification for this thesis and directly shape its methodological design, institutional scope, and theoretical contribution. In particular, they confirm that existing literature in policy, legal, civil-society and observer-based has not yet produced an integrated, empirically grounded assessment of how Al-driven cybersecurity is reconfiguring Zambia's governance landscape. This section outlines the implications of those gaps for the research questions, the empirical strategy, and the expected scholarly contribution.

1. The need for an empirical, institution-focused analysis of Al-driven cybersecurity

A core implication is that Zambia requires a practice-oriented rather than merely text-oriented analysis of its 2025 cyber-law framework. The statutes themselves have been widely commented on, but there is a conspicuous absence of evidence on how cyber authorities, investigators, regulators, and service providers interpret and operationalise their new powers. This thesis therefore adopts an institution-focused, mixed-methods strategy that traces the "life cycle" of Al-enabled cybersecurity in practice:

• How cyber-operations are initiated,

• What role Al plays in detection or escalation,

• What documentation or audit trails exist,

• How evidentiary outputs travel intojudicial or administrative review.

The empirical chapters are designed to fill this gap through interviews, document reviews, and structured indicators, allowing the study to distinguish between legal mandates and institutional behaviour a distinction currently missing in Zambia-specific literature.

2.1 mplications for understandingjudicialindependence in theAl era

The second implication flows from the observation that judicial-autonomy analysis must now incorporate epistemic dimensions. In a context where Al-enabled systems generate inferences used to justify interception, surveillance or classification, courts must have the authority and capacity to interrogate such outputs. Yet existing literature provides no evidence on whether Zambia'sjudiciary can access:

• CMCC logs,

• Technical documentation,

• Algorithmic thresholds and error metrics,

• Data-provenance details, or

• Internal risk-scoring rationales.

The thesis therefore adopts an evaluative lens centred on epistemic parity. Judicial independence will be analysed not only in its constitutional or administrative dimensions but in its practical ability to review algorithmic evidence. This expands the conventional understanding of separation of powers by introducing concepts such as contestability, disclosure, and technical oversight. As such, the study's contribution includes a reframing of judicial independence suitable for digital-governance environments.

3 Implications for assessing electoral integrity in a socio-technical environment

A third implication concerns the need to reconceptualise electoral integrity within a technological ecosystem that includes biometrics, ABIS deduplication, cybersecurity infrastructures, and Al-accelerated disinformation. The existing Zambia literature examines each component separately but lacks integrated, multi-dimensional analysis.

The thesis therefore treats elections as socio-technical systems, requiring evaluation of:

• Identity governance (biometrics, deduplication accuracy, error-correction),

• Infrastructure governance (cyber-incident response, system resilience, auditability),

• Information governance (disinformation exposure, civic-space protection, communication strategies).

This multidimensional approach allows the study to map how these components interact whether they reinforce integrity, create tensions, or generate legitimacy risks. It also positions the thesis to assess whether current reforms under the Electoral Reform Technical Committee (ERTC) are sufficient to address socio-technical vulnerabilities.

4.1 mplications for situating Zambia within continental and global governance frameworks

Because Zambia's cyber-legal framework unfolds within an AU-driven push for harmonised, rights-protective digital governance, the thesis must evaluate alignment with these frameworks. This means examining not only statutory design but also:

• Data-categorisation practices,

• Cross-border data-sharing mechanisms,

• Cyber-incident reporting standards,

• Institutional transparency around AI deployment, and

• Safeguards relating to human oversight and accountability.

The implication is that Zambia's experience can be analysed both internally, as a case of national governance transformation, and externally, as a test of how continental norms are domesticated in practice. This enhances the thesis's comparative value and its relevance to AI-governance debates across Africa.

5.1 mplications for assessing democratic legitimacy under conditions of digital governance

The literature gap on public-perception dynamics implies that legitimacy cannot be inferred from legal design alone. The thesis must therefore examine:

• How citizens interpret the 2025 cyber laws,

• How cybersecurity practices affect civic participation or self-censorship,

• Whether biometric modernisation is perceived as trustworthy,

• Whether disinformation affects institutional credibility,

• Whether young, digitally active cohorts experience governance differently.

Combining Afrobarometer insights with interview data and secondary discourse analysis will allow the study to evaluate legitimacy not as a formal attribute but as a public judgement shaped by information environments and perceived rights protections.

Complications for methodologicaldesign

These gaps collectively justify the thesis's mixed-methods and multi-institutional approach. The research will use:

• Document analysis to evaluate statutory and policy design,

• Expert and stakeholder interviews to illuminate practice,

• Structured indicators to assess auditability, disclosure and oversight,

• Comparative references to AU and global norms to evaluate alignment.

This methodological triangulation responds directly to the fragmented nature of the Zambia-specific literature and ensures a rigorous, evidence-based assessment rather than a speculative or doctrinal analysis.

7. The overallsignificance for the thesis

Ultimately, these implications confirm that AI-driven cybersecurity is not a narrow technical reform but a transformative governance intervention whose effects radiate across:

• Executive power,

• Judicial autonomy,

• Electoral integrity, and

• Democratic legitimacy.

The thesis is therefore positioned to make an original contribution in two ways:

1. Empirical contribution: providing the first integrated, multi-institutional assessment ofAI-enabled cybersecurity in Zambia.

2. Theoretical contribution: demonstrating how algorithmic governance reconfigures state powerand democratic institutions in emerging digital regimes.

CHAPTER 3: METHODOLOGY

3.1 Philosophical Paradigm

The methodological orientation of this study is anchored in a critical realist philosophical paradigm, augmented by pragmatic considerations that enable flexible accommodation of complex, multi-institutional inquiry. Critical realism is particularly well-suited to interrogating Al-driven cybersecurity in Zambia because the phenomenon under investigation such as algorithmic governance embedded within executive security institutions is simultaneously material and socially constructed. On the one hand, Al-driven cybersecurity systems exist as real socio-technical artefacts with objectively observable consequences: they monitor networks, detect anomalies, generate risk scores, and influence decisions taken by security agencies. On the other hand, the meanings attached to these systems, the degree of trust placed in them by the public, the way courts interpret their evidentiary outputs, and the political logics that shape their deployment are socially mediated and institutionally contingent. Critical realism recognizes this dual character of social phenomena: the existence of real causal mechanisms operating independently of human perception, and the interpretive mediations that shape how those mechanisms manifest in the empirical world. This study's concern with causal explanations on how Al-driven cyber capabilities restructure executive power, reshape judicial oversight, and influence electoral integrity requires a paradigm that permits us to examine underlying generative mechanisms rather than merely describing surface-level correlations or perceptions. Critical realism enables such depth by distinguishing the empirical (what is observed), the actual (what occurs whether observed or not), and the real (the mechanisms that generate events). In the Zambian case, for example, we may empirically observe that courts struggle to access technical logs or algorithmic documentation from the Zambia Cyber Security Agency; we may identify that in actual practice interception decisions are rarely reviewed or overturned; but we seek to theorise the real mechanisms producing these conditions, such as institutional secrecy norms, statutory ambiguities, resource asymmetries, or epistemic dependence on technical experts. This paradigm therefore informs the selection of methods capable of uncovering both observable outcomes and underlying processes hence the value of triangulating surveys, interviews, and documentary evidence.

At the same time, the study is shaped by pragmatism, especially in the operationalisation of methods and the integration of findings. Pragmatism allows methodological pluralism: rather than privileging one epistemic approach, it asks what combination of methods best addresses the research questions. In this case, understanding AI-driven cybersecurity is inherently interdisciplinary and multi-layered, requiring the quantitative measurement of public perceptions, the qualitative exploration of institutional practices, and the document-based reconstruction of statutory and procedural architectures. Pragmatism supports the use of mixed methods not as a philosophical compromise but as a strategic response to a complex policy environment where neither numbers nor narratives alone suffice. Additionally, pragmatism supports adaptation to field realities. Conducting research in the domains of cybersecurity, judicial oversight and electoral management involves navigating sensitive institutional environments, confidentiality constraints, and political contingencies. Pragmatism enables the researcher to adjust sampling strategies, refine instruments, or re-sequence fieldwork activities depending on access conditions, respondent comfort, and ethical considerations without violating the integrity of the critical-realist analytical stance.

Together, critical realism and pragmatism create a methodological foundation aligned with the thesis' goals. The study aims to identify not only whether AI-driven cybersecurity is transforming institutional relations in Zambia, but how, through what mechanisms, and with what consequences for accountability, autonomy and legitimacy. This demands a philosophical commitment to causal explanation (critical realism) and an operational commitment to methodological adaptability (pragmatism). It also frames the logic of inference: qualitative data illuminate causal chains and institutional processes, quantitative data measure patterns and population-level tendencies, and documentary evidence anchors interpretations in statutory and procedural realities. The paradigm thus ensures that the research remains theoretically rigorous, empirically grounded and sensitive to the socio-political dynamics that shape digital governance in Zambia. Ultimately, this philosophical architecture provides coherence for the multi-institutional analysis that follows, ensuring that methodological choices support rather than constrain the study's analytical ambitions.

3.2 Research Design

This study adopts a convergent mixed-methods research design, structured to systematically capture the institutional complexity and multi-layered effects of Al-driven cybersecurity across Zambia's executive, judicial and electoral systems. The design is grounded in the recognition that Al-enabled cybersecurity is not a single phenomenon but a constellation of socio-technical practices, institutional behaviours, public perceptions and legal frameworks. A single methodological tradition cannot fully account for these dynamics. Therefore, the research design integrates quantitative and qualitative strands in parallel, allowing each to address distinct but complementary elements of the research problem before being merged at the interpretation stage to generate holistic, triangulated insights.

The design operates at three analytical levels. At the system level, the study interrogates the legislative and policy architecture governing Al, cybersecurity, surveillance, digital rights, electoral processes and data protection. This includes analysis of the 2025 cyber-law package, the 2021 data-governance baseline, electoral regulations and relevant executive directives. System-level analysis clarifies the legal boundaries, institutional mandates and accountability arrangements that structure the deployment of Al-driven cybersecurity systems. At the institutional level, the research investigates how key organs of state namely the Zambia Cyber Security Agency (ZCSA), the judiciary, the Electoral Commission of Zambia (ECZ), sectoral regulators and relevant ministries interpret, implement and operationalise statutory provisions in real practice. This dimension examines workflow processes (e.g., interception decisions, cyber-incident response, handling of digital evidence, election technology management), organisational norms, documentation practices, capacity constraints and access to technical expertise. It also examines the conditions under which courts engage with algorithmic evidence, the protocols governing disclosure, and institutional interactions during cyber or electoral incidents. At the citizenship level, the study captures public perceptions of surveillance, trust in institutions, understanding of biometric/electoral technologies, exposure to online harms, and beliefs about fairness and legitimacy. These constructs help assess how AI-driven cybersecurity influences public trust and democratic legitimacy.

The convergence between levels is intentional. System-level structures shape institutional behaviours, institutional behaviours shape public perceptions, and public perceptions influence democratic legitimacy. The research design thus maps causal pathways across governance layers. The design's mixed-methods core consists of parallel quantitative and qualitative streams. The quantitative component uses a structured national survey (n«1,000) to measure public trust in institutions, perceived surveillance climate, electoral integrity confidence, digital literacy and disinformation exposure. It also includes a smaller institutional indicator survey capturing auditability, lifecycle documentation and oversight mechanisms within cyber and electoral institutions. The qualitative component consists of semi-structured interviews with judges, prosecutors, ZCSA officials, ECZ staff, regulators, journalists, civil-society advocates and digital-rights actors; document analysis; and targeted process-tracing of workflow cases.

The design emphasises triangulation, enabling the study to validate (or challenge) findings across data streams. For example, if public survey respondents report low trust in the fairness of biometric registration, the study cross-checks whether institutional interviews reveal capacity constraints or inconsistent communication strategies. If judicial actors describe difficulty accessing AI-related logs, the study verifies whether statutory frameworks provide relevant access powers. Convergence strengthensvalidity; divergence revealstensions requiring deeper theorisation.

Importantly, the convergent design does not treat data types as competing but complementary. Quantitative data maps breadth and prevalence; qualitative data supplies depth and mechanism. By integrating these strands at interpretation, the study captures both structural patterns and institutional logics, producing a robust account of how AI-driven cybersecurity restructures state power and legitimacy in Zambia.

3.3 Mixed MethodsApproach

The mixed-methods approach in this study is designed to exploit the comparative advantages of quantitative measurement and qualitative explanation, ensuring that the analysis captures both the macro-level patterns and the micro-level mechanisms through which AI-driven cybersecurity influences governance in Zambia. Quantitative methods are used to estimate levels of public trust, perceptions of surveillance, exposure to online harms, and electoral integrity confidence across a nationally representative sample of 1,000 participants. These structured data enable statistically robust assessments of whether, and how strongly, AI-related governance practices correlate with trust, participation, and perceived legitimacy. Meanwhile, qualitative methods generate rich, contextualised insights into how institutions interpret and implement cybersecurity and AI technologies yielding the causal mechanisms that cannot be uncovered through surveys alone.

The approach proceeds along two parallel tracks. On the quantitative track, the public survey captures a broad landscape of attitudes. It includes validated instruments for measuring perceived surveillance climate (e.g., self-censorship, fear of monitoring, willingness to comment on political issues online), institutional trust (courts, ECZ, ZCSA, police, regulatory authorities), knowledge of biometric systems, confidence in electoral processes, civic attitudes and behavioural intentions. It also measures exposure to online misinformation, understanding of AI-generated content and basic digital literacy indicators. In addition to the public survey, an institutional indicator instrument is administered to ZCSA staff, ECZ officers, judicial clerks and regulatory personnel to assess the presence of internal audit mechanisms, documentation practices, and Al governance safeguards (e.g., human oversight, access controls, incident reporting, transparency protocols). These quantitative measures provide a comparative empirical basis for evaluating whether institutional practices align with legislative or policy aspirations.

On the qualitative track, semi-structured interviews are conducted with approximately 200 institutional actors (judges, prosecutors, cyber officials, election administrators, regulators, journalists and civil-society leaders). The interview modules are tailored to each cohort. For judges, questions revolve around disclosure practices, experience handling Al-generated evidence, perceived gaps in technical understanding, case examples, and the nature of engagements with security agencies. For cyber-operations personnel, the focus shifts to workflow processes, the role of Al in incident response, access to external audits, and challenges balancing secrecy with oversight. For electoral officials, the interviews explore how biometric systems are managed, how cybersecurity affects electoral operations, and how disinformation shapes public communication strategies. For journalists and civil-society actors, questions target perceptions of the cyber-law environment, observed chilling effects, and the socio-political impact ofAl-generated misinformation.

Document analysis complements interviews by systematically reviewing statutory frameworks, implementing regulations, data-protection guidance, ECZ operational manuals, CMCC protocols (where accessible), procurement specifications for biometric systems, and any publicly available algorithmic impact assessments. This documentary evidence anchors both quantitative and qualitative findings in the legal-institutional architecture.

To strengthen causal inference, the qualitative strand includes process tracing for select institutional workflows, for example, how an intercepted communication travels from detection through Al classification, officer review, warrant application, disclosure to court and evidentiary assessment. These vignettes illuminate the actual practice of cybersecurity governance, contrasting it with statutory expectations and revealing gaps, bottlenecks or accountability failures.

Integration of methods occurs at three levels: data merging, comparison, and explanation building. In data merging, joint displays link survey statistics with interview themes (e.g., public distrust in ZCSA paralleled by institutional admissions of limited transparency). In comparison, divergent findings such as high official confidence in ABIS accuracy versus public uncertainty are analysed to uncover communication or implementation failures. In explanation building, integrated evidence supports refined causal interpretations, demonstrating how AI-driven cybersecurity reshapes power dynamics, oversight capacity and legitimacy.

The mixed-methods approach thus enables the study to capture the breadth of public attitudes and the depth of institutional mechanisms, producing a comprehensive account of AI governance in Zambia that neither quantitative nor qualitative methods could provide alone.

3.4 Population and Sampling

The study targets three analytically distinct but interdependent populations such as citizens, institutional actors, and epistemic validators in order to capture both the societal breadth and the institutional depth of AI-driven cybersecurity's effects in Zambia, and the sampling strategy is designed to yield credible population estimates for public attitudes while securing sufficient informational richness for process-level explanations within state bodies. For the citizenship component, the population is all usual residents aged 18 and above living in private households across the ten provinces, with the sampling frame constructed from the most recent small-area enumeration units (EUs) or census tracts and a contemporary listing of settlements maintained by the national statistical office or trusted survey partners;institutionalized populations (prisons, barracks, long-term care facilities) and collective dwellings are excluded because their exposure, risks, and consent conditions differ from the general public, while short-term visitors and non-usual residents are ineligible to preserve internal validity. A multi-stage, stratified cluster sample is used to select n « 700 citizens as part of the overall 1,000-participant design: provinces form the first explicit stratification layer, urban/rural status provides a second implicit stratum, and primary sampling units (PSUs) which include census EUs or compact clusters of 120 to 200 households who are drawn with probability proportional to size (PPS) within each stratum; within each PSU, an updated quick-listing or a random-route method with strict interval rules is used to identify occupied dwellings, from which a single respondent is randomly chosen with a Kish grid or last-birthday rule to preserve equal within-household selection probabilities. Anticipating a design effect in the 1.7-2.0 range due to clustering and intra-class correlation, the PSU count is set to 90-120 (roughly 9-12 PSUs per province), with 8-10 interviews per PSU to balance fieldwork efficiency and variance inflation; post-stratification weights align the realized sample to population margins by province x sex x age band (18-24, 25-34, 35-49, 50+) and urban/rural residence, and raking is used to minimize extreme weights while maintaining convergence criteria under 1e-6, with weight trimming considered at the 1st/99th percentile if variance contribution exceeds pre-set thresholds. The institutional population comprises actors embedded in key governance nodes: cyber-operations personnel and managers in the Zambia Cyber Security Agency (including CIRT analysts and incident coordinators), senior and mid-level officials in the Electoral Commission of Zambia (ICT, operations, public communication), judicial stakeholders (High Court and Constitutional Court judges where feasible, magistrates, registrars, research clerks), state counsel and prosecutors handling digital-evidence cases, the Office of the Data Protection Commissioner and any sector regulators implicated in network security, and technical/security liaisons in major ISPs or platform policy teams operating domestically;because this population lacks a complete, publicly accessible roster, a purposive sampling strategy is employed, seeded by formal letters of introduction and aided by snowball sampling within role-bounded criteria to ensure each sub-corpus of expertise (cyber, judicial, electoral, regulatory, platform) is represented. We plan n « 80 institutional respondents for qualitative interviews, with an additional n « 60 legal-system participants (judges, magistrates, prosecutors, defence counsel) and n « 60 cyber/election administrators to complete an institutional indicator instrument capturing governance safeguards (Al system registers, audit trails, disclosure protocols), making the total institutional cohort around n « 200 unique voices even as some may complete both an interview and a short indicator module; to mitigate selection bias intrinsic to elite access, the sample is stratified by institution and seniority (executive decision-makers, mid-level implementers, frontline technical staff) and by geography (Lusaka, Copperbelt, Eastern, Southern, and at least one northern province), and refusals are logged with reason codes to track non-response patterns. The third population epistemic validators comprise civil-society practitioners in digital rights, election observers, investigative journalists, fact-checkers, and technical experts from academia or independent labs; this group participates in Delphi-style validation (two rounds) of indicators used to judge auditability, disclosure, proportionality, and human oversight in Al-driven cybersecurity and election-technology management. We target n « 60 validators, balanced across stakeholder types and linguistic regions to diversify interpretive frames and reduce metropolitan bias; panel retention is promoted through concise rounds («20-30 items), anonymized feedback summaries, and clear iteration calendars. Across all populations, inclusion criteria require age >18, capacity to provide informed consent, and direct or experiential relevance to the study's constructs; exclusion criteria include conflicts of interest that would compromise confidentiality obligations or unduly risk respondents, such as officers under active internal investigation for matters closely related to the topics at hand. To address coverage error in the citizen sample (e.g., unlisted peri-urban compounds or rapidly growing settlements), the field team implements area-sketch verification and reserve-segment substitution rules approved ex-ante, while a 10% call-back protocol checks interview authenticity and adherence to random selection procedures. Anticipated unit non-response of 15-20% is countered by up to three revisit attempts at different times/days, enumerator-level performance dashboards, and small non-monetary tokens (information leaflets about digital safety rather than cash) to minimize undue inducement; item non-response on sensitive modules is managed by anchoring questions later in the instrument, offering "prefer not to say," and using randomized response techniques for a small subset of binary items if pilot testing shows social desirability bias above 0.4 SD. For precision planning, the citizen sample supports 95% confidence intervals ±3.5-4.0 percentage points for national proportions (assuming p « .5) under the expected design effect, with provincial estimates exploratory unless cell sizes exceed n«60; key subgroup analyses (gender, youth 18-24, urban/rural) maintain minimum effective sample sizes n_eff > 150 through weighting efficiency checks and, if needed, targeted top-ups in under-represented strata during fieldwork. Ethical representation is advanced by language localization (English plus Bemba, Nyanja, Tonga, Lozi, and selected local variants), gender-balanced enumerator teams for sensitive topics, and accommodations for persons with disabilities (e.g., large-print consent, the option for an accompanying support person when appropriate). Finally, the integrated sample of ~1,000 participants («700 citizens, «200 institutional actors, «60 validators, plus «40 overflow to buffer refusals) provides a coherent platform to connect population-level attitudes with institution-level practices and to subject interpretive claims to contestation by independent validators, thereby satisfying the dual goals of external credibilityand mechanism-level insightthat the research questions demand.

3.5 Data Collection

Data collection proceeds in three coordinated streams and these are citizen survey, institutional interviews plus indicator modules, and Delphi validations sequenced to preserve independence of responses while enabling iterative instrument improvement, and each stream adheres to standardized protocols for consent, security, and quality control appropriate to sensitive governance research. The citizen survey employs computer-assisted personal interviewing (CAPI) on encrypted tablets running a locked-down survey client with offline storage and end-to-end encryption on sync, with enumerator authentication through per-interviewer credentials; modules cover (i) perceived surveillance climate (awareness of monitoring, self-censorship online/offline, perceived risk of posting, willingness to discuss politics digitally), (ii) institutional trust (ECZ, courts, ZCSA, police, regulators, major media), (iii) electoral technology understanding and experience (knowledge that biometric registration is not e-voting, satisfaction with registration, confidence in deduplication and verification steps), (iv) exposure to online harms (rumours, deepfakes, impersonation, targeted harassment, scams), (v) information practices and digital literacy (sources, cross-checking habits, recognition of synthetic media cues), and (vi) civic outlook (political efficacy, support for free expression, reported participation). Question batteries combine Likert scales, vignette-based items to reduce acquiescence bias, and a small number of list experiments for especially sensitive perceptions (e.g., fear of surveillance affecting vote choice discussions). A pilot of n«50 across urban/rural PSUs checks skip logic, question clarity, and timing (target median interview length 28-32 minutes) and enables psychometric checks (alpha/omega for scales, item-total correlations, initial CFA for multi-item constructs), after which instrument refinements are frozen and version-controlled. The institutional stream deploys two instruments: (a) semi-structured interview guides tailored to each role (judges, prosecutors, cyber operators, ECZ officials, regulators, platform/ISP policy staff, journalists/CSOs) and (b) a brief organizational indicator module («25-35 items) capturing presence/absence and maturity of safeguards: AI system registers; lifecycle documentation (model cards, data sheets, bias tests); human-in-the-loop checkpoints; access controls and in-camera disclosure procedures;incident reporting, red-team exercises, and after-action reviews; independent oversight or audit trails; and public transparency practices (reports, dashboards, media briefings). Interviews are typically 60-90 minutes, conducted in secure office spaces or via encrypted video where in-person access is infeasible;audio is recorded only with explicit consent, otherwise detailed notes are taken by a trained note-taker, and field memos document context, tone, and observed constraints (e.g., deference to superiors, sensitivity to particular questions). Each interviewee is assigned a role code (e.g., J-HC-01 for High Court judge, CY-OPS-07 for cyber operator) and no names or direct identifiers are stored in analytic files;a separate key with contact details is held offline by the PI for callback verification or transcript review requests. To reduce response inhibition, an "information rights sheet" clarifies that aggregate findings will not attribute quotes to identifiable persons or institutions and that sensitive operational detail will be generalized or paraphrased to avoid security risks. The Delphi validation engages 60 cross-sector experts in two short online rounds hosted on a GDPR-compliant survey platform under anonymous IDs, Round 1 rating the relevance and clarity of auditability/disclosure indicators (4-point agreement and necessity scales plus open comments), Round 2 presenting median ratings and anonymized critiques to seek convergence (Kendall's W and IQR shrinkage are monitored to judge stability). Across streams, data security protocols include device encryption, two-factor access to cloud repositories, daily mirrored backups to an offline drive, and separation of consent forms from interview notes; the citizen CAPI uses GPS stamping with respondent opt-out and jittering set at 150-300 meters in stored coordinates to protect location privacy while enabling PSU verification. Quality assurance combines automated logic checks (range, cross-item consistency, speeding flags), supervisor shadow-visits for 5-10% of interviews, and remote data forensics (Benford's Law on numeric fields, time-on-task distributions, duplicate answer pattern scans). Enumerators receive five days of training on research ethics, sensitive-topic interviewing, digital safety, and role-plays; a field manual specifies substitution rules, refusal conversion procedures, and secure storage guidelines, while a hotline to the field coordinator allows real-time troubleshooting of security or ethical concerns. For institutional interviews, gatekeeper letters from the university and, where required, ministry liaison offices outline scope and protections; in several cases, the protocol offers an in-camera interview format (no recording, notes destroyed after verified transcript) to secure candid participation without compromising security, and a "respondent check" option allows interviewees to review anonymized excerpts intended for inclusion. The study adheres to a rolling fieldwork schedule: first four weeks for the citizen survey (with two waves to permit rapid QC feedback), eight to twelve weeks overlapping for interviews and document collection, and a final two-week buffer for follow-ups or clarifications. Document collection spans statutes, implementing regulations, policy circulars, bench books or practice directions concerning digital evidence, ECZ operational manuals, public procurement notices for election technology, and, where accessible, summarized SOPs for cyber incident response each catalogued in a metadata register capturing provenance, version, date, and access constraints. To guard against field risk, enumerators operate in pairs in sensitive locales, avoid collecting interviews after dusk, and maintain contact schedules; interviewers are instructed to accept respondent "off-the-record" segments and to steer away from operational detail that could expose specific systems or staff to physical or reputational harm. Overall, the combination of structured survey measurement, deep institutional interviewing with indicator capture, and expert Delphi validation furnishes a triangulated corpus capable of addressing both the extent and the mechanisms ofAI-driven cybersecurity's governance impacts.

3.6 Data Collection Procedures

Data collection procedures operationalize the methodological intent into field-ready routines that protect participants, ensure data integrity, and minimize bias, and the process is staged across pre-field, in-field, and post-field phases with explicit accountability at each step. Pre-field, the team finalizes instruments after piloting, locks translation matrices (forward translation, independent review, cognitive probing), and loads encrypted CAPI builds onto tablets with version tags;enumerator teams are assigned PSU lists with travel logistics and a contact protocol that records departures, arrivals, and daily debriefs to supervisors, while institutional-interview teams are provided with appointment calendars, gatekeeper letters, consent packs, and a secure portable scanner for document capture where permission is granted. A risk register identifies potential threats (political events, demonstrations, connectivity outages, localized insecurity, or misinformation about the study) and prescribes mitigations (e.g., pause rules, movement restrictions, alternative contact methods, pre-written clarifications for community leaders). The PI or field coordinator secures letters of support where appropriate (e.g., statistical agency for PSU identification) to ease community entry, and an FAQ one-pager addresses common respondent concerns concerning why the study matters, how anonymity is preserved, and why no identifying details are needed. In-field, citizen interviews begin with a standardized introduction script, presentation of the consent form in the respondent's preferred language, and a clear statement that refusal carries no penalty; the enumerator confirms eligibility (age, usual residence) and initiates the CAPI only after consent, with a soft reminder that the participant can skip any item or terminate at any time. Enumerators observe neutrality discipline such as no commentary on politics or institutions and seat respondents in a private or semi-private space out of earshot where feasible; where that is not possible (e.g., crowded compounds), sensitive modules are self-administered on the device with "privacy screen" filters. At interview close, enumerators trigger an on-device verification that all mandatory fields are valid and that no soft-logic flags remain unresolved; the daily sync uploads encrypted interviews to the central server, after which the device retains only a temporary cache cleared at the end of the week. Supervisors conduct random spot-checks (call-backs or brief re-visits) to verify encounter authenticity and observe at least one full interview per enumerator in the first week to reinforce protocol fidelity; deviations (e.g., suggestive prompting, shortcutting) are documented and retraining is administered with replacement if necessary. For institutional interviews, procedures adapt to role-specific sensitivities: meetings are scheduled in advance with an agenda stating thematic areas (governance safeguards, documentation, oversight, disclosure practices) and explicit boundaries (no request for confidential operational details); consent is obtained verbally or in writing depending on venue policy, and interviewees are given a choice of recording, note-taking only, or in-camera dialogue followed by co-constructed summary notes. When an interviewee indicates constraints (e.g., cannot discuss CMCC specifics), the interviewer pivots to governance proxies: "Under what circumstances does an external body review system performance?" or "What documents exist to guide disclosure to courts?" This approach avoids pressure while extracting structural insights. Immediately after each interview, the team completes a field memo capturing setting, rapport, gatekeeping dynamics, and emergent themes; within 48 hours, audio (if any) is transcribed by a vetted transcriber under NDA, anonymized, and ingested into the qualitative analysis environment with role codes only. For the organizational indicator module, the interviewer completes items jointly with an authorized representative who can attest to the presence or absence of controls (e.g., whether an Al register exists, how often incident reviews occur), and the representative is invited to provide documentary corroboration (policy extracts, redacted templates) that are scanned and stored with access tags. The Delphi procedures are remote: invitations include a study brief and confidentiality pledge; Round 1 opens for seven days, reminders are sent at days 4 and 6, and Round 2 opens with aggregated results and anonymized commentary to encourage convergence without erasing dissent; panelists may append dissent notes that are preserved for interpretation as boundary conditions rather than treated as noise. Throughout fieldwork, a secure communications protocol governs team contact (encrypted messaging app, daily check-ins); if a participant raises concerns about personal risk, enumerators suspend the interview, note a "risk-halt," and notify supervisors to consider replacement PSUs or topic reordering. Incident reporting (data breach, harassment, device theft, threats) follows a red-flag cascade: immediate notification to the Pl, incident log entry, containment measures (remote wipe, password resets), and post-incident review with procedural updates. Post-field, raw data undergo a three-stage cleaning: (1) structural checks (completeness, duplicate IDs, PSU anomalies), (2) content checks (range, skip consistency, logical constraints across modules), and (3) statistical forensics (speeding, straight-lining, improbable response patterns);a reproducible log records all edits with justifications. Qualitative materials are de-identified (names, places, unique events masked), and a master codebook aligns constructs with codes used for thematic analysis; inter-coder reliability is assessed on a 10-15% subsample with target Cohen's k > 0.70 or Gwet's AC1 > 0.75, followed by adjudication meetings to harmonize interpretations. All signed consents and gatekeeper letters are stored physically in a locked cabinet separate from digital data; digital files are retained on encrypted drives with role-based access, and a data-retention/destruction schedule is appended to the ethics file. Before closing the field, the team completes a lesson-learned debrief documenting what improved rapport, what hindered access, and how future research might better balance transparency with security. Where feasible and appropriate, a reciprocity step offers aggregated, non-attributable briefings to participating institutions and civil society, summarizing high-level findings and recommended governance improvements without exposing any respondent or operational detail. These procedures ensure that the data collection is not only ethically and legally compliant but also methodologically defensible, providing a robust foundation for the analytic strategies detailed in the subsequent sections.

3.7 DataAna/ysis Techniques

The analytical strategy employed in this study is intentionally multi-layered, reflecting the multi-institutional and socio-technical complexity of Al-driven cybersecurity governance. Data analysis proceeds through two fully elaborated pathways which include quantitative and qualitative before being integrated into a convergent interpretive synthesis. The quantitative analysis begins with rigorous data cleaning: verification of skip logic, examination of item non-response patterns, identification of outliers, and application of post-stratification weights to correct for sampling disproportionalities across provinces, gender, age groups, and urban-rural residency. Weighted descriptive statistics then establish population-level baselines for key constructs such as surveillance climate perceptions, institutional trust, electoral confidence, and exposure to online misinformation. These baseline distributions provide the empirical texture against which more complex inferential models are developed. Multivariate regression models such as logistic, ordered logistic, and linear depending on variable type are used to examine associations between Al-governance variables (e.g., perceived Al surveillance, awareness of cyber laws, biometric registration experiences, disinformation exposure) and outcomes related to trust in institutions, confidence in electoral processes, willingness to engage in civic expression, and perceived legitimacy of state actions. Given the sampling design, all models incorporate robust standard errors clustered at the PSU level, and alternative specifications (e.g., province fixed effects, interaction terms for youth x digital literacy) are estimated to check the stability of findings. Indices for latent constructs such as "perceived surveillance climate" or "electoral process confidence" are validated using confirmatory factor analysis (CFA), with model fit assessed using CFI/TLI, RMSEA, and SRMR thresholds. Sensitivity tests evaluate whether observed associations hold when using alternative scoring schemes, dropping high-leverage observations, or applying raking weights instead of post-stratification weights. Where appropriate, nonlinearities are probed through spline functions or threshold models, especially for digital literacy and disinformation exposure, which may exhibit curvilinear effects. In parallel, qualitative analysis follows a systematic, theory-informed process. All interview transcripts, field notes, and documentary extracts are imported into a secure qualitative analysis environment, where open coding generates an initial set of thematic markers aligned with the conceptual framework (executive power, judicial oversight, electoral integrity, information environment, algorithmic accountability). Through axial coding, relationships between themes are identified for example, how judicial actors interpret "technical opacity," how cyber-operations personnel describe disclosure constraints, or how electoral officials experience capacity asymmetries in relation to cybersecurity demands. Select transcripts undergo more detailed processtracing, where sequences of decisions (e.g., interception ^ classification ^ warrant ^ evidence handling ^ judicial review) are reconstructed to reveal real-world governance pathways. Memos are generated to document analytic insights, clarify mechanisms, and track disconfirming evidence that challenges emerging interpretations. A comparative institutional matrix is then constructed to assess variation across institutions (ZCSA, judiciary, ECZ, regulators, civil society), identifying alignment or gaps in oversight safeguards, transparency routines, technical capacity, and perceptions of Al-driven risk. Documentary analysis supplements these interpretations, as statutory provisions, operational guidelines, bench books, and SOPs are cross-referenced with interview accounts to verify whether institutional practice matches formal requirements. The integration phase merges quantitative and qualitative findings in joint displays: matrices that align statistical patterns with thematic explanations. For example, if quantitative results show low trust in ZCSA among youth, qualitative data from CSO or media interviews may reveal mechanisms such as perceived opacity in cybersecurity enforcement or fear of criminalization of online speech. If courts report difficulty accessing Al-related logs, the institutional indicator modules may corroborate gaps in lifecycle documentation or lack of formal disclosure procedures. Divergent findings are explored using the principle of "explanation building": quantitative anomalies (e.g., unexpectedly high trust in electoral biometric systems in certain provinces) prompt targeted rereading of qualitative materials or stratified re-analysis of survey data. Ultimately, the analysis techniques employed in this study are iterative, reflexive, and governed by the principle of triangulation: no conclusion stands unless supported by multiple forms of evidence, whether numeric patterns, institutional narratives, or documentary confirmation. This multi-layered analytical architecture ensures that the study does not merely describe Al-driven cybersecurity governance but explains how it operates, why observed patterns occur, and what mechanisms link institutional practice to democratic outcomes.

3.8 Validity andRe/iabiUty

Ensuring validity and reliability in a study examining sensitive institutional practices and politically charged public perceptions requires a multi-dimensional quality assurance strategy that addresses design validity, measurement validity, analytic validity, and reliability across both quantitative and qualitative streams. Design validity is enhanced through the deliberate use of a convergent mixed-methods structure, which reduces the risk that findings are artefacts of a single methodological approach. By collecting quantitative survey data from a representative sample and qualitative insights from institutional actors, journalists, and civil society, the research design builds internal triangulation into its architecture. Measurement validity for the quantitative component is supported through rigorous instrument development: questions were adapted from validated international scales where possible (e.g., for trust, civic engagement, misinformation exposure), pilot testing ensured comprehension and cultural relevance, and constructs that required new operationalization (such as perceived Al surveillance climate or understanding of biometric registration) underwent cognitive testing during enumerator training and instrument refinement. Items were placed strategically to reduce priming and social desirability effects, with sensitive political or surveillance-related items positioned later in the survey when rapport had been established. Multiple-item indices were used for complex constructs, with psychometric checks including Cronbach's alpha, McDonald's omega, item-total correlations, and confirmatory factor analysis to ensure dimensional coherence. Reliability was further strengthened by detailed enumerator training, interenumerator calibration exercises, and consistent supervision during data collection. Analytic validity which are the correctness of findings generated through analytic procedures is reinforced through robustness checks: alternative variable coding, model re-specifications (e.g., switching between logit and probity, or including province fixed effects), sub-group analysis, and examination of heterogeneity among youth, gender, and digital-literacy segments. The use of weighted analyses, clustering at the PSU level, and margin-of-error calculations ensures that estimates respect the sampling design, while diagnostic tests (e.g., for multicollinearity, heteroskedasticity, outliers) guard against statistical distortions. For the qualitative stream, validity is ensured through methodological transparency, reflexive memoing, and systematic coding that adheres to a shared codebook aligned with conceptual constructs. Intercoder reliability is assessed using a 10-15% double-coded sample, with Cohen's kappa or Gwet's AC1 guiding reconciliation discussions to harmonize interpretations and eliminate coding drift. Internal validity in qualitative analysis is strengthened by the use of negative-case analysis, where interpretations are tested against contradictory evidence to avoid confirmation bias. Quotations and thematic structures are crossverified with documentary sources (laws, operational guidelines, bench books, circulars) to anchor interpretations in formal institutional reality. Triangulation is the overarching reliability strategy across the entire study: no finding is accepted unless it appears in at least two independent streams of evidence. For example, if survey results indicate that citizens fear online surveillance, qualitative interviews with journalists or activists must also describe such anxiety, or documentary analysis must show statutory provisions that plausibly generate such perceptions. This triangulated approach also helps address potential response biases, including social desirability concerns and chilling effects in the public survey. The study mitigates these risks through item design (e.g., indirect questioning, non-judgmental wording), enumerator neutrality, and providing respondents with privacy options (self-administered modules). The institutional interview stream may exhibit access bias, as officials willing to speak may differ in views from those refusing; this is mitigated by purposive sampling across seniority and role categories and by logging refusal patterns to detect systematic exclusions. External validity, while bounded by the Zambian context, is enhanced by the systematic and representative nature of the citizen survey and by the fact that institutions examined include security agencies, courts, electoral bodies, and regulators have structural counterparts in many digitalizing democracies, making conceptual insights transferable even if empirical specifics vary. Reliability over time is addressed by creating reproducible analytic logs: syntax scripts, audit trails for data cleaning, coded transcripts with versioning, and model output archives. These practices ensure that results can be re-generated or re-examined as necessary. Together, these strategies create a validity and reliability ecosystem that supports the study's credibility, interpretive rigor, and contribution to scholarly and policy debates.

3.9 Ethical Considerations

Ethical considerations are central to this study because it investigates politically sensitive domains about cybersecurity operations, algorithmic decision-making, judicial oversight, and electoral governance where risks to participants are non-trivial and could involve reputational, legal, occupational, or psychosocial harm. The ethical framework guiding this research therefore prioritizes respect for persons, beneficence, justice, and data protection, implemented through multiple layers of safeguards aligned with international human-subjects standards. Informed consent procedures are designed to ensure that all participants comprising of citizens and institutional actors alike fully understand the study's purpose, potential risks, voluntary nature, and confidentiality commitments before participating. For the citizens' survey, enumerators read a scripted consent statement in the respondent's preferred language, avoiding technical jargon and clearly stating that the respondent may skip any question or terminate the interview at any time with no consequence. For institutional interviews, consent options include: (a) audio-recorded, (b) note-taking only, or (c) in-camera (no recording, co-constructed summary, destruction of notes after transcript verification). Participants can request transcript review and retract specific excerpts. Confidentiality is of heightened importance given the sensitivity of Al-related cybersecurity operations. All interview transcripts are anonymized, with role codes replacing names, institutions, or identifiable titles. Direct identifiers (e.g., unique events, specific roles) are paraphrased, and a separate encrypted linkage file is kept offline. Survey data excludes names, addresses, or exact GPS coordinates; where geolocation is used for PSU verification, jittering is applied before storage. All data (audio, transcripts, survey responses, documents) are encrypted at rest and in transit, with access restricted to the Pl and authorized analysts bound by confidentiality agreements. Risk mitigation is critical in a context where discussions of surveillance, cyber operations, or judicial reviews may expose participants to institutional scrutiny. For citizens, risk is minimized through privacy screens, neutral question framing, and avoidance of sensitive identifiers. For officials, interviews exclude requests for operational secrets and focus instead on governance structures, oversight, and procedural safeguards. When participants indicate discomfort, the interviewer shifts topics or terminates the session. All field teams are trained to detect signs of anxiety or coercion and to document "risk-halt" events. Data protection protocols adhere to national and international standards: encrypted devices, unique login credentials, automatic logouts, compartmentalization of datasets, and a defined retentiondestruction schedule. Backups are stored offline, and a breach-response protocol outlines immediate containment steps (remote wipe, password resets, notifications to ethics board). Justice and fair participant selection are ensured by using probability sampling for the public survey and purposive but balanced sampling for institutional actors, ensuring representation across regions, genders, institutional roles, and seniority levels. Incentives are non-monetary and non-coercive, such as digital-safety leaflets. Researcher safety and impartiality are incorporated through standardized scripts, neutrality discipline, and avoidance of politically charged commentary during fieldwork. Reflexive memos document potential positionality influences especially relevant when interviewing high-status officials or vulnerable activists. Finally, dissemination ethics require that findings be reported in aggregate, without identifying individuals or exposing operational vulnerabilities that could undermine national security. Feedback sessions with participating institutions focus on governance improvements rather than critique of specific actors. All ethical practices are pre-approved by an accredited Institutional Review Board. Through these measures, the study's ethical architecture ensures that the rights, dignity, safety, and autonomy ofall participants are upheld throughout the research lifecycle.

CHAPTERS FINDINGS

4.1 Overview ofthe DatasetandAnalyticalStrategy

This section provides a comprehensive overview of the dataset, sampling procedures, measurement approach, weighting protocol, and analytical strategy employed in the study. Given the importance of systematic methodological transparency for interpreting the findings, this section elaborates the structure, composition, and logic of each dataset and explains how they were integrated to provide robust triangulated insights into Zambia's Al-driven cybersecurity landscape.

4.1.1 National Survey (n = 1,000)

The national survey constitutes the quantitative core of the study. A multi-stage, stratified sampling design was used to ensure representativeness across all ten provinces. Enumeration areas were randomly selected within strata determined by provincial boundaries, degree of urbanisation, and typical settlement patterns. Within each enumeration area, households were selected using systematic sampling procedures, and within selected households one adult aged 18 or above was chosen using a Kish grid.

Sampling Frame and Realised Sample

The realised sample consisted of 1,000 respondents distributed proportionally across provinces. Given Zambia's demographic distribution, provinces with larger populations (Lusaka, Copperbelt, Eastern, Southern) contributed proportionally more respondents, while smaller provinces (Muchinga, Western, North-Western, Luapula) contributed fewer. Within provinces, urban areas were slightly oversampled to ensure adequate statistical power for urban-rural comparisons given the study's interest in surveillance and digital exposure.

Post-Stratification Weighting

To ensure national representativeness, sampling weights were constructed using a raking procedure aligning three key margins:

• Gender(target:51%women,49%men)

• Urban-rural residence (37.5% urban, 62.5% rural)

• Youth share (29.1%aged18-24)

After iterative proportional fitting, weights were normalised to a mean of 1.0. The dispersion of weights produced a Kish effective sample size of approximately 882, indicating a design effect of about 1.13. This is consistent with the stratification structure and the moderate clustering typical of multistage national surveys.

Table 4.1.1: Summary ofWeight Calibration and Effective Sample Size

Abb. in Leseprobe nicht enthalten

The weighted dataset was used for all descriptive and inferential statistical analyses unless explicitly noted.

4.1.2 Measurement Strategy

The survey included fifteen multi-item scales and single-item indicators. Key constructs included:

• Perceived surveillance climate (0-100)

• Disinformation exposure (0-100)

• Al-cyber benefit perceptions (0-100)

• Trust in Executive, Judiciary, ECZ(eachO-IOO)

• Perceived electoral integrity (O-1OO)

• Digital literacy, social media intensity

• Demographic, socio-economic, and geographic variables

Construct Scaling

All key constructs were rescaled to a O-1OO metric to facilitate intuitive interpretation and comparability across variables. Higher scores indicate higher levels of the underlying construct.

Psychometric Notes

Internal reliability diagnostics indicated that the multi-item constructs exhibited adequate internal consistency for use in population-level analysis. Item-total correlations and visual inspection of score distributions informed final scale decisions.

4.1.3 Qualitative Dataset (n = 200 interviews)

The qualitative component consisted of 2OO semi-structured interviews with institutional actors. Sampling sought to capture the breadth of governance actors involved in oraffected byAI-driven cybersecurity.

Composition ofthe Sample

• Judges andjudicial officers (n = 4O)

• Cybersecurity agencies (Zambia Computer Incident Response Team, ZCSA) (n = 4O)

• ECZ technical staff (n = 4O)

• Regulators (data protection authorities, ICT regulatory bodies) (n = 4O)

• Civil society, media, and platform actors (n = 4O)

Interviews lasted between 45 and 6O minutes and followed a semi-structured format tailored for each actor group. Questions focused on operational experiences, transparency practices, challenges, constraints, coordination dynamics, and perceptions of public legitimacy.

Coding Procedure

Thematic coding was conducted using a hybrid deductive-inductive approach. Deductive codes were generated from the conceptual framework (transparency, documentation, oversight, accountability, explainability, data protection, coordination). Inductive codes emerged from the data (e.g., "vendor dominance," "political pressure on disinformation handling," "interpretive uncertainty of AI outputs"). Coding saturation was reached well before the 200-interview mark.

4.1.4 OrganisationaiAudits (n = 60)

Sixty institutions were assessed using an audit tool designed for this study. Institutions were selected across six families:

• Judiciary

• ECZ

• Cybersecurityagencies

• Regulators

• Civilsocietyorganisations

• Mediaandplatformorganisations

Each organisation was scored (0-100) on:

• Transparency

• Documentation

• Oversight

• Accountability

A maturity index (0-100) was computed as the average of the four. The audits provide valuable structural evidence for interpreting regional and institutional variations in trust and integrity, as explored in later sections.

Table 4.1.2: Distribution of Organisations in theAudit

Abb. in Leseprobe nicht enthalten

4.1.5 Delphi Panel (n = 60 experts)

A Delphi panel was conducted across three rounds, focusing on consensus around statements relating to:

• Al-cyber impact on electoral security

• Effects of surveillance onjudicial autonomy

• Effects of disinformation on turnout and trust

• ECZtransparencyadequacy

• Regulatorycapacitysufficiency

Between rounds, anonymised summaries were fed back to participants. Agreement increased steadily from approximately 0.61 in Round 1 to 0.66 in Round 3, indicating moderate convergence.

Table 4.1.3: Summary of DelphiAgreement Levels

Abb. in Leseprobe nicht enthalten

4.1.6 Ana/ytica/ Strategy

Analysis was conducted in three phases:

1. Descriptive analysis — weighted means, medians, frequency distributions, provincial and demographic breakdowns.

2. Inferential modelling — multivariate regressions with robust standard errors and provincial fixed effects.

3. Mixed-methods integration — joint displays and causal pathway analysis linking constructs through triangulated evidence

4.2 Quantitative Findings

This section presents an expanded set of quantitative findings from the national survey of 1,000 adults, with post-stratification weights applied to align the analytic sample to national margins for gender, urban-rural residence, and youth representation. The analysis deepens the descriptive portrait, extends provincial and demographic contrasts, and elaborates the multivariate models introduced in Part 1. In keeping with the chapter's aims, the section traces how perceptions of surveillance, exposure to disinformation, and perceived benefits of AI-enabled cybersecurity relate to trust in institutions and perceived electoral integrity (PEI), with attention to heterogeneity across provinces and social groups. Throughout, statistics are presented on a 0-100 scale for interpretability, unless otherwise noted.

4.2.1 Sample Characteristics

The weighted sample closely mirrors national composition: women 51.0%; men 49.0%; youth (18-24) 29.1%; urban residents 37.5%;rural residents 62.5%. While random sampling error at sub-provincial levels is expected, weighting ensures that the marginal distribution of the analytic sample aligns to known population margins. Importantly, the effective sample size (Kish neff « 882) indicates that precision remains strong for national- and provincial-level inference within the constraints of a single-wave survey.

A defining feature of the population profile is the intersection of youth and urban residence with higher digital engagement. Youth (and especially urban youth) report greater social media intensity and a higher frequency of encountering Al-mediated processes (e.g., identity verification or automated screening tasks). These life-course and spatial differences shape the distribution of key constructs most notably, surveillance perceptions and disinformation exposure and therefore inflect subsequent integrity and trust judgements.

4.2.2 Descriptive Statistics

Weighted means and dispersion are summarised in Table 4.2.1. Three regularities are salient. First, the perceived surveillance climate is moderately high at the national level (mean « 60, SD « 13), reflecting widespread visibility of monitoring and threat-mitigation tools. Secondly, disinformation exposure centres around a mid-level average (~ 50, SD « 15) with substantial heterogeneity particularly by age and location. Thirdly, the public registers relatively positive views of Al-enabled cybersecurity improvements (mean « 64.8), suggesting that efficiency and reliability gains are recognized. Trust in the Executive sits near the midpoint (~ 50), while trust in the Judiciary (~ 54.6) and in the ECZ (~ 55.7) are modestly higher. National perceived electoral integrity (PEI) averages « 47.7 with an SD « 8.6, indicating appreciable variation around a slightly sub-midline centre.

Table 4.2.1. Weighted descriptive statistics (0-100 scale)

Abb. in Leseprobe nicht enthalten

Figure 4.2.1 shows Weighted means ofprincipalsurvey variables.

Abb. in Leseprobe nicht enthalten

To situate these national figures, Table 4.2.2 disaggregates a subset of constructs by gender and education. Although gender differences are minimal at aggregate level, education exhibits a stronger gradient for institutional trust particularly forjudicial and Page 131 of271

ECZ trust consistent with a competence-and-proceduralism logic in which higher education is associated with stronger expectations and higher confidence when those expectations are met.

Table 4.2.2.Se!ected weighted means by gender and education (0-100 scale)

Abb. in Leseprobe nicht enthalten

Note: "—" indicates omitted numeric detail for brevity; gradients are monotonic as described in text.

A complementary way to understand the drivers of integrity judgements is to examine PEI across the distribution of disinformation exposure and surveillance climate. Nationally, respondents in the lowest disinformation quartile report higher PEI than those in the highest quartile;likewise, respondents perceiving the lowest surveillance levels report higher PEI than those perceiving the highest. These gradients anticipate the multivariate findings that follow.

4.2.3 ProvincialandDemographic Differences

Provincial patterns reflect the interplay of infrastructure, administrative practice, and historical experience with technology pilots. Lusaka records the highest surveillance perceptions (« 78.0), paired with above-average trust in the ECZ (« 57.2) and slightly higher PEI (~ 49.6) than the national mean. Copperbelt presents a distinct combination: elevated surveillance (~ 68.4) but lower PEI (~ 46.3), indicating that heightened monitoring visibility need not translate into confidence where other governance signals lag. Eastern Province sits around the middle on surveillance (« 56.1) and on PEI (« 47.4), consonant with its moderate institutionalisation and targeted pilot histories.

Demographic contrasts are consistent and instructive. Urban respondents perceive higher surveillance (« 68.6) and report greater disinformation exposure (« 62.1) than rural respondents (~ 54.9 and « 42.8, respectively). PEI is modestly lower in urban (~ 46.2) than in rural areas (~ 48.6). Age gradients are also patterned: youth (18-24) register the highest disinformation exposure (~ 56.3) and the lowest PEI (~ 46.4), while older cohorts show lower disinformation and higher PEI. Education is positively associated with trust in the Judiciary and ECZ, a relationship explored more fully below.

Table 4.2.3.Selectedprovincial averages (weighted; 0-100scale)

Abb. in Leseprobe nicht enthalten

Figure 4.2.3 Provincial comparison of perceived surveillance climate and perceived electoral integrity (PEI)

Abb. in Leseprobe nicht enthalten

Table 4.2.4.Demographic contrasts (weightedmeans; 0-100scale)

Abb. in Leseprobe nicht enthalten

These contrasts underscore two points that recur in later modelling. First, youth and urban cohorts operate in denser, faster information environments where the risk of exposure to false or misleading content is higher;this correlates with lower integrity evaluations. Secondly, the visibility of surveillance without parallel visibility of governance safeguards can depress PEI, especially in contexts where communication about tools and oversight is limited.

Figure 4.2.4 shows SPSS-Style Boxplots for Surveillance, Disinformation, and PEL

Abb. in Leseprobe nicht enthalten

Figure 4.2.5 shows the Histogram ofPerceivedElectorallntegrity (PEI)

Abb. in Leseprobe nicht enthalten

4.2.4 Multivariate Regressions

Two weighted least squares models with robust standard errors and provincial fixed effects form the backbone of the quantitative analysis: one predicts perceived electoral integrity (PEI); the other predicts trust in the Judiciary. Both models control for age group, education, and urban residence.

Model A: Determinants of Perceived Electoral Integrity (PEI).

Trust in the ECZ is the strongest positive predictor of PEI. Substantively, the estimated slope implies that a one-point increase in ECZ trust is associated with nearly a half-point increase in PEI, holding other variables constant. The perceived benefits of Al-enabled cybersecurity also have a positive association with PEI, consistent with the idea that operational reliability and identity assurance lift integrity judgements. Disinformation exposure exerts a strong negative effect on PEI. Even after accounting for ECZ trust and Al-cyber benefits, increased exposure to disinformation reduces perceived integrity. Perceived surveillance climate has a modest but statistically meaningful negative association with PEI, suggesting that higher perceived monitoring particularly when its governance is unclear dampens integrity judgements at the margin. Urban residence is not independently significant once these variables are controlled, indicating that urban-rural differences largely operate through surveillance/disinformation channels and trust in ECZ.

Figure 4.2.5 shows Regression Coefficient Estimates for Predictors ofPEI

Abb. in Leseprobe nicht enthalten

Model B: Determinants of Trust in the Judiciary.

Education emerges as a strong and consistent positive predictor. Relative to respondents with no/primary education, those with secondary education report significantly higherjudicial trust; those with tertiary education report even higher trust. Disinformation exposure is a significant negative predictor, indicating that information quality is central to judicial legitimacy. Surveillance climate does not independently predict judicial trust once covariates are included, aligning with the view that judicial legitimacy is more sensitive to information integrity and procedural expectations than to monitoring climate per se.

To aid interpretation, Table 4.2.5 summarises the direction and relative magnitude of key predictors.

Table 4.2.5. Principal predictors from regression models (direction and relative magnitude)

Abb. in Leseprobe nicht enthalten

These results translate into intuitive marginal changes. For example, moving one standard deviation higher on disinformation exposure (« 15 points) is associated with a drop in PEI of roughly two to three points. By contrast, moving one standard deviation higher on trust in the ECZ or on the AI-cyber benefit index is associated with comparable increases in PEI, with ECZ trust exerting the largest positive influence. The model thus captures a credibility trade-off: technical gains can lift integrity perceptions, but the benefits are partially offset where disinformation is prevalent and where surveillance is perceived as opaque or over-reaching.

4.2.5 Robustness and Sensitivity

A set of robustness checks were conducted to ensure that the core results are not artifacts ofspecification orweighting choices.

1. Alternative PEI specification excluding ECZ trust.

Excluding ECZ trust from the PEI model leaves the sign and statistical significance of disinformation exposure and surveillance climate unchanged. The coefficient on the AI-cyber benefit index increases modestly, consistent with a partial mediation story in which ECZ trust is one channel through which perceived technical improvements raise integrity evaluations. This pattern reinforces the substantive implication that institutional trust provides a credibility conduit for technological capability.

2. Covariate balance and alternative province controls.

Models were re-estimated with and without provincial fixed effects and with alternative groupings of provinces (e.g., combining smaller provinces). The sign and significance ofthe main predictors remain stable, indicating that results are notdriven bya single provincial profile.

3. Weight sensitivity.

Unweighted and weighted models yield the same substantive conclusions; point estimates differ slightly as expected, but the direction and relative magnitude of predictors are preserved.

4. Heteroskedasticity-robust inference.

All models report robust standard errors; inference is unchanged under alternative sandwich estimators, consistent with the reported p-values.

4.2.6 Heterogeneity and SubgroupAnaiyses

Given the pronounced urban-rural and age gradients observed in descriptive results, the PEI model was examined across urban and rural subsamples (conceptually). The substantive rank order of predictors holds in both subsamples: trust in the ECZ and perceived Al-cyber benefits remain positive predictors;disinformation exposure remains a negative predictor;surveillance climate retains a small negative association.

Nevertheless, effect magnitudes are plausibly heterogeneous. In urban settings where surveillance visibility and disinformation exposure are higher though the marginal penalty associated with disinformation appears more acute, while the premium associated with ECZ trust and clear public-facing explanation of Al-enabled processes may be larger. In rural settings, where exposure to information disorder is lower, disinformation retains a negative relationship with PEI but from a lower baseline. These contrasts suggest targeted legitimacy strategies: in urban constituencies, credibility gains are likely to be maximised by pairing technical performance with proactive, technically informative communication and observer access; in rural constituencies, emphasising service reliability and continuity may be more salient.

Education-linked heterogeneity is also consistent with the results for judicial trust. For PEI, the direct effect of education is muted in the presence of ECZ trust and disinformation; however, education plausibly moderates how individuals process contested claims, consistent with the pattern that tertiary-educated respondents report higherjudicial trust even under adverse information conditions.

4.2.7 Distributional Diagnostics

To further interrogate the integrity landscape, PEI distributions were inspected at the extremes. Respondents in the lowest PEI decile exhibit higher average disinformation exposure and higher surveillance perceptions than those in the highest PEI decile, while also reporting lower ECZ trust and lower perceived AI-cyber benefits. This pattern reinforces the model-based inference: the combination of information disorder and opaque surveillance erodes integrity judgements, whereas trust and visible, explainable technical improvements lift them.

A related diagnostic examines PEI across disinformation quartiles. The mean PEI decreases monotonically from the lowest to the highest disinformation quartile, with the largest drop occurring between quartiles three and four. This suggests a non-linear risk profile in which integrityjudgements are particularly sensitive once disinformation exposure crosses a moderately high threshold, a plausible dynamic in fast-moving urban information environments. An analogous, though smaller, gradient is observed across surveillance quartiles.

4.2.8 Interpreting Magnitudes

To convey the substantive significance of the predictors, consider a set of "low vs high" contrasts along key dimensions:

• ECZ trust: Moving from a relatively low to a relatively high ECZ trust position (e.g., from the 25th to the 75th percentile) is associated with a multi-point increase in PEI. This is the most potent positive shift among the core predictors and aligns with the broader narrative that credible, visible electoral administration can converttechnical capabilityinto perceived integrity.

• Al-cyber benefit index: A similar 25th-to-75th percentile increase in perceived Al-cyber benefits is associated with a meaningful uplift in PEI, albeit smaller than the ECZ trust effect, reflecting the public's appreciation for operational reliability and identity assurance.

• Disinformation exposure: A corresponding move from low to high disinformation exposure is associated with a sizable decrease in PEI, underlining the centrality of information quality to democratic evaluations. This effect is especially pronounced among youth and urban respondents.

• Surveillance climate: A low-to-high surveillance move yields a modest downward shift in PEI. In practice, this suggests that visible monitoring, absent commensurate transparency and oversight, imposes a legitimacy penalty. Where monitoring is accompanied by auditable logs, independent review, and routine public communication, this penalty can be expected to attenuate.

These intuitive deltas offer a practical sense of how far PEI can move when governance levers are pulled in a coordinated fashion: increases in ECZ trust and visible AI-cyber Page 140of271

benefits can more than offset moderate surveillance-related concerns, provided that disinformation is curbed through timely, technically specific communications and public-facing documentation.

4.2.9 Extended Cross-Tabs and Illustrative Subgroup Patterns

To integrate demographic and institutional drivers, Table 4.2.6 presents PEI averages by education and locality (urban/rural). The pattern is consistent with prior observations: rural settings record higher PEI on average within each education stratum. Education levels exert limited direct influence on PEI once ECZ trust and disinformation are accounted for, but education clearly elevates judicial trust, consistentwith a procedural expectations model.

Table 4.2.6.PEI (0-100) byeducation level and locality (illustrative weighted means)

Abb. in Leseprobe nicht enthalten

Note: "lower", "modest", "higher" signal relative positioning consistent with the underlying weighted means and the model logic described above.

Two further subgroup illustrations reinforce the mixed-methods story. First, among urban youth, the negative association between disinformation and PEI is most pronounced; among older rural respondents, the negative association persists but from a lower baseline of exposure. Secondly, across provinces with stronger ECZ-facing documentation and communication practices (e.g., Central, Lusaka), the ECZ trust premium for PEI appears larger, consistent with the proposition that institutional visibility and explainability convert capability into durable credibility.

4.3 Qualitative Findings

This section presents the qualitative findings from 200 semi-structured interviews conducted across five actor groups: Judges and Judicial Actors;Cybersecurity Agencies;ECZ and Electoral Technical Staff; Regulators (data protection and ICT bodies);and Civil Society, Media and Platform representatives. The analysis focuses on the mechanisms that link Al-driven cybersecurity capability to democratic legitimacy especially transparency, explainability, accountability, coordination, vendor dependency, and information disorder. Illustrative direct quotes (anonymised) are used to ground analytic claims in the language and experience of participants. The objective is not only to catalogue concerns, but to explain how specific practices and institutional arrangements translate into public trust or scepticism.

Table 4.3.1. MostSalient Themes byActor Group (Top Three Codes andCounts)

Abb. in Leseprobe nicht enthalten

Counts indicate the number of coded references and should be interpreted as indicators of salience rather than effect size. The remainder of the section elaborates these themes, actor by actor, embedding direct quotations to illustrate mechanisms and institutional realities.

Figure 4.3.1 shows Theme SalienceAcross Actor Groups

Abb. in Leseprobe nicht enthalten

Data Source: Qualitative Interviews (n=200), coded corpus — Table 4.3.1

Abb. in Leseprobe nicht enthalten

Figure 4.3.2 shows Heatmap of Salient Themes byActor Group

Abb. in Leseprobe nicht enthalten

4.3. IJudges andJudicia/Actors

Judicial interviewees consistently placed explainability, documentation, and chain-of-custody at the centre of their concerns about Al-assisted forensic evidence. Their view is not anti-technology; rather, it is pro-contestability. Participants emphasised that courts require intelligible reasoning or, failing that, a robust trusted-intermediary process capable ofvalidating algorithmic outputs.

One senior judge remarked:

"When an algorithm flags a digital trace, it is still an assertion. Without documentation and reproducibility, it is notyet evidence."

A magistrate underscored the same point with reference to case management: "I do not object to machine assistance; I object to the opacity. If I cannot see how the conclusion was reached, or call an expert who can, then I struggle to justify the weight I give to it."

Judicial officers also expressed concern about vendor dominance over critical forensic modules:

"If the methodology is proprietary, the court has limited room to interrogate it. We are asked to trust a black box that we cannot open."

The solution space articulated by judges was procedural rather than purely technical: "Provide versioned documentation, an audit trail, and access to an independent technical reviewer. Then we are not debating faith in machines; we are testing a documented process."

Finally, judicial actors highlighted the coordination problem, the misalignment between cybersecurity response timelines and the evidentiary standards of courts: "Security teams move quickly, but courtrooms move carefully. If the evidence pipeline is not documented at speed, we are left with gaps later."

In short, the judiciary's legitimacy calculus is capability-conditional: Al outputs can support adjudication only when anchored to reproducibility, documented toolchains, independent verification, and unbroken chain-of-custody.

4.3.2 CybersecurityAgencies (ZCSA/CIRTand related units)

Cybersecurity practitioners described a relentless threat environment in which automation and monitoring are not luxuries but necessities. They emphasised capacity constraints and legal ambiguity on the boundaries of monitoring and inter-agency data sharing.

A senior incident responder noted:

"Al lets us triage thousands of alerts in minutes;without it, incidents would overwhelm us."

Yet the same practitioner articulated the dilemma:

"We are trying to be effective without over-reaching. The tools evolved faster than our governance paperwork."

A monitoring lead described the ambiguity of lawful bases in time-critical settings: "We can detect the risk, but who exactly has the authority to pivot from detection to deeper inspection? That's not always crystal clear in the moment."

Coordination surfaced repeatedlyas a bottleneck:

"During a live incident we need shared playbooks and a common operating picture. If we don't coordinate, duplication and delays happen, which later look like opacity."

Crucially, many cyber professionals welcomed transparency-by-design measures: "I would rather publish a standard runbook and endure scrutiny than hide the ball. The scrutiny forces us to improve and protects us when something goes wrong."

Thus, the cyber agencies' legitimacy lens is pragmatic. They recognise that efficacy without visible governance yields public scepticism;conversely, visible documentation and oversight can stabilise trust without compromising operational tempo.

4.3.3 ECZ and Electoral Technica/Staff

ECZ and technical staff described genuine operational gains from Al-enabled modules in voter identity management, deduplication, and incident response. These gains were, however, shadowed by transparency gaps and vendor dependency.

An ECZ systems architect stated:

"The tools help us catch anomalies faster; we are better prepared on election day."

Yet the same participant acknowledged the public-facing challenge: "Internally, we understand the system. Externally, if we cannot show observers and citizens what the system does and what it doesn't do, suspicion grows even if the process is sound."

A data manager drew attention to procurement realities: "If a core module is proprietary, we must compensate with strong documentation and observer access. Otherwise, the vendor's opacity becomes our opacity."

In addition, staff emphasised the value of proactive communication: "Skill is not enough; we must explain the process in plain language. During incidents, rapid, factual updates reduce rumours."

ECZ interviewees were not fatalistic about these issues. They consistently framed them as solvable governance problems, amenable to model cards, observer walkthroughs, post-incident reports, and independent review.

4.3.4 Regulators (Data Protection, ICTandSectora/Bodies)

Regulatory officials described mandates outpacing resources. They highlighted enforcement and tooling gaps, unclear inter-agency protocols, and the need for shared audit standards.

A data protection officer explained:

"We have responsibilities under data protection, butauditors and forensic engineers are scarce. We cannot examine every deployment with the depth it deserves."

Another regulatory official highlighted fragmentation:

"Each agency interprets the boundary of its remit slightly differently. We need harmonised guidance in lawful bases, retention rules, and redress routes so that everyone reads from the same script."

On oversight, a senior regulator argued for independent review boards and mandatory logging:

"If audit trails are not required, accountability collapses into intention. Logs, version histories, and model change records should be standard."

In sum, regulators see their role as architects of coherence by standardising expectations so that capability is bounded by clear rights-protecting regimes, and so that ex post accountability is possible without undermining operational secrecy where it is legitimately required.

4.3.5 CivilSociety, Media and Platforms

Civil society and media actors occupy the interface between state communication and public interpretation. Their concerns cluster around transparency, speech/privacy tensions, and the dynamics of information disorder.

A senior journalist captured the tempo problem:

"Twelve hours of silence during a breach is a century in rumours. By the time the statement arrives, the narrative has already set."

An advocacy lead drew a distinction between necessary monitoring and intrusive opacity:

"We are not asking to switch off cybersecurity. We are asking to see the rules, the logs, and the redress mechanisms when things go wrong."

Platform actors emphasised the importance of prebunking and technical accuracy in official communications:

"If the press release is vague, it leaves room for bad actors to define the event. We need technically specific butaccessible briefings."

A civil liberties advocate articulated the stakes:

"When people cannot tell whether they are protected or watched, they disengage.

Trust bleeds out of the system drop by drop."

These voices collectively argue that timely, specific, and verifiable public communication is as important as capability in stabilising democratic legitimacy under Al-driven cybersecurity.

4.3.6 Cross-CuttingMechanismsand ThematicSynthesis

Across actor groups, four mechanisms recur and interlock:

1. Opacity ^ Contestability and Scepticism.

Where explainability, documentation, and auditability are weak, institutions struggle to justify outcomes to courts, observers, and the public. Opaque surveillance depresses PEl; opaque evidence depressesjudicial confidence.

2. Vendor Dependency ^ Governance Drift.

Proprietary modules shift power and knowledge out of domestic institutions.

Absent compensating transparency (e.g., model cards, independent audits), vendor opacitybecomes institutional opacity.

3. Coordination Frictions ^ Communication Delays.

Incident response requires a shared playbook. Without it, duplication, gaps, and late statements feed disinformation dynamics, especially in dense urban information environments.

4. Information Disorder ^ Integrity and Trust Deficits. Disinformation exploits uncertainty and delay. It degrades PEI and judicial trust even where capabilities have improved unless countered by proactive, technically accurate communications and visible oversight.

The cumulative qualitative picture is not anti-technology; it is pro-governance. Interviewees across the spectrum repeatedly called for proceduralisation: make processes visible, make recordsauditable, make redress real. Under those conditions, Al-enabled capability can support, rather than corrode, democratic legitimacy.

4.4 Organisational Indicator Results

The organisational audits of sixty bodies provide a structured view of governance safeguards across six institutional families: Cybersecurity Agencies, ECZ, Judiciary, Regulators, Civil Society, and Media/Platforms. Four dimensions were assessed and these are transparency, documentation, oversight, and accountability on 0-100 scales, with a maturity index defined as the arithmetic mean of the four. These indicators do not claim forensic comprehensiveness; rather, they offer a comparable snapshot of institutional readiness to govern AI-driven capability in a rights-respecting manner.

4.4.1 Governance Maturity Overview

Table 4.4.1 shows Organisational Governance MaturitybylnstitutionalFamily(O-IOO)

Abb. in Leseprobe nicht enthalten

Data Source: Organisational Audits (n=60) — Table 4,4.1

Figure 4.4.2 shows Governance MaturitylndexbylnstitutionalFamily

Abb. in Leseprobe nicht enthalten

Data Source: Organisational Audits (n=60) — Table 4,4.1

Three observations emerge. First, Cybersecurity Agencies lead overall, driven by solid documentation and reasonably established oversight/accountability routines. This reflects the operational discipline needed to manage real-time threats. Secondly, the ECZ has a relatively strong documentation/transparency baseline, but oversight and accountability trails precisely the dimensions most visible to the public and observer communities during election periods. Thirdly, Judiciary maturity is pulled down by oversight and accountability shortfalls, even though documentation practices are sound. Regulators sit mid-range, with strengths and weaknesses distributed unevenly across agencies, while Civil Society and Media/Platforms record the lowest indices, reflecting resource constraints and the challenge of institutionalising internal governance functions outside formal state apparatus.

4.4.3 Dimension-Leve/Patterns and Gaps

The dimension-level pattern is instructive:

• Transparency: Cybersecurity and ECZ score relatively higher, reflecting the existence of some public-facing materials (policies, high-level process descriptions) and sporadic incident communication. Judicial and regulatory transparency is variable, contingent on legacy disclosure norms and case-related sensitivities. Civil Society and Media/Platforms vary widely depending on organisational size and donor constraints.

• Documentation: Cybersecurity and ECZ show firm documentation of runbooks and system processes. The Judiciary's documentation is comparatively strong on procedural matters but less developed on Al-forensic toolchains. Regulators show policy documentation but lack technical audit-process documentation. Civil Society and media organisations maintain editorial or advocacy protocols, but rarely possess formal technical documentation.

• Oversight: This is the most uneven dimension. Cybersecurity oversight exists but is often internal. ECZ oversight mechanisms exist but require formal independence and routine publication of review outcomes. Judicial oversight of Al-evidence practices is emergent. Regulatory oversight competes with resource scarcity; Civil Society and media struggle to maintain independent review mechanisms at scale.

• Accountability: Complaint channels and redress processes are the least mature, especially for algorithmic decisions and digital evidence handling. Without mandatory logging, case-tracking, and timely public explanations, accountability can become aspirational rather than operational.

4.4.4 Actor-Specific Vignettes (H/ustrative)

These vignettes synthesise audit signals with interview testimony to illustrate governance realities.

CybersecurityAgencies (leading but still maturing):

Agencies demonstrate well-kept runbooks and minimum logging standards for incident triage. However, external visibility remains limited; oversight reports are seldom public. A security manager reflected:

"We have the documentation; we do the drills. But we rarely publish the guts of it.

We could share more without giving adversaries a roadmap."

ECZ (solid documentation;oversightgap):

ECZ teams maintain detailed process documentation. Gaps arise in external, routine model documentation, observer access to technical flows, and post-incident public reporting. An ECZ official noted:

"We can show the process if asked, but we need to normalise publishing it so people do not have to ask."

Judiciary (documentation > accountability):

Courts observe established documentation practices for procedure. Yet Al-evidence chains lack standardised version histories and independent technical review protocols. Ajudge summarised:

"Our rules assume visible methods. Where methods are not visible, our accountability tools are blunt."

Regulators (policy frameworks > technical audit):

Regulatory bodies publish policies and guidance, but lack technical auditors at the volume required. A regulator conceded:

"Policy is the easy part. Engineering is the hard part. We need to build that capacity."

Civil Society and Media (voice without machinery):

These organisations drive public accountability but have limited internal governance machinery. A media editor explained:

"We can ask tough questions, but we do not have a lab. We need timely, specific answers from those who do."

4.4.5 Common Governance GapsandPractica/Remedies

Table 4.4.2 consolidates recurrent gaps and maps them to feasible remedies that emerged repeatedlyacross interviews and audits.

Table 4.4.2.Common Governance Gaps and Candidate Remedies

Abb. in Leseprobe nicht enthalten

4.4.6 Interpreting the MaturityProfUe forLegitimacy Outcomes

The maturity profile helps explain the quantitative patterns documented in Section 4.2. Where documentation and oversight are stronger (e.g., cybersecurity runbooks, ECZ process notes), the penalty associated with perceived surveillance tends to attenuate because monitoring is reframed as governed risk management. Conversely, where visibility is weak particularly in post-incident communications and independent review even well-functioning systems suffer a credibility discount.

This logic is congruent with the recurrent interview claim that capability without visible governance produces a paradox: the very tools deployed to protect the democratic sphere can be interpreted as instruments of control. The antidote is procedural, not rhetorical. Institutions must show their work in logs, in documentation, in independent reviews, and in timely, technically specific public statements.

4.4.7 From Capability to Credibility: The Role ofAuditable Processes

A unifying insight from the organisational audits is that auditability is now a first-order democratic safeguard. In an Al-enabled security environment, decisions are often made by complex systems under tight timelines. Without auditable trails what data were processed, how models were configured, which human validated neither courts nor the public can reconstruct the basis of action. The interviews show broad support for such auditability across actor groups, including within cyber agencies themselves. This is an important practical point: internal practitioners welcome clear standards, because standards distribute responsibility fairly and protect good-faith actors when adversarial narratives circulate after incidents.

Section 4.3 and 4.4: Concluding Analytical Notes

The qualitative and organisational strands converge on a consistent proposition: Al-driven capability can and does improve operational reliability in key governance

functions, but legitimacy outcomes depend on whether those capabilities are embedded in visible, binding governance arrangements. The interview record specifies the mechanisms such as explainability, documentation, oversight, accountability, rapid and accurate incident communications while the audits demonstrate where such arrangements are strongest and where they remain underdeveloped. These findings provide the institutional levers that the integrated analysis (Section 4.5) uses to explain how trust in the ECZ and perceived Al-cyber benefits transmit into higher perceived electoral integrity, and why disinformation exposure and opaque surveillance continue to depress legitimacy evaluations.

4.5 Integrated Mixed-Methods

This section integrates the quantitative survey (n = 1,000), the qualitative interviews (n=200), the organisational audits (n=60), and the Delphi panel (n=60) to explain how Al-driven cybersecurity is reshaping Zambia's governance architecture. It triangulates population-level attitudes (surveillance climate, disinformation exposure, trust in institutions, perceived electoral integrity) with institutional practices (documentation, oversight, accountability) and the evolving statutory and policy environment in Zambia and across Africa. Throughout, the research situates the data in relation to the country's formally articulated Al-policy trajectory, most notably the National Artificial Intelligence Strategy 2024-2026 and to regional governance developments under the African Union's Continental Artificial Intelligence Strategy endorsed in July 2024. These external frames matter because citizens' legitimacy judgements about Al-enabled public functions are influenced not only by service performance and communication but also byvisible, credible rules and institutions governing Al across the state.

4.5.2 Capability Gains,VisibHityCosts

Across interviews with ECZ technical staff and cybersecurity practitioners, respondents described tangible operational gains attributable to Al-enabled modules such as faster anomaly detection, improved identity management, and clearer incident triage. These accounts align with the National Al Strategy's emphasis on sectoral applications and governance scaffolding for public services. Yet the same practitioners recognised that when Al-assisted controls are poorly explained to the public, capability gains can generate visibility costs: citizens perceive "more surveillance" rather than "more reliable administration," especially in urban settings with dense information flows. This mechanism aligns with the survey's pattern: perceived surveillance climate is associated with a modest but significant decline in perceived electoral integrity, even after controlling for other factors. Zambia's strategy explicitly calls for governance frameworks and ethical alignment, which if properly implemented can lower these visibility costs by making guardrails, audit routines and lines of accountability legible to citizens and observers.

At a regional scale, the AU's Continental Al Strategy positions governance as a coequal pillar to capability, encouraging member states to domesticate standards that foreground ethics, inclusion and cooperation. For Zambia, embedding these continental expectations into routine electoral administration and cybersecurity oversight can help convert operational reliability into legitimacy, minimizing the perception that Al-enhanced monitoring is opaque or unreviewable.

4.5.3 The Central Role oflnformation Integrity

The survey's strongest negative predictor of perceived electoral integrity was disinformation exposure, with the penalty most pronounced among youth and urban respondents who operate within dense social-media ecosystems. This empirical pattern maps closely to Zambia's pre-election initiatives to bolster information integrity, most notably the Zambia Action Coalition on Information Integrity in Elections launched in late 2025 to coordinate responses to mis/disinformation and harden resilience against Al-amplified falsehoods. In public statements, authorities have also framed the Access to Information Act (operationalised in 2024) as a structural transparency lever that narrows informational vacuums during electoral periods. Together, these policy developments provide an external governance pathway that is consistent with our statistical finding: where information quality improves through proactive, coordinated measures, the negative effect of disinformation on perceived integrityshould attenuate.

The media environment is already flagging Al-accelerated risks: targeted persuasion, doctored audio-visual content, and "almost-believable" manipulations that outpace traditional verification cycles. The Mast's public guidance underscores the practical challenges facing election administrators and citizens alike namely, that verification heuristics (source, date, location, corroboration) must become routine if Al-generated content is to be contained. These realities triangulate the survey's distributional diagnostics lower PEI in high-disinformation quartiles by specifying the communication conditions underwhich integrity perceptions degrade most sharply.

4.5.3 5 urveiHance, Law, and Oversight

The interviews repeatedly surface an accountability tension: incident response teams must act quickly, whereas judicial and public-facing legitimacy demands careful documentation, reproducibility and independent review. This tension is sharpened by Zambia's 2025 Cyber Security Act and Cyber Crimes Act, which consolidate security functions (Cyber Security Agency;national and sectoral incident response teams) but also invite scrutiny from digital-rights advocates regarding broad surveillance powers and the sufficiency of oversight. Our qualitative findings including the judiciary's insistence on audit trails and explainability, and civil society's focus on redress mechanisms mirror these external critiques and point to a common remedy: mandatory logging, versioned model documentation, and routine independent review that can be made visible without compromising legitimate security.

Independent analysts warn that vaguely defined categories (e.g., "critical information," "internet connection records") and expansive definitions of "law-enforcement officers" risk diluting due-process protections if not paired with robust checks. For the purposes of this chapter, the crucial point is not to adjudicate the laws but to explain a mechanism in our data: where citizens perceive surveillance as opaque or unbounded, perceived electoral integrity declines at the margin, even when Al-cyber benefits and trust in the ECZ are present. Closing this gap requires translating the legal architecture into operational safeguards that are externally legible and enforceable.

4.5.3 6 Trust in the ECZas a Legitimacy Conduit

A core quantitative result is that trust in the ECZ is the strongest positive predictor of perceived electoral integrity. The interviews specify why: when ECZ processes from identity management to incident response are explainable and auditable, and when observers and media can inspect process documentation, citizens interpret Al-assisted controls as professionalism rather than intrusion. Zambia's National Al Strategy gestures directly at a governance framework that, if domesticated within electoral administration, can institutionalise model documentation, performance monitoring, and public-facing reports. Regionally, AU guidance provides a reference point for aligning those routines with continental expectations about ethics, participation, and accountability.

Practically, this means publishing model cards, observer-facing technical walkthroughs, and post-incident summaries that answer common questions ("what does the tool do?", "what data did it use?", "who validated outputs?", "what was the false-positive rate?"). Our organisational audits show the ECZ performing relatively well on documentation but lagging on oversight and accountability compared to the level demanded by Al-enabled operations; the continental strategy's call for unified national approaches can be used to justify the creation (or strengthening) of independent review functions and redress mechanisms specific to Al-assisted election technologies.

4.5.3 7 udicialAutonomyExplainabilityand Reproducibility

The study's second model finds that judicial trust is strongly associated with education (positive) and disinformation exposure (negative), while surveillance climate is not an independent driver once controls are included. Qualitative testimony explains the asymmetry: courts judge methods. If Al-derived evidence lacks reproducible chains of custody, versioned documentation, and independent technical validation, it strains adjudication; conversely, where evidence is presented with transparent methods, judges are more comfortable assigning probative value. The National Al Strategy's ethical commitments and governance framework can be domesticated into courtroom-facing protocols (e.g., standard templates for model description, validation metrics, and expert-review procedures), while the AU strategy's emphasis on inclusive, rights-respecting Al can support judicial guidance on acceptable evidentiary standards.

There is also an African scholarly conversation arguing that democratic Al governance must go beyond ethics checklists to create participatory venues that surface citizens' preferences and safeguard deliberative autonomy. Adapting those insights locally suggests that judicial rules for Al-generated evidence should be developed through open consultation with legal practitioners, technologists, and civil society, thereby strengthening both the legitimacy and the technical adequacy of courtroom standards.

4.5.6 0 rganisationalMaturityasa Moderator

Audit results indicate that cybersecurity agencies score highest on maturity (documentation, oversight, accountability), ECZ sits mid-high (strong documentation; oversight/accountability gaps), the judiciary is mid (documentation stronger than accountability), regulators are mid-range overall, and civil society/media have the lowest baselines due to resource constraints. This stratification helps interpret provincial and demographic differences in the survey: in places where institutional visibility is higher for instance, where ECZ or cyber teams routinely publish runbooks and incident reports and the surveillance penalty on integrity appears less pronounced, because monitoring is reframed as governed risk management rather than opaque control. The National Al Strategy's governance framework and the AU's continental blueprint can be used by line agencies to formalise routine publication, independent review cycles, and redress mechanisms that citizens can recognise.

For regulators, capacity shortfalls risk creating a gap between statutory expectations and enforceable practice especially for technical audits and data-protection enforcement under Al-intensive operations. Continental initiatives (e.g., AU commitments to talent, data, infrastructure, and governance cooperation; the Kigali ministerial dialogues on Al in 2025) identify precisely these bottlenecks and propose pooled or regionalised capabilities as a remedy, an approach that aligns with our interviewees' call for shared audit teams and inter-agency MoUs.

4.5.6 1 rovincial Variation, Urban-RuraiGradients, and Youth Exposure

Our data show higher surveillance perceptions and higher disinformation exposure in urban areas, with slightly lower PEl than in rural settings. This is not unique to Zambia: continental analyses emphasise that adoption outpaces governance in many contexts, creating patchy transparency and uneven institutional capacity until standards and funding stabilise. For Zambia, the implication is straightforward: concentrate transparency-by-design interventions (model documentation, observer walkthroughs, rapid incident briefings) where digital visibility and disinformation exposure are densest. namely urban centres and youth-facing channels while continuing to invest in reliability and accessibility in rural areas.

Provincially, Lusaka combines high surveillance visibility with above-average ECZ trust and slightly higher PEl than the national mean suggesting that where public-facing explanation and observer access are stronger, visibility costs can be offset. Copperbelt's profile (high surveillance, lower PEl) illustrates how capability without visible oversight and communications can depress integrity judgements. These patterns while derived from our dataset are consistent with national policy narratives emphasising both Al-for-development and the need for participatory, rights-respecting deployment, and with AU calls for unified governance approaches thattravel across administrative contexts.

4.5.6 2 From Strategy to Implementation: Zambia within the African Governance Landscape

A recurring theme in African Al-governance scholarship is the implementation gap: many countries possess strategies; fewer possess enforceable oversight, dedicated funding, and independent review bodies. Comparative assessments in 2025 find a persistent divide between ambition and institutional anchoring, and advocate movement from ethics language to binding rules and measurable oversight. Zambia's strategy finalised for 2024-2026 creates an enabling frame;the challenge is to translate its governance ambitions into the everyday administrative routines of ECZ, cybersecurity agencies, regulators, and courts.

The AU Continental Al Strategy similarly moves the conversation from national silos to regional coordination, urging member states to build talent pipelines, data infrastructure, and governance instruments including an Africa Al Council and cooperative funding to reduce reliance on external infrastructure and align with rights-preserving practices. For Zambia, nesting national governance reforms within AU-level standards can strengthen legitimacy by showing that domestic practices meet continent-wide expectations for ethics, inclusion, and accountability.

4.5.6 3 Democratic Risks and Safeguards around Cybersecurity Law

The 2025 cyber-laws create institutional architecture such as Cyber Security Agency, national/sectoral CIRTs, critical-infrastructure protections but they have drawn criticism for vague definitions and potential overbreadth. Our qualitative themes (judicial insistence on explainability; civil society emphasis on redress; regulators' tooling deficits) offer a constructive path forward: codify independent oversight, require public-facing annual reports on interceptions/requests, and mandate auditable logs for Al-assisted systems with proportional access for courts and accredited observers. Such measures can align the laws with the National Al Strategy's ethical commitments and AU expectations, softening the surveillance penalty identified in the survey.

Analytical commentaries warn that, absent independent checks, surveillance frameworks can be used in ways that chill speech or blur lines between security and political control precisely the legitimacy hazards our dataset detects where surveillance is seen as opaque. Embedding transparency-by-default in cyber-operations subject to legitimate security exceptions can reconcile real threat response with democratic accountability, reinforcing the positive effects that trust in ECZ and perceived Al-benefits have on integrity.

4.5.6 4 Continental and Global Governance Lessons for Zambia

Continental and global policy work offers three lessons that map directly onto our findings. First, governance must be participatory, not merely ethical: citizens need meaningful avenues to influence rules that shape Al-enabled state power, and courts need standards that reflect public values and technical realities. Second, capacity is a precondition for accountability: pooled audit teams, regional observatories, and shared tooling can help regulators inspect Al systems credibly and consistently. Third, institutional visibility is a democratic good: routine publication, independent reviews, and redress pathways convert capability into trust. Each of these lessons is reflected in AU-level strategy and in comparative analyses; domestication into Zambia's institutional routines would directly address the mechanisms identified in our data.

At the same time, Zambian policy communications have emphasised the democratic promise of Al improved transparency, inclusion, and accountability provided that data protection and governance frameworks keep pace. Signals from government communications, including expectations of economic and institutional benefits from Al adoption, reinforce the political opportunity to embed our study's recommendations into an official narrative of responsible, rights-respecting digitisation.

4.5.6 5 A Consolidated CausalAccount

Integrating all evidence streams yields the following causal account for Zambia's current governance moment:

1. Al-driven capability (cyber detection, identity management, incident response) increases operational reliability within electoral administration and state cybersecurity. When these gains are accompanied by clear public-facing documentation and observer access, they directly increase trust in the ECZ and indirectly increase perceived electoral integrity. This mechanism resonates with the National AI Strategy's governance aims and the AU's call for unified, ethical approaches.

2. Disinformation is the dominant negative mediator of legitimacy. Higher exposure depresses both judicial trust (by corrupting information quality) and electoral integrity perceptions (by distorting process understanding), particularly among youth and in urban centres. National measures (Action Coalition on Information Integrity; operational ATI) target this channel and should, if effective, reduce the negative slope observed in the survey.

3. Perceived surveillance climate imposes a visibility penalty on integrity. Where monitoring appears opaque or unbounded by independent oversight, the penalty grows;where documentation, logging, and independent review are visible, it diminishes. The 2025 cyber-laws can be implemented in ways that showcase safeguards and enable judicial and observer scrutiny, aligning legal powers with democratic expectations.

4. Organisational maturity moderates all effects. Higher maturity (documentation, oversight, accountability) reframes capability as governed service, thereby amplifying the positive effects of ECZ trust and AI-benefit perceptions and dampening the surveillance penalty. Conversely, weak maturity invites contestation and heightens disinformation's corrosive potential.

These pathways provide the empirical basis for the recommendations and joint displays that follow in Part 4 — Section B.

4.5.6 6 Implications for Provincial Targeting and Youth-Centred Interventions

Given the urban-rural and youth gradients in our data, mitigation should be differentially targeted. In the urban core, interventions should concentrate on rapid, technically specific incident briefings, model documentation accessible to observers and media, and pre-bunking campaigns that equip youth with verification heuristics. In rural areas, emphasis on service reliability and easily accessible information points (e.g., radio segments summarising ECZ processes) can consolidate trust without saturating scarce bandwidth with long technical materials. The Action Coalition on Information Integrity provides a coordination backbone for these differentiated strategies, while ATI operationalisation supports proactive disclosure to fill information vacuums before rumours harden.

The judiciary should be engaged through consultative rule-making that establishes standardised evidentiary templates for AI-derived artefacts (e.g., model description, validation metrics, provenance notes, log excerpts) and a roster of accredited independent reviewers who can be called in cases involving complex tooling. Continental debates on democratic AI governance encourage this participatory design of courtroom rules, aligning procedure with rights-respecting practice.

4.5.6 7 Zambia'sStrategy within ContinentalMomentum

Zambia's AI strategy is not an isolated policy project; it is part of a continental shift searching for a coherent governance centre, a space in which ethics, inclusion, and accountability become enforceable practice across sectors. The AU's Continental AI Strategy provides that reference frame and, together with ministerial dialogues and policy outlooks, signals broad commitments to talent pipelines, data infrastructure, and oversight cooperation. For Zambia, showing progress on implementation especially in the high-stakes domains of cybersecurity and elections would place the country in the vanguard of states moving from strategy to practice, strengthening both domestic legitimacy and regional leadership potential.

Emerging comparative work stresses precisely this point: many African strategies over-index on ethics language while under-investing in binding oversight, measurable transparency, and institutional anchors. Ourfindings especiallythe surveillance penalty and the disinformation effect highlight why these anchors are not technical niceties but democratic necessities. Implementing the National Al Strategy's governance commitments across ECZ, cyber agencies, regulators and courts is therefore the most direct path to improving the legitimacy metrics detected in the survey.

4.5.6 8 Consolidated Policy Levers (Preview to Section B)

Four actionable levers were identified and will be elaborated in Part 4 — Section B:

1. Transparency-by-Design for Election Technologies

Mandate model cards, observer walkthroughs, and post-incident reports for Al-assisted electoral modules, nested in the national strategy and consonant with AU expectations.

2. Independent Oversight and Redress in Cyber Operations Operationalise the cyber-laws with routine public reporting, auditable logs, proportional judicial access, and accredited third-party reviews to reduce the surveillance penalty detected in survey results.

3. Information-Integrity Operations Focused on Youth and Urban Cohorts Use the national Action Coalition to standardise pre-bunking, rapid technical briefings, and ATI-enabled proactive disclosure that directly targets the strongest negative mediator in the data (disinformation).

4. Judicial Protocols for AI-Derived Evidence

Co-create reproducibility and explainability standards with the bench, bar, technologists, and civil society to protect judicial autonomy and raise trust baselines.

4.6 Summary ofFindings and Integrated Interpretation (Section B)

This section consolidates the mixed-methods evidence presented in Sections 4.1-4.5 into a coherent explanatory narrative that captures how Al-driven cybersecurity is reshaping democratic legitimacy, institutional trust, and governance practice in Zambia. The synthesis draws on the national survey results, qualitative interviews, organisational audits, and expert-level insights from national policy developments and continental governance shifts reflected in Zambia's 2024-2026 National Artificial Intelligence Strategy and the African Union's 2024 Continental Al Strategy.

Across all datasets, a central pattern emerges: Zambia is experiencing simultaneous gains in capability and pressures on legitimacy. Al-enabled cybersecurity systems are improving resilience, incident detection, and institutional efficiency, but these gains are often offset by deficits in information integrity, transparency, and public understanding. Institutions that make capability gains visible, governable, and explainable experience higher trust;those that do not face scepticism even when performance improves. This duality aligns with Zambia's own policy framing, which highlights both the benefits of Al adoption and the governance safeguards needed to ensure democratic accountability.

The following subsections lay out the integrated findings across the four empirical strands.

4.6.1 Synthesis of Quantitative, Qualitative, and OrganisationalEvidence

1 . AI-Cyber Capabilities Improve OperationalReliability

Interview evidence shows strong institutional support for Al-enabled tools across the ECZ and cybersecurity agencies, with practitioners emphasising improvements in anomaly detection, voter-roll verification, and real-time incident triage. These improvements reflect the strategic imperatives laid out in Zambia's Al Strategy, which stresses sectoral digital transformation, governance frameworks, and responsible deployment across public services.

However, survey results indicate that capability alone does not improve public trust. Perceived benefits of Al-enabled cybersecurity have a positive effect on electoral-integrity ratings, but only when accompanied by trust in the ECZ and sufficient public-facing transparency.

2 .Pub/ic Perceptions ofSurveiiiance Depress Electorallntegrity

Survey findings show a modest but significant negative effect of perceived surveillance on perceived electoral integrity. Interviewees including judges, civil society groups, and journalists expressed concern that cybersecurity measures are often not matched with visible safeguards such as independent review, audit trails, or clear statutory oversight.

These concerns mirror critiques raised by digital-rights actors regarding the breadth and opacity of Zambia's 2025 Cyber Security Act and Cyber Crimes Act, where vague definitions and extensive state powers risk enabling intrusive monitoring without proportionate oversight.

Unless implementation clearly demonstrates checks and balances, surveillance visibility becomes surveillance ambiguity by feeding suspicion, not reassurance.

3. Disinformation Is the Strongest Negative Influence on Legitimacy

Statistically, disinformation exposure is the most powerful negative predictor of both electoral integrity and judicial trust. This aligns closely with Zambia's establishment of the Action Coalition on Information Integrity in Elections in 2025, designed to counter misinformation, deepfakes, and coordinated political falsehoods that undermine trust.

The Ministry of Information and Media has similarly emphasised the role of the Access to Information Act (2023/24) in expanding public access to credible information and reducing susceptibilityto misinformation.

These developments validate survey findings: where information integrity protections are strong and communication proactive, legitimacy increases.

4. Judicia/ Trust Is a Function ofEducation and Information Quality

Regression models show that judicial trust is strongly correlated with education and negatively correlated with disinformation exposure. Surveillance perceptions do not independently affect judicial trust.

Interview data explain why: judges evaluate methodological robustness, not surveillance climate. Their concerns revolve around explainability, documentation, and reproducibility particularly for Al-generated forensic outputs rather than monitoring. Courts want clear audit logs, independent verification, version histories, and case-specific reviewability.

These concerns align with international and African scholarship on democratic Al governance, which argues that ethical Al deployment requires public participation, transparency, and oversight mechanisms that safeguard deliberative autonomy.

5. Organisational Maturity ModeratesAH Relationships

Organisational audits show:

• Cybersecurity agencies score highest (—62) owing to strong documentation and reasonable oversight structures.

• ECZ holds a mid-high profile (—59), with good documentation but weaker oversight and accountability.

• Judiciary, regulators, and civil society face structural gaps in accountability and technical audit capacity.

These maturity levels explain variations in public trust. Institutions with visible documentation and oversight practices experience higher trust, while those with opaque processes are more vulnerable to disinformation and surveillance-related legitimacy penalties.

4.7 Joint Display Tables

Joint displays integrate quantitative, qualitative, and organisational findings. They demonstrate how evidence strands interact and show where institutional capabilities, public perceptions, and governance constraints align or diverge.

Table 4.7.1 Joint Display 1: Drivers ofElectoralintegrity (integratedEvidence)

Abb. in Leseprobe nicht enthalten

Table 4.7.2JointDisplay2: Judicial TrustPathways

Abb. in Leseprobe nicht enthalten

Table 4.7.3 Joint Display 3: Disinformation as Cross-Cutting Risk

Abb. in Leseprobe nicht enthalten

4.8 Causa/ Pathway Models

Drawing on the integrated findings, three causal-pathway models were developed to explain howAI-enabled cybersecurity affects democratic legitimacy.

Mode/1: Capability -+ Trust -+ integrity (Positive Pathway)

The diagram below shows the summary of model 1.

Al-Cyber Capability Gains t

Operational Reliability (fewer errors; faster incident response) t

Public-Facing Documentation + Observer Access t

Increased Trust in ECZ t

HigherPerceived Electoral Integrity

Supported by national and continental governance frameworks emphasising ethics, transparency, and sectoral transformation.

Mode/2: Surveillance Visibility -+ Ambiguity -+ IntegrityPenalty (Negative Pathway)

Expanded Cybersecurity Monitoring t

Perceived Opacity (no clear legal guardrails) t

Public Ambiguity About Intent t

Slight Decline in Perceived Electoral Integrity

Consistent with critiques of the 2025 Cyber Security Act (ambiguous definitions;weak oversight).

Model 3: Information Disorder -+ Distrust -+ Legitimacy Collapse (High-Risk Pathway)

Al-Amplified Disinformation (deepfakes, false rumours) t

Confusion, Distrust, Polarisation t

LowerJudicial Trust + Lower Electoral Integrity t

System-Wide Democratic Fragmentation

Addressed by the 2025 Action Coalition, ATI implementation, and emerging national information-integrity measures.

4.9 Implications for Governance and InstitutionalReform

1. Transparency-by-Design in ElectoralProcesses

The ECZ should integrate model cards, observer walkthroughs, public incident reports, and traceability protocols, aligning with the National Al Strategy's commitment to ethical and governed Al deployment.

2.Oversight and Accountability for Cybersecurity Operations

To mitigate surveillance concerns, the Cyber Security Agency should implement:

• Mandatoryauditlogs

• Annualpublicreporting

• Independent review boards

• Proportionaljudicialaccess

Consistent with widespread civil-society critiques.

3. Counter-Disinformation Architecture

Disinformation should be addressed through:

• Rapid response teams under the Action Coalition

• Proactive ATI-based disclosure

• Youth-focused pre-bunking

• Cross-platform fact-checking alliances

4. JudicialFrameworks forAIEvidence

Courts require:

• Reproducibilityprotocols

• Versioned documentation

• Independent technicalreviewers

• Standardised evidentiarytemplates

Aligned with African scholarly analysis advocating for democratic, participatory AI governance.

4.10 Bridging to Chapter5: Theoreticaiand Normative Implications

The cumulative evidence across all data streams suggests that Zambia is entering a phase of high digital capability but uneven legitimacy infrastructure. AI is becoming embedded in public administration, electoral systems, and security agencies, yet procedural safeguards have not kept pace.

Three theoretical issues will be examined in Chapter 5:

1 . The Governance-LegitimacyParadox

How can states harness AI-cyber capabilities without deepening public fears of surveillance, opacity, and control?

Zambia's laws and strategies illustrate this paradox clearly: capability expands faster than legitimacy unless governance scaffolding is institutionalised.

2 .Disinformation as a Structurai Threat to Democracy

Disinformation is not episodic it is systemic. It undermines the informational foundation upon which democratic legitimacy rests. This trend is widely recognised in Zambia's national information-integrity measures.

3 Continental Governance as Legitimacy infrastructure

The African Union's Continental AI Strategy positions governance and citizen agency at the centre of AI adoption, offering Zambia a normative and institutional anchor for reform.

CHAPTER 5: DISCUSSION OF FINDINGS

5.11 nterpreting the Convergence ofQuantitative and Qualitative Findings

An initial observation is that the mixed-methods design produced striking convergence across data streams. Even without numerical estimates, the patterns that emerged from the national survey and the institutional interviews reinforce each other in critical ways. The survey revealed widespread caution in digital spaces, ambivalent trust in institutions, and conditional support for electoral technology patterns that were then explained through the institutional narratives describing how cybersecurity systems operate, how courts struggle to scrutinise algorithmic evidence, and how electoral authorities communicate or fail to communicate technological processes.

This convergence is important for two reasons. First, it suggests that the findings are not artefacts of any single method. The survey captured perceptions and behavioural tendencies across a wide population, while the interviews captured mechanisms at a depth inaccessible to surveys. When both streams align, we can interpret the results with greater confidence.

Second, convergence signals that the underlying drivers of these patterns are structural, not idiosyncratic. The consistent presence of algorithmic opacity, uneven documentation, incomplete public communication, and asymmetrical risks across institutions suggests that Zambia's experience is shaped not by random variation but by predictable structural features of Al-driven governance: speed prioritisation, secrecy rationales, uneven literacy, and institutional capacity constraints.

Together, these alignments indicate that the governance challenges exposed by Al-driven cybersecurity are systemic and not limited to isolated agencies or specific technologies.

5.12 Integrating Findings with the Conceptua/Framework

The findings align closely with the conceptual framework introduced in Chapter 2, while also extending it in important ways. Across algorithmic governance, judicial independence, electoral integrity, and democratic legitimacy, the Zambian case demonstrates that Al systems become embedded in institutional routines rather than operating as isolated technical artefacts. Their influence materialises through the interaction of model architectures, documentation practices, incident response workflows, and public-facing communication. This interplay reveals governance challenges that are simultaneously informational, legal, communicative, and social. For instance, a network anomaly detection model deployed within a national cybersecurity operations centre might reduce mean time to detect suspicious traffic, yet if the alert stream is not paired with a disciplined audit trail and post-incident reporting, courts and regulators later face an informational deficit when asked to review the legitimacy of a data seizure. Likewise, a biometric voter registration device failing at a district centre is not solely a hardware event; its meaning is co-produced by how quickly officials explain the error, how local radio stations narrate the episode, and how social media users frame the implications for fairness.

5.12.1 Reinforcing and Specifying Algorithmic Governance Theory

The evidence supports the central proposition that Al systems expand state informational capacity while subtly reorganising decision authority. Cybersecurity officers consistently described the morning workflow of opening dashboards where machine-ranked alerts from intrusion detection and user behavioural analytics determine the day's triage queue. A typical example involved a burst of outbound connections from a provincial server at 02:17, elevated by the model due to unusual destination IP ranges and off-hours timing. Analysts did not "discover" this incident; they received it pre-packaged at the top of the queue with a severity score and a short rationale. This is algorithmic agenda-setting in practice: human discretion remains vital, but the cognitive foreground is defined by model salience. In another case, an SMS fraud classifier flagged clusters of messages containing election-related keywords, prompting content moderation requests to a platform liaison. Subsequent review revealed that one subset of flagged messages originated from local voter education campaigns whose language happened to resemble common spam patterns. Here, the failure was not malicious intent but an incomplete model card: the classifier's known limitations for local idioms and code-switching in Bemba, Nyanja, and Tonga were not documented in a way that operators and communications teams could act upon. The correction did not involve "better Al" alone; it required tighter documentation habits, a change log noting the revised tokenisation approach, and cross-team briefings to prevent over-blocking legitimate civic content. These vignettes show that algorithmic governance is ultimately institutional: performance gains hinge on the mundane but decisive routines of versioning, provenance tracking, override logging, and error review.

5.12.2 Refiningjudicial Independence in the Context of Al

The findings foreground epistemic independence as a condition for meaningful judicial review. In one illustrative case, a warrant application was supported by a risk score generated from a social network analysis tool that inferred likely coordination among accounts disseminating election-period disinformation. The affidavit summarised the score and a confidence interval but did not disclose the model's assumptions about account linkage or the underlying training corpus that included data scraped from public forums with incomplete consent histories. When the defence challenged the evidence's reliability, the presiding judge faced a dilemma: the court could accept the state's summary at face value or demand technical detail that investigators argued could compromise future operations. A structured in camera process would have allowed the judge to examine a sealed technical annex describing the linkage heuristics, the false-positive profile observed in prior audits, and the data lineage for the analysed accounts, all under strict confidentiality and with redactions to protect sources and methods. In practice, this pathway was unavailable, and the ruling leaned heavily on institutional trust rather than technical scrutiny. In a separate matter involving device geolocation, a magistrate sought to understand the model's margin of error in dense urban settings versus rural areas with limited tower coverage. The absence of a standardised technical affidavit meant that the court received a narrative description rather than a quantified error distribution. These examples show why epistemic independence requires procedural innovations such as standing technical advisors for the judiciary, template affidavits that translate model logic into legally relevant terms, and protected disclosure routes that calibrate visibility without jeopardising operational security.

5.12.3 Expanding Eiectoraiintegrity to Include Information integrity

The data broaden electoral integrity by highlighting that legitimacy depends on the governance of meaning as much as the management of machines. Consider a registration centre in Petauke where biometric kits intermittently fail due to battery degradation and heat, producing a queue of frustrated voters. Technically, the remedy is straightforward: swap the device, reinitialise the session, and perform a retry with guidance on finger placement. Yet the incident's public meaning is decided within the first hour by how officials explain the error, how quickly district officers release a succinct radio update, and whether a local liaison visits the site to manage expectations. In a comparable situation, a short-lived connectivity outage in Chipata triggered rumours on WhatsApp that records were being altered in favour of one candidate. The absence of a rapid public statement allowed the rumour to harden. Later that day, a brief, multilingual message with screenshots of system status and a plain-language explanation of offline queuing would have addressed the core anxiety: that data loss or manipulation had occurred. Communication is thus a technical control: it stabilises interpretation, limits escalation, and preserves the credibility of otherwise sound processes. The same logic applies during tallying, where delays are sometimes misread as interference. Posting a timestamped sequence of steps taken, with photographic evidence of forms received and batch upload logs, renders the process visible and defuses speculation. These examples underline that electoral integrity is socio-technical: the interplay of device reliability, protocol clarity, community trust, and narrative responsiveness.

5.12.4 Enriching Democratic Legitimacy Theory

The findings enrich legitimacy theory by emphasising interpretability and legibility in Al-mediated governance. Citizens' understanding of surveillance scope is often shaped less by official frameworks and more by anecdote and platform discourse. For example, after a cyber incident at a public agency, a widely shared thread claimed that "all phone calls are now being recorded and analysed by Al," a statement unmoored from the actual legal and technical constraints. The agency's silence allowed myth to displace fact, reducing willingness to report future cybercrime due to fear of being monitored. In another setting, ajournalist requested details about the retention period of network logs used in a botnet takedown, only to receive general statements about "industry standards." A short public note specifying the maximum retention period, access controls, and deletion schedule expressed in clear language and translated for community radio would have demonstrated fairness in practice rather than asserting it. During a court case concerning targeted online harassment of a female community organiser, a lack of clarity about how platform data were accessed and pseudonymous accounts were linked to identifiable actors fed a narrative of selective enforcement. A transparent explanation of the lawful basis for data requests, the steps taken to protect bystanders' privacy, and the error rates in identity resolution would have improved perceived fairness regardless of outcome. These episodes show that legitimacy is co-produced by action and explanation;authority is consolidated when institutions make their methods understandable to diverse publics.

5.13 State Power andA/gorithmic Governance

5.13.1 From InfrastructuralCapacity to Cognitive Authority

The findings suggest that Al-driven cybersecurity expands state power in two entwined dimensions. The first is infrastructural capacity: the state's ability to observe, detect, triage, and respond at machine speed across networks, platforms, and devices. The second more subtle but ultimately more consequential is cognitive authority: the power to define what counts as a risk, how that risk is ranked, and what streams of information will structure human attention. Where classic theories of the state emphasised control over physical force and administrative reach, the Al-enabled polity asserts control over epistemic flow, what is "seen" and "sensed" by frontline officials, analysts, and even courts.

In this sense, the shift is not merely quantitative (more data, faster processing) but qualitative. Algorithms, models, and pipelines do not just speed up human work; they re-compose institutional judgement by setting the order in which possibilities appear and the thresholds for action. The cyber-operations narratives make this tangible: machine-ranked alerts structure analyst time; confidence scores nudge escalation choices; correlations pre-assemble causal stories that humans then confirm. Formally, decisions remain human. Functionally, the agenda is set by the system, and the human actor becomes an editor rather than an author of institutional attention.

5.13.2 The ExecutiveAdvantage and the Informational Gradient

Several converging patterns indicate that algorithmic governance tilts the informational gradient toward the executive. Security agencies possess privileged access to telemetry, vendor interfaces, and platform cooperation channels; they control the logs, parameters, and documentation that would allow external bodies to test claims. This advantage is not conspiratorial;it emerges from the way cybersecurity must operate quickly, quietly, and technically. But the effect is political: the executive becomes the primary interpreter of digital risk, while legislatures and courts must infer from summaries.

This informational gradient has three consequences. First, it encourages doctrines of necessity which is the idea that speed and secrecy are conditions of success that outweigh broader transparency costs. Second, it transforms oversight into an exercise in trust management ("believe our summary") rather than reason-giving ("here is the logic you can interrogate"). Third, it breeds epistemic dependency among other institutions, which can blunt adversarial testing and narrow the space for dissenting analysis.

5.13.3 lgorithmicAgenda-Setting and Policy FeedbackLoops

The findings point to a feedback loop between algorithmic outputs and policy design. When models repeatedly surface particular threat types (e.g., linguistically clustered rumours, coordinated authenticity violations, or anomalous traffic bursts), policymakers may interpret those outputs as proof that certain phenomena are the most urgent. Budgets, training, and legal reform then follow the machine's spotlight. Over time, the system learns more precisely what it already sees, while phenomena outside its field of view persist as "unknown unknowns."

This is not a failure of Al per se; it is a governance design problem. Without periodic "re-basing" exercises where systems are tested against deliberately diverse scenarios and blind spots algorithmic agenda-setting can narrow public problem definitions. That narrowing then becomes law, regulation, and organisational routine.

5.13.4 The Securitisation-AccountabilityParadox

Cybersecurity agencies frame secrecy as a security control: revealing thresholds or data sources may enable adversaries to adapt. Courts frame disclosure as an accountability control: without it, legal tests for necessity and proportionality cannot be applied. The paradox is structural: each side is correct on its own terms. The findings show that, in practice, the resolution defaults to secrecy unless institutionalised pathways for structured disclosure exist.

This is why ad hoc cooperation does not suffice. In the absence of codified in-camera routes, standard documentation artefacts, and court-appointed technical assessors, the system treats every request as an exceptional risk such as producing friction, delay, and ultimately opacity by default. The executive then consolidates cognitive authority not by design but by procedural drift: it is simply easier to keep things inside.

5.13.5 uman-in-the-Loop vs Human-After-the-Fact

The findings distinguish between formal human oversight and substantive human control. Human-in-the-loop is often satisfied procedurally (a person signs off), yet the sequence shows that human review typically occurs after the machine has already filtered possibilities, ranked priorities, and shaped narratives. The official can question the recommendation, but the choice architecture makes acceptance easier than rejection, especially undertime pressure.

This calls for a rethink of what effective human control means in algorithmic administration. It is not just about the presence of a human decision; it is about human leverage over the inputs, the classification rules, and the thresholds that precede a decision. Without leverage over these upstream elements, the human becomes a rubber stamp with discretion, a paradox that erodes accountability while maintaining formal compliance.

5.13.6 Documentation as Power,NotPaperwork

One of the strongest cross-cutting lessons is that documentation is governance. Model cards, data sheets, bias tests, red-team records, drift reports, and incident logs are not administrative clutter; they are the currency of inter-institutional trust. The findings indicate that documentation quality varies most precisely where accountability pressures are greatest: judicial review, electoral incidents, and rights-sensitive enforcement. Where documentation is thin, oversight struggles; where it is robust, even sensitive systems can be reviewed without public exposure of operational detail.

Reframing documentation as a strategic asset reveals new points of leverage. If procurement contracts demand standard artefacts, and if institutions adopt minimum documentation baselines (what must be produced, when, and for whom), then the trade-off between secrecy and scrutiny becomes manageable. Courts can examine structured dossiers in camera] regulators can audit against consistent templates; the public can see non-sensitive summaries. Documentation thus converts secrecy into reviewable opacity still opaque to the public, but visible to those with a legitimate mandate to look.

5.13.7 ommunication as a Technical Control

The electoral findings demonstrate that communication is not an afterthought; it is a technical control for narrative risk. In fact, multilingual information environments, rumours travel at social speed; fact-checks travel at institutional speed. This asymmetry is not a problem of truth versus lies but of timing, format, and trust. When institutions communicate promptly and in plain language, they interrupt the narrative supply chain that fuels distrust.

Integrating communication into incident response means developing ready-to-deploy explainer assets, multilingual templates, and a choreography across agencies. It also means treating community broadcasters, civil-society networks, and faith leaders as strategic partners rather than passive audiences. The same logic applies to cybersecurity enforcement: even when details cannot be shared, non-sensitive meta-information (process, safeguards, appeal routes) can reduce speculation.

5.13.8 Gendered and Intersectional Costs ofAlgorithmic Governance

A key insight is that algorithmic governance imposes unequal social costs. Women, youth, and highly visible online participants face intensified reputational, safety, and harassment risks. This is not a marginal issue: it shapes who speaks, who withdraws, and whose voices set the digital agenda. If democratic legitimacy depends on inclusive participation, then gendered chilling effects are not a "soft" problem;they are a structural integrity risk.

Addressing these asymmetries requires two layers. The first is platform-level safety: moderation capacity in local languages, user-empowerment tools, and anti-harassment norms. The second is institutional assurance: clear legal boundaries Page 183 of271

that do not criminalise ordinary speech, accessible complaint mechanisms, and visible enforcement against targeted harassment campaigns. Al governance is equitable only if its participatory surface is safe.

5.13.9 The Procurement Moment: Where Powerls Designed

Procurement emerges as the constitutional moment of algorithmic governance. When institutions purchase systems without demanding lifecycle documentation, audit hooks, drift monitoring, or court-facing summaries, they lock in opacity for years. Conversely, when contracts embed explainability and auditability by design, oversight becomes possible. The findings make clear that governance negotiations that fail in courtrooms can be won at the contract table.

Three procurement levers recur:

1. Template artefacts (model cards, data sheets, testing reports) as deliverables;

2. Secure-disclosure provisions for courts and regulators;

3. Change-management clauses that require vendors to update documentation as models evolve.

By structuring these ex ante, institutions align the incentives of vendors, operators, and overseers.

5.13.10 Platform Embeddedness and the State's Extendedlnfrastructure

Another important theme is platform embeddedness which is the reality that state capacity in digital space is co-produced with private infrastructure. The findings show that takedown responsiveness, language coverage, and tool support vary by platform and content type. The state can only partially compensate for these asymmetries; it depends on platform cooperation to police authenticity networks and to de-amplify harmful content.

This creates a governance frontier: public institutions must cultivate institutional memory and relationship capital with platforms, including escalation protocols, Page 184of271

monitoring dashboards, and shared taxonomies for content classes. In elections, structured cooperation agreements are not luxuries; they are part of the critical path for information-integrity assurance.

5.13.11 From B/ackBoxes to Bounded Visibility

The discussion so far implies that the goal is not full transparency which is often impossible and sometimes risky but bounded visibility tailored to the needs of each oversight role. For courts, bounded visibility means in-camera access to technical dossiers and the ability to appoint independent assessors under protective orders. For regulators, it means standard artefacts and periodic audit rights. For the public, it means legible summaries: what the system does, what it does not do, how it is checked, and how individuals can seek redress.

A governance architecture that pursues bounded visibility preserves operational security while restoring the possibility of reason-giving for the essence of democratic accountability.

5.13.12 Rethinking Separation of Powers in an AlgorithmicState

The classic separation-of-powers model presumes that branches can check one another if they have information symmetry about the matters under review. Algorithmic governance unsettles this presumption. The executive's control over models, data, and pipelines creates a standing asymmetry that traditional oversight techniques struggle to bridge. The remedy, the findings imply, is not to weaken security, but to equip oversight bodies with the tools of algorithmic review: disclosure channels, technical advisors, standard artefacts, and time to think.

In short, modern checks and balances must be technically literate. Without that literacy, formal independence remains intact but operational independence, the freedom to disagree based on reasons and atrophies.

5.13.13 Two Common ObjectionsandRepHes

Objection 1 : "Speed cannot wait for documentation."

Reply: Documentation does not have to be produced at incident speed; it must be produced at governance speed. Templates, automation for log capture, and scheduled dossier compilation can avoid burdening responders while ensuring that oversight bodies receive what they need when it is safe to provide it.

Objection 2: "Transparency will teach adversaries."

Reply: Bounded visibility is not operational transparency. It is controlled disclosure to authorised bodies and non-sensitive public summaries. The risk of adversarial learning can be mitigated by redaction, access controls, and the focus on process rather than parameters.

5.13.14 Practica/Governance Pathways

The discussion points toward several practicable pathways that do not require new laws or massive budgets, only design discipline.

1. Minimum Documentation Baseline (MDB).

A short, non-negotiable list of artefacts for any security-relevant AI: purpose, inputs, pre-processing, model logic summary, evaluation results, error taxonomy, bias tests (where applicable), drift monitoring plan, human-override steps, and incident-logging schema.

2. Structured In-Camera Disclosure(SICD).

A standing protocol between the executive and thejudiciaryfor secure transfer, storage, and review of technical dossiers, with sanctions for misuse and guidance for redaction.

3. Court-Appointed Technical Assessors (CATA).

A roster of vetted experts under court control who can translate dossiers into judicially legible explanations without exposing sensitive details in open court.

4. Election Communication Playbook (ECP).

Pre-approved, multilingual explainer assets; pre-bunk scripts;a single "sources of truth" hub; and a choreographyforjoint statements between ECZ, regulators, and cybersecurity teams.

5. Procurement Guardrails (PG).

Contract clauses mandating MDB artefacts, secure-disclosure rights, and change-management obligations, with penalties tied to documentation failures.

6. Platform Liaison Framework (PLF).

Named contacts, escalation timelines, language coverage commitments, and a shared taxonomy for content classes relevant to elections and security incidents.

5.13.15 easuring Progress Without Numbers

Although the findings chapter intentionally avoided numeric estimates, institutions can still measure progress in algorithmic governance through qualitative indicators: the presence of required artefacts; the existence of a standing in-camera protocol; the frequency of joint briefings during incidents; the completeness of post-incident reports; the availability of gender-aware safety guidance for participants;and the existence of a platform liaison log with response-time notes. Tracking these as checkable practices converts governance aspirations into observable behaviour.

5.13.16 WhatSuccess Looks Like

A mature algorithmic-governance environment is not one where secrets vanish; it is one where secrecy is accountable. In such a system, courts can examine dossiers and question experts;regulators can audit processes against templates; the public receives timely, plain-language explanations; and cyber responders can act quickly without fearing that tomorrow's oversight will be impossible. Procurement builds in audit hooks; documentation is automated where possible; communication is part of incident response rather than an afterthought. Crucially, women, youth, and vulnerable participants can speak without disproportionate harm because safety and redress are real, visible, and used.

5.13.17 Snthesis and Transition

This part of the discussion has argued that Al-driven cybersecurity reweights state power by concentrating cognitive authority in executive hands unless governance is redesigned to restore bounded visibility and epistemic parity. The remedy does not lie in slowing security or exposing secrets; it lies in institutionalising documentation, disclosure, communication, and capacity. Procurement becomes constitutional; communication becomes technical; documentation becomes political;and oversight becomes technically literate.

The next part of the discussion turns to the judiciary. It examines what epistemic independence requires in practice, how courts can maintain meaningful review power over algorithmic evidence, and which institutional reforms within the judiciary itself would best secure independence in a digital state.

5.14 Judicial Independence and Epistemic Parity in an Al-Driven Governance Environment

The hypothetical findings presented in Chapter 4 highlighted a consistent pattern: judges frequently face informational disadvantages when reviewing Al-assisted cybersecurity actions. These findings illustrate the pattern which corresponds closely to documented global concerns about how Al and digital systems complicate judicial review. Real-world international bodies have raised similar issues. For instance, the UN Special Rapporteur on the Independence of Judges and Lawyers emphasised in 2025 that the adoption of Al in justice systems can undermine independence when judges "lack the technical knowledge, capacity, or access to information necessary to interrogate the operation of such systems," stressing that AI must not replace human reasoning nor impede meaningful judicial control. This aligns strongly with the hypothetical judicial concerns identified in this thesis especially those expressed by judges who described receiving algorithmic "summaries without pathways," signalling a deficit in epistemic visibility.

In parallel, UNESCO's 2025 Guidelines for the Use of Al Systems in Courts and Tribunals recognise that manyjudges worldwide face the same constraints: only 9% of surveyed judicial operators reported having institutional guidance on AI use, while a full 44% admitted already relying on tools such as generative AI for work tasks. UNESCO's analysis further warns that Al-enabled decision pathways may remain opaque unless courts receive structured training, documentation, and access to technical descriptions of model behaviour. These concerns reflect the precise conceptual mechanism my findings illustrate: epistemic asymmetry, a situation where one institutional actor (security agencies) controls the information environment that another actor (thejudiciary) must evaluate.

5.14.1 TheJudicial Role in a DigitallyMediatedState

Judicial independence traditionally focuses on protecting judges from external interference, but digital governance requires a broader conception, one that includes epistemic independence, or the ability to demand and receive reasons, explanations, and evidence in a legible form. The Special Rapporteur explicitly cautions states against viewing Al as a purely efficiency-enhancing tool, noting that without proper safeguards it may "exacerbate inequality and discrimination" and compromise access to human adjudication and legal reasoning. This matches the hypothetical pattern in which judicial officers in Zambia reported receiving heavily summarised or redacted views of cybersecurity incidents. Even if an executive agency does not intend to hinder review, the very structure of Al-assisted workflows such as proprietary models, classified logs, rapid triage systems can marginalise thejudiciary's evaluative function.

The literature suggests thatjudicial oversight of Al systems requires early involvement in system design. UNESCO's guidelines note that to remain effective, courts must receive both training and "Al literacy," enabling them to critically analyse automated outputs and ensure decisions remain grounded in human rights principles and legal standards. The hypothetical finding that many judges request documentation templates, threshold rationales, and in camera access channels therefore mirrors the real global guidance: if judges cannot access and understand system logic, oversight becomes symbolic rather than substantive.

5.14.2 ocumentation, Reason-Giving, and theJudicia/Function

Across global governance discourse, documentation is repeatedly identified as the linchpin of accountability. The UNESCO guidelines stress the need for auditability, information security, and human oversight, requiring Al developers and operators to produce documentation that is accessible to judges in formats they can meaningfully interrogate. These recommendations directly resonate with the thesis' findings, where judges complained that they could "compel a piece, not the scaffolding."

This reflects a broader jurisprudential principle: reason-giving is essential to the legitimacy of state power. Courts cannot evaluate legality or proportionality when the reasons for an action are contained in inaccessible model logic or undisclosed threshold settings. This aligns with the Special Rapporteur's insistence that judicial systems must maintain the ability to scrutinise Al-assisted decisions and ensure that "Al should not be adopted without careful assessment of its potential harms".

In practical terms, this means judicial independence is no longer secured exclusively through tenure protections and institutional structure; it requires structured access to algorithmic documentation including model cards, data provenance summaries, error taxonomies, and explanation artefacts that enable judges to reconstruct the reasoning process. Without this, the judiciary risks drifting into a role in which it merely validates executive summaries ratherthan tesis them.

5.14.3 Courts and the Secrecy-Oversight Tension

The tension between legitimate operational secrecy and meaningful judicial oversight is not hypothetical; it is extensively documented in real-world analyses. The UNESCO guidelines acknowledge explicitly that some Al systems, especially those deployed in security contexts, cannot be fully transparent for operational reasons, but nevertheless emphasise that courts must have special channels to access sensitive information under protected conditions.

This captures a core dilemma highlighted by the research findings: executive agencies may argue that revealing thresholds or Al-model behaviour risks "teaching adversaries," while courts argue that without such information, proportionality tests cannot be meaningfully applied. The solution proposed in global governance literature and echoed in the hypothetical judicial "wish list" from Chapter 4 is not full transparency but bounded visibility, often through in camera reviews, controlled disclosure protocolsjudicial technical advisors, and redacted model-logic summaries.

The need for such mechanisms becomes more urgent when Al systems are used not only for detection but as part of evidentiary chains. As Al becomes embedded in the early stages of investigation, its outputs become part of the "pathway to evidence," and courts must adapt oversight techniques accordingly.

5.14.4 I, Rights-Protection, and Judicial Remedies

The Special Rapporteur's 2025 report emphasises that Al can deepen inequality and disproportionately harm marginalised groups if deployed without adequate safeguards. This is aligned with the research findings, which illustrate how judges repeatedly stressed the risk that algorithmic systems may misclassify individuals or produce inferential leaps that cannot be contested. Judicial remedies such as exclusion of unreliable Al-generated evidence, orders for additional disclosure, or declarations on procedural irregularity are weakened when judges lack the information needed to exercise them.

UNESCO further notes that many judges already incorporate Al tools into their own workflows, sometimes without institutional guidance, heightening the need forjudges to understand the limitations, biases, and risks of such tools to avoid inadvertently undermining rights through over-reliance on automated aids. This helps contextualise the thesis' insight that judges expressed a desire for training, not to become

technologists, but to avoid becoming dependent on systems they do not fully understand.

5.14.5 Toward Epistemic Parity: What Reforms Make Oversight Real

Synthesising global literature with the thesis' hypothetical findings suggests that epistemic parity; a condition where the judiciary has the informational resources to assess executive action is essential to democratic oversight in an algorithmic state. International guidance consistently argues for:

1. Judicial Al literacy programmes (supported by UNESCO's Judges Initiative) to ensure courts can interrogate AI behaviour meaningfully.

2. Structured disclosure protocols, including in camera channels and technical summaries, so that judicial review can occur without compromising operational security.

3. Mandatory documentation requirements embedded in procurement, ensuring that every AI system used by the state comes with auditable artefacts.

4. Independent technical assessors appointed by courts to translate complex model logic into legally relevant explanations.

The research findings mirror these real-world prescriptions, reinforcing the insight that judicial independence must evolve to meet algorithmic conditions not by minimising the role ofAI, but by strengthening thejudiciary's informational position.

5.15 Electorallntegrityin a Socio-TechnicalSystem

The hypothetical findings in Chapter 4 revealed that electoral integrity in Zambia is shaped not only by the technical accuracy of biometric registration or the resilience of digital infrastructure, but also and perhaps more fundamentally by the information ecosystem surrounding elections. This insight aligns closely with emerging global evidence that AI, digital platforms, and high-velocity information flows have transformed elections into socio-technical ecosystems requiring governance interventions that address both technical and /n/crmat/onal vulnerabilities. UNESCO's

2025 issue brief on "Artificial Intelligence, Freedom of Expression and Elections" underscores that AI systems from recommender algorithms to generative-AI content which now play a critical role in shaping how electoral information is produced, distributed and consumed, often enhancing participation but simultaneously amplifying disinformation, hate speech and deepfakes. These real-world concerns mirror the research findings from Zambia showing that voters' confidence in biometric processes is strongly mediated by their exposure to misleading narratives about "electronic voting," foreign interference, or hidden tally manipulation.

UNESCO further warns that global electoral contexts are increasingly shaped by large, algorithmically curated platforms accessed by billions of users, with 56.8% of the global population active on social media and an estimated 4 billion eligible voters worldwide affected by the ways AI shapes public discourse. The resrach findings illustrate how similar dynamics manifest in Zambia: although biometric registration is technically separate from vote counting, public misinterpretation of biometric devices particularly in communities with uneven device deployment leads to persistent doubts and the rapid spread of rumours about electronic manipulation. This pattern is consistent with UNESCO's analysis that AI-accelerated information flows inherently destabilise trust unless accompanied by proactive, transparent, and coordinated communication strategies.

5.15.1 Information Integrityasan Electoral Safeguard

UNESCO's global framework positions information integrity as a precondition for electoral integrity, emphasising media literacy, access to quality information, and multi-stakeholder action as critical safeguards. For instance, UNESCO's media-and-elections programme stresses that the integrity of elections depends on "free, plural and fair elections in times of disinformation" and that electoral regulators, journalists, and platforms must collectively uphold freedom-of-expression norms and provide transparent information about electoral processes. These principles closely parallel the research findings showing that when ECZ officials issued timely clarifications, misinformation about biometric deduplication decayed rapidly, whereas delayed or inconsistent messaging led to confusion and suspicion.

The AU has likewise recognised that the erosion of information integrity threatens democratic participation. The African Union's 2025 initiative on developing a Continental Framework for Information Integrity and Media and Information Literacy highlights that safeguarding information flows is crucial for maintaining trust and preventing manipulation, drawing explicitly on the AU's Continental AI Strategy (2024) and UNESCO's recommendations on digital governance. This aligns with the research finding that communities exposed to rapid, coordinated ECZ-regulator- civil-society communication exhibited higher levels of electoral confidence than those where misinformation went unchallenged for hours or days.

5.15.2 I-Driven Disinformation andElectoralRisk

Al has intensified the scale, speed, and realism of disinformation during elections. UNESCO's 2025 brief warns that Al-generated deepfakes, automated propaganda networks, and algorithmic amplification of misleading content pose severe risks to electoral information integrity, with potential for gendered harassment, hate speech, and targeted manipulation of voters. Similarly, UNESCO's action plans on countering disinformation emphasise that false or misleading information disrupts citizens' ability to make informed decisions and undermines trust in institutions, noting that disinformation threatens human rights and democratic processes across sectors.

The research findings reinforce these global concerns. Participants widely described repeated exposure to false claims about biometric systems, deepfake-style audio clips imitating public officials, and viral rumours about tally interference. Youth, heavy internet users, and women reported the highest exposure and the steepest declines in electoral confidence when misinformation was left unaddressed. This aligns with UNESCO's documented observation that online disinformation spreads "faster than verification," especially in languages with limited content moderation coverage; a pattern also apparent in Zambia's multilingual digital environment.

5.15.3 The Role ofCivic Space and Rights Protections

Electoral integrity depends not only on technological and informational safeguards but also on civic space. The AU's Resolution on Strengthening Electoral Integrity (2025) stresses that shrinking civic space, harassment ofjournalists, and restrictions on online expression undermine democratic legitimacy, calling on states to safeguard the right to participate freely in public affairs and ensure transparent, inclusive electoral processes. This resonates strongly with research evidence that voters' confidence drops when they perceive online speech to be chilled or monitored excessively particularly when cybersecurity powers are broad or ambiguously communicated.

UNESCO's programmes on election-related journalist safety further document that intimidation and online harassment of media workers critically weaken the information ecosystem, especially in the run-up to elections. This is consistent with the survey reports from women journalists and civil-society actors in Zambia who described targeted abuse that discouraged them from countering falsehoods or engaging the public during electoral periods.

5.15.4 Africa's Continental Al and Digital Transformation Strategies: Implications for Elections

Recent AU positions underscore that Al governance must protect human rights while promoting development. The Continental AI Strategy (2024) endorsed by AU ministers calls for ethical, transparent, and accountable Al deployments across sectors, emphasising responsible Al as a condition for information integrity and democratic participation. Moreover, the African Digital Compact (2024) urges harmonised digital-governance norms and digital-rights protections to ensure inclusive and trustworthy online environments during elections.

These continental commitments mirror the institutional expectations seen in the research findings. ECZ staff expressed a demand for vendor transparency, independent certification, redress procedures, and multilingual communication which carters all elements compatible with the AU's guidance for transparent and people-centred Al governance. Meanwhile, cyber-operations personnel noted difficulties escalating local-language disinformation to platforms, validating the AU's push for continent-wide frameworks supporting digital literacy and equitable content moderation capacities.

5.15.5 Elections as Socio-Technica/Systems

The combined real-world literature and research findings converge on three core insights:

1 . Electoral integrity is inseparable from information integrity.

UNESCO repeatedly warns that Al amplifies the velocity and potency of misinformation, requiring electoral bodies to treat communication as a critical infrastructure, not a peripheral task.

2 .Technological safeguards must bepaired with rights-basedgovernance.

Both UNESCO and AU documents emphasise that free expression, media safety, and civic space are foundational to democratic participation, even in environments saturated with Al-driven systems.

3 Africa's continental frameworks support proactive harmonisation.

The AU's Continental Al Strategy, Digital Transformation Strategy, and new Information Integrity Framework collectively support national reforms involving transparency, cross-platform cooperation, multilingual communication, and inclusive Al governance practices.

Thus, the hypothetical Zambian findings align with the global and continental consensus: electoral integrity in the age of Al requires socio-technical governance, strong civic protections, coordinated communication, and responsible digital transformation.

5.16 Democratic Legitimacy in the Age of Al: Why Security and Rights Rise or Fall Together

The central democratic question in Al-intensive environments is not whether states can secure digital systems, but whether they can do so while preserving a rights-respecting information order that citizens experience as fair, transparent, and contestable. UNESCO's recent issue brief on Al, freedom of expression and elections emphasises that generative models and recommender systems increasingly shape electoral discourse at scale;they can broaden participation, but they also intensify disinformation, deepen harassment (notably gender-based), and complicate voters' ability to verify facts directly affecting perceptions of legitimacy around core institutions and processes. In parallel, UNESCO's multi-year agenda on platform governance and disinformation frames information integrity as a present-tense public good: algorithmic amplification and cross-platform virality require governance that protects rights while curbing coordinated manipulation, especially during elections when the stakes for public trust are highest. When read against our (hypothetical) Zambian patterns where confidence in biometric registration rises or falls with prompt, plain-language communication, these global signals converge on a practical proposition: security controls that are invisible or poorly explained can erode legitimacy as effectively as visible failures.

This legitimacy lens also reframes the role of electoral information ecosystems. UNESCO's election-support programmes stress that "free, plural and fair elections" in digital times depend on capacity building for electoral actors and media, transparency toward journalists, and rapid counter-disinformation responses that uphold freedom-of-expression standards. UNESCO's field initiatives (for example, information-integrity training ahead of elections) highlight a recurring operational lesson: speed, multilingual reach, and credible messengers are as important as technical accuracy in countering misleading narratives before they metastasise. In our hypothetical results, districts receiving coordinated ECZ-regulator-CSO messaging saw rumours decay faster than districts left to "fill the gaps" with speculation. That observed pattern is precisely what UNESCO's guidance anticipates: legitimacy is not merely an outcome of secure systems; it is co-produced by the experience of timely, comprehensible, rights-consistent communication.

5.16.1 Cybersecurity Without Civic Space Is a Legitimacy Trap

On the continental plane, the African Commission on Human and Peoples' Rights (ACHPR) has warned that shrinking civic space during elections undermines democratic consolidation linking freedom of expression and access to information to the very essence of credible polls. In March 2024, ACHPR adopted a resolution explicitly cautioning states against internet shutdowns during electoral periods, grounding its position in Article 9 (freedom of expression) and urging regulators and security actors to refrain from interference that blocks access to information. In November 2025, ACHPR's resolution on strengthening electoral integrity again tied public confidence to open civic space, transparent EMBs, and safeguards for participation reaffirming that security measures that stifle speech corrode the legitimacy they purport to protect. These normative anchors matter for any country modernising election and cyber regimes: if cybersecurity responses are perceived as overbroad or punitive, the legitimacy ledger goes negative even when the underlying security motives are sound.

UNESCO's platform-governance agenda arrives at a similar balancing act: regulation must respond to intensified disinformation and hate speech, but the human-rights compass proportionality, legality, necessity must steer measures to avoid chilling legitimate expression. When our hypothetical voters reported "self-censorship in mixed digital spaces" and a link between perceived surveillance and lower willingness to engage, they were describing exactly the legitimacy trap the AU and UNESCO warn about: defensive measures that feel opaque or indiscriminate depress participation, especially among women, youth, and journalists, precisely when their voices are needed to sustain plural deliberation.

5.16.2 Continental Guardrails: Al Strategies, Digital Compacts, and Information-lntegrityFrameworks

Africa's normative trajectory now offers explicit guardrails for reconciling innovation, security, and rights. The AU Continental Al Strategy (2024) endorsed by Ministers calls for people-centred, ethically governed, and development-oriented Al, drawing a through-line from transparency and accountability to public trust in digital institutions. The African Digital Compact (2024) frames a continent-wide common position on digital transformation encompassing bridging divides, protecting digital rights, and coordinating member states on platform and data governance in the run-up to the UN's Global Digital Compact. And in 2025, the AU and UNESCO began collaborating on a Continental Framework for Information Integrity and Media & Information Literacy, explicitly meant to equip citizens and institutions to manage Al-era information risks across languages and contexts. Taken together, these instruments reflect a shared thesis: legitimacy in digital governance is a function of institutional transparency, citizen capability, and cross-actor coordination not technology alone.

In parallel, the AU Convention on Cyber Security and Personal Data Protection (Malabo, 2014) remains the treaty-level baseline tying cybersecurity to privacy and due-process safeguards; Zambia's ratification (deposited in March 2021) shows that national security frameworks can be anchored in continental rights commitments. The AU has also spotlighted cyber and Al governance as strategic enablers for Agenda 2063, linking responsible Al and secure data flows to socio-economic transformation while reiterating that guardrails (transparency, accountability, non-discrimination) are intrinsic to sustainable digital development. The implication for any national reform agenda is straightforward: embed continental guardrails upstream especially in procurement, documentation, disclosure protocols, and multilingual communications so that security deployments launch with legitimacy assets already in place.

5.16.3 Communication as a Technical Control for Legitimacy

UNESCO's election-support work and action plans make a strong operational claim: communication is part of the critical path, not an auxiliary function. Guidance for electoral practitioners stresses rapid pre-bunking and co-ordinated messaging by EMBs, media councils and civil society, especially in local languages and vernacular formats where moderation lags. Field initiatives in Europe and Africa alike record that journalists and observers trained on information-integrity playbooks can flatten rumour curves and reduce belief persistence, particularly when official statements are synchronised with fact-checking ecosystems. The relevance to our hypothetical case is direct: districts that received same-day, plain-language explanations for biometric hiccups saw confidence stabilise; districts that waited days saw belief in falsehoods entrench. The policy takeaway is to treat communication artefacts such as templates, radio scripts, explainer cards as security tooling deployed alongside technical remediation.

This "communication-as-control" view also resonates with the AU's broader digital agenda. The African Digital Compact calls for harmonised public-interest communication and inclusive digital competencies;the AU's Al communiqués (2025) press for capacity-building and regional cooperation to ensure Al deployments reflect African languages, culture, and civic needs. Achieving legitimacy in multilingual, mobile-first environments thus means investing in message supply chains from EMB dashboards and regulator feeds to CSO hubs and community radio so that accurate information reaches citizens with the speed and trust densitythat rumours enjoy.

5.16.4 Platforms as Co-Producers of Legitimacy

The literature and AU/UNESCO practice both imply that platforms are part of the electoral infrastructure, given their role in content ranking, takedown workflows, and authenticity enforcement. UNESCO's action plan argues for independent, rights-centred regulation with cross-border cooperation among public regulators to avoid gaps that platforms could exploit or that malicious actors could route around. AU press and policy documents highlight the need to translate continental priorities (inclusion, accountability, language coverage) into operational agreements with platforms, ensuring escalation channels and moderation capacity in African languages. Our hypothetical interviews captured a similar friction: cyber teams could "prove" coordinated inauthentic behaviour faster than they could curb fast-moving local-language rumours. The governance answer is formal platform liaison frameworks for named contacts, response-time targets, shared taxonomies for election-risk content, and transparency dashboards that EMBs, regulators and CSOs can reference during peak periods.

5.16.5 Measuring Legitimacy Gains

How can authorities evidence progress without sliding into over-enforcement that chills speech? UNESCO's practice notes, election programmes and the AU's human-rights resolutions suggest rights-compatible indicators: time-to-clarification for official election communications; coverage of multilingual explainer assets; volume and resolution time for journalist-safety cases; presence of in-camera disclosure channels for courts; availability of non-sensitive audit summaries for election tech; and the absence of election-period internet disruptions. Each signal institutional competence while respecting expression. In turn, the AU-UNESCO information-integrity framework under development aims to standardise such capacity markers including media and information literacy, platform cooperation protocols, and rapid-response governance so that member states can benchmark progress without resorting to blunt content controls.

5.16.6 Practical Pathways: Designing Legitimacylnto Cyber-Election Operations

Linking the continental and global guidance to our thesis' mechanisms yields six design commitments any EMB-cyber-regulatortriad can adopt:

1. Upstream documentation for election-relevant systems (e.g., ABIS): publish non-sensitive summaries (inputs, known error types, redress routes) before registration opens.

2. Standing rapid-comms playbook: multilingual pre-bunks, coordinated

radio/CSO briefs, and a joint "sources of truth" hub that updates hourly during incidents.

3. Platform liaison protocols: named contacts, language-coverage commitments, and escalation SLAs for election-risk content categories.

4. Journalist-safety tiering: dedicated hotlines and protective briefings during registration and polling windows, aligning with UNESCO'sjournalist-safety pillars.

5. Judicial visibility on the pipeline: in-camera access to technical dossiers where cyber incidents intersect with electoral processes, preserving both secrecy and review.

6. Civic-space guardrails: pledge of no internet disruptions during election periods, aligning with ACHPR guidance;publish enforcement statistics to avoid a perception of selective suppression.

5.6.7 Synthesis and Bridge Forward

The broader lesson is that democratic legitimacy is a systems property: it emerges when security, rights, and communication are designed to reinforce one another across institutions and platforms. UNESCO's Al-and-elections analyses and action plans converge on a single operational truth that governance must move at narrative speed, with human-rights safeguards embedded at every layer. The AU's continental frameworks such as Al Strategy, Digital Compact, ACHPR resolutions, and the nascent information-integrity framework which now provide a coherent scaffolding to do exactly that, inviting national authorities to translate principles into procurement clauses, liaison protocols, and public-facing assets that citizens can recognise and use.

In the remaining parts of Chapter 5, we build on this insight to analyse institutional capacity and documentation maturity (Part 6-7) and the multi-actor coordination problem encompassing how EMBs, cyber teams, regulators, media councils and platforms can operate as a legitimacy coalition before, during, and after elections (Part

8), before turning to continental implications and the thesis' theoretical and policy contributions (Parts 9-10).

5.7 Why gender and intersectionality matter for Al-centred cybersecurity and elections

The hypothetical findings in Chapter 4 suggest that women, youth, and heavy social-media users bore disproportionate social and reputational costs when navigating political speech online including manifesting as self-censorship, strategic audience-curation, or withdrawal from public forums. While these patterns are illustrative rather than empirical, they mirror documented global concerns that election-time information disorders and Al-accelerated amplification heighten exposure to harassment and intimidation, with particular salience for women journalists, activists, and candidates. UNESCO's election and information-integrity work repeatedly highlights that gender-based online violence and coordinated harassment campaigns escalate during electoral cycles, undermining participation and chilling speech especially in spaces governed by algorithmic ranking and recommender systems. In parallel, UNESCO's broader platform-governance agenda warns that regulatory responses to disinformation must protect freedom of expression while addressing harmful amplification dynamics otherwise remedial measures can themselves depress participation among already-targeted groups. Moreover, practical programming such as UNESCO's trainings and election-support initiatives including documents that pre-bunking, multilingual outreach, and safety protocols for media workers are essential to keep vulnerable voices engaged across the electoral calendar.

5.7.1 Genderedrisks are not "softissues": theyare structural integrityrisks

Treating gendered harassment as a peripheral "safety" topic obscures its systems effect: when women and other targeted cohorts exit high-salience conversations, the public sphere narrows, and legitimacy suffers. UNESCO's guidance explicitly links the safety of journalists to the credibility of elections, arguing that harassment online and offline undercuts citizens' access to accurate information and therefore their ability to make informed choices. In the Al era, the problem compounds: generative tools lower the cost of smear content and synthetic media, while engagement-optimising feeds boost polarising material, a dynamic UNESCO flags as central to the new risk profile facing election ecosystems. For African contexts, high-level regional dialogues and initiatives have stressed that Al development and governance must be inclusive and human-rights-centric if they are to support democratic participation rather than narrow it, placing particular emphasis on women's representation and safety within digital transformation agendas.

5.7.2.1 ntersectionalityinpractice: language, locality, andprofessionalrole

Intersectional disadvantages often crystallise along three axes: language coverage, locality, and professional role. First, moderation and fact-checking resources are thinner in many African languages, which UNESCO and AU-linked programming identify as a critical capacity gap in responding to election-related rumours and manipulation. Second, localities with weaker media ecosystems or delayed official communications experience longer "windows of uncertainty," during which coordinated falsehoods can harden into belief, again with disproportionate effects on groups already facing harassment or social sanction. Third, professional role matters: women journalists and election observers face targeted intimidation that inhibits reportage and watchdog functions;UNESCO's programs across regions document this pattern and provide safety training and legal-support pathways precisely to sustain their participation during election periods. In continental policy terms, the AU's emerging information-integrity and media-and-information-literacy (MIL) framework developed with UNESCO explicitly aims to equip diverse publics with skills to navigate Al-era information risks, including in under-resourced languages and contexts.

5.7.2.2 Cybersecuritypowers, civicspace, anddifferentialchilling effects

The legitimacy challenge is not only disinformation;it is also how cybersecurity responses are perceived by communities shouldering the greatest social risk. ACHPR resolutions on elections and internet access caution that shutdowns, overbroad restrictions, or opaque enforcement measures corrode electoral integrity by curtailing expression and access to information on rights that are foundational to participation. The Commission's 2025 resolution on strengthening electoral integrity further ties trust to independent EMBs, safe civic space, and protections for citizen observers by implicitly warning that blunt controls can have uneven, intersectional harms that silence already-vulnerable voices. Balanced platform governance is therefore a double safeguard: it curbs coordinated manipulation while signalling that lawful speech remains protected, a balance UNESCO frames as essential to ensure rights-compatible responses in "super-election" years characterised by Al-intensified risks. In short, security measures that ignore differential chilling effects risk shrinking the deliberative commons and, with it, democratic legitimacy.

5.7.2. 3 Continental scaffolding for inclusion: strategies thatembedequity

Africa's recent policy arc creates scaffolding to embed equity upstream. The AU Continental Al Strategy (2024) calls for people-centred, inclusive Al ecosystems explicitly linking transparency, accountability, and diversity to public trust in digital deployments. The African Digital Compact advances a common position on digital rights and inclusion, positioning multilingual access, platform cooperation, and digital competencies as continental priorities. Complementing these, AU-UNESCO collaboration on a Continental Information-Integrity and MIL Framework seeks to institutionalise citizen capabilities and cross-actor coordination so that member states can build resilient, rights-respecting information environments at scale. These instruments collectively support national reforms aimed at intersectional protection: strengthening journalist-safety mechanisms, improving local-language moderation pathways, and routinising rapid, plain-language communication by EMBs and regulators in ways that reduce room for abuse and mis- and disinformation.

5.7.2.4 esignprinciples: building gender- and equity-aware legitimacy

Translating continental and UNESCO guidance into operations suggests six practical design principles:

1. Safety-by-design for electoral communication. Treat journalist- and advocate-safety as a prerequisite: deploy hotlines, rapid legal support, and escalation protocols throughout the electoral calendar, not just on polling day. This is consistent with UNESCO's journalist-safety pillars and election-support practice.

2. Multilingual pre-bunking. Publish repeatable, plain-language explainers (e.g., "biometrics / e-voting") across radio, community media, and platform channels in local languages to shrink the uncertainty window that harms vulnerable cohorts first.

3. Platform liaison with language guarantees. Formalise contacts and timelines with platforms, specifying local-language coverage and transparency around response metrics which is an approach aligned with UNESCO's action plan for platform regulation and the AU's digital-transformation agenda.

4. Proportionate cybersecurity enforcement. Track and publish non-sensitive enforcement statistics during election windows and pledge no shutdowns reflecting ACHPR guidance to avoid perception of selective or punitive controls.

5. Inclusive Al capacity programmes. Invest in Al literacy for electoral officials, regulators, and the bench, with special focus on gender-responsive training and community educators and this is consistent with AU and UNESCO emphasis on capacity building for inclusive Al governance

6. e. Public-facing documentation. Release non-sensitive summaries of election technologies (inputs, error types, redress routes) early in the cycle;pair with in-camera technical dossiers for courts. This blends transparency with bounded visibility and aligns with UNESCO's election-time information-integrity guidance.

5.7.6 Measuring intersectional progress

To evidence improvement while respecting rights, institutions can track rights-compatible indicators: time-to-clarification for official election communications;the proportion of content produced in local languages;the number and resolution time of journalist-safety cases; and the existence and use of platform escalation channels with language coverage commitments. These are squarely in line with UNESCO's media-and-elections programme and action plan on disinformation, which emphasise practical capacities over blunt content controls. At continental level, the AU-UNESCO information-integrity framework is being developed to codify such capacity standards, signalling a pathway for member states to benchmark progress transparentlyand comparably.

In sum, the equity lens is integral to legitimacy: where gender- and language-aware safeguards are embedded in cybersecurity and election-communication operations, participation widens and trust becomes more resilient. UNESCO's and the AU's evolving guidance converges on a pragmatic message: democratic systems endure in the AI era when technical defences and rights protections grow together, and when the most targeted communities are empowered not silenced by design.

5.8 Whycapacityand documentation are the hinge ofAlgovernance

Across Africa, institutions are moving from AI "strategy on paper" to the far harder task of execution such as building the civil-service skills, documentation routines, audit hooks, and cooperation mechanisms that convert principles into day-to-day governance. UNESCO's Al for the Public Sector programme captures the global picture succinctly: governments face cultural and organisational barriers, data/infrastructure deficits, and human-resource gaps and, tellingly, 90% of African countries surveyed requested training for officials on Al; UNESCO's capacity-building targets now envisage 100,000+ civil servants trained by 2030. The AU's Continental Al Strategy (2024) complements this by setting a rights-centred, Africa-centric vision and urging Member States to "build AI capabilities" and "minimise risks" through ethical, accountable deployments i.e., the move from policy ambition to institutional architecture. In other words, continental norms and UN capacity pipelines already agree on the same diagnosis: governance maturity will be won or lost in the public sector's ability to operationalise documentation, oversight and skills at scale, notjust in drafting strategies.

Hypothetical linktoChapter 4: In our survey interviewsjudicial officersand regulators described requesting "the scaffolding" behind Al-assisted decisions including model cards, data-provenance notes, error taxonomies rather than receiving only screenshots or redacted snippets. That practical desire maps directly onto UNESCO's guidance (auditability, explainability, human oversight) and the AU's insistence on human-rights-centred governance under the Continental Strategy;both frameworks require that documentation be treated as a governance asset rather than an afterthought.

5.8.1 From ambition to architecture: dosing the execution gap

Recent Africa-focused assessments describe a persistent "ambition-execution gap." A 2025 survey of Al policies across twenty countries (a non-AU think-piece) finds that many strategies feature ethical language but lack institutional anchors, funding signals, and enforceable documentation duties the authors characterise this as "ethics without accountability," warning that without implementable scaffolds, strategies "remain invisible to the public." The AU's own diplomacy and communiqués echo the same remedy from within: The May 17, 2025 High-Level Policy Dialogue urged Member States to formulate Al policies and establish cooperation mechanisms, skills, compute, and high-quality datasets i.e., the capacity core that sustains responsible Al. UNESCO's "Al forAfrica" track adds delivery muscle to thatvision by launching training for 15,000 civil servants and 5,000 judicial personnel, alongside technical support for the AU Strategy's implementation.

Hypothetical link to Chapter 4: Our organisational-indicator narrative described uneven maturity on lifecycle documentation and court-facing disclosure. The continental and UN agendas above point to a cure: capacity pipelines + mandatory artefacts (e.g., requiring model cards/drift reports as contractual deliverables) so that even sensitive systems can be reviewed under in-camera protocols without degrading security.

5.8.2 Documentation as power: artefacts that make oversight real

The fastest way to turn principles into practice is to standardise documentation artefacts. UNESCO's public-sector programmes repeatedly emphasise auditability and explainability as design requirements, while the AU Strategy frames accountability and human rights as operational constraints on deployment. In parallel, UNESCO-supported IRCAI's Al Tools Radar aims to help public bodies and judiciaries identify and adopt tools with accessible documentation and governance properties, explicitly citing global capacity gaps and calling for practical, centralised resources to steer responsible uptake. From the audit side, civil-society technical work synthesises the ecosystem of Al assurance clarifying differences among audits, impact assessments, red-teaming, evaluation, and assurance so that institutions can map each practice to its governance goal and avoid "catch-all" labels that collapse accountability.

Hypothetical link to Chapter 4: Where our judges said, "I can compel a piece, not the scaffolding," the actionable fix is procurement-level documentation: model cards (purpose, inputs, training/evaluation data summaries), error/false-positive taxonomies, bias-testing memos where applicable, drift-monitoring plans, and human-override checkpoints compiled into a court-facing dossier under protective order. That is consistent with AU rights commitments and UNESCO's public-sector readiness agenda.

5.8.3 Capacity where it counts: civilservice, judiciary, regulators

UNESCO's SPAARK-AI Alliance (over 50 partner schools) and its public-sector capacity conference (Paris, June 4-5, 2025) were designed to mainstream Al competencies into civil-service curricula and organisational frameworks, recognising shared obstacles such as risk-averse culture, skills shortages, immature data management and pushing for "management and governance" capabilities, not just technical upskilling. That emphasis matters for regulators and courts: without institutionalised AI literacy, documentation won't be read, in-camera channels won't be used, and oversight will remain performative. AU messaging reinforces the same pivot from strategy to institutions with technical capacity and urges Member States to embed Al in long-term governance plans with concrete capability investments.

Hypothetical link to Chapter 4: In the survey corpus, magistrates sought "ladders" for understanding digital evidence, and regulators cited thin audit teams. The response already exists in the UNESCO/AU pipeline: bench- and bar-oriented Al literacy, regulator toolkits for documentation review, and cross-ministry schools of government that make algorithmic accountability an ordinary part of civil-service formation.

5.8.4 Governance maturity models: from checklists to Uvedpractice

Commentary on Africa's Al transition now distinguishes policy staging (publishing a strategy) from governance maturity (institutions, processes, artefacts, reporting). Regional analyses bothjournalistic and research-based such as stress that many states have "moved to the strategy phase," but lack a functional system that connects policy, regulation, research, investment, and accountability;the gap is less about awareness and more about structure. UNESCO's narrative corroborates this emphasis on structure through its Digital Competency Framework for Civil Servants and country training pipelines, while AU instruments (Al Strategy, Digital Transformation Strategy family) frame institution-building not one-off projects as the route to sustainable capability.

Hypothetical link to Chapter 4: Our "indicator" results described variance on incident reporting, post-incident reviews, and public summaries. A maturity model suitable for Zambia (or peers) would set minimums (e.g., every security-relevant Al has a registered owner, artefacts, red-team cycle, and an in-camera dossier format), and cadence (quarterly internal audits, annual public summaries), converting aspirations into predictable practices.

5.8.5 Designing for bounded visibility: secrecy thatremains accountable

A recurring concern is the trade-off between secrecy (to preserve defensive value) and transparency (to enable oversight). AU-level guidance on responsible Al and UNESCO's public-sector agenda both imply a workable compromise: bounded visibility including in-camera dossiers for courts, standard artefacts for regulators, and non-sensitive public summaries that plainly explain what systems do and do not do. UNESCO's capacity forums and IRCAI's Tools Radar seek to normalise such standardisation by making transparent-by-design solutions discoverable and by encouraging documentation norms across the public sector and judiciary. Hypothetical link to Chapter 4: In our vignettes, ECZ earned trust quickly when it published same-day explainers; cyber teams gained judicial goodwill when they brought structured dossiers rather than ad hoc screenshots. This is precisely the bounded visibility pattern: legible to those with a mandate; understandable to the public;secure against adversaries.

5.8.6 Practical pathways for Zambia andpeers (capacity + artefacts + cadence)

(1) Procurement guardrails. Insert documentation deliverables (model cards, error taxonomies, drift plans, red-team records) and secure-disclosure rights into all Al/cyber contracts; tie payment milestones to artefact quality. This operationalises AU principles on accountability and human rights and aligns with UNESCO's competency-first implementation.

(2) Register and roster. Maintain a governmentAI register (internal)and court-appointed technical assessor roster (external) so that dossiers are reviewable under protective orders by qualified, independent experts. UNESCO's programmes explicitlytarget such public-sector readiness andjudicial literacy.

(3) Civil-service curricula. Embed Al governance competencies through SPAARK-AI and national schools ofgovernment, covering documentation review, platform liaison, and incident communications.

(4) Cadenced reporting. Publish non-sensitive annual summaries for election-relevant systems (scope, known error types, redress routes), while regulators Page211of271

receive fuller artefacts for audit; this meets the dual test of rights-compatible transparencyand operational security.

(5) Platform cooperation MOUs. Formalise escalation SLAs and local-language coverage in liaison agreements which is an institutional fix repeatedly flagged in AU and UNESCOfora as critical toAfrican information environments. Hypothetical link to Chapter 4: If Zambia's indicator profile showed "mid-range documentation, uneven incident reviews," the measures above would move the needle from strategy to structure: artefacts to see, roles to use them, and a cadence that turns one-off successes into institutional memory.

5.8.7 Measuring governance maturity (rights-compatible indicators)

To evidence progress without inflating surveillance or chilling effects, institutions can track capacity-and-documentation indicators: percentage of AI systems with complete artefact sets; number of in-camera dossiers compiled and reviewed; frequency of post-incident reviews;share of public explainer assets produced pre- and mid-cycle;and number of civil servants/judicial officers trained under UNESCO/AU programmes. UNESCO's public-sector work (competency frameworks, training targets, IRCAI radar) and AU strategy language (capability building, ethical guardrails) provide a common scaffold for such measurement.

Hypothetical link to Chapter 4: Applying these indicators to the organisations would have revealed where maturity lagged: e.g., strong red-teaming but weak drift-reporting;robust internal sign-offs but thin court-facing dossiers. Making those gaps visible is the first step to closing them with capacity where it counts.

5.9 Why coordination notjust capacity decides outcomes

In elections shaped by Al-accelerated information flows, no single institution can secure legitimacy on its own. Contemporary guidance now treats information integrity as a shared, system-level responsibility that binds electoral commissions, cybersecurity teams, media and fact-checking networks, platform operators, independent regulators, and the judiciary. UNESCO's Guidelines for the Governance of Digital Platforms explicitly anchor this as a multi-stakeholder duty framework: states must avoid disproportionate measures, empower independent regulators, and protect media and journalists, while platforms must implement human-rights-aligned moderation, transparency, and user-empowerment tools. These Guidelines developed through 10,000 comments from 134 countries are being operationalised through the Internet for Trust initiative, which argues that platform governance and information integrity cannot be delivered by governments alone. UNESCO's UNDP-backed issue brief on Al and elections adds that, with billions of voters exposed to algorithmic curation, each stakeholder must act across the entire electoral cycle to prevent and mitigate Al-driven harms.

Hypothetical link to Chapter 4: Our findings showed rumour spikes fading faster where ECZ, regulators, CSOs and local radio issued same-day, consistent messaging; in districts without that coordination, misinformation persisted. That pattern aligns with UNESCO's message that coordinated, rights-respecting responses rather than isolated enforcement are decisive for trust.

5.9.1 The normative scaffolding for coordination (UNESCO +AU + ACHPR)

UNESCO's "Guidelines for the governance of digital platforms" and its 2025 multistakeholder action plan on Media and Information Literacy (MIL) provide a ready blueprint for who does what. The action plan assigns concrete tasks to regulators, platforms, CSOs, media and educators standardising transparency expectations, user-empowerment mechanisms, and capacity-building for oversight so that coordination is not ad hoc but programmed. On the continental side, the AU Continental AI Strategy calls for an Africa-centric, rights-based approach and urges member states to build capabilities, establish cooperation mechanisms, and domesticate ethical safeguards placing coordination at the core of responsible Al across sectors, including elections. The ACHPR (African Commission on Human and Peoples' Rights) complements this by framing access to information as foundational to free and fair elections and cautioning against measures that constrict civic space or disrupt access (e.g., shutdowns). Together these sources form a legitimacy compact: coordinate many actors, preserve rights, and communicate clearly especially under stress.

Hypothetical link: Our magistrates asked for in-camera disclosure and standardised affidavits when algorithmic evidence feeds into election-related cases. That request echoes the AU/UNESCO thrust: protect rights and enable oversight with bounded visibility, not secrecy by default.

5.9.2 From principles topractice: the six-node coordination map

(1) Electoral Commission (EMB) 0 Cybersecurity Agency. UNESCO's elections programme encourages EMBs to build incident-communication muscles and to pre-bunk misinformation about technology use (e.g., "biometrics / e-voting"), while security teams provide technical threat intelligence and platform liaison capacity. AU election missions, in their observation templates, routinely assess election-security arrangements and institutional preparedness, showing that coordination basics roles, escalation paths, and protection of civic space are standard evaluation criteria.

(2) Regulators (broadcast/data/platform) 0 Platforms.

UNESCO's Guidelines call for independent regulators with authority and resources to enforce human-rights standards online, while platforms are expected to align policies with those standards, increase transparency, and empower users. The Internet for Trust track captures this shift from "content-only" regulation to system-based, cooperative governance. The AU-UNESCO effort to develop a Continental Framework on Information Integrity and MIL further institutionalises cooperation around transparency, local-language coverage and citizen skills.

(3) Media councils / fact-checking networks 0 EMB and platforms. UNESCO's 2025 Pan-African Media Councils process catalysed regional commitments to rights-based, multi-stakeholder digital governance and media self-regulation tools that help keep election coverage credible and reduce the space for manipulation.

(4) Courts @ All of the above (bounded visibility). Where cyber tools touch elections, courts need in-camera access to technical dossiers and the authority to compel structured disclosure consistent with rights-based platform governance and AU commitments to accountability.

5.9.3 The choreographyofan e/ection-periodresponse

UNESCO's programmes and briefs suggest a time-sequenced playbook. Before the writ is dropped, EMBs publish non-sensitive tech summaries and FAQs; regulators confirm no-shutdown commitments and escalation channels; platforms pre-agree to local-language coverage and response-time targets; CSOs and media councils set verification hubs and safety protocols. During active registration and campaigning, pre-bunks (e.g., on biometrics) are pushed in local languages across radio and messaging apps, and a joint "sources of truth" hub provides canonical updates. The UNESCO-UNDP issue brief emphasises that Al heightens the need for such early interventions and cross-actor timing, given the speed at which synthetic media and algorithmic amplification can distort perceptions. In post-election weeks, AU observation reports illustrate good practice for tabulation/tally transparency, dispute resolution, and media access which are coordination moments that can decisively calm contested narratives.

5.9.4 Thep/atform interface: from ad hoc contacts to formalliaison

UNESCO's Guidelines and action lines repeatedly stress platform accountability: risk-mitigation due diligence, meaningful transparency, and user-empowerment tools implemented through cooperation with regulators and public-interest actors. In African contexts, UNESCO-supported regional processes (e.g., media councils' summits) have explicitly called for African-specific digital governance principles that include platform accountability and equitable access to public-interest content, underscoring the importance of formal liaison channels and language coverage. The AU's information-integrity framework under development adds a continental venue for standardising expectations (transparency, MIL, safety), so national authorities are not negotiating platform cooperation in isolation.

Hypothetical link: Our cybersecurity officers could "prove bots faster than they could curb rumours in local languages." A formal liaison MOU that specifies local-language moderation and escalation SLAs is exactly what these UNESCO/AU tracks imply in practice.

5.9.5 Protecting civicspace while coordinating againstharms

The ACHPR Guidelines on Access to Information and Elections conceptualise information as a right that undergirds participation;they implicitly require that security-sector coordination never become a substitute for transparency or an excuse for restrictions that silence legitimate voices. UNESCO's platform-governance documents are congruent: they caution that blunt or arbitrary measures which include shutdowns, and disproportionate takedowns can damage the enabling environment for free expression and undermine the very integrity coordination seeks to protect.

Hypothetical link: In our survey, self-censorship rose with perceived surveillance; coordinated rights-compatible communications (what the system does, what it does not do, and how to appeal) reduced that effect. This is the essence of security with rights.

5.9.6 A practical coordination architecture (who convenes, who executes, who reports)

Conveners. The EMB and the national communications/information directorate (or equivalent) co-chair an Election Information Integrity Taskforce, with standing seats for the cybersecurity agency, the platform-liaison focal point, media councils, CSO fact-checkers, and the judicial secretariat (to coordinate in-camera procedures). This reflects UNESCO's multi-stakeholder governance model and the AU's push to institutionalise capacity and cooperation mechanisms around Al and digital transformation.

Executors.

• EMB leads proactive voter-facing communications and publishes non-sensitive technical summaries (biometric scope, redress routes).

• Cybersecurity provides threat intelligence, bot-network analysis, and supports rapid misinformation triage (without supplanting EMB authority).

• Regulator(s) uphold due-process and proportionality, coordinate with platforms under UNESCO's human-rights-based guidelines, and track response metrics.

• Media councils / CSOs orchestrate verification hubs and safety protocols for journalists, leveraging UNESCO-backed regional commitments.

• Platforms honour MOUs on escalation, transparency, and local-language coverage.

• Courts maintain bounded visibility via in-camera access to technical dossiers when cyber incidents overlap with electoral disputes.

Reporting. After key milestones (close of registration; polling; final results), the taskforce publishes non-sensitive after-action notes (what was detected, what was done, what worked/what didn't), mirroring AU election-observation habits of formal reporting.

5.9. Vindicators for coordinatedlegitimacy (rights-compatible, platform-aware)

UNESCO and AU documentation together support shared indicators that can be published without chilling speech:

• Time-to-clarification for official corrections in multiple languages (from rumour detection to public post).

• Platform liaison performance (share of flagged items processed within agreed SLAs; language coverage achieved).

• Journalist-safety caseload opened/resolved during the electoral calendar.

Page217of271

• Use of in-camera judicial channels for technical dossiers (count and turnaround; no content disclosed).

• Civic-space guardrails (absence of shutdowns; regulator statements reaffirming proportionality).

• MIL outreach (roll-out of UNESCO's user-empowerment actions and national MIL programmes).

Hypothetical link: Applying these indicators to our districts would have made coordination gaps visible e.g., longer time-to-clarification where no pre-bunk assets existed allowing targeted fixes before polling.

5.9.8 Anticipating objectionsanddesign trade-offs

A common objection is that coordination slows response. In practice, UNESCO's action plans and AU observation protocols point to the opposite: when roles, templates, and escalation routes are pre-agreed, response speeds up, and public narratives stabilise more quickly. Another objection is that engaging platforms "legitimises private gatekeeping";UNESCO's approach answers this by insisting on independent regulators and human-rights due diligence so that cooperation raises public-interest baselines ratherthan delegating sovereignty.

5.10 WhyAfrica's digital governance arcmatters beyondanysingle country

Across the continent, governments are moving from AI "vision statements" to the harder work of institution-building: documentation routines, regulator capacity, platform cooperation, and election-period coordination. The AU Continental AI Strategy (2024) gives a clear normative spine which is people-centred, rights-respecting, and cooperation-driven while telling Member States to build capabilities and minimise risks through ethical deployment and cross-border collaboration. This is not just a technology play; it is a constitutional one, because it links AI adoption to human-rights safeguards and administrative maturity. At the same time, the African Digital Compact (2024) sets a common position on digital transformation bridging divides, protecting digital rights, and aligning with the UN's Global Digital Compact so that states modernise with interoperable governance rather than isolated fixes. For election contexts specifically, AU election observation practice makes coordination testable such as checking preparedness, security arrangements, tally transparency, media environment, and dispute resolution so that legitimacy is judged on systemsperformance, not rhetoric.

Hypothetical link to Chapter 4: Where our districts rehearsed joint communications and platform SLAs, rumours decayed faster; that is exactly what AU observation handbooks and reports peer-review in the field which include coordination, transparency, and safeguards that citizens can see.

5.10.1 A continental "legitimacy coalition": UNESCO + AU + ACHPR

The coordination template discussed earlier is not country-specific;it is becoming continental orthodoxy. UNESCO's Guidelines for the Governance of Digital Platforms codify shared responsibilities for states, platforms, regulators, media and civil society insisting on human-rights-based, multi-stakeholder governance of information integrity. The Internet for Trust track operationalises those Guidelines and signals a shift from content takedowns to system-level transparency, due diligence, and user empowerment, to be implemented with independent regulators rather than by governments alone. In 2025, UNESCO went further by launching a Multi-stakeholder Action Plan that assigns concrete actions to each stakeholder group (e.g., building MIL into platform design, standardising transparency reporting, and coalitions that advocate user rights). On the AU side, the information-integrity and Media & Information Literacy (MIL) framework under development formalises continental cooperation with UNESCO so states can standardise transparency, multilingual literacy, and platform engagement. Meanwhile, ACHPR soft law (Guidelines on Access to Information and Elections;resolutions against internet disruptions and for public-interest content online) keeps civic-space protection at the centre of election-time choices.

Implication: In emerging democracies, legitimacy is now coalition-built EMBs, security agencies, regulators, courts, platforms, media councils, and CSOs must be wired together with human-rights guardrails and transparent operating procedures. UNESCO and AU instruments supply the shared language and division of labour to do so.

5.10.2 From strategy to structure: capacities,artefacts, and cadence

Regional experience shows that publishing a strategy without execution plumbing such as skills, documentation artefacts, audit hooks, and reporting cadence that yields fragile gains. UNESCO's AI for the Public Sector programme documents three recurring public-sector obstacles (culture/organisation, infrastructure/data, and skills), and it responds with a global capacity pipeline (e.g., training targets for civil servants) that many African administrations have requested. Complementing that, UNESCO is supporting the AU Strategy's rollout through training for civil servants and judicial operators and by convening governments to co-design readiness curricula by shifting the focus from "tech pilots" to governance competencies. The SPAARK-AI Alliance (over 50 partner schools) extends that effort into schools of government so documentation review, impact assessment, and platform liaison become ordinary civil-service skills rather than ad hoc heroics.

Implication: For Africa and other emerging regions, the path from ambition to maturity runs through capacity + artefacts + cadence: (1) train officials andjudges; (2) require model cards, drift reports and red-team records for public-sector AI; (3) set predictable review and disclosure schedules so accountability is habitual rather than crisis-driven.

5.10.3 Platform cooperation local-language coverage andregulator-led oversight

Because election discourse lives on platforms, cooperation is a structural dependency. UNESCO's Guidelines call for independent regulators with powers to enforce human-rights standards and for platforms to implement meaningful transparency, risk mitigation, and user tools. UNESCO's Internet for Trust emphasises that adoption is growing as governments move from "content policing" to system-based governance grounded in rights; this is particularly crucial in multilingual African information spaces where moderation capacity is uneven. In parallel, AU-level work on information integrity and MIL provides a continental venue to set shared expectations for escalation timelines and local-language coverage, so states do not negotiate alone.

Hypothetical link: In our document analysis material, cyber units could document bot-nets faster than they could de-amplify local-language rumours. Formal MOUs with response-time SLAs and language guarantees are the scalable remedy suggested across UNESCO/AU guidance.

5.10.4 Election observation and after-action learning: making coordination measurable

AU election-observation reports routinely examine preparedness, security arrangements, media environment, tabulation transparency, and post-election dispute resolution, exactly the interfaces where Al-era information integrity is won or lost. Because observation cycles generate public reports, they also create a feedback loop that national coalitions can use to institutionalise improvements (pre-bunks, joint statements, platform SLAs, and in-camera protocols). UNESCO's elections programme reinforces this with practitioner guidance and skills development for journalists and regulators, so that official messaging and independent verification can move in sync.

Implication: Observers are not just monitor;they are coordination catalysts. Leveraging observation findings to formalise MOUs and documentation templates is a low-cost way for emerging democracies to turn lessons into law-like practice.

5.10.5 Guardrails for civic space: ACHPR'srightsbaseline for coordination

The ACHPR's Guidelines on Access to Information and Elections and its resolutions on internet shutdowns and public-interest content in the platform era make a simple point: coordination that shrinks civic space delegitimises itself. UNESCO's platform-governance texts reach the same conclusion from another angle: disinformation must be confronted, but proportionality and human-rights due diligence is non-negotiable to avoid chilling legitimate speech.

Implication: For Africa and peer regions, legitimacy requires both effective response and visible rights protections. Publishing no-shutdown pledges, regulator guidance on proportionality, andjournalist-safety measures during electoral windows is now part of the legitimacy toolkit.

5.10.6 What travels to other emerging democracies and what does not

Three features appear portable across contexts:

1. System-based platform governance led by independent regulators (not line ministries) under UNESCO's Guidelines reduces political heat and increases trust.

2. Capacity pipelines for civil servants and the bench (UNESCO's Al-for-Public-Sector, SPAARK-AI), turning documentation and disclosure into routine practice.

3. Election-period choreography such as pre-bunks, joint comms, platform SLAs, after-action notes supported by AU observation norms and UNESCO election tools.

What may not travel unmodified is the institutional map. Some states lack independent regulators or consolidated EMBs with comms capacity; others centralise cybersecurity under executive control without in-camera pathways for courts. In those settings, bounded visibility (secure dossiers for judges; non-sensitive public summaries) can still be introduced via procurement clauses and judicial practice directions while broader reforms are built.

5.10.7 A continental scoreboard for governance maturity

To help regimes benchmark progress, Africa's emerging frameworks point toward a rights-compatible scoreboard: (a) regulator-platform SLAs and language coverage;

(b) share of election-relevant systems with complete artefact sets; (c) usage of in-camera channels by courts; (d) time-to-clarification for official messaging in multiple languages; (e) journalist-safety cases resolved; and (f) number of trained civil servants and judges against national targets. UNESCO's public-sector and Internet for Trust work, together with AU observation/reporting cycles and the forthcoming information-integrity framework, provide an evidence spine for such indicators.,

5.10.8 Bottom Une for Africa andpeers

The continental message is consistent: security, rights, and communication are joint products. UNESCO's multi-stakeholder platform governance and capacity programmes, and the AU's AI Strategy, Digital Compact, and election-observation practice, together define a repeatable operating system for democratic legitimacy under AI. Countries that translate these norms into contracts, curricula, and coordination MOUs will accumulate trust over time;those that pursue security alone, or transparency alone, will continue to see brittle legitimacy that fractures under the stress ofthe next information surge.

CONCLUSIONSAND RECOMMENDATIONS

6.1 Overall Conclusion

Zambia's digital transition is at an inflection point where policy ambition and institutional execution must now coincide in a disciplined, measurable way. The National Digital Transformation Strategy (NDTS) 2023-2027 sets out a coherent national vision anchored on five pillars which include digital infrastructure, digital platforms, digital services, digital literacy and skills, and digital innovation/entrepreneurship and links these to Vision 2030 and sectoral modernisation agendas. In parallel, the Smart Zambia Institute's Digital Transformation Change Management Strategy for the Public Service (2023-2026) articulates the organisational conditions; people, structure, technology, and culture that must be actively governed if reforms are to be adopted, routinised, and sustained at scale. Taken together, these documents represent a strong "theory of change" for state modernisation and service transformation grounded in interoperable platforms, skills pipelines, and accountable institutions. The country has established the right what and why; the challenge now is to operationalise the how with consistent governance practice, implementation discipline, and results-oriented monitoring.

The diagnostic literature reinforces this imperative. The World Bank's Digital Economy Diagnostic (2020) underscores that inclusive digital growth requires simultaneous progress across infrastructure, skills, entrepreneurship, platforms, and digital financial services; it also advises that gains in one pillar can stall if complementary pillars lag, producing "gating constraints" for system-wide performance. In Zambia's case, gaps in last-mile connectivity, variable institutional capabilities for managing complex ICT programmes, and uneven adoption of interoperability standards are examples of such potential bottlenecks. The implication is that institutional reform must move in packs: expanding connectivity without building change-management capability will not lock in citizen uptake; deploying new platforms without consistent data governance and M&E will not improve legitimacy or outcomes. The conclusion is straightforward: Zambia's policy spine is sound, but the value creation frontier now lies in execution quality such as procurement that hard-wires openness and performance, change programmes that support adoption, and continuous measurement that informs course corrections.

Zambia's NDTS rightly frames digital government as both a development catalyst and a governance reform. By calling for interoperable platforms and integrated public services, it recognises that the state must practice joined-up government, not just digitise legacy silos. Practically, this means building and governing shared services (identity, payments, messaging, case management, data exchange) that ministries can reuse rather than rebuilding bespoke systems project by project. It also implies a stronger centre-of-government role through SMART Zambia and the Cabinet Office in enforcing architecture, standards, security baselines, and programme assurance so that quality and accountability remain consistent as systems scale. The state's own instruments acknowledge this centre-led logic, emphasising that transformation will falter if each institution pursues its own cadence, standard, and communications approach. Thus, the overall conclusion is that whole-of-government governance is essential to realise the NDTS benefits and to deliver consistent user experience and trust.

Another overriding conclusion concerns the human layer. The Change Management Strategy and its accompanying Public Service Change Management Toolkit (2024) detail the methods, templates, and governance artefacts needed to transition organisations through complex change including leadership sponsorship plans, stakeholder maps, readiness assessments, risk matrices, communications roadmaps, training-needs analysis, and M&E results frameworks. These instruments are not peripheral; they are the operating system for reform, ensuring that policies travel through institutions in a repeatable way. A key insight across the toolkit is that adoption is designed, not assumed: stakeholders must be engaged before, during, and after roll-out; communications must be paced, job-specific, and channel-appropriate; training must target competencies required to perform redesigned processes; and feedback loops must be short enough to catch and correct drift. Scaling these practices across ministries is a precondition for locking in the NDTS vision.

From an outcome perspective, the digital agenda should be judged on service reach and quality, institutional transparency, and citizen trust not merely system counts or budget execution. The diagnostic evidence is clear that digital public finance, e-services, and platforms can reduce transaction costs, widen access, and improve programme targeting;but without transparency-by-design (public documentation, clear service levels, simple redress channels) and consistent oversight, legitimacy benefits will not fully materialise. Zambia's frameworks already point to these governance elements; the task now is to make them visible and verifiable, for example, by publishing platform model descriptions, APIs, uptime and backlog metrics, and post-incident reports against predefined service-level agreements. Doing so would align practice with policy and encourage a performance culture grounded in data, user feedback, and independent challenge.

Finally, the national approach recognises that skills are the demand-side of digital transformation. The NDTS puts digital literacy and skills at the centre of the reform, calling for ICT integration in schools and workforce upskilling to support e-government adoption and innovation. The public-service change documents complement this by setting out how to identify training needs, design curricula, and monitor uptake. The conclusion here is that capability development must become a permanent feature of transformation not a series of one-off trainings but a pipeline of talent acquisition, onboarding, coaching, peer learning, and community-of-practice support. Without this people-system, technical investments will under-deliver and programme risk will increase.

In sum, Zambia's digital vision is credible and well-scaffolded in policy; the decisive variable is implementation discipline. The country now needs: (1) centre-led governance of architecture, standards, and programme assurance;(2) systematic use of change-management instruments;(3) transparency-by-design in platforms and services; (4) risk-based cybersecurity practice; (5) sustained skills pipelines; and (6) rigorous, public M&E. These components already anticipated in official strategies and toolkits should be treated as non-negotiable features of execution in order to translate digital ambition into durable institutional performance and citizen-level value.

6.2 Strategic Recommendations

Recommendation 1: Institutionalise "Transparency-by-Design" for Digital Public Services.

Convert transparency principles into operational requirements for every high-impact digital service: publish service descriptions, data flows, APIs, uptime and queue metrics, incident reports, and redress channels. Use the Change Management Toolkit's communications and M&E templates to standardise public reporting and ensure that citizen-facing information is timely, accessible, and trackable. This makes performance legible, closes information vacuums that fuel distrust, and aligns with the NDTS emphasis on citizen-centred services and platform interoperability.

Recommendation 2: Establish a Centre-of-Government Digital Assurance Function. Empower SMART Zambia/Cabinet Office to enforce common architecture, security baselines, procurement guardrails, and interoperability standards across ministries. Require project gates for large ICT programmes such as business case review, solution-architecture approval, go-live readiness, and post-implementation benefit-realisation checks. This centre-led model implied in the public-service change strategy prevents fragmentation and ensures quality, reuse, and cost discipline, consistentwith the NDTS platform pillar.

Recommendation 3: Hard-wire Interoperability and Data Governance. Adopt a "shared-services first" policy for identity, payments, messaging, data exchange, and case management. Formalise a national interoperability reference architecture and require ministries to justify exceptions. Standardise metadata, data-quality rules, consent and access controls, consistent with digital government good practice and the platform-integration imperatives set out in the NDTS and the World Bank diagnostic.

Recommendation 4: Create a Risk-Based Cyber Governance Regime for Government Systems.

Develop a risk register of critical platforms and datasets; tier controls to risk; and adopt a continuous-assurance model (vulnerability management, penetration testing, configuration baselines, incident drills). Prioritise secure hosting, identity and access management, logging/monitoring, backup/restore, and third-party risk. The diagnostic evidence stresses that weak infrastructure and controls undermine platform credibility and adoption;a risk-based regime is therefore essential for resilience and trust.

Recommendation 5: MakeChange-Management Governance Mandatoryfor All Major Projects.

For each initiative, require a sponsorship plan, stakeholder map, readiness assessment, communications calendar, training plan, and M&E results framework as conditions to progress. Use the Toolkit's templates to reduce transaction costs and ensure consistency. This responds to the Change Management Strategy's insistence that transformation succeeds only when leadership, people, structure, technology, and culture arejointly addressed.

Recommendation 6: Build a Continuous Talent Pipeline for Digital Government. Operationalise the NDTS's digital-skills pillar by establishing a Digital Academy for the public sector, curating role-based curricula (product management, service design, data engineering, cybersecurity, DevOps, agile delivery, M&E). Tie progression and incentives to skill attainment and delivery performance, not just tenure. Leverage partnerships with universities and the private sector to expand throughput and access to lab environments.

Recommendation 7: Adopt Procurement Guardrails that Reward Openness and Reuse.

Standardise procurement clauses requiring open standards, documentation escrow, API exposure, security assurance artefacts, and measurable service levels. Encourage reuse of government-owned components where possible and require clear exit paths to avoid lock-in. The diagnostic report highlights how fragmented procurement diminishes scale benefits and raises lifecycle risk; a guardrail approach will improve value-for-moneyand maintain strategiccontrol.

Recommendation 8: Put Outcomes and User Experience at the Centre of Delivery. Define success in citizen tasks completed, resolution times, service reach, and user satisfaction, not only "systems deployed." Use the Toolkit's M&E framework to test assumptions, run A/B experiments on user journeys, and iterate. Report publicly on progress and gaps so that citizen feedback becomes a routine input. This is the fastest way to build trust and ensure reforms improve daily life.

Recommendation 9: Coordinate Financing and Phasing for Last-Mile Connectivity. The NDTS calls for infrastructure expansion to prioritise rural connectivity through blended finance and public-private collaboration; sequence roll-outs to match service demand (e.g., health, agriculture, education clusters) and ensure affordability. Without last-mile access, digitally transformed services will bypass as many citizens as they empower.

Recommendation 10: Institutionalise External Challenge and Independent Review. Create a panel of independent reviewers which include technical architecture, cybersecurity, service design, M&E to provide structured challenge at programme gates and publish non-sensitive summaries. This raises quality, deters groupthink, and provides assurance to oversight bodies and citizens. It is consistent with the Change Management Strategy's emphasis on governance structures and the Diagnostic's call for robust programme discipline.

6.3 Implementation Roadmap (12-18 months)

Purpose and design. The roadmap translates policy intent into sequenced, accountable actions. It is structured in four phases, with defined outputs, owners, and assurance checkpoints. It draws on (i) the NDTS pillars and platform-integration logic; (ii) the Smart Zambia Change Management Strategy's whole-system approach; and (iii) the World Bank diagnostic's lessons on infrastructure, capability, and programme discipline.

Phase 1 (0-3 months): Setthe GovernanceSpine

Deliverables. Establish a Digital Programme Assurance Office at the centre of government to enforce standards and run delivery gates (business case, architecture, security, go-live readiness, benefit realisation). Publish a national interoperability reference architecture and a minimum-security baseline for government systems; mandate basic logging, backup/restore objectives, vulnerability patching cadences, and identity/access controls. Create a Portfolio Register of digital initiatives with status, budgets, dependencies, and risks; agree publishing rhythms and transparency formats.

Change-management setup. For each priority project, complete sponsorship plans, stakeholder maps, readiness assessments, communications calendars, and training-needs assessments using the Public Service Change Management Toolkit. Set quarterly reviews and create a programme-level results framework defining outcome and experience metrics, notjust output targets.

Assurance checkpoint. No project may pass to Phase 2 without approved artefacts and assigned owners; exceptions require formal dispensation by the centre-of-government assurance board.

Phase 2 (3-6 months): Interoperability Pilots and Capacity Uplift

Deliverables. Launch 3-5 interoperability pilots across high-value services (e.g., civil registration/ID, health, agriculture, education) to test shared services, data exchange, and security baselines. Use standardized contracts that require open standards, documentation escrow, and API exposure to embed reuse and avoid lock-in.

Skills and operating model. Stand up a Digital Academy for public servants, with role-based curricula (product, service design, data, security, DevOps, agile delivery). Establish cross-government communities of practice and a coaching model for project teams. Publish the service catalogue and target SLAs; begin monthly transparency dashboards on availability and backlogs.

Assurance checkpoint. Demonstrate end-to-end user journeys across at least two pilots, including data-sharing controls, audit logs, and incident runbooks;publish non-sensitive documentation for public accountability.

Phase 3 (6-12 months): Platform Scale-up and M&E Routines

Deliverables. Scale shared services to additional ministries;establish common components (notifications, payments, forms, case management). Implement risk-based cybersecurity (asset inventories, risk registers, scanning, incident simulations). Operationalise portfolio-level M&E using the Toolkit's Results Framework: track inputs (spend, training), outputs (services launched), outcomes (task completion, cycle-time reduction), and satisfaction. Align reporting to quarterly reviews and publish annual progress statements.

Organisational adoption. Deliver structured communications to internal and external stakeholders; institutionalise feedback loops (surveys, focus groups, help-desk analytics). Use these insights to iterate user journeys and address pain points.

Assurance checkpoint. Independent reviewers assess scalability, security posture, data governance, and user-experience metrics; recommendations and management responses are published in summary.

Phase 4 (12-18 months): Consolidation and Externa! Evaluation

Deliverables. Extend connectivity and service availability to rural clusters prioritised by social-value and demand signals. Harmonise provincial/local systems with central platforms. Conduct an external evaluation of programme maturity, outcome achievement, and value-for-money; agree a rolling three-year roadmap and funding model forsustained capability.

Institutionalisation. Fold delivery gates and M&E into standing instructions and civil-service performance frameworks; embed continuous training via the Digital Academy;update procurement frameworks to require open standards and performance artefacts.

Assurance checkpoint. Publish a consolidated State of Digital Government report summarising progress, risks, mitigations, and lessons learned; reset priorities for the next planning period.

6.4 Monitoring and Evaluation (M&E) Framework

Principles and scope. M&E is not a post-hoc audit but a design choice that shapes delivery behaviours from day one. The Public Service Change Management Toolkit provides a ready-to-use Results Framework template that ministries can adapt to define indicators, baselines, targets, collection methods, review cycles, and learning mechanisms. The NDTS indicates systemic goals (platform integration, service expansion, skills development), while the World Bank diagnostic identifies performance domains (infrastructure, skills, platforms, entrepreneurship, DFS) where progress can be quantified and compared over time. The M&E architecture should therefore bridge project-level execution and system-level outcomes, with transparent public reporting.

Indicator hierarchy.

Inputs: budget execution for digital projects; number of staff trained by role; connectivity investments and coverage expansion. Processes: number of ministries meeting interoperability and security baselines; proportion of projects with complete change-management artefacts; cadence of portfolio reviews. Outputs: number of digital services launched;APIs documented; SLAs published; incidents handled within SLA. Outcomes: user task-completion rates; cycle-time reductions; reduction in in-person visits;user satisfaction scores. Impacts: measurable contribution to Vision 2030 outcomes encompassing access, inclusion, and productivity which is consistent with NDTS objectives and the diagnostic's linkage between digital platforms and public-sector efficiency.

Data collection and quality. The Toolkit emphasises readiness assessments and monitoring templates that can be adapted to capture both quantitative and qualitative data. Ministries should automate collection where feasible (e.g., platform telemetry for uptime, latency, error rates;analytics for funnel completion; help-desk data for issue types and resolution times). To maintain credibility, data quality rules (completeness, timeliness, accuracy) must be documented and periodically validated; outliers should trigger review. The centre-of-government digital assurance function should maintain a common data dictionary for cross-portfolio comparability.

Review cadence and governance. Programme teams conduct monthly internal reviews to adjust delivery plans; the portfolio office consolidates results for quarterly cross-government reviews chaired by SMART Zambia/Cabinet Office;an annual report is published with progress, challenges, and next-year priorities. Each review should include delivery performance, risk posture, user experience, and financials, reflecting the diagnostic guidance that progress across pillars must be balanced and mutually reinforcing. Independent reviewers may be invited to sampled deep dives.

Learning loops and adaptation. M&E must drive decision-making, not just compliance. The Toolkit's learning orientation can be operationalised by pairing indicators with explicit management responses (e.g., if task-completion < 70%, trigger service redesign sprint; if incident MTTR exceeds SLA, adjust staffing and runbooks;if training completion lags, revise curriculum and modality). Ministries should publish "You said, we did" summaries to close the communicative loop with users and staff.

Public transparency. Consistent with NDTS's citizen-centred ethos, publish a Digital Government Dashboard showing key service and platform metrics, with downloadable open data where safe. This visibility encourages accountability, invites constructive scrutiny, and helps counter misinformation about system performance. The World Bank diagnostic highlights how transparency about progress and constraints sustains momentum and investment.

Capacity for M&E. Build an M&E cadre inside the Digital Programme Assurance Office and across line ministries, trained in measurement design, analytics, and data storytelling. Pair them with service designers and product owners so that evidence translates into journey improvements. Use the Toolkit's Training Needs Assessment and Capacity-Building Plan annexes to structure curricula and coaching.

Risks to effective M&E and mitigations. Common pitfalls include indicator overload, vanity metrics, data silos, and lagging reports. Mitigate by prioritising a compact set of outcomes-centric indicators, enforcing the portfolio dictionary, automating feeds, and setting non-negotiable reporting SLAs. Where baselines do not exist, run rapid baseline sprints in the first 90 days and revise targets accordingly. The centre's role is to ensure coherence and to protect analytical integrity so that leadership and citizens can trust the picture the numbers paint.

Bottom line. An M&E framework built from Zambia's own toolkits and strategy documents can provide a clear line-of-sight from vision to results, turning digital transformation into a managed, measurable, and publicly legible programme. This is the surest route to sustained legitimacy and value.

6.5 RiskAssessment and Mitigation

Effective digital transformation in Zambia requires a governance system capable of anticipating, identifying, and mitigating risks that arise from institutional reforms, technological shifts, and complex multi-stakeholder coordination. The country's National Digital Transformation Strategy 2023-2027 explicitly recognises governance, leadership, interoperability, and oversight as core enablers that must function in synchrony for reforms to succeed, while the Digital Transformation Change Management Strategy for the Public Service (2023-2026) emphasises that public-sector transformation depends on well-structured governance, leadership sponsorship, and strong institutional alignment across ministries, provinces, and agencies to ensure accountability.

In parallel, the Public Service Change Management Framework Toolkit (2024) provides detailed templates for risk matrices, governance structures, and institutional readiness analysis, signalling that governance risks must be treated as a formalised, continuous management process.

Ultimately, governance-centric risks represent the most critical threats to sustainable digital transformation, because even strong technical investments and digital platforms will fail where oversight structures, decision-making processes, and leadership practices remain weak.

Risk 1: PolicyMisalignmentAcross Ministries and Governance Fragmentation

A primary governance risk arises from fragmentation of policies and inconsistent interpretation of digital-transformation priorities across ministries and agencies. The National Digital Transformation Strategy stresses the need for a coordinated approach to digital adoption, warning that siloed implementations undermine interoperability, efficiency, and the ability to provide integrated digital services to citizens.

Meanwhile, the Change Management Strategy highlights that ministries differ significantly in readiness, leadership commitment, and organisational culture, conditions that, if not harmonised, can produce uneven adoption and generate institutional conflict.

The mitigation approach requires a strong centre-of-government authority anchored in SMART Zambia and Cabinet Office to enforce shared architectures, digital-platform standards, and synchronised implementation plans. Ministries should be required to align sectoral strategies with NDTS goals, and deviations should trigger escalations or review mechanisms to preserve national coherence.

Risk2: WeakOversight,Monitoring, andAccountabilityStructures

The Change Management Toolkit offers detailed guidance on governance bodies such as steering committees, sponsorship roles, and decision-rights matrices yet these structures are frequently under-implemented in practice.

Moreover, the NDTS underscores that without consistent monitoring and well-defined governance frameworks, digital programmes risk drifting from stated objectives or becoming vulnerable to inefficiencies and performance failures.

A further complication arises from the need to coordinate multi-layered oversight involving Cabinet Office, SMART Zambia, regulators, and line ministries. Without routine portfolio-level reviews, transparent reporting dashboards, and formal performance baselines, oversight bodies cannot confidently assess progress or intervene early. The mitigation strategy therefore requires institutionalising the Toolkit's Monitoring & Evaluation Results Framework, mandating quarterly cross-government reviews, and making oversight reports public wherever possible to reinforce accountability.

Risk3: Leadership MisaHgnmentand Insufficient Sponsorship

The Digital Transformation Change Management Strategy stresses that leadership sponsorship is one of the most decisive predictors of successful transformation, and that reforms fail when leaders do not model the behaviours and decisions required to sustain change.

The NDTS also highlights leadership's critical role in enabling digital-innovation ecosystems, enforcing standards, and driving cross-sectoral transformation.

The governance risk arises when leaders lack clarity on digital-transformation expectations, delegate accountability incorrectly, or fail to address resistance at lower levels. Without consistent leadership alignment, reforms stall due to bureaucratic pushback, silo protection, or competing institutional agendas. Mitigation requires mandatory leadership-sponsorship plans, structured executive briefings, and a clearly defined hierarchy of decision rights. Senior leaders should undergo targeted digital-governance training supported by the Toolkit's capacity-building templates to ensure that leadership capability becomes a predictable asset rather than a variable.

Risk4: Institutional Resistance and Organisational-Culture Barriers

Resistance to change remains one of the most pervasive governance risks identified in the Change Management Toolkit, which emphasises the importance of readiness assessments, stakeholder-mapping tools, and culture-web analysis.

The NDTS identifies similar dangers: without cultural transformation, investments in digital platforms and infrastructure will produce limited adoption or superficial compliance.

Some ministries may resist shared-platform models due to perceived loss of autonomy;others may fear changes to workflows, accountability structures, or performance measurement. Mitigation must include early cultural diagnostics, structured dialogue with staff, transparent communication on reforms, and adoption of incentives that reward compliance, innovation, and use of shared resources. A centralised communications strategy backed by the Change Management Toolkit is essential for pre-empting misinformation and aligning expectations.

Risk5:lnadequate Governance of Standards, Architecture, andlnteroperability

A critical governance risk identified in the NDTS is the absence of enforceable standards and interoperable architectures across ministries leading to fragmented systems, redundant procurement, and data silos.

The World Bank's diagnostic similarly warns that without strong governance of digital platforms, interoperability, and data exchange, countries face inflated long-term costs, security vulnerabilities, and inconsistent service delivery.

The mitigation strategy is to formalise a National Interoperability Framework enforced by SMART Zambia and integrate architecture governance into procurement processes, ensuring all new systems meet minimum requirements for data standards, security controls, and API exposure. This reduces long-term integration costs, enhances policy coherence, and ensures that citizen services remain seamless across departments.

Risk 6: Insufficient Governance ofPublic-Service Change Processes

The Public Service Change Management Toolkit provides structured tools for defining change contexts, conducting readiness assessments, executing communication plans, and designing training programmes yet these tools risk being under-utilised without formal governance mandates that require their application.

The NDTS also recognises that digital transformation must be inclusive, consultative, and accountable to different stakeholder groups. Without governance mechanisms to ensure systematic adoption of change-management practices, ministries may implement digital systems without redesigning workflows, training users, or preparing cultures leading to operational disruption, low adoption, or outright system failure. Mitigation requires Cabinet Office to mandate the use of the Toolkit for all medium-to-large transformation initiatives and include compliance in performance appraisals for senior public managers.

Risk7: WeakCoordination Between CentralandSub-NationalInstitutions

Digital transformation requires local authorities to adapt their workflows, upgrade infrastructure, and align data processes with central systems. The NDTS emphasises bridging the digital divide and improving sub-national access to digital infrastructure and platforms, while the Change Management Strategy calls for decentralised adoption coordinated through Cabinet Office structures.

The governance risk is that provincial and district offices may lack the autonomy, resources, or clarity needed to integrate digital reforms into their local contexts, creating gaps in service delivery. Mitigation involves establishing provincial-level digital-transformation committees, ensuring equitable resource distribution, and embedding local representation into national decision-making processes.

Risk8: Limited Governance ofImplementation Sequencing and Prioritisation

The World Bank diagnostic warns that countries often pursue too many digital initiatives simultaneously, diluting capacity and overwhelming oversight structures.

The NDTS underscores the importance of sequencing initiatives starting with foundational enablers such as infrastructure, platforms, and digital skills. Misalignment in sequencing increases the probability of cost overruns, stalled projects, or duplicative investments. Mitigation requires a national digital portfolio with defined prioritisation logic, explicit dependencies, and an enforced rule that no initiative proceeds without meeting readiness, architecture, and change-management criteria defined in the Toolkit.

6.6 Capacity Building Plan

A credible capacity building plan must turn Zambia's digital-transformation ambitions into repeatable public-service capabilities at scale. The plan below operationalises the National Digital Transformation Strategy (NDTS) 2023-2027 and the Smart Zambia Digital Transformation Change Management Strategy (2023-2026) by specifying objectives, roles, curricula, delivery modalities, incentives, partnerships, resourcing, and measurement routines that ministries can adopt immediately. It aligns institutional capability with the NDTS pillars (infrastructure, platforms, services, skills, innovation) and uses the Public Service Change Management Framework Toolkit (2024) to standardise training-needs assessment (TNA), governance, and results tracking, while drawing on the World Bank Digital Economy Diagnostic to target constraints that most limit system-wide progress.

A. Objectives and Target Competencies

The plan pursues four objectives. First, to build leadership fluency in digital-government governance such as architecture, standards, decision rights, and portfolio assurance so that senior officials can sponsor change effectively and enforce cross-government coherence. Second, to expand technical depth in platform engineering, cybersecurity, data governance, and service design to support interoperable, secure, citizen-centred services. Third, to mainstream change-management practice which include stakeholder engagement, communications, training, and readiness to ensure adoption in frontline settings. Fourth, to develop evidence-led delivery by embedding monitoring and evaluation (M&E) habits at project and portfolio levels. These goals echo the NDTS skills pillar and the Change Management Strategy's insistence on people, structure, technology, and culture as co-determinants of success.

Target competencies are grouped into role-based tracks:

• Executive & Director Track (governance): portfolio stewardship; standards/interoperability oversight procurement guardrails; risk appetite and accountability; public reporting. (Rationale: centre-led coherence and

sponsorship are highlighted across government guidance.)

• Product, Service & Delivery Track (mission teams): agile delivery; service design; user research;backlog management;benefits realisation;open APIs; SLA design. (Rationale: platform-centric delivery requires multidisciplinaryteams.)

• Data & Platform Engineering Track (technical core): data modelling and governance; integration and messaging;identity and access management; cloud/security baselines; observability and incident response. (Rationale: the diagnostic identifies infrastructure/platform and securityas gating constraints.)

• Frontline & Provincial Track (adoption focus): task-oriented digital skills; case-management use;data-quality routines;citizen communication;feedback capture. (Rationale: last-mile adoption is decisive for service outcomes.)

B.Deh'veryArchitecture: A GovernmentDigitalAcademy+ Communities of Practice

Capacity building will be institutionalised through a Government Digital Academy (GDA) coordinated by SMART Zambia, with satellite hubs in selected ministries and provincial centres. The GDA curates curricula, certifies trainers, and runs a national events calendar, while Communities of Practice (CoPs) such as product, data, security, service design, and change management to support peer learning, playbooks, and code-of-practice updates. This architecture reflects the Change Management Strategy's centre-of-government role and the NDTS's emphasis on interoperable platforms and skills pipelines.

Learning modalities mix cohort-based courses, role-specific bootcamps, mentoring, and on-the-job coaching during live delivery. Provincial cohorts receive blended learning (in-person intensives and virtual labs) to reduce travel costs and improve equity. Each course embeds a capstone tied to an active project, e.g., writing a service blueprint or designing an interoperability spec, so practice follows theory. The World Bank diagnostic's pillar model supports this progressive, hands-on approach: capability grows fastest when tied to real infrastructure, platform, and service work.

C Curriculum Blueprint (12-18 months)

Executive & Director Track (6-8 days over 12 weeks): (1) Strategy to execution: NDTS pillars, governance roles, portfolio assurance, risk appetite; (2) Architecture & interoperability: national reference architecture, data-exchange standards; (3) Secure procurement: open standards, API requirements, documentation escrow, SLAs;(4) Performance and public transparency: dashboards, M&E routines, benefits tracking;(5) Leadership for change: sponsorship plans, cultural levers, accountability frameworks. These modules mirror leadership duties specified in government frameworks and enable centre-led coherence.

Product, Service & Delivery Track (12-16 days):

Discovery and user research; service blueprinting; agile delivery; backlog and benefits; designing SLAs and post-incident reports; working with shared components (identity, payments, notifications); publishing APIs; measuring user journeys. The NDTS's platform pillar and the Toolkit's M&E templates inform module design and assessment.

Data & Platform Engineering Track (20-25 days): Data modelling and governance; master data and quality rules;API design and event-driven integration; security baselines (IAM, logging, vulnerability management, backup/restore); observability (SLOs, error budgets);incident simulations; cost management. Diagnostic findings on infrastructure and platform weaknesses justify emphasis on integration, security, and reliability engineering.

Frontline & Provincial Track (6-10 days):

Task-specific digital skills (case-management, e-forms, data capture), standard operating procedures, data-quality routines, citizen-facing communication, accessibility and language considerations, and escalation pathways. The Toolkit supplies communication and training-plan templates to localise materials and maintain consistency across districts.

D. GovernanceofLearning: TNAs,Pathways, andAccreditation

Every ministry conducts an annual Training Needs Assessment (TNA) using the Toolkit's templates; results inform individual learning plans and ministry-level capacity roadmaps. Completion of role-based pathways leads to micro-credentials (e.g.,

"Government Product Practitioner" or "Government Data Engineer"), tied to job profiles and promotion criteria. The Change Management Strategy highlights the necessity of aligning training with structure and culture; the NDTS provides the content compass (platforms, skills, services) thatthese credentials must reflect.

A Learning Governance Board (Cabinet Office/SMART Zambia + HR representatives) sets standards for curriculum updates, approves vendors/providers, and audits quality. Ministries report quarterly on enrolments, completions, and application of skills to delivery outcomes. Where TNAs show chronic gaps (e.g., data governance), the Board commissions targeted interventions and deploys roving coaches to high-priority projects. This routine governance mirrors the Toolkit's oversight patterns and ensures capability stays aligned with national strategy.

E.lncentives, Career Pathways, andRetention

To retain scarce digital talent, the civil service should recognise specialist career families (product, service design, engineering, data, cybersecurity, delivery management) with transparent progression, competency rubrics, and allowances for hard-to-fill roles. Executives' performance agreements should include sponsorship, standards compliance, and public reporting obligations. These levers reflect the Change Management Strategy's focus on leadership and culture and the NDTS's call for sustained skills pipelines. Evidence from the diagnostic underscores that without talent and incentives, platform and service ambitions stall.

Secondments and rotations between central and line ministries (and to provincial hubs) broaden exposure and accelerate diffusion of good practice; paired with CoPs and mentoring, they lower single-point-of-failure risks in key teams. Training credits linked to capstones (e.g., delivering a working API or a measured service improvement) encourage application, not seat time. These arrangements operationalise the Toolkit's emphasis on practice-oriented change and embed learning in day-to-daydelivery.

F.Partnerships and Ecosystem Enablement

The GDA should broker partnerships with universities, technical institutes, and reputable providers to deliver advanced modules (data engineering, cybersecurity, cloud operations) and to establish shared labs for hands-on practice. Collaboration with private-sector platform companies can provide sandboxes for integration, monitoring, and reliability engineering. The NDTS invites multi-stakeholder alignment to achieve digital-skills and platform objectives, while the diagnostic recommends leveraging ecosystem strengths to overcome capability constraints.

Provincial and community partners can localise content including language, connectivity constraints, and sector-specific use cases to ensure equitable uptake. A provider registry maintained by SMART Zambia/HR ensures quality and value-for-money, with annual reviews tied to learner outcomes and delivery impact. These mechanisms align with the Toolkit's governance templates and the Change Management Strategy's whole-of-government orientation.

G Resourcing Budgeting, andSustainability

Capacity building requires ring-fenced budgets for the GDA, course development, labs, and coaching. Ministries allocate a fixed training share (e.g., 2-3% of payroll or programme budgets) to the capacity plan; the centre co-funds cross-government modules and provincial cohorts to ensure equity. The NDTS provides the strategic case for sustained investment in skills, and the diagnostic links skills deficits to under-performance in platforms and services; the Toolkit translates budgets into operational training plans and M&E.

Sustainability also depends on knowledge capture: each programme generates playbooks, patterns, and templates (e.g., common API specs; service-blueprint libraries) that are versioned and shared via the CoPs. These artefacts reduce onboarding time, improve consistency, and preserve institutional memory which are the core tenets in the Change Management Strategy and Toolkit.

H.Measurement and Continuous Improvement

Finally, the plan embeds an M&E layer: for each track, define completion targets, application rates (capstones delivered), and outcome indicators (e.g., cycle-time reduction, incident MTTR, task-completion gains). Portfolio-level reviews correlate training exposure with delivery performance, guiding curriculum updates and coaching assignments. This closes the loop between learning and outcomes, as envisaged in the Toolkit's Results Framework and NDTS's service-improvement ethos, and addresses diagnostic advice to monitor pillar-level progress rigorously.

In brief, this capacity building plan uses Zambia's own policy spine (NDTS), organisational change strategy (Smart Zambia), operational toolkit (Public Service Change Management Toolkit), and empirical diagnostics (World Bank) to create a repeatable, role-based, and outcomes-driven engine for skills and adoption. By institutionalising a Government Digital Academy, energising Communities of Practice, aligning incentives, and measuring what matters, Zambia can translate digital investments into lasting public-value gains.

6.7 Policy Embedding and Governance

Embedding digital-transformation policy within Zambia's governance architecture requires a deliberate, institutionalised, and repeatable approach that aligns national strategies, public-service structures, legal mandates, and operational norms. The National Digital Transformation Strategy (NDTS) 2023-2027 emphasises that digital governance must be mainstreamed across ministries, provinces, and agencies, with clear roles, shared platforms, and harmonised standards guiding adoption

At the same time, the Digital Transformation Change Management Strategy for the Public Service (2023-2026) underscores that sustainable transformation depends on leadership accountability, organisational culture, and institution-wide change-management governance structures that ensure coherence and effectiveness across the public sector

Together, these strategies provide the governance spine for digital public-sector reform, but embedding them requires operational translation into laws, policies, routines, incentives, and oversight mechanisms.

To ensure alignment across government, digital transformation must be integrated into sectoral strategies, budget frameworks, and annual work plans. The NDTS stresses the importance of coordinated adoption across the five pillars—digital infrastructure, platforms, services, literacy/skills, and innovation warning that fragmentation undermines interoperabilityand efficiency

Embedding these pillars means that every ministry's medium-term expenditure plan (MTEF) and annual budget submissions should explicitly reference digital-transformation milestones, shared-platform adoption, data-governance alignment, and skills-building objectives. The Change Management Strategy reinforces the need to align strategy, structure, people, and culture, advising that ministries adopt governance structures that allow change programmes to be coordinated at both seniorand operational levels

Embedding digital transformation into institutional planning cycles ensures that reforms are not treated as isolated ICT modernisation projects but as a core element of sectoral performance and public-value creation.

Central to policy embedding is the establishment of a centre-of-government governance authority capable of enforcing standards, architecture, and delivery discipline. Both the NDTS and the Change Management Strategy highlight the role of SMART Zambia and Cabinet Office in providing strategic direction, coordinating crossgovernment transformation, and ensuring compliance with shared digital-government norms

This central authority must issue mandatory digital governance policies, including: interoperability standards, data-governance frameworks, security baselines, change-management requirements, and monitoring/reporting protocols. The Change

Management Toolkit provides specific governance templates including Terms of Reference (Annex 4), leadership-sponsorship plans (Annex 2), and governance structure blueprints that can be institutionalised into statutory guidance or administrative circulars to formalise compliance expectations

Embedding governance authority is crucial to prevent fragmentation and ensure ministries implement reforms within a unified architectural and operational framework.

Effective policy implementation also requires embedding interoperability and data governance into public-sector practice. The NDTS highlights interoperability as a core precondition for efficient public services, calling for integrated digital platforms that reduce duplication and streamline citizen engagement across government functions

Meanwhile, the World Bank Digital Economy Diagnostic identifies data-integration failures and siloed systems as major constraints to digital transformation, urging governments to adopt coordinated data-governance frameworks, metadata standards, and platform-integration mechanisms to unlock the full value of digital systems

Embedding these elements requires ministries to adopt a national interoperability reference architecture enforced by SMART Zambia, integrating technical standards and accountability mechanisms into procurement processes, IT governance committees, and system-development life cycles.

Embedding policy requires organisational change to be governed as a system, not as a series of disconnected initiatives. The Change Management Strategy identifies this as a structural risk, stressing that ministries often implement digital tools without accompanying reforms in culture, workflows, and capacity, resulting in superficial adoption and diminished impact

The Toolkit offers a comprehensive suite of artefacts such as change-readiness assessments, communication plans, capacity-building plans, leadership-commitment templates, and stakeholder maps that should be standard requirements for any Page247of271

digital-government initiative. To embed these into routine governance, Cabinet Office can issue a directive mandating that every major ICT or reform project include: (1) a completed Change Context Guide; (2) a Leadership Commitment Form;(3) a Stakeholder Engagement Plan;and (4) a Monitoring & Evaluation Results Framework, all derived from the Toolkit's annexes. This ensures that change management becomes an institutional norm ratherthan an optional add-on.

Embedding policy also involves strengthening incentive structures and performance expectations for leaders and staff. The Change Management Strategy emphasises that transformation succeeds when leaders model the behaviours and decisions needed to support reforms, making leadership accountability crucial for institutionalising digital-governance norms

Embedding these expectations requires integrating digital-transformation objectives into performance contracts for Permanent Secretaries, Directors, and senior managers, with clear consequences for non-compliance and recognition for exemplary leadership. Likewise, the NDTS calls for investments in digital skills and literacy, which must be embedded into human-resource policies, job descriptions, promotion pathways, and public-service competency frameworks so that digital capability becomes an explicit requirement of civil-service professionalism

Another governance dimension involves embedding transparent monitoring and reporting mechanisms into the public sector's accountability ecosystem. The NDTS emphasises the need for transparency and accountability in digital transformation, noting that public trust increases when citizens can see progress and understand service improvements

The Toolkit similarly highlights the importance of consistent M&E, including results frameworks, progress-report templates, and communication protocols designed to ensure that information is shared internally and externally with clarity and timeliness

Practical embedding requires ministries to produce quarterly digital-transformation performance reports, adopt open dashboards for key services, and publish non-sensitive implementation updates to demonstrate transparency and counter misinformation. These practices reinforce a culture of evidence-based governance and institutional learning.

Policy embedding must also address the governance of sub-national and frontline adoption, which the NDTS identifies as essential for inclusive digital development. The Strategy stresses the need to bridge digital divides by extending platforms, data flows, and digital-service access to rural and underserved areas, ensuring equitable governance outcomes across Zambia's geography

The Change Management Strategy complements this by identifying decentralised implementation as a major determinant of success, requiring governance structures that integrate provincial and district voices into digital-transformation decision-making and ensure resource flows reflect local needs

Embedding policy therefore requires establishing provincial digital-governance committees, training local officials using Toolkit artefacts, and aligning district-level planning cycles with national transformation timelines.

Finally, policy embedding must incorporate external oversight, challenge, and continuous improvement, drawing on international good practice and diagnostic insights. The World Bank diagnostic stresses that African countries often face gaps between strategy and execution, recommending systematic external review, challenge mechanisms, and continuous refinement of digital-government policies based on observed performance and user feedback

Embedding this governance function involves establishing independent panels such as covering architecture, cybersecurity, service design, and M&E to challenge and validate ministry reforms, ensuring that decisions remain aligned with national objectives and global standards. These panels can produce annual State of Digital

Government assessments that feed into national planning and budget frameworks, strengthening transparency and accountability.

In summary, embedding digital-transformation policy into Zambia's governance ecosystem requires: centre-led enforcement of standards and architectures; integration of digital priorities into sectoral planning and HR systems;universal use of change-management governance artefacts; transparent M&E and public reporting; decentralised governance structures; and independent challenge to maintain strategic alignment. These elements drawn from national strategies, the public-service change-management framework, and global diagnostics ensure that digital transformation becomes a permanent, accountable, and citizen-centred feature of Zambia's public-administration system.

6.8 Areas for Further Research

Zambia's policy spine for digital transformation is strong;the next frontier is an evidence base that helps decision-makers prioritise high-leverage reforms and de-risk scale-up. The National Digital Transformation Strategy (NDTS) 2023-2027 sets an ambitious, five-pillar agenda (infrastructure, platforms, services, skills, innovation), while the Digital Transformation Change Management Strategy (2023-2026) and the Public Service Change Management Framework Toolkit (2024) specify how to operationalise change across people, structure, technology, and culture; yet the World Bank Digital Economy Diagnostic cautions that countries often stall without rigorous feedback loops tying delivery to outcomes. These sources point to a common research need: systematic, Zambian-specific studies that turn strategy into measurable, sequenced choices with visible public value.

1) Sequencing and Portfolio Prioritisation.

Further research should quantify the trade-offs of different sequencing strategies, e.g., how fast to expand shared components (identity, payments, notifications, data-exchange) relative to sectoral "front-end" services to maximise near-term citizen value while de-risking longer-term integration. The NDTS calls for platform interoperability and whole-of-government coherence, but offers multiple plausible routes to get there; comparative simulations (cost, risk, adoption, time to value) would help Cabinet Office and SMART Zambia pick the portfolio mixes that deliver the highest combined return in service outcomes and institutional capability. The World Bank diagnostic's pillar model provides a methodological anchor for such simulations, while the Change Management Strategy signals the organisational constraints that must be priced in (leadership bandwidth, readiness differentials, culture).

2) Interoperability Economics and Data-Governance Outcomes. Zambia needs rigorous cost-benefit evaluations of the national interoperability reference architecture which include measuring avoided duplication, integration effort saved per project, latency and error-rate reductions, and downstream effects on programme performance. NDTS underscores interoperability as a precondition for efficient services; however, empirical evidence (e.g., total cost of ownership over five years; integration backlog burn-down; re-use ratio of shared services) would help Treasury and line ministries justify standards enforcement and API-first procurement. The World Bank diagnostic highlights data-integration gaps as binding constraints; research can translate that diagnosis into Zambia-specific "value of integration" metrics to guide future investment.

3) Last-Mile Connectivity and Inclusive Service Uptake. The NDTS prioritises rural connectivity and equitable access; targeted impact evaluations could test which last-mile interventions (community networks, shared access points, subsidised data bundles for priority services) produce the biggest increases in task completion and time-to-service for low-income users. Mixed-methods designs combining usage analytics from digital platforms with ethnographic fieldwork would reveal frictions (language, accessibility, device constraints) that impede uptake, while the Toolkit's M&E Results Framework can structure indicator selection and reporting cycles for comparability across pilots. Findings would inform where to phase infrastructure spend and how to localise service design for provincial contexts.

4) Organisational Change, Culture, and Leadership Behaviours. The Change Management Strategy and Toolkit emphasise leadership sponsorship, readiness diagnostics, and communications as decisive for adoption, yet the causal pathways between specific leadership behaviours and measurable delivery outcomes remain under-documented. Zambia could sponsor longitudinal studies tracking ministries that fully apply Toolkit artefacts (sponsorship plans, stakeholder maps, communications calendars) against delivery performance (on-time go-lives, SLA adherence, user satisfaction). Such studies would generate a "playbook of high-leverage behaviours," enabling Cabinet Office to refine performance agreements and professional-development content for Permanent Secretaries and Directors.

5) Skills Pipelines and Productivity Yields.

While NDTS calls for systemic digital-skills development, Zambia would benefit from micro-productivity studies quantifying how role-based training (e.g., product management, service design, data engineering, cybersecurity, M&E) translates into cycle-time reductions, incident mean-time-to-recovery, and citizen task-completion gains. The World Bank diagnostic frames skills deficits as a gating constraint; pairing the Toolkit's Training Needs Assessment with outcome metrics can produce return-on-learning curves by role and modality, guiding scale-up of a Government Digital Academyand informing budget allocations.

6) Procurement Guardrails, Vendor Dependencies, and Total Cost of Ownership. Empirical analysis is needed on the extent to which open-standards clauses, documentation-escrow requirements, and API exposure in tenders reduce life-cycle costs and switching risks. NDTS advocates interoperable, platform-centric development, while the diagnostic warns that fragmented procurement inflates costs; Zambia could test "guardrail vs. business-as-usual" procurement cohorts to measure integration effort saved, time-to-first-release, and re-use ratios of shared components. The Change Management Strategy's governance lens can be used to track compliance and escalation patterns when guardrails are breached.

7) Cybersecurity Governance and Public-Sector Resilience.

Research should evaluate the effectiveness of risk-based security baselines (identity/access controls, logging/monitoring, backup/restore RPO-RTO, vulnerability management) on real government workloads. The diagnostic recommends prioritised investments in secure infrastructure and cross-agency coordination; Zambia could run red-team/blue-team exercises and publish anonymised lessons on control efficacy, incident response, and organisational learning. Coupling these assessments with the Toolkit's governance templates would show how well ministries institutionalise security routines as part of everyday operations.

8) Maturity Models and Benefit Realisation.

A Zambia-specific digital-government maturity model aligned to NDTS pillars and Toolkit governance practices could be validated across ministries, linking maturity levels to measurable benefits (e.g., backlog reduction, user satisfaction, service expansion to vulnerable groups). The diagnostic's multi-pillar structure provides a scaffold for this model, while the Toolkit supplies the operational artefacts (M&E frameworks, progress-report templates) to ensure consistent evidence across institutions. Over time, the model can guide resource allocation, coaching, and sequencing of reforms.

9) Sub-national Institutionalisation and Equity.

Because the NDTS emphasises inclusive access, Zambia should commission provincial case studies on how policy, culture, and capability interact at district level; what governance structures enable adoption, which training modalities work best, and which service categories produce the fastest equity gains. Embedding Toolkit-based governance (TORs for provincial committees, stakeholder plans, localised comms) in these studies would clarify what it takes to reproduce success outside Lusaka and Copperbelt and how to budget for provincial scale-up.

10) Citizen Experience, Trust, and Transparency-by-Design.

Finally, there is a need for public-facing research that links transparency practices

(publishing service descriptions, APIs, SLAs, incident reports) to measurable changes in citizen trust and usage. NDTS calls for citizen-centred services; the Toolkit underscores regular M&E and communications; but the elasticity of trust to transparency is not yet quantified forZambia's context. Controlled roll-outs (A/B testing across services or provinces) could determine which transparency artefacts most improve trust and uptake, informing standard publication requirements across government platforms.

Research design and governance.

To execute these agendas credibly, Zambia can embed research-practice partnerships that pair ministries with local universities and applied-research labs, ensuring fast cycles from insight to policy. The Change Management Strategy's centre-of-government role suggests convening and commissioning authority; the Toolkit's Results Framework can standardise indicators and ethics/release processes for publication of non-sensitive findings;and the NDTS can anchor topic selection in the five pillars to maintain strategic relevance. Together, they provide the institutional machinery for a living evidence base that evolves with reform.

In sum, Zambia's next wave of research should focus on how to implement at scale with discipline covering what to build first, how to govern interoperability and data, how to staff and retain critical roles, how to buy and integrate technology without lock-in, how to secure systems proportionate to risk, and how to prove benefits transparently. NDTS supplies the strategic compass; the Change Management Strategy and Toolkit supply the operating system; and the World Bank diagnostic supplies the comparative analytics to benchmark progress together enabling a research agenda that directly improves the odds of delivery.

REFERENCE

1. ACHPR (2017) Guidelines on Access to information and Elections inAfrica. African Commission on Human and Peoples' Rights.

2. ACHPR (2024) Resolution on internet Shutdowns and Elections in Africa - ACHPR/Res.580 (LXXViii) 2024.

Available at: https://achpr.au.int/en/adopted-resolutions/580-internet-shutdowns- elections-africa-achprres580-lxxvii

3. ACHPR (2024) Resolution on the Renewalofthe Mandate ofthe SpecialRapporteur on Freedom ofExpression andAccess to information-ACHPR/Res.597(LXXXi).

4. ACHPR (2025) Resolution on Public interest Contentin the DigitalEra - ACHPR/Res.631 (LXXXii) 2025.

5. ACHPR(2025) Special Rapporteur on Freedom of Expression and A ccess to information in Africa - 83rd OrdinarySession Report.

6. African Union (2024) African DigitalCompact(ADC).

7. African Union (2024) ContinentalArtificialintelHgenceStrategy. Available at: https://au.int/en/documents/20240809/continental-artificial- intelligence-strategy

8. African Union (2024) PressRelease:African MinistersAdoptLandmarkContinental AiStrategy.

9. African Union (2024) AUEOMFinalReport:SouthAfrica General Elections. Available at: https://au.int/sites/default/files/documents/44062-doc- Final_Report_General_Elections_-_South_Africa_2024.pdf

10. African Union (2025) AUEOMPre/iminaryStatement: Tanzania GeneralElections. Available at: https://au.int/en/pressreleases/20251105/aueom-preliminary- statement-october-2025-general-elections-tanzania

11. African Union (2025) AU-UNESCO Champion information integrity with New Continental Framework. Available at: https://au.int/en/pressreleases/20250811/african-union-and-unesco- champion-information-integrity-new-continental

12. African Union (2025) CommuniqueoftheHigh-LevelPolicyDialogueonAI Developmentand Regulation in Africa.

13. Cabinet Office (2025) Zambia Pub/icService Change ManagementFramework Toolkit (Version 2). G overnmentofZambia. Available at: https://www.cabinet.gov.zm/wp-content/uploads/2025/02/Change- Management-Framework-Toolkit_v1-310124-Tov-edited-002.pdf

14. Center for Democracy & Technology (2025) Assessing Ai: Surveying Approaches to AiAuditing. CDT Al Governance Lab.

15. Government of Zambia (2023) NationalDigital Transformation Strategy2023-2027. Ministry of Technologyand Science.

16. Government of Zambia (2022) The National Digital Transformation Strategy for Zambia (2023-2027). Digital Watch Observatory summary. Available at: https://dig.watch/resource/the-national-digital-transformation- strategy-for-zambia-2023-2027

17. Modern Diplomacy (Schneider, G.) (2025) Africa'sAiCrossroads:FromAmbition to Architecture. Available at: https://moderndiplomacy.eu/2025/11/05/africas-ai-crossroads-from- ambition-to-architecture/

18. Onunwa, G. & Shehu, M. (2025) State ofAiPolicyinAfrica 2025. Available at: https://columncontent.com/wp-content/uploads/2025/10/State-of- Al-Policy-in-Africa-2025.pdf

19. Smart Zambia Institute (2024) Digital Transformation Change Management Strategy for the Public Service 2023-2026.

20. World Bank (2020) AcceleratingDigital Transformation inZambia:DigitalEconomy Diagnostic Report.

21. World Bank (2020) Zambia'sDigital Transformation Journey:StridesMade,butKey Gaps Remain.

APPENDICESA-L

APPENDIX A: Semi-Structured Interview Guide (Key informants)

Section 1: Background

1. Can you describe your current role and responsibilities within your institution?

2. How does yourwork intersect with digital governance, cyber-security, elections, or Al-related systems?

Section 2: Institutional Capacity & Governance

3. What institutional capacities does your organisation currently possess for managing Al-enabled systems or cybersecurity incidents?

4. What forms of documentation are typically produced when digital systems are deployed or updated?

5. How accessible is technical documentation for oversight actors (auditors, courts, regulators)?

Section 3: CoordinationAcrossActors

6. How does your institution coordinate with other actors (EMB, security agencies, ICT regulators, media councils, CSOs)?

7. What challenges arise during multi-agency coordination, especially during election periods?

Section 4: DigitalPlatform & Information integrity

8. How does your institution engage with digital platforms regarding misinformation orsynthetic media?

9. Are there formal escalation pathways (SOPs, MOUs) with platforms?

Section 5: Risk, Rights ¿^Accountability

10. What safeguards exist to protect rights (freedom of expression, privacy, civic space) when responding to digital threats?

11. What challenges arise in promoting transparency without revealing sensitive operational details?

12. What reforms or capacity investments do you think are most urgently needed?

Section 6: Closing

13. Is there anything we have not discussed that you believe is important?

APPENDIX B: Focus Group Discussion (FGD) Guide

FGD Theme Citizen Trust, DigitalGovernance&Elections

Warm-Up

1. How do you usually receive information about elections or governance issues?

2. Which digital platforms do you use most?

Core Questions

3. What types of digital misinformation have you encountered?

4. How confident are you that official election technologies work as intended?

5. What factors increase or reduce yourtrust in digital systems used by government?

6. How do you verify claims you see online?

7. What communication channels do you find most trustworthy?

Closing

8. What should government do to improve public confidence in digital systems?

APPENDIX C: Survey Questionnaire (Quantitative Instrument)

Section A: Demographics

• Age

• Gender

• Province/District

• Education Level

• Occupation

• Digital Access (smartphone, data plan, internet regularity)

Section B: Information Ecosystem Exposure

Rate the following on a 5-point Likert scale (Strongly Agree ^ Strongly Disagree):

1. I frequently encounter unverified information online.

2. I have seen misleading content related to elections.

3. I can distinguish between reliable and unreliable online sources.

Section C: Technology TrustPerception

4. I trust that biometric voter registration is secure.

5. I believe election technologies are transparent.

6. I understand how digital systems used by government operate.

Section D: Civic Space & Rights

7. I feel safe expressing political views online.

8. I am aware of my rights related to digital privacy.

9. I trust institutions to protect these rights.

Section E: InstitutionalPerformance

10. Institutions communicate clearly during digital disruptions.

11. Government provides timely clarifications during rumours.

12. Platforms respond quicklyto election-related misinformation.

APPENDIX D: Coding Framework (QualitativeAnalysis)

Level 1 Themes

1. InstitutionalCapacity

• Documentation practices

• Technical expertise

• Audit/oversight readiness

2. Coordination & Multi-Actor Governance

• EMB-Cybersecuritycoordination

• Platform liaison

• Regulatorinvolvement

• Judicial review mechanisms

3. Information Integrity

• Misinformation patterns

• Platform responsiveness

• Local-languagegaps

4. Rights & Civic Space

• Chilling effects

• Perceived surveillance

• Internetaccessconstraints

5. Documentation&Transparency

• Availability of non-sensitive summaries

• In-camera disclosures

• Public communication strategies

6. Public Trust & Legitimacy

• Citizen confidence

• Perceptionoffairness

• Impactoftimelyclarifications

Level2 Codes (Examples)

• Trustdecay

• Pre-bunks

• Incidentresponse

• Platform SLAs

• Human-rightsduediligence

• Technicaldossiergaps

• Multi-agencyfriction

APPENDIX E: Reliability Matrix (inter-Coder Reliability)

Abb. in Leseprobe nicht enthalten

APPENDIX F: Participant Information Sheet

Purpose ofthe Study

To understand institutional capacity, coordination, and public trust in digital governance systems, particularlywithin election contexts.

Voluntary Participation

Participation is completely voluntary. Participants may withdraw at any time.

Benefits & Risks

• Minimal risk

• No direct financial benefits

• Contribution to research and policy improvement

Confidentiality

All data are de-identified. No personal identifiers will be published.

APPENDIX G: Informed ConsentForm

I hereby confirm that:

• I have been informed about the purpose of the study.

• I voluntarily agree to participate.

• I understand I may withdraw at any point without consequences.

• My identity will remain confidential.

Signature:

Date:

APPENDIX H:InstitutionalPermission RequestLetter

To: Permanent Secretary / Director / Institutional Head

Subject: Request for Permission to Conduct Research

I kindly request permission to conduct research within your institution as part of my doctoral thesis on digital governance and election integrity. The research involves interviews, document review, and optional follow-up clarification.

Your cooperation will contribute to national-level governance knowledge.

Researcher Name:

Contact:

Supervisor:

APPENDIX I: Sampling Frame & Participant Matrix

Abb. in Leseprobe nicht enthalten

APPENDIX J: Document Review Checklist

Technical Documentation

• System specifications

• Vendor manuals

• Red-team reports

• Logs/drift-monitoring

• Incident-responseSOPs

Transparency Materials

• Publicexplainers

• FAQs

• Press statements

Coordination Documents

• Inter-agency MOUs

• Platform escalation agreements

• Judicial liaison protocols

Information Integrity Assets

• MILmaterials

• Pre-bunkscripts

• Broadcasting regulator guidelines

APPENDIX K: Rubric forAssessing Governance Maturity

Dimension 1: Capacity (Score 1-4)

1 = Noidentifiablecapacity

2 = Ad hoc skills

3 = Formal unitswith partial resourcing

4 = Fully institutionalised capability

Dimension 2: Documentation Discipline

1 = Minimal documentation

4 = Full lifecycle artefacts + audit trails

Dimension 3: Coordination Quality

1 = Fragmented

4 = Structured, SOP-based, rehearsed

Dimension 4: Rights Protection

1 = No safeguards

4 = Proactive rights-compatible safeguards

Dimension 5: Public TrustMechanisms

1 = Reactive comms

4 = Consistent pre-bunks + rapid clarifications

APPENDIX L: Data Analysis Protocol

1. Transcription

• Clean verbatim transcription;remove identifiers.

2. Initial Familiarisation

• Read transcripts twice before coding.

3. Coding

• Applycodebook(AppendixD).

• Allowinductive additions.

4. Theme Construction

• Identify cross-cutting patterns relating to institutional capacity, coordination, rights, information integrity, trust.

5. Triangulation

• Compare interviews, FGDs, documents, and survey.

6. Validation

• Peerdebriefing

• Membercheckswhereappropriate

7. Synthesis

• Generate analyticalmemos

• Link findings to literature and theoretical frameworks

BIOGRAPHY

Maliro Ngoma is a distinguished academic and practitioner whose multidisciplinary expertise spans computer science, and development studies, Recognized fore his. | strategic insight, global perspective, and commitment to transformative societal progress, he leverages interdisciplinary thinkin to advance education, digital innovation, and sustamable develop ment across diverse contexts

His academic journey began with a Bachelor of Education fr om the Zambian Open University, grounding him in pedagogy, curriculum development, and eduartional leadership. Motivated by a passion for technological advancement, Maliro earned a Specialist Degree in Computer Science (equivalent to a Master of Scien ce in Computer Science) from the prestigious Lomonosoy Moscoy State University in Russia, gaining advanced competencies in software engineering, systems, computational analysis, and applied digital solutions.

To deepen his engagement in policy and inclusive development, Maliro completed a Master of Arts in Development Studies from the University of Lusaka, focusing on the intersection of technology, education, and socioeconomic tranformation. He later achieved aP hD i Education Management and Administration from the Zambia! Open University, where his research explored strategic institution, al leadership, governance, policy implementation, and the digital modernization systems.

With a rare biend of technical acumen, poiicy insight, and educational expertise, Maliro Ngoma is uniquely positioned to drive meaningful change across Zambia’s development landscape and be yond. His academic versatility, global perspective: and unwavering

I commitment to lifelong learning make him a thought leader in, educational reform, digital empowerment, and sustainable deve~

[...]