Editor’s Note: This paper is part of a research project, “Countering AI Disinformation and Implications for the US-ROK Alliance,” conducted by the Stimson Center’s Korea Program and generously sponsored by the Korea Foundation. For additional papers in this series, click here. Seungmin Helen Lee is the director of Intelligent Cyber Research (ICR) and a senior engagement manager for cyber risk at Next Peak. As the Director of ICR, she leads the company’s geopolitical cyber risk offerings and engagements and oversees research on cybersecurity risks, AI, national cyber strategy, and more. As a senior engagement manger, she manages cyber risk consulting engagements from proposals to stakeholder management to deliverables. She also leads the Blue Force Tracker Initiative, recording and analyzing international technological defense assistance provided to Ukraine since the onset of the war in 2022, for Cyber Defense Assistance Collaborative (CDAC).
Previously, Helen was a 2025 #ShareTheMicInCyber Fellow with New America, researching cyber secure AI data centers. She has published pieces with Aspen Digital, CSO Online, Columbia University, The Diplomat, Stimson 38 North, Tech Policy Press, and World Politics Review. She received her Master’s in International Affairs at Columbia University’s SIPA in May 2022 and Bachelor of Arts at Columbia University’s Columbia College in May 2021. Helen is fluent in English, Korean, Spanish, Japanese, and Chinese.By Jenny Town, Senior Fellow and Director, 38 North
In an information environment where, according to a 2023 survey, more than half of South Koreans rely on YouTube as their primary news source, the spread of misinformation and disinformation has been a growing concern. Generative AI has exacerbated this problem, making content creation easier, quicker, and more compelling. This was especially evident during South Korea’s 2025 presidential election, following former president Yoon Suk Yeol’s impeachment, with the spread of false claims about the voter registration system allowing Chinese nationals to participate in the election and AI-generated photos of then-candidate Lee Jae Myung depicted as subservient to China, such as bowing to a Mao Zedong statue or wearing a face mask with a Chinese flag on it. Both narratives played on growing anti-Chinese public sentiments to influence election results and discredit the opposition candidate. The proliferation of generative AI tools has caused other social risks as well, such as the abusive language used by the iLuda chatbot in 2021, which led to its suspension within two weeks of launch, and 2024 scandal where Korean Telegram users leveraged AI to generate sexually explicit content, mostly of underage females.
South Korea’s Basic Act on the Development of Artificial Intelligence (AI) and the Establishment of Foundation for Trustworthiness (“AI Basic Act”) was the world’s first official national comprehensive AI legal framework, following the one passed by the European Union for its member states in March 2024. It went into effect on January 22, 2026, and attempts to regulate the AI industry in ways that mitigate these social risks while still fostering AI innovation. However, after a nearly 13-month preparation and development period, numerous implementation challenges remain and raise questions about the Act’s ability to achieve its goals and keep pace with a rapidly evolving technological landscape.
2025: Year of Preparation
When the ROK National Assembly passed the AI Basic Act in December 2024, the Act called for a number of lower-level laws, groups, committees, and processes to be established in advance of its implementation date of January 2026. Despite some progress made in 2025 to establish these foundations, preparations were insufficient.
For example, the Act called for the Minister of Science and ICT (MSIT) to establish, designate, or operate an AI Policy Center to support AI policy development, an AI Safety Institute (AISI) to research and analyze AI safety-related risks and cooperation, and a National AI Committee under the president to oversee AI policy development. Korea’s AISI had already been established in November 2024, prior to the signing of the bill, and progress was made in 2025 toward developing a national AI committee. The establishment of an AI Policy Center remains unaddressed.
However, the MSIT did launch the National AI Strategy Committee in September 2025 to discuss national AI policy, ministerial coordination, and implementation. The first plenary meeting discussed the direction of the Korea AI Action Plan’s implementation, the promotion plan for the National AI Computing Center to build the AI highway, the approach to lower-level legislation supporting the AI Basic Act, and the rules and procedures for the National AI Strategy Committee. The Committee held its second plenary session in February 2026 and finalized an AI action plan with 99 action tasks and 326 policy recommendations.
The MSIT also announced plans to release draft versions of Enforcement Decrees for the AI Basic Act by the end of June 2025 for public comment and alignment across companies, users, and the government. However, the MSIT missed this deadline and only released the first draft of the Enforcement Decree on September 8, 2025. That draft included 34 provisions, further detailing the Act’s tasks such as the obligation for businesses to label the use of high-impact AI or generative AI, to label generative AI-created outputs with watermarks or other labeling, and to assess the impacts on fundamental rights by high-impact AI systems’ services or products.
Despite these provisions, the definition of “high-impact AI systems” — a critical concern since 2024 — remains unclear. The decree essentially tasks MSIT to determine such systems based on the system’s extent of usage, severity and frequency of risks to fundamental rights, and the characteristics of the system’s application. Businesses deemed as utilizing high-impact AI systems are required to post on their websites their risk mitigation plans, measures for protecting users, and contact information of supervisors or managers of the relevant high-impact AI systems.
Adding to the confusion, the decree introduces a new term — “high-performance” AI — and defines it as a system with a computational capability of 10 to the power of 26 floating-point operations per second (FLOPs).1FLOPs is the unit used to quantify computing power of a computer or a processor and measures the number of floating-point calculations performed in one second. High-performance AI systems are required to have safety measures outlined in Article 32 of the Act while high-impact systems are covered in Articles 33-35 of the Act. Under this structure, AI systems could be both high-performance and high-risk, subjecting them to two sets of regulatory requirements.
The September version of the Enforcement Decree also outlined future plans. For example, the MSIT planned to finalize the Decree by December 2025 with examples of high-impact AI, further guidelines regarding criteria and responsibilities for businesses leveraging high-impact AI, further guidelines on the AI Impact Assessment, and more. As a part of these plans, the September draft mentioned a potential guidance period or regulatory grace period after the initial implementation of the AI Basic Act to limit the confusion and burden on companies.
On November 12, 2025, the mandatory 40-day legislative preview period for the Act began, and the MSIT published an updated draft of the Enforcement Decree which detailed that the enforcement grace period — a period in which fines will not be imposed — will last at least a year after implementation of the Act.
Gaps and Continuing Concerns
Despite the intentions of the AI Basic Act, it continues to draw criticism from industry for being too burdensome for Korean businesses, and from civil society groups for still providing insufficient consumer protections from AI-related risks.
Lawmakers tout that 80-90% of the AI Basic Act emphasizes industry promotion rather than restriction, and South Korea’s general emphasis on developing domestic AI and technology for national competitiveness is evident. In early 2026, South Korea announced the first Science and Technology Innovation Fund of ₩763.2 billion (US$502.8 million) aimed at supporting companies in AI, semiconductor, displays, and technology sectors. In March 2026, South Korea’s MSIT announced the 2026 Implementation Plan for the 1st Basic Plan for Fostering National Strategic Technologies (2024-2028), which includes an ₩8.6 trillion (US$5.66 billion) R&D investment to foster and secure national strategic technologies. However, despite these separate efforts to support AI and technology industries, the requirements in the AI Basic Act draw concerns about stifling domestic industry due to persistent uncertainty around the ambiguities of the Act, its one-size-fits all approach, and the short implementation timeline.
As previously mentioned, the definition of “high-impact AI systems” remains unclear despite numerous calls for clarification. Additionally, the Act applies equally to all domestic businesses, regardless of size, creating an unequal burden for small and medium-sized businesses that do not have the legal and compliance teams to meet the Act’s expectations. In December 2025, a survey conducted by Startup Alliance revealed that 98% of 101 local AI startups did not feel ready to comply with the AI Basic Act. Critics and companies emphasize that strict reporting obligations through exhaustive compliance processes, lengthy documentation, and extensive assessment can be burdensome to businesses and operations. Finally, concerns around the short implementation timeline have also been voiced since at least early 2025, with businesses calling for additional time to accommodate such revisions and at least one lawmaker proposing the implementation be delayed until January 2029. In response to this request and the fact that even the EU AI Act has faced delays in implementation despite its phased and longer enactment timeline, South Korea decided to include the regulatory grace period.
At the same time, civil society groups continue to raise alarms that the AI Basic Act does not sufficiently protect users from AI risks due to ineffective thresholds and requirements as well as a general lack of consequences and accountability and a focus on individuals.
Not only is the standard for “high-performance” AI models not yet clear, but critics also highlight that the AI Basic Act needs to be more risk and performance based and address sector-specific expertise and risks. The assessments, documentation, and reporting requirements focus on processes but give little regard to ensuring the security and safety of the resulting AI systems or outputs. South Korea’s human rights commission also warned that the decree’s lack of clarity will likely lead to regulatory gaps and loopholes.
In terms of consequences and accountability, the new regulatory grace period voids fines or consequences for noncompliance. Even before the announcement of the grace period, the Act only outlined four instances, such as the leaking of sensitive information by AI commission members or the failure of an AI company to register a domestic agent or address, which would trigger the fine of up to ₩30,000,000 (about US$20,163).
Despite the AI Basic Act and following Decrees requiring clear disclosure and labeling of deepfakes and generative AI-produced content, human rights lawyers noted that the Act does not protect individual users from AI risks such as AI-enabled impersonation or fraud. For example, in January 2026, xAI’s model, Grok, offered capabilities to turn normal photos into sexually explicit ones. The AI Basic Act would not protect victims of such AI-generated photos and would only require a watermark on the AI-generated content and fine xAI up to ₩30,000,000 (about US$20,163) for lacking the labeling.
Recommendations for Increased Effectiveness
As lower-level laws, definitions and criteria details, groups and committees, and processes associated with the AI Basic Act are being developed, there are opportunities for strengthening the Act and its effectiveness. The following three recommendations can help address some of the existing gaps.
1. Prioritize defining “high-impact AI systems”
MSIT needs to work with sector-specific ministries and organizations to adequately define “high-impact AI systems” based on use cases and their specific risks and impact. A high-impact risk created by an AI system leveraged in a news agency may be misinformation, but a high-impact risk in an AI-enabled highway or traffic light may be erroneous decision-making leading to traffic accidents. Thus, there is a need for public and private actors to make these determinations. The use case-specific approach will allow mitigation measures to be more effective.
2. Ensure alignment with existing regulations and mechanisms
South Korea has been passing additional legislation to start regulating AI-related risks as the Basic AI Act was being developed and passed. The 2024 Amendment to the Public Official Election Act banned election-related deepfakes within 90 days of an election, and the 2024 law criminalized the viewing of sexually explicit deepfakes. The 2025 amendment of the Act on Promotion of Information and Communications Network Utilization and Information Protection controversially broadens the definition of “false information,” penalizes the intentional spread of false information, and suggests that large internet platforms remove or limit false content promotions and creators. In early 2026, South Korean Prime Minister Kim Min-seok also announced that there will be zero tolerance for election-related deepfakes and disinformation ahead of the nationwide local elections in June 2026.
As lower-level laws for regulating AI risks are created, they need to refer to and align with existing legislation to avoid confusion, duplication, loopholes, and contradictions. A fragmented regulatory “patchwork” of lower-level regulations can make accountability more difficult, stifle innovation, and create inefficiencies as highlighted by the patchwork of state AI laws in the United States.
Aligning with existing legislation can also increase protection of individual users and victims as seen with the regulations around sexually explicit deepfakes. The AI Basic Act requires watermarks on AI-generated content — whether sexually explicit or not. The Sexual Violence Prevention and Victims Protection Act includes a fine of up to around ₩50,000,000 (about US$33,000) and five years in prison for creating sexually explicit deepfakes with the intention of distribution. Together, the two laws align and coordinate to encompass labeling AI-generated deepfakes, keeping creators accountable and criminalizing viewing as well.
3. Implement a phased enforcement timeline with increased penalties
The EU AI Act incorporated a phased implementation timeline by applying general-purpose AI rules in August 2025, enforcing the majority of the Act in August 2026, and implementing rules for high-risk AI in August 2027. In a similar manner, instead of extending the regulatory grace period, South Korea should begin developing a phased implementation timeline to enforce its AI Basic Act with penalties. Currently, the maximum fine from South Korea’s AI Basic Act is ₩30,000,000 (about US$20,163), which would not be meaningful to most medium to large-sized companies. In comparison, the maximum fine in the EU AI Act is EUR 35 million (US$41.1 million). South Korea’s penalties for noncompliance should be increased to create greater incentives for compliance.
In the next phase of the AI Basic Act, its effectiveness will rely on whether MSIT is able to provide more clarity and properly enforce its requirements and whether the regulatory grace period will be further extended past January 2027.

Community Adaptation for a Water Festival Without Clean Water