South Koreas AI Basic Act for recruiters: what changed on 22 January 2026

South Korea moved first in Asia

South Korea's Act on the Development of Artificial Intelligence and Establishment of Trust took effect on 22 January 2026. The shorter name everyone uses is the AI Basic Act. With this, Korea became the second jurisdiction after the European Union with a comprehensive horizontal AI law on the books, and the first in Asia-Pacific. For recruitment agencies placing into Korean clients or operating Korean entities, this matters.

I have spoken to several agency owners who told me Korea was on their "watch this space" list and they had not started looking at the detail. The grace period the Ministry has granted gives you a little time. It does not give you forever.

What the Act covers

The AI Basic Act applies to two categories of business. AI development business operators, which is the vendors who build AI systems. And AI utilisation business operators, which is the organisations that use those systems in their operations. A recruitment agency that uses any AI tool to source, screen, or score candidates falls into the second category by default.

The Act sits on top of Korea's existing Personal Information Protection Act, which already covers automated decision-making in some detail. The AI Basic Act adds a layer specifically about how the AI itself is governed, in addition to the data going through it. For hiring, this means you potentially have to think about both layers.

The practical translation is that if you run a Korean ATS, use a candidate matching tool that scores applicants, or have any sourcing software that uses AI to surface candidates against a role, you are an AI utilisation business operator under the Act. The threshold for being caught is low. Most agencies operating in Korea already are; they just have not labelled themselves that way yet.

High-impact AI: where the real obligations sit

The Act introduces a category called "high-impact AI". This is the equivalent of the EU's "high-risk" classification, with a different name. Operators of high-impact AI systems carry a heavier set of obligations than operators of routine AI.

The headline obligations the Ministry of Science and ICT (MSIT) has set out include four things. First, the operator must provide a meaningful explanation of the high-impact AI's outcomes to affected individuals. Second, the operator must create and deploy a user protection plan. Third, the operator must implement a mechanism for human intervention and supervision over the AI's decisions. Fourth, the operator must document the actions they have taken to secure trust and safety in the system.

Whether your specific use of AI for hiring counts as high-impact will depend on the enforcement decree and the sector-specific guidance MSIT issues over the next year. As a working assumption, if your AI is making consequential decisions about a person's employment, it would be unwise to assume it falls outside the high-impact bucket. Plan as if it does.

The one-year grace period

MSIT has publicly said it will grant subject businesses a one-year grace period before administrative fines are imposed. The grace period exists to give companies time to prepare and to give MSIT itself time to publish more detailed enforcement guidance.

That gives you until roughly January 2027 before financial penalties kick in. Two things to be careful about. First, the grace period is on the fines, not on the obligations. The duties came into force on 22 January 2026. A candidate or regulator can still complain or investigate during the grace period; the only thing you are protected from is the cash penalty. Second, MSIT has not said the grace period is universal. It applies to administrative fines under the Act; other regulators (Personal Information Protection Commission, for example) are not bound by it.

Treat the grace period as breathing room for execution, not as an extension of when the law applies. It applies now.

How Korea compares to the EU

The two regimes are similar in shape and different in detail. Both classify AI into tiers based on potential harm. Both put obligations on developers and on deployers. Both have extraterritorial reach. Both back enforcement with administrative fines.

Where they differ matters for hiring. The EU's high-risk classification list in Annex III is specific and names recruitment explicitly. Korea's high-impact category is broader and less prescribed in legislation; MSIT will fill in the detail through enforcement decrees and sector guidance over the next year. That means Korean compliance is, for now, a moving target. EU compliance is a known shape, even if it is heavy.

The other practical difference is timing. The EU's high-risk obligations under Article 6(1) do not apply until August 2027. Korea's obligations are live now, with a one-year grace period only on fines. An agency operating in both markets has more EU runway than Korean runway, even though the headlines made it look the other way around.

Who this catches outside Korea

The AI Basic Act has extraterritorial reach. If your AI system or its outputs are used inside Korea, or affect Korean nationals, the Act can apply to you regardless of where your office is. This mirrors the approach in the EU AI Act and increasingly looks like the default model for AI regulation worldwide.

For UK, EU, US, Australian and Middle East recruitment agencies that place into Korean employers, this means the question is no longer "do Korean rules apply to me?" but "which of my workflows touch Korea, and what do I need to change?" The honest answer for most agencies is: not as much as you fear, but more than nothing.

What I see agencies getting wrong

Treating Korea like Japan. Japan has the AI Promotion Act, which is much lighter touch. Korea has a horizontal law with real teeth. If you are extrapolating from your Japan compliance posture, you will be under-prepared for Korea.

Thinking the existing data protection regime covers it. Korea's Personal Information Protection Act is one of the strictest data laws in the world, and most agencies operating there already comply with it. The AI Basic Act is additive, not redundant. Compliance with one does not automatically give you compliance with the other.

Waiting for English-language guidance. MSIT publishes most detailed enforcement material in Korean first. Law firm summaries in English typically lag by three to six months. If you are serious about the Korean market, get someone on your team who can read the Korean source documents directly.

Outsourcing the whole problem to the vendor. Your vendor is responsible for their AI. You are responsible for how you use it. The Act puts obligations on both sides. Make sure the contract with your AI vendor includes a clear statement about who handles which obligation. If the contract is silent, you carry the obligation by default.

Confusing "high-impact" with "user-facing". A back-end ranking model that quietly reorders your candidate pool before a recruiter ever looks at the list is just as in-scope as a chatbot that talks to candidates directly. Visibility does not determine status. Consequence does.

Assuming the grace period covers everything. It does not. It covers administrative fines under the AI Basic Act. It does not cover candidate civil claims, complaints to the Personal Information Protection Commission, or reputational fallout if a story breaks about your AI rejecting candidates unfairly. The grace period is a narrow shield, not a blanket one.

What to do this quarter

Map your Korean exposure. Which placements involve Korean clients? Which use Korean candidate data? Which run candidates through AI tooling? You cannot prepare for the Act without an honest inventory of how much of your workflow touches Korea.

Identify the human reviewer. For any high-impact AI use, the Act expects a named human to oversee the decisions. Pick that person. Train them. Make sure they know they are the human in the loop, not the AI's rubber stamp.

Write your meaningful explanation template. If an AI tool contributes to a hiring decision in Korea, the candidate has a right to a meaningful explanation. Draft what that explanation looks like before you need it. A candidate complaint is not the time to start writing the response.

Document your trust and safety actions. The Act expects written records. Bias testing, accuracy monitoring, post-deployment review. Even informal notes count. The point is that you can show MSIT what you did. The same discipline I covered in the GDPR guide applies here. Document the process; the process is what regulators look for.

Read the rest of the series. Korea is one of seven jurisdictions covered in this guide. The full picture, including the EU AI Act, the US state patchwork, and the simpler rules in places like Ontario, is in the parent guide.