Japan's AI Governance: What Foreign Companies Must Know About the AI Promotion Act (2026)

Part of our guide to Japan’s cybersecurity and technology regulation. For the data-protection foundation that underpins it, see Japan’s Cybersecurity Laws & Guidelines.

If you are deploying AI in Japan and waiting to find the “Japan AI Act” with its risk tiers and fines, stop waiting — that is not how Japan did it. In 2025 Japan passed its first AI law, and it deliberately contains no penalties at all. For foreign companies trained on the EU AI Act, this is genuinely disorienting: it looks like there are no rules. There are — they are just a different shape.

I work in information security inside a Japanese enterprise (CISSP, CCSP, and a Registered Information Security Specialist in Japan). This is the map of Japan’s AI governance I give foreign teams before they either over-comply to an EU template or under-comply to a Japanese one.

Japan’s AI Promotion Act (2025)

The headline instrument is the Act on the Promotion of Research and Development and Utilization of AI-Related Technologies — the “AI Promotion Act.” It passed Japan’s Diet on 28 May 2025, with most provisions effective 4 June 2025 and the remainder by September, and came into full effect in late 2025 (White & Case).

Three facts define it:

• It is a fundamental law — it sets high-level principles and national policy direction, not prescriptive rules for private actors.
• It imposes no direct fines or penalties. Where the government acts, it may issue advice, request information, or publicly disclose non-compliance (FPF).
• It is innovation-first: the explicit aim is to promote R&D and adoption while building the capacity to respond to risks later, through a whole-of-government AI Strategy Headquarters led by an AI Minister.

In other words, the Act is a direction-setter and an enabler, not a rulebook. Its teeth, for now, are reputational and the option it creates to legislate harder later.

The soft-law stack: guidelines and the Safety Institute

Because the Act itself is thin on specifics, the operational expectations live in soft law:

• The AI Guidelines for Business, issued jointly by METI and the Ministry of Internal Affairs and Communications (MIC) — currently v1.1 (March 2025). These set out expected governance practices and are treated as a comply-or-explain standard when you deal with customers, partners, and regulators (IBA).
• The Japan AI Safety Institute (J-AISI), established in February 2024 by ten ministries and five government-affiliated organizations. It runs safety research and evaluation, develops standards, and coordinates internationally — notably with the US AI Safety Institute and NIST, and through the Hiroshima AI Process (J-AISI). J-AISI co-hosts the study group behind the AI Guidelines for Business with METI.

The pattern should feel familiar from the rest of Japan’s regulatory style: a light statutory frame, with the real expectations expressed as guidelines that are technically voluntary but functionally the baseline.

Who governs AI in Japan

There is no single “AI regulator.” Responsibility is distributed:

The last two rows are the ones foreign teams forget: Japan’s soft AI law sits on top of its existing binding laws, which do the actual enforcing.

Japan vs the EU AI Act vs the US

This is the comparison that orients most foreign teams fastest:

Japan and the US sit closer together (principles and frameworks); the EU is the outlier with hard, risk-tiered law (Bird & Bird). If your AI governance program is built to the EU AI Act, you are over-built for Japan’s AI law specifically — but not for the Japanese laws underneath it.

What “soft law” actually means for foreign companies

Here is the trap, and I want to be blunt about it: soft law is not the absence of obligation. Three things remain true in Japan regardless of the AI Promotion Act’s missing penalties:

1. The APPI still binds. An AI system that processes personal data of people in Japan is squarely inside the APPI — including its breach-notification clocks and cross-border transfer rules. The AI law’s leniency does not touch this.
2. Comply-or-explain is a real bar. The AI Guidelines for Business are the standard your Japanese customers, partners, and regulators will measure you against. “We follow our global policy” is an answer; “we do nothing because there’s no penalty” is not.
3. Reputational and disclosure risk is the enforcement. Public disclosure of non-compliance, in a market where trust and relationships carry enormous weight, is not a soft consequence.

My practitioner’s read: treat Japan’s AI governance as governance you must be able to evidence, not compliance you can be fined for. Document your AI risk practices against the AI Guidelines for Business, keep your APPI obligations airtight, and you will satisfy both the soft expectation and the hard law beneath it.

For the deeper, system-level risks of the AI you deploy under this regime, see the spokes:

• Generative AI Security for Enterprises: Prompt Injection, Data Leakage & Controls
• Governing AI Agents: Least Privilege for Autonomous AI

References

• Japan’s first AI legislation becomes law — focus on promoting R&D; no monetary penalties (White & Case, confirmed 2026-06-11)
• Understanding Japan’s AI Promotion Act: An “Innovation-First” Blueprint (Future of Privacy Forum, confirmed 2026-06-11)
• Japan’s emerging framework for responsible AI: legislation, guidelines and guidance (International Bar Association, confirmed 2026-06-11)
• Japan AI Safety Institute (J-AISI) (J-AISI official, confirmed 2026-06-11)
• Japan’s new AI Act: innovation-first vs the EU’s comprehensive risk framework (Bird & Bird, confirmed 2026-06-11)
• Act on Promotion of R&D and Utilization of AI-Related Technology now in full effect (Government of Japan, confirmed 2026-06-11)