Three Jurisdictions, One Quarter: What Japan, the EU, and the US Building AI Governance at Once Means

Japan made it three.

The Artificial Intelligence Basic Plan, formally issued under Article 18 of Japan’s 2025 AI Promotion Act, activated a centralized governance structure, the AI Strategic Headquarters, chaired by the Prime Minister. That’s an apex statutory body, not an advisory committee. The Prime Minister’s Office confirms the Headquarters held its inaugural meeting under Prime Minister Ishiba in September 2025. In April 2026, the Cabinet moved to advance the plan’s implementation phase. Japan now has statutory AI governance with a government body at the top of it.

That’s the third major jurisdiction to build or substantially restructure statutory AI governance since late 2023. The EU AI Act entered into force in August 2024, with tiered compliance obligations activating in phases. The US AI Executive Order framework established agency-level AI governance obligations across the federal government starting in 2023, with implementation running through 2025 and 2026. Japan’s 2025 AI Promotion Act and now its Basic AI Plan add the third structural layer.

Three frameworks. Three institutional architectures. Three different approaches to the same set of underlying problems. Here’s what compliance teams need to understand about each.

The Architecture: Who Sits at the Top

Governance structure shapes everything downstream, what gets regulated, how, and when.

Japan centralized authority in the Prime Minister’s office. The AI Strategic Headquarters is not a sector regulator or a standards body. It sits at the apex of the executive branch. That’s a design choice that signals AI is being treated as a national strategic priority, not a consumer protection or market regulation problem. The Future of Privacy Forum’s analysis characterizes the 2025 AI Promotion Act as innovation-first with a light regulatory touch, the Headquarters’ mandate reflects that emphasis.

The EU distributed AI governance across existing sectoral regulators, with the European AI Office providing coordination for general-purpose AI models. No single body sits above the others. The EU AI Act‘s enforcement structure assigns responsibility based on system type and sector, financial services AI answers to financial regulators, medical device AI answers to medical device regulators, with the AI Office and national competent authorities handling cross-cutting obligations. Distributed enforcement means more doors for compliance teams to walk through.

The US has no single federal AI regulator. The Executive Order framework assigned AI governance obligations to individual agencies, NIST for standards and risk management frameworks, sector agencies for their domains, the Office of Management and Budget for federal procurement rules. That creates a patchwork that reflects US administrative law traditions and also reflects the political difficulty of creating a new federal regulator. The result is authority spread across bodies with different mandates, different cultures, and different enforcement priorities.

The Risk Classification: What Gets Regulated

Japan’s “high-impact” designation is the key variable. The framework establishes the category, a placeholder for future oversight of frontier AI models, but the technical definition of what qualifies as “high-impact” has not been officially published. That definition process is underway; the timeline for completion has not been officially confirmed. Until it is, the “high-impact” category is a known unknown: companies building frontier models for the Japan market know the category exists but can’t yet assess whether they’re in it.

The EU’s approach is more explicit. Annex III lists specific sectors and use cases that trigger high-risk classification, employment, critical infrastructure, education, law enforcement among them. The US EO framework focuses on compute thresholds as a proxy for frontier model capability, creating obligations for models trained above 10^26 FLOP.

These are not equivalent approaches. A system that triggers high-risk classification under the EU AI Act may or may not trigger obligations under the US framework, and may or may not fall into Japan’s eventual “high-impact” category. Compliance mapping across all three requires treating each framework as a distinct analysis, not as variations on a common theme.

The Enforcement Gap: Teeth vs. Intent

This is where Japan’s framework diverges most sharply from the other two. Japan’s current framework does not appear to include monetary penalty provisions. The innovation-first design of the 2025 AI Promotion Act was deliberate, Japan’s policy community explicitly framed it as a softer entry point that prioritizes AI adoption alongside emerging governance norms. Compliance is, for now, voluntary in the sense that there are no fines attached to non-compliance.

The EU AI Act has teeth. Penalty provisions under Chapter V reach up to €35 million or 7% of global annual turnover for the most serious violations, the scale that makes compliance a board- level conversation rather than a legal team project. Those provisions are in force.

The US framework’s enforcement depends on which agency is doing the enforcing and for what type of system. There’s no equivalent of the EU’s unified penalty structure. Some agency-level AI governance rules carry meaningful enforcement authority; others are effectively guidance.

Japan’s soft enforcement won’t stay soft indefinitely. The establishment of a statutory Headquarters under the Prime Minister is infrastructure that enables harder enforcement later. The “high-impact” model category is designed to be filled with substantive obligations once the technical definition is set. The innovation-first framing gives Japan’s regulatory community the flexibility to tighten as the technology and the political environment evolve. Compliance teams treating Japan’s current softness as a permanent condition are reading the architecture wrong.

What Compliance Teams Should Do Now

The three-framework convergence creates a specific operational challenge: companies that built compliance programs around one or two of these frameworks now need to assess coverage for the third.

For Japan specifically, the near-term checklist is short but important.

First, assess Japan market exposure. If your company develops, deploys, or distributes AI systems in Japan or to Japanese customers, you’re within scope of the Basic AI Plan’s governance architecture even before the “high-impact” definition is set. Know which of your systems would be candidates for that designation based on capability profile, you don’t want to be mapping this when the definition drops.

Second, monitor the “high-impact” definition process. The AI Strategic Headquarters and the Cabinet Office are the primary sources to watch. Legal and policy teams covering Japan should be tracking this, not waiting for the definition to appear in trade press.

Third, map your existing EU and US compliance programs to Japan’s framework. The structural elements are known: a centralized apex body, a frontier model category, a voluntary compliance architecture that will evolve. Many of the documentation and governance controls you’ve built for EU or US compliance will transfer to Japan’s framework with adaptation rather than reconstruction.

The broader point: three statutory AI governance frameworks, each with distinct institutional architecture, distinct risk classification approaches, and distinct enforcement trajectories, are now running simultaneously. The compliance teams that map all three now, before the thresholds are set and the enforcement mechanisms are activated, will spend less time in reactive mode when the definitions come.