AI 시대 사이버 리스크 거버넌스와 이사의 감시의무: 금융권 ‘책무구조도’의 일반 기업 확장 논의를 중심으로

With the acceleration of the 4th Industrial Revolution and digital transformation, artificial intelligence (AI) and cybersecurity risks have transcended the realm of tactical IT management to become ‘Mission Critical Risks’ that determine a corporation’s survival. Recent South Korean Supreme Court precedents (e.g., Union Steel and Daewoo E&C cases) have strengthened the standard for a director’s duty of oversight, shifting it toward a ‘System-Based Liability’ that requires the proactive establishment and operation of reasonable internal control systems. Notably, the 2025 amendment to the Commercial Code expanded the director’s duty of loyalty to include both the ‘company and its shareholders,’ creating a legal environment where failures in cyber risk management can directly result in breaches of shareholder interests. However, unlike the financial sector, general enterprises face intensified legal uncertainty and regulatory asymmetry due to the absence of explicit statutory provisions regarding internal control obligations. To effectively reconstruct the duty of oversight in the AI and cyber risk environment, this study conducts a comparative analysis of regulatory models in the U.S., EU, U.K., Singapore, and Japan. The analysis confirms that while the U.S. emphasizes market discipline through case law and disclosure, the EU adopts mandatory norms including individual sanctions on management, and the U.K. and Singapore utilize the ‘Responsibility Map’ system to clearly allocate accountability among senior executives. Based on these findings, this study proposes a ‘Korean Hybrid Governance Model’ for the AI-era cyber compliance framework. From a legislative perspective, the obligation to establish internal control systems should be codified in the Commercial Code. In terms of policy, the ‘Responsibility Map’ currently implemented in the financial sector should be expanded to non-financial enterprises providing core national services, such as data center operators and large-scale platforms, to structuralize the accountability of executives including the CISO, CPO, and CAIO. Judicially, the study suggests clarifying the criteria for ‘Procedural Immunity’ (derived from the Business Judgment Rule) to exempt directors from liability for consequential failures if they have followed reasonable procedures, such as consulting experts and conducting regular risk assessments, thereby harmonizing corporate innovation with legal stability. This research is significant in that it integrates the legal principles of internal control from the financial sector into the risk management of general tech enterprises, incorporating AI technology risks into the core agenda of corporate governance and presenting legislative alternatives for an effective risk management system.