Who this is for: Compliance officers, legal counsel, AI system operators serving Korean markets, and GRC architects responsible for meeting South Korea's AI governance requirements.
In effect since January 22, 2026. The AI Basic Act (AI Framework Act) was passed by the National Assembly in January 2025 and took effect January 22, 2026. The Personal Information Protection Commission (PIPC) serves as the primary enforcement authority, with additional oversight from the Ministry of Science and ICT (MSIT). High-impact AI systems face mandatory impact assessments and transparency obligations. High-performance AI systems (trained with 10^26 or more FLOPs) have mandatory safety obligations. MSIT is operating at least a one-year grace period on fines and investigations through 2026, except for cases involving serious harm.
Contents
1. Overview 2. Key Obligations 3. Obligation-to-Procedure Mapping 4. Detailed Procedure Cards 5. Quick Reference 6. Quick Start 7. References
1. Overview
South Korea's AI Basic Act establishes a risk-based regulatory framework for artificial intelligence systems. The Act classifies certain AI systems as "high-impact AI" -- a designation similar in intent to the EU AI Act's high-risk category -- and imposes graduated obligations on developers and operators based on the potential societal consequences of their systems.
The framework centers on six core regulatory pillars:
- AI impact assessments for high-impact systems, documenting risks to fundamental rights, safety, and fairness before deployment
- Transparency and explainability obligations requiring disclosure of AI involvement in consequential decisions and provision of understandable explanations
- Fairness and non-discrimination requirements prohibiting algorithmic bias in areas such as employment, credit, education, and public services
- Human oversight for consequential decisions ensuring meaningful human review of automated outcomes that affect individuals' rights or interests
- Data governance and quality standards addressing training data provenance, representativeness, and ongoing quality assurance
- Incident reporting and monitoring requiring operators to detect, document, and report AI-related safety incidents to PIPC
High-impact AI includes systems used in hiring, credit scoring, criminal justice, medical diagnosis, autonomous vehicles, and critical infrastructure. Operators of these systems must conduct impact assessments and maintain records demonstrating compliance with the Act's requirements.
2. Key Obligations
| Obligation | Article | Timeline |
|---|---|---|
| High-Impact AI Classification | Art. 27-28 | Before deployment; reassess on substantial modification |
| AI Impact Assessment | Art. 29-30 | Before deploying high-impact AI; periodic reassessment required |
| Transparency Disclosure | Art. 22-23 | At point of interaction; continuous for automated decisions |
| Explainability of Decisions | Art. 24 | Upon request by affected individuals; within reasonable timeframe |
| Fairness and Non-Discrimination | Art. 25-26 | Continuous monitoring; pre-deployment bias testing |
| Human Oversight | Art. 31-32 | Continuous for high-impact AI; documented override capability |
| Data Governance | Art. 33-34 | Throughout AI lifecycle; documented training data provenance |
| Incident Reporting | Art. 40-41 | Within prescribed period after discovery; ongoing monitoring required |
3. Obligation-to-Procedure Mapping
Each obligation under the AI Basic Act maps to SWT3 witness procedures that produce cryptographically anchored evidence of compliance.
| Korean AI Act Obligation | SWT3 Procedure | What It Witnesses | Evidence Produced |
|---|---|---|---|
| Fairness and Non-Discrimination | AI-FAIR.1 | Bias detection and fairness metric attestation | Factor A: protected attribute tested, Factor B: metric result, Factor C: threshold applied |
| Human Oversight | AI-HITL.1, AI-DEL.1, AI-AUTO.3 | Human-in-the-loop verification, delegation tree provenance, autonomy level transitions | HITL.1: decision type, reviewer hash, override authority. DEL.1: scope hash, delegation depth, TTL. AUTO.3: from/to level, trigger, direction. |
| Explainability of Decisions | AI-EXPL.1 | Explanation generation and delivery | Factor A: explanation method, Factor B: confidence score, Factor C: factors cited |
| Incident Reporting | AI-AUDIT.1 | Audit log integrity verification | Factor A: log source, Factor B: integrity hash, Factor C: retention period |
| Data Governance | AI-DATA.1 | Training data provenance attestation | Factor A: dataset identifier, Factor B: provenance hash, Factor C: quality score |
| Transparency Disclosure | AI-INF.1 | Inference provenance and model identification | Factor A: model identifier, Factor B: provider, Factor C: clearing level |
| AI-Generated Content Labeling | AI-MARK.1 | Content provenance marking at generation time | Factor A: content type, Factor B: marking method, Factor C: verification status |
| AI Impact Assessment | AI-DPIA.1 | Impact assessment completion and findings | Factor A: assessment scope, Factor B: risk rating, Factor C: review authority |
| High-Impact AI Classification | AI-RISK.1 | Risk identification and categorization | Factor A: risk category, Factor B: severity, Factor C: mitigation status |
4. Detailed Procedure Cards
Impact Assessment Completion
AI Basic Act requires: Operators of high-impact AI systems must conduct impact assessments before deployment, evaluating risks to fundamental rights, safety, and fairness. Assessments must be documented and made available to PIPC upon request.
How SWT3 addresses it: The witness_dpia() call captures the assessment scope, the resulting risk rating, and the review authority who approved the assessment. Each impact assessment generates a timestamped anchor that proves the assessment was completed before the system was deployed. Factor B records the risk rating assigned, creating a longitudinal record of how risk classifications evolve across assessment cycles.
Filter the witness ledger for AI-DPIA.1 anchors. The anchor timestamp must predate the first AI-INF.1 anchor for the same model, proving the impact assessment was completed before deployment. Factor A identifies the assessment scope. Factor C identifies the approving authority. Cross-reference with AI-RISK.1 anchors to show that high-impact classification triggered the assessment.
Bias Detection and Fairness Attestation
AI Basic Act requires: AI systems must not discriminate on the basis of gender, age, disability, race, region, or other protected attributes. Operators must test for and mitigate algorithmic bias, particularly in high-impact domains such as hiring, credit, and public services.
How SWT3 addresses it: The witness_fairness() call records which protected attribute was tested, the fairness metric result (e.g., demographic parity, equalized odds), and the threshold applied. Each test produces an anchor that documents both the testing methodology and the outcome, creating an auditable record of bias monitoring over time.
AI-FAIR.1 anchors should appear at regular intervals, demonstrating continuous bias monitoring. Factor A identifies the protected attribute (e.g., gender, age). Factor B contains the metric result. Factor C shows the threshold applied. A gap in AI-FAIR.1 anchors may indicate a period without fairness testing.
Human-in-the-Loop Decision Verification
AI Basic Act requires: High-impact AI systems must provide for meaningful human oversight. Individuals affected by automated decisions have the right to request human review, and operators must maintain documented override capabilities.
How SWT3 addresses it: The witness_hitl() call records the decision type, a hash of the reviewer's identity, and the override authority level. Each human review produces an anchor that proves a qualified human examined the automated decision and had the authority to override it.
AI-HITL.1 anchors prove that human review occurred for consequential decisions. Factor A identifies the decision type (e.g., credit decision, hiring recommendation). Factor B contains a hash of the reviewer, demonstrating accountability without exposing personal data. Factor C confirms the reviewer had override authority. The ratio of AI-INF.1 to AI-HITL.1 anchors shows oversight coverage.
Explanation Generation
AI Basic Act requires: Individuals affected by AI-driven decisions have the right to receive understandable explanations of how the decision was made, including the key factors that influenced the outcome.
How SWT3 addresses it: The witness_explanation() call records the explanation method used (e.g., SHAP, LIME, counterfactual), the confidence score of the explanation, and the factors cited as influential. This creates an immutable record that explanations were generated and delivered when requested.
AI-EXPL.1 anchors demonstrate that explanation capability exists and is functioning. Factor A identifies the method (ensuring technical rigor). Factor B records confidence, showing whether the explanation is reliable. Factor C lists the factors cited, which can be cross-referenced with the actual model inputs to verify accuracy.
Training Data Provenance
AI Basic Act requires: Operators must ensure training data quality, document data provenance, and maintain records of data sources used to train or fine-tune AI systems. Data governance standards apply throughout the AI lifecycle.
How SWT3 addresses it: The witness_data_provenance() call captures the dataset identifier, a SHA-256 hash of the dataset, and a quality score derived from completeness and representativeness checks. This creates verifiable evidence that data governance processes were followed before model training.
AI-DATA.1 anchors should predate AI-INF.1 anchors for the corresponding model, proving data governance was completed before the model entered production. Factor B (provenance hash) allows verification that the training data has not been altered post-assessment. Factor C (quality score) documents the data quality standard applied.
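The examiner checks described in the procedure cards above (AI-DPIA.1 and AI-DATA.1 predating the first AI-INF.1 anchor, gaps between AI-FAIR.1 anchors, and AI-HITL.1 coverage of AI-INF.1), as an added example that is not SWT3 SDK code. The tuple export layout, the model names, and the 31-day fairness cadence are assumptions made for the illustration, and the ledger entries are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample export: (procedure, model, ISO timestamp). This tuple
# layout is an assumption for the example, not the SWT3 ledger schema.
LEDGER = [
    ("AI-RISK.1", "credit-v1", "2026-02-01T09:00:00"),
    ("AI-DATA.1", "credit-v1", "2026-02-03T09:00:00"),
    ("AI-DPIA.1", "credit-v1", "2026-02-10T09:00:00"),
    ("AI-FAIR.1", "credit-v1", "2026-03-01T08:00:00"),
    ("AI-INF.1",  "credit-v1", "2026-03-01T10:00:00"),
    ("AI-HITL.1", "credit-v1", "2026-03-01T10:05:00"),
    ("AI-INF.1",  "credit-v1", "2026-03-02T10:00:00"),
    ("AI-FAIR.1", "credit-v1", "2026-03-29T08:00:00"),
    ("AI-DATA.1", "hiring-v2", "2026-02-05T09:00:00"),
    ("AI-INF.1",  "hiring-v2", "2026-02-20T10:00:00"),
    ("AI-FAIR.1", "hiring-v2", "2026-02-20T11:00:00"),
    ("AI-DPIA.1", "hiring-v2", "2026-03-05T09:00:00"),  # after first inference
    ("AI-FAIR.1", "hiring-v2", "2026-05-15T11:00:00"),  # 84 days after previous test
]

def times(ledger, proc, model):
    """Sorted timestamps of one procedure's anchors for one model."""
    return sorted(datetime.fromisoformat(t) for p, m, t in ledger
                  if p == proc and m == model)

def predates_deployment(ledger, proc, model):
    """True if the earliest `proc` anchor is older than the first AI-INF.1 anchor."""
    deployed = times(ledger, "AI-INF.1", model)
    if not deployed:
        return True  # never served an inference: nothing to order against
    evidence = times(ledger, proc, model)
    return bool(evidence) and evidence[0] < deployed[0]

def fairness_gaps(ledger, model, max_gap):
    """Pairs of consecutive AI-FAIR.1 anchors further apart than max_gap."""
    t = times(ledger, "AI-FAIR.1", model)
    return [(a, b) for a, b in zip(t, t[1:]) if b - a > max_gap]

def audit(ledger, model, max_gap=timedelta(days=31)):  # 31 days: assumed cadence
    inf = len(times(ledger, "AI-INF.1", model))
    hitl = len(times(ledger, "AI-HITL.1", model))
    return {
        "dpia_before_deploy": predates_deployment(ledger, "AI-DPIA.1", model),
        "data_before_deploy": predates_deployment(ledger, "AI-DATA.1", model),
        "fairness_gaps": len(fairness_gaps(ledger, model, max_gap)),
        "hitl_coverage": hitl / inf if inf else None,
    }

if __name__ == "__main__":
    for model in ("credit-v1", "hiring-v2"):
        print(model, audit(LEDGER, model))
```

The gap check only compares consecutive anchors, so a model whose fairness testing stopped entirely shows no gap; compare the latest AI-FAIR.1 timestamp with the audit date as well.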
5. Quick Reference
| Examiner Question | Where to Look |
|---|---|
| Is this system classified as high-impact AI? | AI-RISK.1 anchors. Factor A identifies the risk category. Factor B shows severity. AI-DPIA.1 anchors confirm that an impact assessment followed the classification. |
| Was an impact assessment completed before deployment? | AI-DPIA.1 anchor timestamp must predate the first AI-INF.1 anchor for the same model. Factor C identifies the approving authority. |
| How do you ensure fairness and non-discrimination? | AI-FAIR.1 anchors at regular intervals. Factor A identifies the protected attribute tested. Factor B contains the metric result. Gaps indicate periods without fairness monitoring. |
| Can affected individuals obtain an explanation? | AI-EXPL.1 anchors prove explanation capability is operational. Factor A identifies the method (SHAP, LIME, counterfactual). Factor C lists the factors cited in each explanation. |
| Is there meaningful human oversight? | AI-HITL.1 anchors document each human review. Factor C confirms override authority. The ratio of AI-INF.1 to AI-HITL.1 anchors demonstrates oversight coverage for high-impact decisions. |
| What is the provenance of training data? | AI-DATA.1 anchors. Factor A identifies the dataset. Factor B (provenance hash) proves the dataset has not been modified. Factor C documents the quality standard applied. |
| How are AI incidents detected and reported? | AI-AUDIT.1 anchors prove audit logging is active. Factor B (integrity hash) demonstrates log integrity. Cross-reference anchor timestamps against incident reports submitted to PIPC. |
6. Quick Start
```bash
pip install swt3-ai

# Initialize with the NIST AI RMF profile (covers all AI Basic Act obligation areas)
swt3 init --profile nist-ai-rmf --tenant YOUR_TENANT

# Run the demo to see witness anchors generated
python -m swt3_ai.demo

# Or use TypeScript
npm install @tenova/swt3-ai
npx swt3-init --profile nist-ai-rmf
```
Full SDK documentation: sovereign.tenova.io/docs
Create a free account: sovereign.tenova.io/signup
7. References
- South Korea AI Basic Act (AI Framework Act) -- National Assembly, passed January 2025, effective January 2026
- Personal Information Protection Commission (PIPC) -- Primary enforcement authority for AI governance in South Korea
- Ministry of Science and ICT (MSIT) -- Supporting oversight role for AI innovation and governance
- SWT3 UCT Registry -- 103 AI procedures across 51 namespaces
- SWT3 Bidirectional Framework Crosswalks -- machine-readable JSON mapping 103 procedures to 28 frameworks
- EU AI Act Crosswalk -- comparable risk-based framework
- SDK Documentation -- Python, TypeScript, and 5 additional language SDKs