A Blueprint for AI Governance: Understanding Korea’s AI Framework Act

Introduction

On December 26, 2024, Korea’s National Assembly passed the Artificial Intelligence Framework Act (the “Act”). This marks a significant milestone in the country’s regulatory framework for artificial intelligence (“AI”) technologies. Designed to guide the development and deployment of AI, the Act comes into effect in January 2026. It is expected to lay the groundwork for AI innovation while protecting individuals and businesses in high-impact areas such as public safety and individual rights.

Previous AI regulations

Prior to the passing of the Act, AI regulation was fragmented across various sectors of the law:

GENERAL ACT ON PUBLIC ADMINISTRATION (Act 20)

•  “An administrative authority may impose a disposition using a fully-automated system (including systems in which artificial intelligence technologies are employed): Provided, That the same shall not apply to dispositions imposed at its discretion.”

PERSONAL INFORMATION PROTECTION ACT (Article 37-2)

•  “(1) If a decision (excluding an automatic disposition by an administrative authority under Article 20 of the Framework Act on Administration; hereafter in this Article referred to as “automated decision”) made by processing personal information with a completely automated system (including a system to which artificial intelligence technologies are applied) has a significant effect on his or her right or duty, a data subject shall have the right to file with the relevant personal information controller an objection against the relevant decision”

ELECTRONIC GOVERNMENT ACT (Article 18-2)

•  “(2) The Minister of the Interior and Safety may provide administrative, financial, technical, and other necessary support to help the head of an administrative agency, etc. efficiently utilize technologies, such as artificial intelligence.”

ACT ON FACILITATION OF SMART MANUFACTURING INNOVATION OF SMALL AND MEDIUM ENTERPRISES (Article 2)

•  “The term “smart manufacturing innovation” means activities for improving product development, manufacturing process, distribution management, business management practices, etc. through convergence of information and communications technology, artificial intelligence, etc. in order to enhance the manufacturing competitiveness of small and medium enterprises.”

Core Attributes of the AI Framework Act

The Act is organized into four parts: Definitions, High-impact AI, Generative AI, and AI Business Operations. The definitions outlined in the AI Framework Act are significant, as they may be applied to future amendments and revision of other statutes. The Act defines AI as “electronic implementation of human intellectual abilities such as learning, reasoning, perception, judgment, and understanding of language”. It establishes a framework that mandates all AI product and service providers to comply with its legal principles.

High-impact AI refers to AI systems that may “significantly affect or pose risks to human life, physical safety, or fundamental rights”—such as in the areas of energy, water, public health/medical, law enforcement, education, nuclear facilities, and more. Generative AI is defined as “an artificial intelligence system that generates text, sound, images, videos, and other various outputs by mimicking the structure and characteristics of the input data”, according to Article 2-1 of the Framework Act On the Promotion of Data Industry and Data Utilization. Lastly, AI business operations are defined as “industries engaged in the development, manufacturing, production, or distribution of products utilizing artificial intelligence or AI technologies or providing services related to these products.” The Act sets forth guidelines and legal obligations for businesses engaged in AI operations, ensuring both the advancement of the technology and the protection of public interests.

Obligations for AI Operators

The Act mandates the following primary obligations for AI operators:

Obligation to Secure Transparency (Article 31)

•  AI businesses must notify the users in advance, that the contents are AI-powered when providing a product or a service utilizing a High-impact AI, or a Generative AI.

•  AI businesses must indicate the fact that the product has been produced by Generative AI when providing a product or a service utilizing a Generative AI.

•  If an AI system produces outcomes such as virtual sounds, images, or videos that are difficult to distinguish from reality, the AI operator must clearly notify users that the outcomes were generated by an AI system.

* Exception: If the outcomes qualify as artistic or creative expressions, notification may be given in a manner that does not hinder their display or appreciation.

Obligation to Secure Safety (Article 32)

•  AI operators using AI systems with cumulative computational power exceeding thresholds set by Presidential Decree must implement the following measures to ensure safety:

1. Identify, assess, and mitigate risks throughout the AI lifecycle.

2. Establish a risk management system to monitor and respond to AI-related safety incidents.

•  AI operators must submit the results of these safety measures to the Minister of Science and ICT.

Obligation for High-impact AI Operators (Articles 33, 34)

•  AI operators providing AI-based products or services must review in advance whether the AI in question qualifies as High-impact AI. If necessary, they may request confirmation from the Minister of Science and ICT regarding whether the AI qualifies as high-impact.

•  (The Minister of Science and ICT may establish and distribute guidelines concerning the criteria and examples of high-impact AI.)

•  AI operators offering High-impact AI or AI-based products or services must take the following actions as specified by the Presidential Decree to ensure the safety and reliability of the High-impact AI:

1. Establishment and operation of risk management measures

2. Establishment and implementation of an explanation plan regarding the final results derived by the AI, the main criteria used in deriving the final results, and an overview of the training data used in the development and application of the AI, within technically feasible limits

3. Establishment and operation of user protection measures

4. Human management and supervision of High-impact AI

5. Preparation and storage of documents that confirm the actions taken to ensure safety and reliability

6. Other matters necessary to ensure the safety and reliability of High-impact AI, as deliberated and resolved by the committee

•  AI operators using High-impact AI to provide products or services must make efforts to assess the potential impact on human rights in advance.

AI Impact Assessment (Article 35)

•  If an AI operator provides products or services utilizing High-impact AI, they must make efforts to assess the potential impact on fundamental human rights in advance.

•  When national institutions or related parties intend to use products or services utilizing High-impact AI, they must prioritize products or services that have undergone an impact assessment.

Obligations of the Government

The Act outlines several key obligations of the government to ensure the effective application of the law in both business and public sectors:

•  Securing Specialized Personnel: The Minister of Science and ICT may train specialized personnel for AI developments and the promotion of its industry and may implement various policies to secure overseas expertise (Article 21).

•  Designation of AI Complexes: The national and local governments may promote the concentration of businesses, organizations, and institutions engaged in AI and AI technology research and development, enhancing competitiveness in the development and utilization through functional, physical, and regional integration (Article 23).

•  Certification of Safety and Reliability: The Minister of Science and ICT may support businesses, organizations, and institutions in voluntarily conducting verification and certification activities aimed at ensuring the safety and reliability of AI systems (Article 30).

•  Expansion of AI Industry Promotion Funds: The government is tasked with securing funds for basic plans and related initiatives, and national and local governments are encouraged to actively attract private investments and ensure efficient management of investment funds (Article 37).

•  Support and Standardization: The Minister is authorized to investigate domestic and international trends, support the commercialization of technologies, and research and development efforts. The Minister may also promote standardization of AI technologies, including the establishment of standards (Articles 13 and 14).

Regulatory Oversight and Sanctions

The Act requires that foreign AI operators, even without a physical presence in Korea, designate a domestic representative if their products or services impact Korean users (Article 4). Under this provision, any violations committed by the domestic representative are treated as though they were committed by the foreign operator and may be subject to penalties (Article 36). In particular, failure to notify AI usage in advance, neglecting to appoint a domestic representative, or disregarding corrective orders can result in fines of up to 30 million Korean Won (Article 43). Except for matters specified in the Basic Act, the provisions of the Framework Act on Administrative Investigations apply. If, as a result of the investigation, it is found that an AI business has violated this law, the relevant AI business may be ordered to take necessary measures (“Cease and Correct Order”) to halt or rectify the violation (Article 40, Paragraph 3).

Conclusion

The enactment of Korea’s AI Framework Act underscores a global movement toward AI regulation, particularly in areas intersecting with data privacy and public safety. For foreign businesses, compliance will not only require adherence to these new provisions but also proactive engagement with domestic advisors and regulators.

To support this transition, The Ministry of Science and ICT has established a task force to develop guidelines on the criteria, examples, and obligations of high-impact AI. Participating in the seminal task force of Korea’s AI experts is a member of Jipyong’s AI practice team dedicated to providing tailored strategic advice in relation to the AI Framework Act.

Given the multijurisdictional nature of AI governance, international businesses must remain vigilant in monitoring regulatory developments. A unified framework—similar to data privacy agreements like the EU-U.S. Data Privacy Framework (DPF)¹—may be essential in addressing the challenges posed by differing AI laws globally.

1 U.S. Department of Commerce. “EU-U.S. Data Privacy Framework Program Overview”. Given previous attempts, including the Safe Harbor Agreement (2000–2015) and Privacy Shield (2017–2020), the EU and U.S. finally established the Data Privacy Framework (DPF), which is currently in effect between the parties. This development highlights the importance of collaborative frameworks in navigating multijurisdictional challenges regarding electronically transferred data and services, such as those posed by differing AI laws globally. https://www.dataprivacyframework.gov/Program-Overview.