Japan’s AI Guidelines for Business: what it means for you

This blog post introduces the background, positioning, and overview of the AI Guidelines for Business, published in April 2024 by the Japanese government.

Background of the AI Guidelines for Business 

The AI Guidelines for Business (AI GfB) is a set of guidelines for using AI in business contexts, published by Japan’s Ministry of Internal Affairs and Communications (MIC) and the Ministry of Economy, Trade and Industry (METI). Let’s first examine the background of these guidelines.

The AI GfB was created in response to the “Interim Summary of Issues Related to AI” prepared by the AI Strategy Council on May 26, 2023 (chaired by Professor Yutaka Matsuo at The University of Tokyo).

This “Interim Summary of Issues Related to AI” report emphasized that AI developers and providers must follow laws and guidelines to address generative AI risks. It also stressed the need to consider necessary measures in areas where existing laws and guidelines are insufficient. For example, the following guidelines created by MIC and METI until then had not mentioned generative AI:

• “Draft AI Development Guidelines for International Discussions” (MIC)
• “AI Utilization Guidelines: A Practical Reference for AI Utilization” (MIC)
• “Governance Guidelines for Implementation of AI Principles Ver. 1.1” (METI)

Therefore, the AI Guidelines for Business were established to provide unified guidance on AI governance, building upon previous guidelines.

(https://www.meti.go.jp/shingikai/mono_info_service/ai_shakai_jisso/pdf/20240419_9.pdf Page 3, Figure 1）

The AI Guidelines for Business have been created based on two additional considerations beyond previously established guidelines:

First, they were developed in the context of international cooperation. The guidelines mention international initiatives such as the “Hiroshima AI Process”, incorporating a global perspective. At the same time, they acknowledge regional differences in approaches to AI and note the need to comply with local laws.

Second, the authors paid close attention to new technological trends, including generative AI. The AI GfB was created based on generative AI technology as of April 2024, but technologies related to generative AI continue to progress rapidly. As a result, the document declares that it “will be updated as a living document as needed, also in response to international discussions, with the multiple stakeholder engagement while reflecting the agile governance philosophy to continuously improve AI governance”.

As such, the AI Guidelines for Business build on past developments while addressing current risks of generative AI and remaining adaptable to future technological advancements.

Impact of the AI Guidelines for Business

Having reviewed the background of the AI Guidelines for Business, we’ll now discuss its impact on businesses.

AI Guidelines for Business as Soft Law

The AI Guidelines for Business are just “guidelines” and do not have binding force. Therefore, adopting these guidelines is optional, and there are no penalties for non-compliance. The AI Guidelines for Business are intended to function as “soft law” and are implemented through individual business contracts (such as outsourcing contracts in service development or service usage contracts) that reference the guidelines. This is in contrast to the EU AI Act, which is a “hard law” that includes specific penalties for non-compliance.

Given the nature of these guidelines, their implementation is expected to be similar to that of information security guidelines. To facilitate this, checklists and worksheets (only available in Japanese) for verifying compliance with the guidelines will also be provided by METI. However, it’s important to note that these checklists are meant to be customized for individual services, and many of the items have ambiguous judgment criteria.

Target Audience of the Guidelines

The AI Guidelines for Business target all AI-related stakeholders. This includes not only businesses developing AI services but also AI service providers and users.

The AI Guidelines for Business define three main actors in AI business activities: AI developers, AI providers, and AI business users.

(https://www.meti.go.jp/shingikai/mono_info_service/ai_shakai_jisso/pdf/20240419_9.pdf Page 5, Figure 3)

AI developers are businesses that develop AI systems. This category also includes businesses conducting AI research and development. Their specific role is defined as follows:

They develop AI models as well as algorithms and contribute to the construction of AI systems including AI models, base system, as well as I/O functions via data collection (including purchase), data preprocessing, training with data.

AI providers refer to businesses that incorporate AI systems into services and provide them to AI service providers or business operators. For example, this includes businesses providing services that incorporate existing AI systems, such as the OpenAI API. AI providers have a wide range of activities:

They verify AI systems, integrate AI systems with other systems, provide AI systems and services, offer operation support for AI business users on AI systems for normal operations, or perform the AI service operation itself. Communication with various stakeholders might be required during the provision of AI services.

AI business users refer to businesses that use AI services. Their role is stated as follows:

Their role is to use an AI system or AI service in an appropriate way intended by the AI provider, share information such as environmental changes with the AI provider, continue the normal operation, and operate the provided AI system as necessary. In addition, when nonbusiness users might be affected by AI use in some ways, AI business users are also responsible for making efforts to prevent AI from incurring unexpected disadvantages for those non-business users and maximize benefits from AI.

It might seem surprising that the guidelines extend to AI business users (excluding individual users). However, just as taxi drivers or truck drivers are expected to use vehicles appropriately for business purposes, it seems reasonable to expect appropriate use of AI in business contexts.

Separately, a category called “AI Business actors involved in advanced AI systems” is defined. This refers to all stakeholders involved with “the most advanced AI systems, including cutting-edge foundation models and generative AI systems”. Similarly to the “Common Guiding Principles”, this category includes AI developers, providers, and business users.

Overall, the AI Guidelines for Business targets a wide range of stakeholders involved in the business use of AI.

AI Governance

AI governance is defined in the AI Guidelines for Business as follows:

The design and operation of technological, organizational, and social systems by stakeholders for the purpose of managing risks posed by the use of AI at levels acceptable to stakeholders and maximizing their positive impact (benefit).

AI governance refers to the collective efforts of AI service stakeholders to keep AI service risks within acceptable limits while maximizing the benefits obtained. Therefore, it’s not just about creating an AI system or launching an AI service; effective governance requires continuous operation and evaluation after deployment.

Rather than meticulously pre-defining an AI governance system, the practice of “agile governance” that flexibly responds to market changes is considered important. As shown in the following figure, agile governance consists of a cycle of operation, evaluation, and feedback loops, including improvements to the governance system itself.

(https://www.meti.go.jp/shingikai/mono_info_service/ai_shakai_jisso/pdf/20240419_9.pdf Page 26, Figure 6)

One notable point is that the guidelines address not only the responsibilities of those who operate the systems and services but also those at the management level. It is stated that management has a significant responsibility to make AI governance an effective initiative. Therefore, if one plans to provide AI-related services as a business in Japan, the management level must also understand the AI Guidelines for Business.

Action Items Required by the AI Guidelines for Business

Key Considerations Beyond Common Guiding Principles

The action items required by the AI Guidelines for Business are summarized in the following table. Additional action items are defined for “AI Business actors involved in advanced AI systems”, which we’ll review later.

(https://www.meti.go.jp/shingikai/mono_info_service/ai_shakai_jisso/pdf/20240419_9.pdf Page 22, Table 1)

As seen in the table, the action items are divided into “common guiding principles” in Part 2 and “important matters for each AI business actor in addition to common guiding principles” in Parts 3 to 5. Common guiding principles that are important for all stakeholders are described from 10 perspectives. Additionally, items specific to AI developers, AI providers, and AI business users are described individually from the same 10 perspectives.

A brief summary is provided for each perspective:

1. Human-centric: Respect human dignity and individual rights, address the undue investigation of decision-making and misinformation, and make it a sustainable effort.
2. Safety: Ensure appropriate learning with suitable data and proper use to avoid harm to stakeholders’ lives, bodies, and property.
3. Fairness: Be careful not to discriminate unfairly against specific groups, and strive to make bias acceptable after evaluation.
4. Privacy protection: Strive for privacy protection in the development, provision, and use of AI systems.
5. Ensuring security: Strive to ensure security so that unauthorized operations do not cause unintended changes or stoppages in AI system behavior.
6. Transparency: Provide reasonable information to stakeholders to the extent necessary and technically possible while ensuring verifiability of AI services.
7. Accountability: Establish systems to fulfill de facto and legal responsibilities, taking into account the degree of risk associated with AI services.
8. Education/literacy: Provide necessary education to ensure correct understanding and proper use of AI systems.
9. Ensuring fair competition: Strive to maintain a fair competitive environment surrounding AI.
10. Innovation: Strive to contribute to the promotion of innovation in society as a whole.

It should be noted that accountability is a unique category in the AI Guidelines for Business. Accountability refers to action items related to clarifying responsibility, such as “designating responsible persons”, “clarifying who takes the responsibilities through contracts or social promises”, and “documenting and storing information on the items described”. Accountability is sometimes conflated with “explainability”, but this is organized under “6. Transparency” above.

Examining each perspective in detail would be too lengthy to include here, but overall, the descriptions are abstract, so that they are widely applicable to AI services. The descriptions regarding AI governance, in particular, allow for a wide range of interpretations.

Defining specific AI service measures requires understanding the AI Guidelines for Business and adapting them to individual service contexts.

Common Guiding Principles for AI Business actors involved in advanced AI systems

For AI Business actors involved in advanced AI systems, in addition to the previous items, the following items are strongly requested to be “complied with”. As a reminder, “advanced AI systems” refers to “the most advanced AI systems, including cutting-edge foundation models and generative AI systems”, quoting the definition from the Hiroshima AI Process.

1. Take appropriate measures throughout the development of advanced AI systems, including prior to and throughout their deployment and placement on the market, to identify, evaluate, and mitigate risks across the AI lifecycle.
2. Identify and mitigate vulnerabilities, and, where appropriate, incidents and patterns of misuse, after deployment including placement on the market.
3. Publicly report advanced AI systems’ capabilities, limitations and domains of appropriate and inappropriate use, to support ensuring sufficient transparency, thereby contributing to increase accountability
4. Work towards responsible information sharing and reporting of incidents among organizations developing advanced AI systems including with industry, governments, civil society, and academia.
5. Develop, implement and disclose AI governance and risk management policies grounded in a risk-based approach – including privacy policies, and mitigation measures, in particular for organizations developing advanced AI systems.
6. Invest in and implement robust security management, including physical security, cyber security and security measures against internal threats, throughout the AI lifecycle. 
7. Develop and deploy reliable content authentication and provenance mechanisms, where technically feasible, such as watermarking or other techniques to enable users to identify AI-generated content.
8. Prioritize research to mitigate societal, safety, and security risks and prioritize investment in effective mitigation measures.
9. Prioritize the development of advanced AI systems to address the world’s greatest challenges, notably but not limited to the climate crisis, global health, and education.
10. Advance the development of and, where appropriate, adoption of international technical standards.
11. Implement appropriate data input measures and protections for personal data and intellectual property.
12. Promote and contribute to trustworthy and responsible use of advanced AI systems.

The “Guidelines Common to AI Business actors involved in advanced AI systems” are mainly aimed at AI developers creating cutting-edge foundation models and generative AI, requiring them to pay sufficient attention and conduct evaluations during development. The Guidelines also demand the establishment of an adequate system for AI governance. AI providers and users should comply with these 12 items and others as appropriate.

Market Response

The AI Guidelines for Business were established after going through a period of public comments. To understand the market response, in this section, we will review the themes in these published comments.

While the AI Guidelines for Business are comprehensive, they are created as non-binding soft law, unlike the EU’s AI Act, and this approach is generally well-received. Public comments include participation from businesses categorized as AI developers or AI providers in the guidelines, such as Microsoft and Google, as well as organizations representing end-users, such as the Japan Association of Consumer Affairs Specialists. Although there are opposing opinions, it is noteworthy that these organizations agree with the guidelines themselves.

However, several issues have been pointed out.

Firstly, it’s noted that some measures in the AI provider guidelines may be impractical or resource-intensive for developers to implement (page 25). Addressing all points in the “Common Guidelines for AI Business actors involved in advanced AI systems” requires significant human and financial resources. This could pose a major barrier to entry for startups focusing on technological innovation and research organizations tackling new areas.

Moreover, while the approach was well-received, AI developers/providers and content creators have vastly differing stances.

For instance, some parties are concerned with significantly stricter limitations on data used for machine learning model training, “only permitting data that meet specific conditions” (page 48 of public comment). While considering such proposals is crucial for protecting creators’ rights, it requires careful deliberation. For example, if strict constraints on data usage for training are implemented solely for Japanese content, it could hinder the development of generative AI capabilities in Japanese. This illustrates the stark difference in stance between AI service developers/providers and content creators regarding data handling.

Lastly, attention should be paid to consistency with international regulations. For example, the definitions of AI and “advanced AI systems” are unique to Japan. While legal developments in other countries are currently ongoing and it may be somewhat premature to discuss consistency, having guidelines unique to Japan is not desirable for either Japanese or global businesses. Currently, references to international guidelines are provided in Appendix 9, but updates on interoperability are expected in the future.

Implementing the AI Guidelines for Business

In this section, we’ll examine the necessary actions for AI actors to implement the AI Guidelines for Business. However, there’s no need for excessive concern. The guidelines generally outline the basics required for operating machine learning services, and the recommended measures can be flexibly chosen based on the nature of each service.

We can consider both short-term actions and medium to long-term organizational initiatives. If you’re part of a team operating machine learning services, start with the “short-term actions”. For management members, legal staff, or HR personnel, focus on the “medium to long-term initiatives”.

Short-term Actions

An immediate action that can be taken in response to the AI Guidelines for Business is to fill out the “Worksheet for Considering Specific Approaches” in the appendix.

As previously mentioned, the AI GfB is soft law and lacks inherent binding force. They become effective when contracts based on these guidelines are established. For instance, when signing a service agreement, a business might request that the AI provider demonstrates compliance with the AI GfB, perhaps in the form of a checklist. By comprehensively reviewing your adherence to these guidelines using a worksheet, you can prepare for such scenarios. This proactive approach ensures you’re ready to provide evidence of compliance when required by potential clients or partners.

The more specific procedure for filling out the “Worksheet for Considering Specific Approaches” might be as follows:

1. Confirm whether your organization falls under “AI Developer”, “AI Provider”, or “AI Business User” (the following description uses “AI Developer” as an example)
2. Fill out “Appendix 7C. Worksheet for Considering Specific Approaches (Related to ‘AI business users’)” while referring to “Appendix 3. For AI Developers” in the appendix
3. Check if you fall under “AI Business actors involved in advanced AI systems”, and if so, fill out “Appendix 7C. Worksheet for Considering Specific Approaches (Related to ‘AI Business actors involved in advanced AI systems’)”
4. Fill out “Appendix 7C. Worksheet for Considering Specific Approaches (Related to Common Guidelines)” to the extent possible while referring to the main text
5. Fill out “Appendix 7C. Worksheet for Considering Specific Approaches (Related to ‘Establishment of Governance’)” to the extent possible

The teams directly operating machine learning services will likely be able to immediately start implementing the AI Guidelines for Business. In many cases, the scope that can be filled out by the machine learning team alone will probably be up to step 2, so this should be the initial goal. The common guidelines and “Building AI Governance” sections may require organizational efforts and might not be immediately completable. In that case, it’s good to fill in the parts that can clearly be filled now and identify areas that need confirmation or future action.

As a point of caution, don’t try to forcibly fill out the entire “Worksheet for Considering Specific Approaches”. Unlike typical checklists, this worksheet is designed to be customized for use. You should customize it to individual AI services.

Finally, it’s worth noting that you don’t need to adopt all the methods mentioned in “Appendix 3. For AI Developers“. Some of the methods listed as “specific techniques” in the appendix are only applicable to certain machine learning models. Choose which to adopt based on the characteristics of your machine learning system and service.

A word of caution for those outsourcing AI services or AI business users: When outsourcing development or signing contracts for AI services, it’s not appropriate to demand that service providers comply with every item in the “Worksheet for Considering Specific Approaches”. Instead, you should customize the requirements to a reasonable scope by focusing only on essential items for the contract, or by tailoring the points to fit your specific use case. This approach ensures that the compliance requirements are both relevant and manageable for all parties involved.

Also, when outsourcing AI service development or concluding a usage contract, avoid including phrases like “all ‘specific techniques’ mentioned in Appendix 3. For AI Developers must be complied with“. Each “specific technique” listed has its constraints, and it’s technically impossible to adopt all methods. Instead of specifying concrete techniques, it’s better to specify at the level of “items necessary for consideration”.

Medium to Long-term Actions

The most significant change brought about by the AI Provider Guidelines is the increased importance of legal staff, management members, and HR personnel as stakeholders in machine learning services. Legal professionals are now crucial for maintaining consistency between the guidelines and individual development contracts or terms of service. Management members play a key role in implementing and operating AI governance. HR personnel become essential in providing education for proper understanding and appropriate use of AI systems. This shift highlights the need for a more holistic, cross-functional approach to AI service development and management, involving expertise beyond just technical teams.

Legal Staff

Legal staff are required to have a deep understanding of both the AI Guidelines for Business and AI services. As the AI Guidelines for Business are soft law and become effective through individual contracts, it’s necessary to incorporate the desired AI guidelines into contractual agreements. In particular, unlike before, legal staff need to be deeply involved even if their organization is an AI business user rather than an AI developer or provider. It is recommended to document information about the AI systems used in your organization and their risks in collaboration with the machine learning team.

Furthermore, caution is necessary regarding the fluid nature of AI in high-risk operations or the use of generative AI. Global legal frameworks for these AI services are currently in development, and new technologies are rapidly evolving. It will be crucial to gather comprehensive information on related legal developments and international standards, such as ISO. This ongoing vigilance is essential to stay compliant and competitive in the fast-changing landscape of AI regulation and innovation.

Management

In the AI Guidelines for Business, management has a significant responsibility for establishing an appropriate level of AI governance. To implement effective AI governance, it’s necessary to understand and analyze the benefits and risks brought by the use of AI services provided or used for business in your company, clarify the scope of responsibility, and build a system that can provide information to appropriate stakeholders within a reasonable range. Additionally, agile governance is needed to continuously evaluate the system for AI governance and appropriately operate or redesign the system.

AI governance is not just an internal organizational effort but requires engagement across the entire value chain, including external stakeholders. Therefore, the goals of AI governance need to align with management goals, and in some cases, an organizational redesign may be necessary.

Thus, there are very complex and significant expectations placed on management regarding AI governance. Before building an AI governance system, the following actions are recommended:

1. Gain detailed information about AI services being developed or used in your company from the machine learning team
2. Receive systematic training on the background technology of AI services being developed or used in your company
3. Understand the examples of AI governance goal setting and systems mentioned in the AI Guidelines for Business

Regarding point 1, it’s better to focus on understanding the business flow, including data collection, and grasping the benefits and risks, rather than the technical details of AI services. The knowledge gained here can be used for analyzing value chains and risk chains. Compared to conventional information processing systems, AI tends to involve a wider range of stakeholders. It often takes more time than expected to grasp all related parties. Start with the machine learning team and work towards understanding all stakeholders.

Regarding point 2, as AI technologies adopted in services vary widely, gaining an accurate understanding of the technologies used in your organization is crucial for communication about AI services. Trying to manage with just hearsay knowledge can make it difficult to gather information from stakeholders including the machine learning team, making smooth decision-making impossible. It’s worth considering receiving a half-day to full-day training tailored for management on the technologies used in your organization.

Regarding point 3, by reviewing the examples in the Business Operator Guidelines, you can see that the implementation of AI governance can take various forms. While examples include large-scale organizations like the NEC Group, initiatives from startups like ABEJA are also included. It can also be seen that some set group-wide policies, while others set individual policies for each business. Thus, there are various ways to realize AI governance depending on business characteristics. Before considering initiatives for your organization, it’s worth reviewing the different ways to implement them. This can help you weigh your options more effectively.

Generally, management involvement and organizational culture are the keys to AI utilization from the context of MLOps. Additionally, now that the AI Guidelines for Business have pointed out the significant responsibility in building AI governance, it can be said that management is being asked more than ever about their skills in machine learning utilization.

HR Staff

HR staff need to provide training to ensure employees have a correct understanding on the proper use of AI.

AI and machine learning technologies, due to their underlying technical complexity, were previously technologies that only a small number of researchers and developers needed to understand. However, with the advent of generative AI that many people now utilize on a daily basis, almost all employees are now required to have AI literacy. Therefore, AI utilization and literacy education for all employees is necessary. Educational programs need to be developed not only on technical backgrounds but also on related legal systems such as personal information protection laws and copyright laws.

Training programs on AI utilization and literacy will likely require continuous revision for the foreseeable future. As mentioned several times, the landscape of AI-related legislation, international standards, and technological developments is highly dynamic, making it extremely challenging to predict the situation even a year from now. It’s crucial to regularly update these training programs based on global trends and the technologies you’ve adopted. This ongoing adaptation ensures that your team remains current with the latest AI advancements and compliance requirements in this rapidly evolving field.

Given that AI governance encompasses a wide range of activities both within and outside an organization, potentially everyone in the organization may bear some responsibility related to AI. Moreover, as the adoption of new technologies can have disruptive impacts on the market, it becomes crucial for organizations to understand the benefits and risks as AI users. Therefore, providing comprehensive training programs is essential to maximize benefits and minimize risks. These programs should aim to equip all members of the organization with the necessary knowledge and skills to navigate the complex landscape of AI implementation, ensuring that the organization can leverage AI’s potential while effectively mitigating its associated risks.

Conclusion

We’ve examined the implications of the AI Guidelines for Business on the use of AI in Japanese businesses, from short-term actions to long-term organizational initiatives. As mentioned at the beginning, these guidelines largely formalize well-known practices in MLOps rather than introducing radically new concepts, so there’s no need for excessive concern. Complying with these guidelines not only improves the quality of AI service operations but also serves as an external demonstration of your commitment to quality.

We hope that addressing these guidelines will be seen not as a cost, but as an organizational effort to enhance the quality of your AI services.

Citadel AI is trusted by world-leading organizations such as the British Standards Institution. At this critical period of time when AI standards and regulation are maturing, we believe that we can help you streamline compliance, improve AI reliability, and navigate this evolving landscape.

Contact us if you’re interested in learning more.