South Korea AI Basic Act (AI Framework Act): 2026 Compliance Guide

South Korea is the second jurisdiction in the world - after the European Union - to enact a comprehensive horizontal AI statute. The National Assembly passed the Act on Promotion of Artificial Intelligence Development and Establishment of a Foundation for Trust (often translated as the "AI Basic Act" or "AI Framework Act") on December 26, 2024. President Yoon Suk-yeol's office promulgated the law on January 21, 2025, and the statutory effective date is January 22, 2026 - one year after promulgation, in line with the law's transition clause. Implementing presidential decrees and Ministry of Science and ICT (MSIT) notifications are being finalised through 2025 and into the early months of 2026.

The Korean statute is positioned as a hybrid: it borrows the risk-tiered structure familiar from the EU AI Act but stops well short of the EU's prescriptive obligation set, and it preserves significant ministerial discretion to fill in operational detail through subordinate legislation. Where the EU AI Act enumerates Annex III high-risk use cases in statute, the Korean Act defines a category of "high-impact AI" in broad statutory terms and delegates specific scoping to MSIT.

Three features make the Korean Act especially relevant for cross-border enterprises. First, the law applies to AI products and services used in Korea, including those provided by foreign developers without a Korean establishment - a Korea-effects standard that mirrors the Personal Information Protection Act (PIPA). Second, foreign businesses without a Korean place of business are required to designate a domestic representative in Korea to receive regulatory communications. Third, the Korean Act is the first national AI law to impose explicit generative-AI output marking duties as a stand-alone statutory obligation, rather than as a derivative of consumer-protection law.

Areebi is built for the operating model the Korean Act describes: identity-aware policy enforcement, content guardrails, watermarking and disclosure surfaces, audit trails, and continuous monitoring that map directly to the high-impact AI, transparency, and generative-AI marking duties the statute imposes. At Areebi, we treat the Korean Act as a first-class framework in our compliance hub - cross-mapped to the EU AI Act, NIST AI RMF, and Japan AI Guidelines - rather than as an afterthought.

The Korean AI regulatory architecture has one horizontal statute, a growing set of subordinate instruments, and a small constellation of adjacent laws and standards that supply enforcement infrastructure. Understanding which instrument applies to a given activity matters: the Basic Act is the headline rulebook, but personal data, telecommunications, and product safety overlays often govern the practical risk.

The AI Basic Act applies along three axes: the activity being regulated, the entity performing the activity, and the territorial nexus to Korea.

Regulated activities

The Act applies to the development, provision, and use of AI systems. "AI" is defined broadly as a system that performs tasks such as recognition, reasoning, learning, prediction, and decision-making at a level comparable to or exceeding human capability. The definition is intentionally technology-agnostic and captures both classical machine learning and contemporary foundation-model architectures.

Regulated entities

• AI Operators (the umbrella term in the statute): Persons engaged in development, provision, or use of AI in the course of business. The Act distinguishes between developers, providers, and users where specific obligations attach to particular activities (notably the generative AI marking duty, which sits primarily with providers).
• High-impact AI Operators: Operators whose AI systems fall within the high-impact category - subject to the most stringent obligations (Article 33).
• Foreign Operators without a Korean establishment: Required to designate a domestic representative in Korea.
• Public sector entities: Government agencies and public institutions are subject to additional restrictions, including procurement diligence duties and constraints on certain AI use cases (notably real-time biometric identification in public spaces under specific conditions).

Territorial scope

The Act applies to AI systems that are provided to or used by persons in Korea, regardless of where the developer or provider is located. This Korea-effects standard parallels PIPA's extraterritorial reach. The practical consequence for foreign technology providers: if your AI product is accessible to Korean users, the AI Basic Act applies even if your operations are entirely offshore. The Korean Act is one of the first national AI statutes to make this scope explicit, and prospects should expect MSIT to assert jurisdiction broadly in early enforcement.

Exclusions and carve-outs

• National security and defence: AI systems used for national defence and military purposes are largely outside the Act's scope, subject to separate Ministry of National Defence governance.
• Research and development: Pre-commercial R&D activities benefit from a lighter touch, although the Act encourages voluntary adoption of risk-management practices during development.
• Small enterprises: Unlike Colorado, the Korean Act does not include a categorical small-business exemption from high-impact AI duties, but the Presidential Decree is expected to include some sized-tiered obligations for smaller operators.

Article 33 of the AI Basic Act imposes the most substantive obligations on operators of high-impact AI systems. The statute defines high-impact AI as AI systems used in areas that may have a significant impact on human life, safety, or fundamental rights. The Presidential Decree will provide the operational scope, but the statutory list and accompanying legislative debate make clear that the following sectors are squarely in scope:

• Healthcare (diagnosis, treatment recommendations, medical device AI)
• Financial services (credit scoring, underwriting, fraud detection)
• Employment (hiring screens, performance evaluation, workforce decisions)
• Education (admissions, grading, learning analytics where consequential)
• Public services (welfare eligibility, immigration screening, criminal justice support)
• Energy and critical infrastructure
• Law enforcement and security applications

Article 33 obligations for high-impact AI operators

The operative duties for high-impact AI operators include:

1. Risk management: Establish and operate a risk management plan covering identification, evaluation, mitigation, and continuous monitoring of AI-related risks throughout the system lifecycle.
2. User information provision: Provide users with clear information about the high-impact AI's intended use, limitations, decision criteria where applicable, and human-review pathways.
3. Safety and reliability assurance: Implement technical and organisational measures to ensure that the AI system performs reliably and safely within its intended operating envelope.
4. Human oversight: Ensure that the AI system's decisions can be reviewed by a human where appropriate, and that high-stakes decisions are not made by the AI alone where the impact warrants human judgement.
5. Documentation: Maintain documentation sufficient to demonstrate compliance with the foregoing duties, available to MSIT on request.
6. Post-deployment monitoring: Monitor the AI system's performance after deployment for drift, anomalies, and emerging risks, and update controls accordingly.

These duties are substantively similar to the deployer and provider obligations under the EU AI Act for high-risk systems, but the Korean Act expresses them at a higher level of generality. The Presidential Decree and MSIT notifications are expected to specify what risk management documentation looks like in practice - and KAISI's published red-teaming and safety-evaluation guidance is likely to be a key reference.

Areebi mapping for Article 33

Article 31 of the AI Basic Act establishes one of the world's first explicit statutory marking duties for generative AI output. The duty has three components.

1. User notification for generative AI interactions

Where a user interacts with a generative AI system - including chatbots, conversational assistants, and AI-powered content generation tools - the provider must inform the user that the interaction is with generative AI rather than a human. The notice must be clear and conspicuous; buried disclosures or post-hoc notices are unlikely to satisfy the duty.

2. Marking of generative AI output

Generative AI providers must mark outputs in a way that makes it discernible that the output was generated or substantially edited by AI. The statutory language allows the Presidential Decree to specify technical formats; MSIT has signalled in public consultation that it will accept multiple technical approaches (visible labelling, metadata-based marking such as C2PA-compatible content credentials, cryptographic watermarking) provided that the marking achieves the underlying transparency goal.

3. Synthetic media disclosure

The Act gives particular emphasis to synthetic audio, image, and video content that could be confused with authentic human-generated material - so-called "deepfake" content. Providers must apply marking or other measures to make the synthetic nature of such content discernible to recipients. This duty intersects with Korea's election-related AI law (the 2024 amendment to the Public Official Election Act, which restricts deepfake use in campaign content) and with PIPC enforcement against the misuse of biometric data in synthetic media.

Exclusions and edge cases

• Clearly creative or fictional contexts: The marking duty applies where confusion is reasonably likely, not where the synthetic nature is contextually obvious.
• Internal use only: Outputs that are not disclosed to third parties may be excluded from the marking duty, but providers should retain the ability to apply marking if outputs leave the internal context.
• Interaction between marking and intellectual property: Marking must not be used as a substitute for copyright clearance; AI-generated content that incorporates copyrighted material remains subject to Copyright Act constraints.

Areebi mapping for Article 31

• User notification: Areebi's policy engine supports configurable in-product notices triggered by generative AI use, satisfying the clear-and-conspicuous standard.
• Output marking: Areebi applies configurable watermarking and metadata-based marking to generative AI outputs, with format options that align to C2PA and other emerging technical standards.
• Synthetic media disclosure: Areebi's content-classification pipeline identifies synthetic audio, image, and video generation events and applies the configured marking automatically.
• Audit trail: Every generative interaction emits a structured audit fact recording the marking applied, the user notified, and the output disposition - exportable as evidence for MSIT inquiries.

Foreign businesses without an establishment in Korea that provide AI products or services to Korean users are subject to the AI Basic Act and must designate a domestic representative. The requirement closely tracks the analogous provision under PIPA for cross-border data controllers.

What the domestic representative does

• Receives regulatory communications from MSIT on behalf of the foreign operator.
• Cooperates with MSIT investigations, including providing requested documentation and evidence.
• Serves as the point of contact for affected Korean users and other regulators.
• May be held administratively responsible for some compliance failures, depending on the structure of the representative agreement and the nature of the failure.

Who can serve as the domestic representative

The Presidential Decree will specify eligibility criteria. Based on the analogous PIPA model and MSIT's public consultation materials, eligible representatives are expected to include:

• Korean subsidiaries or affiliates of the foreign operator.
• Korean law firms or compliance consultancies appointed under written agreement.
• Korean nationals or permanent residents acting under written delegation.

The representative must have a Korean address and be reachable for service of process in Korean. Foreign operators should not assume that a generic global compliance contact satisfies the requirement; the representative must be locally accessible.

Foreign operator obligations beyond the representative

• High-impact AI compliance: Foreign high-impact AI operators are subject to the same Article 33 duties as domestic operators.
• Generative AI marking: Foreign generative AI providers must apply the Article 31 marking duties to outputs delivered to Korean users.
• Cooperation with investigations: Foreign operators must cooperate with MSIT investigations, including responding to information requests and submitting documentation.
• Personal data overlay: Where AI use involves personal data of Korean data subjects, PIPA's separate domestic representative requirement applies in parallel. The two representatives can be the same person but the underlying duties are separate.

For foreign technology providers, the practical implication is that early designation of a domestic representative - in advance of any MSIT inquiry - is a low-cost insurance policy. Areebi customers operating in Korea typically build the representative designation into their initial deployment plan and add the representative to the audit-trail recipient list so that regulatory correspondence is captured alongside other compliance evidence.

The AI Basic Act establishes a multi-layered enforcement architecture centred on MSIT, with technical support from KAISI and parallel jurisdictional overlap with PIPC and KCC.

MSIT enforcement powers

• On-site investigation: MSIT may conduct on-site investigations of AI operators to verify compliance with the Act, including review of risk management documentation, training data records, and operational logs.
• Information requests: MSIT may request submission of documentation, including technical specifications, risk assessments, and safety evaluation results.
• Corrective orders: Where MSIT identifies non-compliance, it may issue corrective orders requiring the operator to take specified action within a defined timeframe.
• Suspension of operations: In serious cases, MSIT may order temporary suspension of an AI system's operation pending remediation.
• Administrative fines: MSIT may impose administrative fines for breaches of the Act's substantive duties.

Penalty tiers

The headline KRW 30 million ceiling looks modest compared to EU AI Act maxima, but the practical exposure is materially larger when (a) PIPC penalties under PIPA stack on top for personal data overlap, (b) sectoral regulators (FSC, MFDS, MOEL) add domain-specific exposure, and (c) MSIT's corrective orders and suspension powers can interrupt commercial operations. The KRW 30 million figure should be read as the per-violation administrative fine ceiling, not the total exposure of a serious incident.

Korea AI Safety Institute (KAISI)

KAISI was launched on November 27, 2024, as the technical secretariat for the AI Basic Act's safety functions. KAISI sits within the Electronics and Telecommunications Research Institute (ETRI) and is led by Dr. Kim Myuhng-joo. Its remit includes:

• Publishing technical guidance on red-teaming, safety evaluation, and high-impact AI scoping.
• Conducting safety evaluations of foundation models and high-impact AI systems on request or by referral from MSIT.
• Coordinating with international AI safety institutes (the UK AISI, US AISI, Singapore Digital Trust Centre, EU AI Office) under the bilateral and multilateral AI safety agreements signed during 2024-2025.
• Supporting MSIT enforcement through technical analysis of contested cases.

For Korean and foreign operators alike, KAISI guidance is the practical specification of what "good" risk management and safety evaluation look like under Article 33. Operators that have not yet familiarised themselves with KAISI publications should treat that as a near-term action item.

PIPC parallel jurisdiction

The Personal Information Protection Commission has its own AI-relevant enforcement track under PIPA, including:

• Administrative fines up to 3% of total revenue (capped at KRW 5 billion for the most serious violations) under PIPA's general fine schedule.
• Specific enforcement under the 2023 PIPA fully-automated-decisions provisions (Article 37-2), which include transparency duties and the right to request human review.
• Cross-border data transfer enforcement against foreign generative AI operators - PIPC issued administrative fines and corrective orders against several global generative AI providers in 2024 for cross-border transfer compliance failures.

The practical implication: AI compliance in Korea is a two-regulator problem. Operators should expect parallel scrutiny from MSIT and PIPC, with sectoral regulators adding additional exposure for regulated industries. Areebi's compliance evidence packages are designed to satisfy MSIT and PIPC simultaneously, with cross-mapping to PIPA Article 37-2 fully-automated-decisions duties.

Organisations that have not yet begun Korean AI compliance work should treat the Act as effective today and work backward from the enforcement risk. The following roadmap is calibrated for organisations that already have AI in production touching Korean users.

Weeks 1-2: Inventory and Korea-nexus mapping

• Inventory all AI systems that are provided to or used by Korean users - including shadow AI tools adopted without IT approval.
• For each system, document the Korea nexus: are Korean users material to the user base, what data flows are involved, and what sectoral overlay applies (finance, healthcare, employment, public service).
• Flag any system that could plausibly fall within "high-impact AI" once the Presidential Decree scope is finalised.

Weeks 3-4: Foreign operator readiness

• Designate a domestic representative in Korea. Document the appointment in writing and ensure the representative is reachable in Korean during business hours.
• Notify the representative to the relevant MSIT registration channel as soon as the registration process opens.
• Confirm that the same or a separate representative satisfies PIPA's domestic representative requirement.

Weeks 5-6: Generative AI marking and transparency

• Deploy clear-and-conspicuous in-product notices for generative AI interactions with Korean users.
• Implement output marking (visible label, metadata-based marking, or watermarking) for generative AI outputs delivered to Korean users.
• For synthetic audio, image, and video, apply additional marking that makes the synthetic nature discernible.
• Update terms of service and privacy notices to reflect Korean disclosure expectations.

Weeks 7-9: Article 33 risk management for high-impact AI

• For each in-scope high-impact AI system, establish a written risk management plan covering identification, evaluation, mitigation, and continuous monitoring.
• Document safety and reliability assurance measures - test results, evaluation methodology, performance metrics.
• Implement human oversight pathways for high-stakes decisions.
• Align documentation with KAISI's published guidance on red-teaming and safety evaluation.

Weeks 10-12: PIPA Article 37-2 alignment and audit trail

• For AI systems that make fully automated decisions affecting Korean data subjects, satisfy PIPA Article 37-2: disclose decision criteria where applicable, provide a human-review pathway, and respond to data-subject requests within statutory timelines.
• Stand up an audit trail that captures Article 31 marking events, Article 33 risk management actions, and PIPA Article 37-2 data-subject interactions in a single evidence stream.
• Conduct a tabletop exercise simulating a coordinated MSIT/PIPC inquiry.

Ongoing: KAISI guidance tracking and Presidential Decree adoption

• Track KAISI publications and incorporate new guidance into the risk management programme.
• Adopt Presidential Decree refinements as they are finalised, particularly around high-impact AI scope and marking technical formats.
• Maintain continuous evidence collection through Areebi's compliance dashboards - not periodic snapshots. MSIT can request evidence at any time, and continuous evidence is materially easier to defend.

Organisations seeking to accelerate Korean AI Basic Act implementation can request a demo to see how Areebi automates the underlying controls that anchor Article 31, Article 33, and the PIPA Article 37-2 overlay.

The Korean AI Basic Act sits within a maturing global AI regulatory landscape. Organisations subject to the Korean Act will typically also be subject to one or more of the following frameworks, and a single evidence-based governance programme can satisfy most of the cross-overlap.

• EU AI Act: The closest structural analogue. Both laws use a risk-tiered approach with sharper obligations for higher-risk systems. The EU AI Act is more prescriptive (Annex III enumerates high-risk use cases; technical documentation requirements are detailed in Annex IV); the Korean Act is more delegating (Presidential Decree fills in scope). Organisations subject to both should design to the EU AI Act's higher specification and rely on Areebi's EU AI Act evidence packages as the spine.
• Japan AI Guidelines: Soft-law cousin. Japan opted for voluntary guidance rather than statutory obligations, but the underlying conceptual structure (Developer / Provider / Business User tiers, ten common principles, agile governance) overlaps significantly with the Korean Act's structure. The Hiroshima AI Process G7 Code of Conduct - finalised under Japan's 2023 G7 Presidency - is also voluntary but is increasingly referenced in Korean public consultation materials.
• NIST AI Risk Management Framework: US voluntary framework that supplies much of the operational vocabulary (GOVERN, MAP, MEASURE, MANAGE) that KAISI's guidance materials draw on. NIST AI RMF compliance is not a Korean safe harbour the way it is under Texas TRAIGA, but NIST-aligned governance materially reduces the effort to satisfy Article 33's risk management duty.
• ISO/IEC 42001: International AI management system standard. ISO 42001 certification is increasingly referenced by MSIT and KAISI as evidence of substantive risk management practice, and Korean operators are starting to pursue certification as a way to demonstrate Article 33 compliance.
• OECD AI Principles: Korea is an OECD member and the OECD AI Principles supply much of the cross-border principles vocabulary (human-centricity, transparency, accountability) reflected in the Korean Act.
• Singapore Model AI Governance Framework / IMDA AI Verify: Adjacent voluntary framework with technical-evaluation tooling that Korean operators can borrow for Article 33 safety evaluation.
• UK AI Safety Institute (AISI) and US AI Safety Institute (USAISI): KAISI has signed cooperation agreements with both. Foundation-model evaluations conducted under those agreements may inform Korean enforcement, and operators should expect findings to flow across institutional borders.

Smart organisations build a single, framework-agnostic AI governance programme that produces evidence packages repurposable for the Korean Act, the EU AI Act, NIST AI RMF, ISO 42001, and the Japanese Guidelines. Areebi's Compliance Hub provides cross-mapped templates for all of these frameworks.

Some elements of the Korean AI legal landscape remain fluid, and good governance practice is to track these closely:

• Final Presidential Decree: The Enforcement Decree was in public consultation as of mid-2026 and is expected to be finalised before or shortly after the Act's January 22, 2026 effective date. The Decree will materially shape the operational meaning of "high-impact AI", the technical formats for generative AI marking, and the procedural specifics of MSIT enforcement.
• KAISI technical guidance pipeline: KAISI is rapidly publishing technical guidance. The pipeline as of mid-2026 includes red-teaming methodology, foundation-model safety evaluation criteria, and high-impact AI scoping criteria. New publications are likely throughout 2026 and 2027.
• MSIT-PIPC coordination: The practical division of labour between MSIT (under the AI Basic Act) and PIPC (under PIPA) is still being worked out. Coordination protocols are expected, but the early enforcement period may see overlapping or conflicting guidance.
• Early enforcement actions: The first wave of MSIT enforcement actions will shape how the statute's broad terms are interpreted in practice. Operators should monitor MSIT announcements and KAISI advisories closely through 2026 and 2027.
• Domestic representative operationalisation: The exact registration process for foreign-operator domestic representatives is still being finalised. Foreign operators should be prepared to register promptly once the process opens.
• Effective-date interpretation: The statute's January 22, 2026 effective date corresponds to the one-year transition from promulgation on January 21, 2025. Some commentators have referenced "January 2026" generally; the specific date should be confirmed against the official Korean government gazette publication and the final text of the law.
• Future amendments: The 22nd National Assembly's term continues into 2028, and AI-related amendments to the Basic Act are possible based on early enforcement experience. Monitor MSIT and the National Assembly's bills database for updates.

For organisations that prefer not to track legislative developments themselves, Areebi maintains a compliance hub with status tracking and last-updated dates for every framework we support.