1.

Obligation to Secure Transparency

With respect to the obligation to secure transparency, Article 31 of the AI Basic Act stipulates the obligation to (i) notify users in advance that certain operations use generative or high-impact AI (Paragraph (1), “advance notice obligation”), (ii) label that certain outputs were produced by generative AI (Paragraph (2), “output labeling obligation”), and (iii) notify and label deepfake outputs (Paragraph 3). However, unlike the Draft, the Bill exempts the output labeling obligation when an AI business operator has fulfilled its obligation to notify and label deepfake outputs. The specific methods for implementing the obligation to secure transparency are provided in Article 22 of the Enforcement Decree and the Transparency Guidelines, and regarding the output labeling obligation, the guidelines require particular attention as the specific method of labeling is provided in detail for each content type (i.e., image, video, audio and text).

Since the obligation to secure transparency is imposed on AI business operators that ultimately provide AI products or services to users, AI developers that directly provide AI products or services to users may also be subject to the same requirements.

However, as an exception, the obligation to secure transparency will not apply if (i) it is apparent that certain operations are based on high-impact or generative AI, or (ii) AI is used only for internal business purposes. It should be noted that to satisfy requirement (i) mentioned above, simply indicating the use of AI in the name of the product/service is not enough, as users should be able to clearly identify “which part” of the product/service uses generative AI.
 

2.

Determination of High-Impact AI

The AI Basic Act defines “high-impact AI” as “AI systems that may have a significant effect on, or pose risks to, human life, physical safety or fundamental rights,” and imposes more stringent obligations on business operators that provide such AI systems.

The Determination Guidelines introduce a two-step test assessment for classifying high-impact AI: (i) First, in order to be classified as high-impact AI, the AI system should be utilized in one of the sectors specified in each Item of Article 2, Subparagraph 4 of the AI Basic Act (i.e., energy, drinking water, healthcare, medical devices, nuclear energy, biometrics, employment, credit evaluation, transportation, public services, student evaluation, etc.); and (ii) next, in order to be classified as high-impact AI, the AI system should have a significant impact, or pose risks to, human life, physical safety or fundamental rights. The assessment of the impact or risks of the system should focus on negative impacts or risks and take into account the AI system’s intended purpose, function and context of use. Further, not only the direct users of the AI system but also those that are indirectly affected are taken into consideration.

Since high-impact AI is subject to various statutory obligations, it is necessary to thoroughly review whether an AI system will be classified as high-impact AI at the initial planning stage. As the Determination Guidelines set out sector-specific “high-impact evaluation criteria,” it is important to actively utilize the guidelines to conduct a self-review and retain written records that explain the rationale for that determination. In addition, as AI business operators may request an official confirmation from the Minister of Science and ICT on whether a particular system falls within the “high-impact AI” category, they may consider using such a confirmation process strategically.
 

3.

Obligation to Ensure Safety and Reliability of High-Impact AI

Business operators that provide high-impact AI are required to establish and operate risk management plans, maintain explainability of AI systems and their training data, and implement user protection measures.

The specific details of each obligation are explained in the Responsibilities Notification and Guidelines. For example, the establishment and operation of risk management plans, which are the core of the obligation to ensure safety and reliability of High-Impact AI (the “safety and reliability obligation”), are subdivided into: (i) establishment and implementation of risk management policies (establishment of plans → identification of risks → analysis and assessment of risks → handling of risks → improvement of policies), (ii) formation of a risk management organizational system, and (iii) cooperation with relevant organizations. In addition, since the Responsibilities Notification and Guidelines provide a self-inspection checklist for the safety and reliability obligation, each business operator should use the checklist to establish an internal compliance system.

Meanwhile, in order to prevent redundant regulations, the AI Basic Act provides that a person who has implemented safety measures under other laws and regulations that are equivalent to the safety and reliability obligation will be deemed to have met such obligation, and sets out the specific standards and procedures for recognizing such measures in Annex 1 of the Bill. Below are some representative examples.
 

4.

AI Impact Assessment for High-Impact AI

Under the AI Basic Act, AI business operators that offer a product or service using high-impact AI should make efforts to conduct an impact assessment. The Impact Assessment Guidelines explain the matters to be considered at each stage of an impact assessment: (i) the pre-assessment stage, (ii) the main assessment stage, and (iii) the post-assessment stage.

During (ii) the main assessment stage, the operators must record various potential risk scenarios that may arise during actual service operations, identify the fundamental rights that may be affected in each scenario and describe the impacts on those fundamental rights in detail. The Impact Assessment Guidelines not only present examples of affected fundamental rights and example scenarios of each right, but also provide examples of how to prepare an AI impact assessment. Therefore, it is necessary to conduct an impact assessment in good faith based on such examples.
 

5.

Obligation to Ensure Safety of “High-Performance” AI

The AI Basic Act imposes an obligation to ensure safety even for high-performance AI. This reflects an intent to apply rules similar to those for high-impact AI even when high-performance AI does not formally fall within the high-impact AI category, due to its potential influence.

Accordingly, AI business operators that provide high-performance AI must establish and implement a system to identify, assess, mitigate and manage risks throughout the AI lifecycle and submit the results thereof to the MSIT.

The Safety Notification and Safety Guidelines provide specific criteria for determining high-performance AI that are subject to such obligations. An AI system is deemed as “high-performance AI” if it (i) has a computational volume threshold of 1026 FLOPs or greater, (ii) incorporates the most advanced AI technologies available in light of the latest global AI developments, and (iii) poses significant risks of broadly affecting human life, physical safety or fundamental rights.

Alongside the criteria for determining high-performance AI, the Safety Notification and Safety Guidelines also provide guidance on specific risk identification, assessment and mitigation measures, the operation of risk management systems and procedures for submitting implementation results. Thus, AI business operators should review them carefully.

Besides the AI Basic Act, each relevant government agency is creating various guidelines for AI business operators in relation to its responsible duties and laws.