Japan’s AI Governance Framework Explained

Japan's AI governance picture changed materially in 2025. For years, Japan operated through what regulators and commentators called a "soft law" model: principles, guidelines, and inter-ministerial coordination rather than statute. That description is no longer accurate. The AI Promotion Act passed by the Diet on 28 May 2025 and fully in force from September 2025 is Japan's first AI-specific law, and the AI Basic Plan adopted by Cabinet on 23 December 2025 sets the country's medium-term direction. Both sit alongside the updated AI Guidelines for Business (Version 1.1, March 2025) and the Act on the Protection of Personal Information (APPI), creating a layered framework that is still innovation-first but is now anchored in legislation.

The defining characteristic of Japan's model remains its choice not to follow the EU AI Act's prescriptive, penalty-based architecture. The AI Promotion Act is a "framework law" that sets principles and creates institutional structures rather than imposing direct compliance obligations on businesses. There are no administrative fines under the Act itself. The government's main enforcement tools are investigation, advice, information requests, and a "name and shame" disclosure mechanism for serious infringements. Binding obligations on businesses come from existing sectoral laws (APPI, Copyright Act, Product Safety Act, Competition Act) and from the AI Guidelines for Business operating as a "comply or explain" standard.

The strategic context: Society 5.0 and Human-Centric AI

Japan's AI governance philosophy is anchored on two foundational concepts. Society 5.0 is Japan's vision for a "super smart society" integrating cyberspace and physical space through AI, robotics, and IoT, articulated by the Cabinet Office. Human-Centric AI, articulated in the 2019 Social Principles of Human-Centric AI, requires that AI systems respect human dignity, diversity and inclusion, and sustainability.

Both concepts shape how the AI Promotion Act and the AI Guidelines for Business are interpreted. Where the EU asks "what risks does this AI system pose, and which compliance regime applies," Japan asks "how does this AI deployment serve human well-being, and what guardrails make that work."

Key institutions

AI Strategy Headquarters (in force from 1 September 2025)

Established under the AI Promotion Act, the AI Strategy Headquarters is the central inter-ministerial body for AI policy, chaired by the Prime Minister. It held its first meeting on 13 September 2025 at the Prime Minister's Office and is responsible for drafting and updating the AI Basic Plan, coordinating cross-ministerial AI initiatives, and overseeing implementation of the Act.

Cabinet Office and CSTI

The Cabinet Office continues to coordinate national science and technology strategy through the Council for Science, Technology and Innovation (CSTI). CSTI develops strategic recommendations across emerging technologies including AI, and the AI Institutional Study Group (formed July 2024) produced the policy work that fed into the AI Promotion Act.

METI and MIC

The Ministry of Economy, Trade and Industry (METI) leads industrial AI policy and co-issues the AI Guidelines for Business. The Ministry of Internal Affairs and Communications (MIC) leads on data governance, telecommunications, and digital infrastructure aspects of AI policy and co-issues the AI Guidelines.

Personal Information Protection Commission (PPC)

The PPC enforces the APPI. Where AI deployments process personal data, the PPC's enforcement framework applies regardless of the AI Promotion Act's lighter touch.

Sector regulators

The Pharmaceuticals and Medical Devices Agency (PMDA) handles AI in medical devices. The Financial Services Agency (FSA) addresses AI in financial services. The Ministry of Land, Infrastructure, Transport and Tourism (MLIT) oversees autonomous vehicle deployment, including the Level 4 autonomous driving programme being supported in 50 regions nationwide. The AI Promotion Act explicitly preserves sectoral rule-making rather than centralising it.

The AI Promotion Act

The AI Promotion Act (full title: Act on Promotion of Research and Development and Utilization of Artificial Intelligence-Related Technologies) was submitted by Cabinet on 28 February 2025, passed by the House of Representatives on 24 April 2025, and approved by the House of Councillors on 28 May 2025. Most provisions entered into force on 4 June 2025, with the chapters establishing the AI Strategy Headquarters and the AI Basic Plan taking effect on 1 September 2025.

Structure and approach

The Act is short and abstract by design. Most provisions set out general principles for the national government, local governments, businesses, and citizens to follow, and outline the duties of the government in general terms. It does not contain detailed prescriptions, prohibitions, or penalty schedules.

The Act rests on four core principles:

AI as a strategic asset for Japan's economy, society, and national security
Promotion of industrial use across sectors
Risk mitigation through transparency and cooperation
Active contribution to international AI norms

Government authority and enforcement

Article 16 of the Act authorises the government to gather information on AI research, development, and use; analyse cases where citizen rights have been infringed by AI; conduct surveys; and provide guidance, advice, and information to research institutions, businesses, and other persons. The government can publicly disclose the names of businesses found to have caused infringements ("name and shame"), but the Act does not establish administrative fines or criminal penalties for AI-specific violations.

Following the Act's passage, both chambers of the Diet adopted a non-binding supplementary resolution urging the government to consider stronger measures against deepfakes and other harmful generative AI applications. Pressure for binding rules in specific high-risk sectors continues, particularly in healthcare, autonomous transportation, and finance.

Business obligations under the Act

The Act stipulates a duty for AI-utilising businesses to "cooperate" with national policies and initiatives. There are no penalties for non-compliance directly under the Act. In practical terms, "cooperation" means alignment with the AI Basic Plan, the AI Guidelines for Business, and the AI Utilization Guidelines (December 2025).

The AI Basic Plan (approved 23 December 2025)

The Cabinet approved the first AI Basic Plan on 23 December 2025. The Plan sets medium-term goals organised around four pillars:

Adoption of AI in government services and across the economy
Domestic AI development through investment in research, data, and computing infrastructure
Trustworthy AI through safety, security, and ethics measures
International cooperation and standard-setting

The fiscal year 2026 AI-related budget reflects these priorities, with significant allocations to AI infrastructure development, accelerated AI utilisation across government, and (smaller but defined) implementation of AI governance and societal transformation. The Cabinet Office is also leading a JPY 22 billion investment in generative AI for medical diagnostic support, signalling sectoral focus areas.

AI Guidelines for Business (Version 1.1, March 2025)

The AI Guidelines for Business, jointly issued by METI and MIC in April 2024 and updated to Version 1.1 on 28 March 2025, are the operational compliance reference for businesses. They are non-binding "soft law" but are treated as a "comply or explain" standard by regulators, customers, and international partners.

Three-tier structure

Foundational values: human dignity, diversity and inclusion, sustainability.
Ten cross-sector principles: human-centred development, education and literacy, privacy protection, security, fairness, transparency, accountability, innovation, and others.
Tools and case studies: tailored expectations for AI developers, providers, and users, with checklists and worked examples.

Role-specific expectations

The Guidelines distinguish three roles in the AI lifecycle:

AI developers: design and build AI systems. Expected to address data governance, bias mitigation, safety testing including red-teaming, documentation, and stakeholder disclosure.
AI providers: deploy and offer AI systems to users. Expected to provide transparency, monitor outputs, handle incidents, and maintain documentation through the lifecycle.
AI business users: use AI in their own operations. Expected to apply human oversight, conduct risk assessments, and align with the Guidelines' principles in deployment decisions.

A key feature of the Guidelines is the call for executive-level responsibility. Senior leadership is expected to own AI governance rather than delegate it to compliance teams.

The AI Utilization Guidelines (19 December 2025)

Pursuant to Article 13 of the AI Promotion Act, the AI Strategy Headquarters published Guidelines for Ensuring the Appropriateness of Research and Development and Utilization of AI-Related Technology (the "AI Utilization Guidelines") on 19 December 2025. They recommend a general policy for all subjects of the Act:

A risk-based approach
Active stakeholder involvement in AI governance
Holistic AI lifecycle governance addressing risks across development and deployment
Agile response to evolving AI risks

The Utilization Guidelines elaborate on practices for the government, AI business actors, and the public, and operate alongside the AI Guidelines for Business as the operational layer below the Act.

Data protection: APPI

The Act on the Protection of Personal Information (APPI) is the primary data protection law in Japan and applies to AI systems that process personal data. Recent amendments have strengthened cross-border transfer rules, breach notification requirements, and penalties for serious violations. AI deployments processing personal data must address APPI alongside any AI Promotion Act obligations. The PPC continues to issue sector-specific guidance on AI use cases including generative AI.

Where AI training uses copyrighted material, Article 30-4 of the Copyright Act provides a relatively permissive treatment of text and data mining for non-enjoyment purposes, but the boundaries of the exception in the generative AI context remain contested. The Cultural Council's Legal Subcommittee has issued a General Understanding on AI and Copyright in Japan, and pressure for amendments is growing as creative-industry concerns mount.

International cooperation: the Hiroshima AI Process

Japan's most significant international contribution to AI governance is the Hiroshima AI Process, launched during Japan's G7 Presidency in 2023. The process produced the Hiroshima Process International Guiding Principles for Organizations Developing Advanced AI Systems and a related Code of Conduct, both adopted by G7 leaders in October 2023. These outputs continue to shape OECD work on AI and have influenced both the EU AI Act's general-purpose AI rules and Japan's domestic AI Guidelines for Business.

Japan also participates in the OECD AI Principles, the Global Partnership on AI (GPAI), and the Japan AI Safety Institute (AISI) network alongside the UK and US AISIs.

A practitioner's compliance plan

Step 1: Map AI systems against the AI Guidelines for Business roles

For each AI system, determine whether your organisation acts as developer, provider, or business user (sometimes more than one), and apply the Version 1.1 expectations accordingly. Document the role determination, risk assessment, and governance approach.

Step 2: APPI compliance for personal data processing

Where AI ingests, processes, or produces personal data, ensure APPI compliance: lawful basis, purpose limitation, security measures, breach notification, and special protections for sensitive data. Update privacy notices to address AI use clearly.

Step 3: Sectoral compliance

For medical AI, address PMDA medical device requirements. For financial AI, address FSA expectations and any financial sector AI guidance. For autonomous transport, address MLIT rules. The AI Promotion Act explicitly preserves sectoral rule-making rather than overriding it.

Step 4: Build governance documentation aligned with the AI Utilization Guidelines

Develop a deployment dossier with risk logs, model cards, bias and safety testing records, user notices, feedback channels, and incident response procedures. The Guidelines treat governance as a living document, so plan to update as AI Strategy Headquarters guidance evolves.

Step 5: Track AI Strategy Headquarters output

The AI Basic Plan and follow-up guidance from the Strategy Headquarters set the practical compliance bar. Subscribe to METI, MIC, and Cabinet Office announcements, and align internal standards with each update. International alignment with ISO/IEC 42001 and the NIST AI Risk Management Framework reduces transition cost when binding rules are introduced for specific sectors.

Compliance FAQ

Does Japan now have a binding AI law?

Yes, in name, but it is a framework law rather than a prescriptive regulatory regime. The AI Promotion Act passed in May 2025 and fully in force from September 2025 establishes principles, the AI Strategy Headquarters, and the AI Basic Plan, but does not impose direct administrative fines or criminal penalties on businesses. Binding obligations come from the APPI, the Copyright Act, the Competition Act, sectoral laws, and (as a "comply or explain" benchmark) the AI Guidelines for Business.

What happens if my company does not "cooperate" with the AI Promotion Act?

The Act allows the government to investigate, request information, provide guidance, and publicly disclose the names of businesses found to have infringed citizen rights. There are no fines under the Act itself, but APPI fines, sectoral penalties, and reputational consequences can apply. The Diet's supplementary resolution on deepfakes signals appetite for stronger measures if voluntary compliance proves insufficient.

How do the AI Guidelines for Business v1.1 differ from earlier guidance?

Version 1.1 (March 2025) consolidates earlier METI and MIC guidance into a single document with a three-tier structure (foundational values, ten cross-sector principles, tools and case studies) and role-specific expectations for developers, providers, and business users. It reflects the outputs of the Hiroshima AI Process and the AI Institutional Study Group's policy work.

How does Japan's framework compare to the EU AI Act?

Japan and the EU have taken explicitly different paths. The EU AI Act is a prescriptive, risk-classified regime with detailed obligations and substantial penalties. Japan's AI Promotion Act is a framework law that promotes innovation and uses guidelines and existing sectoral law for binding effect. A multinational AI deployment serving both EU and Japanese users must comply with both regimes; the Japanese framework does not satisfy EU AI Act obligations and vice versa.

What about generative AI specifically?

Japan does not currently have a generative-AI-specific statute. Generative AI deployments are governed by the AI Promotion Act, the AI Guidelines for Business, the APPI for personal data, the Copyright Act for training data and outputs, and the Cabinet Office's policy on deepfakes following the Diet's supplementary resolution. The PPC has issued generative AI guidance for personal data handling. Expect more sector-specific rules as deepfake enforcement and copyright reform progress.

What should businesses prioritise now?

APPI compliance, alignment with the AI Guidelines for Business v1.1, sectoral rules where applicable, and a documented internal AI governance framework that maps to NIST AI RMF or ISO/IEC 42001. Track AI Strategy Headquarters announcements and the evolving AI Basic Plan.

The bottom line

Japan has moved from a fully soft-law model to a hybrid: legislated framework plus binding sectoral law plus authoritative guidelines. The AI Promotion Act, the AI Strategy Headquarters, the AI Basic Plan, and the AI Guidelines for Business v1.1 together give Japan real institutional capacity to shape both domestic AI deployment and global standards. The model remains innovation-first and does not impose EU-style penalties on businesses for AI-specific violations, but the institutional infrastructure now exists to escalate if voluntary measures prove insufficient. For businesses operating in or with Japan, the durable compliance posture is a single governance programme aligned with the AI Guidelines for Business, the APPI, sectoral rules, and an internationally recognised AI management framework. Track AI Strategy Headquarters output, watch the deepfake and copyright workstreams, and update internal standards as Japan's framework continues to develop.

Last updated: April 2026. This article is educational content and is not legal advice. Japan's AI governance framework is evolving with new guidelines from the AI Strategy Headquarters and ongoing sectoral rule-making. Consult qualified counsel before making compliance decisions.

Last updated April 25, 2026. This article is educational content and is not legal advice. Consult qualified counsel before making compliance decisions in your jurisdiction.