The enforcement of the AI Basic Act is significant as it represents the world’s first full-scale implementation of a national AI framework law. The EU has enacted its own AI Act and in the US, AI regulation remains fragmented, limited largely to state-level initiatives. So against this backdrop, South Korea’s move to enforce a comprehensive AI law is seen as a proactive step on the global stage.
The AI Basic Act, spearheaded by the Ministry of Science and ICT, was shaped through an extensive preparatory process. Starting in January last year, more than 80 private-sector experts formed a dedicated task force to refine the law’s subordinate regulations. The enforcement decree alone went through over 70 rounds of stakeholder consultations, but to ease the transition following the law’s rollout, the government has published five sets of guidance documents and established an AI Basic Act support desk to underscore its commitment to hands-on assistance.
Still, industry reaction has been mixed. AI remains an unfamiliar technology for many, and the introduction of a new regulatory framework has prompted sharply divergent views. Critics argue the Act is too lenient, while supporters see it as a pragmatic starting point that strikes a realistic balance with industrial needs.
To find out what IT leaders and corporate executives should prepare for, experts let their voices be heard.
What’s needed right now
Eunseong Kang, a professor of intelligent information security at Seoul Women’s University, says the structure of the AI Basic Act deserves close attention. “It’s built around sound development of AI, and establishment of a foundation for trustworthiness,” he says. “It follows a familiar Korean legislative approach that seeks to promote technological advancement and mitigate potential side effects.”
At the same time, Kang describes the Act as a law that inevitably has limitations common to technology regulation. “Most laws are, by nature, reactive,” he adds. “In the case of AI, regulation can only be introduced after the technology has raced ahead.”
Still, he’s careful to distinguish between acknowledging those limitations and questioning the need for the Act itself. Given that AI extends far beyond a mere technology, affecting life, physical safety, fundamental rights, and society at large, leaving it entirely unregulated would pose serious risks.
“In that sense, the Act occupies a middle ground between a fully proactive law and a purely reactive one,” Kang says. “It carries the inherent constraints that legislation faces in keeping pace with technological change, but it was nonetheless a law we needed. However, it’s easy to misread the Act as either too lax or overly restrictive. Rather than imposing heavy sanctions from the outset, it should be seen as a law that first establishes a minimum framework for managing AI as a society.”
Open to interpretation
Kang also highlights a clear gap in how businesses and advocacy groups perceive the Act, especially in regard to uncertainty. “Companies are expected to determine for themselves whether they fall under its scope and what obligations apply,” he says. “This is especially confusing for organizations that don’t develop AI themselves but deploy it, so they may not even know if they’re subject to regulation at all.”
From a corporate standpoint, ambiguity revolves around criteria for high-risk AI, boundaries of gen AI, and the level of responsibility placed on AI service users. “For companies, regulatory risk ultimately boils down to ambiguity,” Kang adds. “When it’s unclear what constitutes non-compliance, firms tend to act conservatively or overreact.”
Advocacy groups, on the other hand, argue the Act is too lenient and lacks meaningful enforcement. “They tend to view AI through the lens of potential violations of fundamental rights,” he says, “which leads them to feel the current framework doesn’t provide adequate safeguards.”
As it stands, administrative fines are largely confined to violations of transparency obligations — specifically, failures to provide required disclosures. Penalties are set at about USD$3,500 and rise sharply with each additional violation.
By comparison, the EU AI Act allows for fines of up to 7% of a company’s global annual turnover or roughly USD$38 million, whichever is higher, for violations of prohibited practices. “Compared to the EU AI Act, South Korea’s AI Basic Act has a relatively narrow scope and a lower level of sanctions,” Kang says. “From that perspective, it’s understandable that advocacy groups question whether the regulation goes far enough.”
Kang also flags potential blind spots in how regulated AI systems are classified. Obligations to implement safety measures apply only when two conditions are met simultaneously: cumulative computational usage exceeding 10²⁶ FLOPs, and a significant impact on life, physical safety, public safety, or fundamental rights. The problem is this computational threshold is so high that realistically only a handful of companies or state-level projects can reach it. And because these criteria are applied conjunctively, there’s a strong concern that AI systems with tangible impacts on fundamental rights, but lower computational footprints, could slip through the regulatory net.
Despite these concerns, Kang expresses a positive view of the government’s commitment to supporting the Act’s rollout. “Publishing five detailed sets of guidelines immediately upon the law’s entry into force is something we’ve rarely seen before,” he says. “When you consider the release of high-risk AI assessment guidelines, the launch of a support desk, and the establishment of an expert advisory system, it’s clear the government is serious about making this work.”
A sound risk-based approach, but vague standards
Attorney Ted Koo highlights how the AI Basic Act adopts a risk-based approach and offers a positive assessment of its framework. “You can’t apply medical device–level regulation just because someone built a chatbot,” he says. “The idea of focusing on high-risk areas is inherently reasonable.” In a landscape where AI has become routine, blanket regulation would inevitably stifle industry growth, he says.
He also underscores the significance of principles such as AI impact assessments, explainability, and transparency obligations being written into law. Provisions that previously existed only as voluntary guidelines now carry legal force. And while endorsing the overall direction, Koo stresses the current framework reveals several limitations, like overly abstract criteria to determine what qualifies as high-risk AI.
Although the Enforcement Decree lists factors such as severity and frequency of risks posed, it remains unclear which AI systems actually fall into this category. In practice, businesses must make their own determinations, or request case-by-case confirmation from the Ministry of Science and ICT.
“Services like AI-based loan screening may end up setting standards through complaints or civil petitions,” Koo says, adding that how consistently the government maintains its criteria during the early stages of implementation will be crucial. Sectors with outsized social impact, such as finance, recruitment, healthcare, and education, will also inevitably draw heightened scrutiny, and he urges relevant stakeholders to watch early corporate cases closely.
Koo likened this dynamic to a university admissions cutoff score, where it’s difficult to know in advance whether you’ve crossed the line, and early decisions may become the benchmark for all future judgments.
Another limitation he sees is a blurred line between self-regulation and legal obligation. While operators of high-risk AI systems are required to conduct impact assessments, either internally or through third parties, there’s no direct government evaluation or prior approval process. As a result, provisions that are formally mandatory may function in practice more like self-assessments, with compliance potentially reduced to filing reports that assert appropriate management is in place.
Plus, there are concerns about alignment with the global regulatory landscape. As major jurisdictions such as the EU, the US, and China establish distinct AI regulatory frameworks, Korean companies are increasingly forced to navigate different national rules on their own. While global enterprises may simply align with the strictest standards, SMEs and startups face a far heavier burden in interpreting and complying with multiple legal regimes.
Koo then says preparation for next-gen tech remains insufficient. The current AI Basic Act is designed around technologies already in commercial use, but next-stage developments like physical AI and AGI already loom. “Given the pace of change, it’s hard to rule out the possibility that the law itself could become outdated sooner than expected,” Koo says.
A readiness checklist, not just regulation
So how does the AI Basic Act look from an industry perspective? Gartner senior executive partner Youn Choi says it’s a law that emphasizes guidance and preparedness over punishment. “While the EU AI Act is closer to an enforcement-driven regime centered on sanctions and penalties, Korea’s AI Basic Act places greater weight on guidance and readiness,” he says. “It’s a law positioned at the starting line rather than a finished product.”
In practice, the Korean law adopts a relatively moderate structure built around administrative fines, and the government plans to operate a one-year grace period during the early phase of implementation.
That said, this doesn’t mean companies can afford to be complacent. Choi identifies four key areas that enterprises should begin assessing now: data quality, data governance, security, and data pipelines.
“Over the long term, companies that internalize the standards early will gain a competitive edge over those that merely try to avoid regulation,” he says. “The AI Basic Act is closer to a questionnaire asking companies how prepared they really are.”
More specifically, he advises companies to focus on ensuring transparency and explainability. “If proper logging and traceability are in place so companies can explain how models were trained and how outputs were generated, issues can be verified through audits when problems arise,” Choi says. “It’s equally fundamental to apply masking or de-identification to prevent personal data from being exposed during training, and to manage fairness and bias so AI systems don’t disadvantage particular groups.”
He adds that companies using gen AI in particular shouldn’t take labeling and disclosure obligations lightly. Clearly indicating content generated by AI through watermarks or metadata isn’t just a legal requirement, but a factor directly tied to corporate trust and brand reputation.
“When GDPR was first introduced, many companies dismissed it as excessive regulation, but it ultimately became a catalyst to raise data management maturity,” Choi says. “There’s a strong possibility the AI Basic Act will follow a similar trajectory.” Companies that already have robust data governance and security frameworks, he adds, will face lower compliance costs and be better positioned to adapt.
“In the end, it’s not the companies trying to dodge AI regulation but those that internalize the standards early that will gain a lasting competitive edge,” he says. “The AI Basic Act is essentially a prompt asking companies how ready they are.”
From ownership to action
Analysts and legal professionals say the starting point for responding to the AI Basic Act is to designate an internal lead responsible for overall compliance, ideally at the executive level.
“Just as companies have executives responsible for information security, AI also requires an executive who oversees overall quality and governance,” says Choi. “But it’s not realistic for a single individual to shoulder all these responsibilities.”
In practice, many functions implicated by the AI Basic Act, like data quality management, access controls, personal data protection, and log management, are already things companies do to some degree. Choi says that because AI ultimately runs on data, the key question is whether existing data governance is functioning properly. “The transparency and explainability required by the AI Basic Act will be ultimately determined by the maturity of a company’s data management,” he adds.
So Choi recommends building a structure that brings together multiple stakeholders. The key isn’t creating a new organization but connecting existing ones and aligning decision-making processes. If the CIO, security, legal, and data teams remain siloed, responding effectively to the AI Basic Act will be difficult.
“The Act isn’t a signal to start AI over from scratch,” Choi says. “It’s closer to a message asking companies to review what they’ve already been doing in data, security, and governance, but this time through an AI lens.” Framing it this way, he adds, can help companies avoid perceiving compliance as an excessive burden in terms of headcount or organizational restructuring.
More concretely, Choi proposes forming a steering committee involving senior leaders such as the CEO, CFO, CIO, and heads of legal. Such a structure is necessary, he says, to assess business risks and opportunities, impacts on customers and partners, and potential effects on brand reputation.
Kang shares a similar view, saying the team leading AI Basic Act compliance may differ depending on a company’s size and structure. For companies that develop AI directly, the development or AI-dedicated teams may take the lead, while firms with strong regulatory experience may rely on legal or compliance departments. In practice, however, Kang says the requirements of the Act — safety, reliability, and regulatory compliance — significantly overlap with the responsibilities traditionally handled by security and information protection teams, making it likely that security organizations will serve as the primary operational point of contact in many companies.
“The important issue isn’t which department takes the lead,” Kang says, “but whether development, security, and legal teams are organically connected and able to explain how AI systems operate and where responsibility lies.” He adds that responding to the Act should be viewed not as a task for a single department, but as an exercise in coordinating roles across existing teams.
“The AI Basic Act may look like a set of principles today,” Kang says. “But if disputes or incidents arise down the road, explainability could become a key benchmark for determining corporate liability.”
He puts particular emphasis on internal preparedness. “The duty to explain can’t be satisfied by posting boilerplate language on a website,” he says. “From the development stage onward, teams must be able to articulate in their own words what criteria and logic their AI uses to reach decisions.” Even if those explanations aren’t technically perfect, companies need a framework that can reasonably describe how decisions are made.
Koo also emphasizes that response strategies should vary by company size. “Large enterprises are more likely to already have a baseline level of preparedness,” he says. “But startups need to begin building these systems now.” While obligations such as labeling and disclosure can often be addressed through relatively simple technical measures, Koo says impact assessments and safety assurance are difficult to implement without proper internal governance.
So Koo recommends taking a proactive stance. “Rather than leaving matters ambiguous, companies, especially those operating AI systems in biometrics, recruitment, credit evaluation, healthcare, or education, should consider requesting confirmation from the Ministry of Science and ICT in advance,” he says. “The government is required to respond within 30 days, and if companies simply assume it doesn’t apply to them and move on, they may find themselves without enough time to respond when issues actually arise.”
Read More from This Article: What IT leaders need to know about the world’s first national AI law
Source: News