Aionda

2026-06-22

Japan AI Law and EU Regulatory Boundary Compared

Compares Japan's disclosure-led AI enforcement with the EU AI Act's fine-based model and highlights compliance implications.

In 2019, the OECD adopted its AI Principles. It updated them in 2024. In the same period, Japan and the EU took different paths on AI governance. The key question is where to draw the line between self-governance and legal intervention.

TL;DR

  • This matters because enforcement risk can rise without fines, unlike the EU AI Act’s fine-based structure.
  • If you operate in Japan, review risk tables, evaluation logs, and incident response approvals first.

Example: A company deploys a general-purpose model in Japan. An output harms a user. The legal text matters, but the first questions may concern logs, approvals, and response steps.

Current status

This distinction deserves care. Japan’s earlier approach was often read as closer to the OECD and NIST. The OECD AI Principles are value-centered principles. They were adopted in 2019 and updated in 2024. The NIST AI RMF supports risk management across design, development, use, and evaluation. It assumes voluntary use. Both frameworks place more weight on organizational self-governance and internal processes.

Firm conclusions should still be avoided. The reviewed materials did not confirm claims about a 2025 near-term amendment. They also did not confirm penalty plans for high-risk AI development. Based on this review, one point is supportable: Japan strengthened enforcement tools, but the law itself did not include penalty provisions.

Analysis

From a decision-making perspective, Japan’s structure looks like a compromise. It can expand intervention while avoiding an immediate fine-centered regime. One possible benefit is implementation speed. Investigations, guidance, information disclosure, and name disclosure can be added first. That can happen without fully defining risk tiers, prohibited conduct, and exceptions in detail. Startups and large enterprises may face less abrupt change than under an EU-style regime.

There is also a trade-off. Without penalties, standards may remain less clear. Questions can arise about what counts as “malicious.” Similar questions can arise about “serious incidents.” Safety expectations may also remain less defined. In that setting, companies may act more cautiously. This does not mean the law is weak. It suggests investigation and disclosure standards may be interpreted broadly. By contrast, the EU-style structure can be more burdensome. However, it can offer more predictable links between prohibited conduct and sanctions.

This difference matters in practice. Under an EU-style structure, risk-tier decisions and statutory mapping are central. Under the Japanese structure, records that can be explained later may matter more. Teams should be able to show how the model was evaluated. They should show what usage restrictions were set. They should show when incident signals were reported. They should also show who approved deployment. In some cases, operational records may become the first line of defense.

Practical application

Developers and adopting companies should fix operations before focusing only on legal wording. With generative AI, deployment context often shapes incidents. The same model can create different risks across customer support, hiring, medical consultation, and internal search. The duty to explain can also change with the use case. As a result, saying only, “We use a general-purpose model,” is unlikely to be enough.

When a service for Japanese users produces a harmful output, three records may matter first. One is a pre-deployment risk classification table. Another is pre-deployment testing records. The third is post-incident response logs. Without these records, response readiness may become the first issue. With them, a company may respond more steadily during investigations and guidance.

Checklist for Today:

  • Create a one-page risk classification table for each service, including purpose and prohibited use cases.
  • Set logging for model evaluations, prompt policies, filter adjustments, and deployment approval history.
  • Document who can stop a service during a serious incident and who handles external communications.

FAQ

Q. Should we assume Japan is moving toward a strong fine-centered model like the EU?

It is difficult to conclude that from this review. The reviewed materials support a narrower point. Japan strengthened its enforcement structure. The law itself did not include penalty provisions. That differs from the EU AI Act structure cited here.

Q. If there are no penalties, can companies respond more loosely?

That would be risky. Even without fines, investigations, guidance, information disclosure, and name disclosure can create real burdens. Reputational risk may increase. Counterparty review risk may also increase.

Q. What document should the development team prepare first?

The risk classification table and evaluation logs should come first. They should show the AI’s purpose, anticipated risks, and pre-deployment checks. After that, document the incident response procedure and approval structure.

Conclusion

Japan’s AI law is not easy to describe as either self-governance or strong regulation. It moved beyond a principles-centered framework by adding enforcement tools. It did not move directly to an EU-style fine-centered system. For companies, the immediate focus should not be only statutory wording. Operational records that can withstand investigation and disclosure may matter more in practice.
