Shortly after midnight, the head of information systems at a Japanese manufacturer receives an alert from the AI agent monitoring the production network. The agent has detected behavior consistent with an unknown vulnerability. It proposes isolating the affected system and applying a fix. One button reads Approve.
This hypothetical scene illustrates a decision that organizations must allocate when they deploy agentic AI. Isolation could interrupt customer service. Delay could expose the business to a wider breach. The recommendation may be sound, but the person at the console must answer for the uncertainty.
Pressing Approve does not by itself make that person the legitimate decision-maker. Human involvement secures accountability only when the organization has already assigned authority, supplied usable evidence and time, defined stopping and escalation conditions, and specified the record that will survive the handoff. Without those conditions, approval becomes ratification of the system’s recommendation. A human-in-the-loop control identifies where a person appears in the process. It does not establish whether that person can make and own the judgment.
How Japan’s Second Artificial Intelligence Basic Plan reached its final form
Japan’s government moved the plan through two stages in July 2026. On July 10, the Artificial Intelligence Strategy Headquarters approved the draft at its fifth meeting. On July 14, the Cabinet adopted the final plan under Article 18(1) of Japan’s AI Act.
The authoritative Japanese text is titled 第Ⅱ期人工知能基本計画 ~日本AX、より強く、より豊かに~. The Cabinet Office has also published a provisional translation titled Japan’s Second Artificial Intelligence Basic Plan: Japan AI Transformation; A Stronger Nation. Greater Prosperity.. The translation directs readers to the Japanese original for accuracy. News reports published on July 10 concerned the draft; this article relies on the Cabinet-approved text dated July 14 and primary government materials.
What the plan advances
The plan treats artificial intelligence as a driver of AI transformation, or AX. It describes AI’s progression from a tool that supports work to an entity capable of undertaking organizational decision-making and execution. For agentic AI, the government commits to examining how responsibility should be allocated when risks materialize and people suffer rights infringements or damage. The plan also says people should retain responsibility for decision-making and places the capacity to fulfill that responsibility within its account of human agency.
Cybersecurity exposes both sides of the capability. The plan calls for highly capable frontier AI to accelerate vulnerability discovery and remediation, including checks of critical government systems. It also addresses autonomous AI-enabled attacks. The AI Safety Institute (AISI) is responsible for technical evaluation of AI models, and the plan calls for stronger capabilities in model evaluation, traceability, guardrails, and crisis information-sharing.
The government had already begun discussing the operational risk. On May 1, 2026, Minister of Economy, Trade and Industry Ryosei Akazawa met representatives from electricity, gas, chemicals, credit, and petroleum organizations. They discussed AI systems with advanced vulnerability-discovery capabilities, stronger executive leadership, faster handling of vulnerability information, and migration toward zero-trust architecture.
The plan’s responsible agile governance model integrates institutional, technical, and organizational responses and subjects them to continuing review. That direction merits support. The implementation question begins when a company or public body must convert the national principle of human responsibility into authority for a particular decision.
The gap between a principle and a specific decision
The principle that a person retains responsibility does not allocate that responsibility. In the opening scenario, one person appears to face one choice. The screen conceals several judgments: whether the vulnerability is real, whether isolation is proportionate, whether the proposed fix is safe, and whether the organization may interrupt production. Each judgment affects customers, employees, suppliers, and critical operations in a different way.
Bundling those judgments into one approval turns a sound principle into a formal control. Effective human involvement requires answers to specific questions. A named actor needs authority to decide. That actor needs admissible evidence, enough time and competence to assess it, power to stop the action, a viable escalation route, and responsibility for the explanation. The organization must also decide what the process records. Without those provisions, the interface displays human involvement while the system has already shaped the available decision.
What the AI Guidelines for Business contribute, and where they stop
The AI Guidelines for Business, Version 1.2, compiled by the Ministry of Internal Affairs and Communications and the Ministry of Economy, Trade and Industry on March 31, 2026, provide a closer view of meaningful human involvement. They build on a human-centric foundation and address automation bias, responsible business use of AI outputs, traceability, accountability, and role-specific responsibilities.
The guidelines identify themselves as non-binding soft law and ask businesses to undertake concrete measures voluntarily, using a risk-based approach. They do not create a universal human-in-the-loop obligation for every AI agent. Other laws or sector-specific rules may still govern a particular use case.
For AI business users, Version 1.2 calls for understanding the accuracy and risk of an AI output, examining relevant risk factors, and taking responsibility for the business decision to use that output. When an organization uses AI output to evaluate an individual or group, the guidelines call for reasonable human judgment that accounts for automation bias and for an explanation to the affected party on request. These provisions do not define every approval boundary, but they make clear that human involvement requires judgment rather than a click.
The guidelines distinguish the AI developer, AI provider, and AI business user. One company may occupy more than one role, but each role carries different responsibilities. An organization that blurs them will struggle to identify who supplied the system, who set its operating conditions, and who authorized the business judgment.
Why governance, digital transformation, automation, and AI ethics do not settle authority
Four familiar disciplines cover parts of this problem. Governance establishes oversight and accountability structures. Digital transformation redesigns work and value delivery. Automation allocates tasks between systems and people. AI ethics identifies values and principles that an organization should protect.
Each discipline can support authority design, but none guarantees it. An enterprise may have a governance committee, a transformed workflow, an automation policy, and sound ethical principles while leaving the on-call incident commander without a defined mandate. The organization must still translate those frameworks into a decision-specific allocation of authority, evidence, stopping power, escalation, and accountability.
When an organization assigns AI a role in a judgment, its leaders redistribute work and influence across systems and people. They must design the accompanying transfer of authority as deliberately as they design the technology and workflow.
Decision Design: structuring authority around a judgment
Decision Design treats judgment as an object of organizational design. Ryoji Morii proposes it as a Judgment Architecture framework: a structured arrangement of who may judge, on what basis, within which limits, and with what accountability. Decision Design complements law, governance, ethics, risk management, organizational design, automation, and technical controls. It is an author-proposed framework, not a legal requirement, public standard, or settled academic consensus. Decision Design is not about improving decisions alone; it is about designing the authority structure within which decisions become institutionally legitimate.
The framework makes explicit what staff often settle informally. It identifies the judgment, the authorized actor, the role assigned to AI, the evidence that may be used, the conditions for action or suspension, the escalation path, the required record, and the event that triggers review. In the opening scenario, the organization would separate vulnerability assessment, system isolation, remediation, and production shutdown. It would then assign authority and conditions to each judgment before an incident occurs.
Organizations use AI to extend, replace, or distribute parts of judgment across systems, individuals, and teams. They may gain capability while losing a clear account of who made the institutional decision. The Second Artificial Intelligence Basic Plan treats responsibility allocation as an issue for continuing examination at the national level. Decision Design addresses the corresponding operational question inside an organization: who may commit this institution to this action under these conditions?
The framework turns governance into authority for a specific judgment. It turns automation scope into permission to act or a duty to stop. It expresses ethical commitments through approval conditions and records. Those translations connect existing disciplines to the moment when an organization must decide.
Decision Boundaries: where legitimate authority sits
A Decision Boundary allocates each part of a judgment between an AI system and a named human or institutional actor. Decision Authority means the legitimate power to commit the organization to an action. The organization can authorize an AI agent to execute bounded, pre-approved actions while reserving other actions for a CISO, incident commander, system owner, or executive. Decision Boundaries are not operational thresholds; they are institutional demarcations of legitimate authority.
A Decision Boundary can differ across analysis, recommendation, execution, approval, exception handling, and explanation. The AI may analyze evidence and execute reversible containment within a pre-approved range. A named officer may retain authority over production shutdown or an irreversible change. One human checkpoint cannot settle accountability across all of those functions. The person who holds retained authority also needs time, relevant evidence, competence, stopping power, and access to escalation.
Designing the boundary before the approval screen
The manufacturer should begin by separating the judgments and identifying the affected parties. Vulnerability assessment, impact analysis, isolation, remediation, and production shutdown require different evidence and authority. Each action can affect customers, employees, suppliers, or critical operations. A single approval button hides those distinctions.
The organization then assigns roles. The AI may analyze logs, identify a suspected vulnerability, estimate impact, compare response options, and test a fix in a controlled environment. It may execute low-risk containment that the organization has approved in advance. Production shutdown, irreversible changes, broad access to personal data, and actions with serious customer impact require a named authority. The company should identify that authority by role or duty rotation, such as the CISO or on-call incident commander.
The boundary must specify admissible data and the conditions for action. The company can identify which logs, asset inventories, vulnerability feeds, and configuration records the agent may use. Pre-approved action might require a validated detection, limited and reversible impact, successful reproduction in a test environment, and corroboration from an independent source. The process should stop when the agent encounters unexpected personal-data access, expanding impact, conflicting evidence, missing logs, or a basis that the responsible operator cannot reconstruct. These are illustrative conditions; each organization must calibrate them to its systems and risk profile.
Escalation and standby authority complete the operational design. The organization should define when the incident commander must involve the system owner, CISO, legal or privacy counsel, or the executive responsible for crisis management. It also needs a response-time limit and a named deputy for nights, holidays, and non-response. If no alternate path exists, the person at the console cannot exercise authority the organization never assigned.
Decision Logs and Accountability Continuity
A Decision Log preserves the record needed to reconstruct an AI-assisted judgment. It should identify the evidence and data used, the agent’s recommendation and relevant confidence information, the authorized person’s reasons, the action taken, the outcome, any override, and the event that triggers review. Decision Logs do not merely record outputs; they preserve accountability continuity across distributed judgment processes.
Accountability Continuity means that responsibility remains traceable to a named actor at every handoff, from the system’s recommendation through authorization and execution to the final outcome. A Decision Log provides that chain of evidence.
AISI’s work and an organization’s Decision Logs operate at different levels. The plan assigns AISI a national role in model evaluation and technical controls. Decision Logs, as proposed here, document operational judgments inside an organization. The plan does not require Decision Logs in this form. The two mechanisms are complementary because technical evaluation cannot by itself show who authorized a particular business action or why.
The Decision Log should also record when the organization must revisit the boundary. Relevant triggers include an incident, a confirmed false positive, a model update, a change in law or guidance, and a material change in system use.
The authority map leaders should complete before deployment
Leaders should select one recurring judgment that an AI agent influences and complete an authority map before deployment. The first task is to name the role that holds Decision Authority: the legitimate power to commit the organization to an action. The organization must then define the role the AI may perform within that judgment, whether analysis, recommendation, testing, execution, or monitoring. It should distinguish bounded actions the AI may execute without further approval from consequential actions reserved for a named human or institutional authority.
The authority map must identify the evidence and data that may inform the judgment. It should state the conditions under which the authorized actor may adopt an AI recommendation and the conditions that require the process to stop. These conditions need to govern both autonomous execution and human-approved action. Without explicit adoption and stopping conditions, the organization leaves the boundary to whoever happens to face the system at the moment of uncertainty.
The organization must also assign an escalation target to each exception. For nights, holidays, and cases in which the primary decision-maker does not respond, it should name a deputy and set a response-time limit. A separate assignment should identify who owns the outcome and its explanation after the decision has been executed. Escalation authority and outcome ownership may sit with different roles, so the map should record both.
Finally, the organization should specify what enters the Decision Log. The record needs to preserve the evidence, the AI recommendation, the authorized actor’s reasons, the action, the outcome, and any override. The authority map should also identify the events that reopen the Decision Boundary, including incidents, model changes, legal developments, and material changes in how the organization uses the system.
The map should name an actor whenever authority changes hands. Depending on the judgment, that actor may be the CISO, incident commander, system owner, legal or privacy lead, executive crisis leader, AI provider, AI developer, or deploying organization. Labels such as “the business” or “a human reviewer” are too broad to allocate authority.
Human responsibility becomes real only through designed authority
Japan’s Second Artificial Intelligence Basic Plan makes an important institutional move. It treats AI deployment, technical control, and organizational governance as connected responsibilities, and it recognizes that people should remain responsible for decisions in a society built around agentic AI.
Companies and public bodies must now translate that principle into operational authority. They need to decide which judgments an AI agent may make or execute, which a named actor retains, when the process must stop, who can resolve an exception, and what record preserves responsibility across the handoffs. The government has established the policy direction. Each organization must design the boundary before someone faces the approval screen.
The button at midnight may look the same after that work. The person pressing it will occupy a different institutional position: authorized to decide, equipped to challenge the recommendation, and accountable for the result.
FAQ
Does Japan’s Second Artificial Intelligence Basic Plan require a human in the loop for every AI agent?
No. The plan is a national policy document, and it does not impose a universal human-in-the-loop rule on every AI agent. It says people should retain responsibility for decision-making and calls for continued examination of responsibility allocation. The AI Guidelines for Business are non-binding soft law. Other laws and sector-specific rules may impose separate duties for a particular use case.
What is the legal status of the AI Guidelines for Business, Version 1.2?
They are non-binding soft law. The Ministry of Internal Affairs and Communications and the Ministry of Economy, Trade and Industry compiled Version 1.2 on March 31, 2026. The guidelines use a risk-based approach and ask AI developers, AI providers, and AI business users to undertake role-specific measures voluntarily. Applicable legislation remains binding regardless of the guidelines’ status.
What is a Decision Boundary?
A Decision Boundary is the institutional line that allocates each part of a judgment to an AI system or a named human or institutional actor. It defines authority for analysis, execution, approval, stopping, exceptions, and explanation. It also specifies the evidence, time, competence, and escalation access required for retained human authority to function.
How does Decision Design differ from governance, automation, and AI ethics?
Decision Design converts governance rules, workflow design, automation scope, and ethical commitments into authority arrangements for a specific judgment. Ryoji Morii proposes it as a Judgment Architecture framework that complements those disciplines. It does not replace them or serve as a compliance standard.
What should an organization design before deploying an AI agent in cybersecurity?
An organization should define the Decision Boundary before deployment. It must specify which actions the AI may execute, which actions require a CISO or on-call incident commander, the conditions for action and suspension, the escalation and standby authority, and the Decision Log that retains evidence, reasons, actions, outcomes, and overrides.
References
- Cabinet Office: Artificial Intelligence Basic Plan, publication page
- Cabinet Office: Japan’s Second Artificial Intelligence Basic Plan, provisional translation, July 14, 2026 (PDF)
- Cabinet Office: Artificial Intelligence Basic Plan, Cabinet-approved text, July 14, 2026 (PDF, Japanese)
- Cabinet Office: Artificial Intelligence Basic Plan, overview, July 14, 2026 (PDF, Japanese)
- Prime Minister’s Office: Artificial Intelligence Strategy Headquarters, fifth meeting, July 10, 2026 (Japanese)
- Prime Minister’s Office: Cabinet agenda, July 14, 2026 (Japanese)
- Ministry of Economy, Trade and Industry: AI Guidelines for Business, Version 1.2, publication page
- AI Guidelines for Business, Version 1.2, main text (PDF, Japanese)
- Ministry of Economy, Trade and Industry: Minister Akazawa’s exchange with critical-infrastructure operators on high-performance AI, May 1, 2026 (Japanese)
Decision Design is a judgment architecture framework proposed by Ryoji Morii, founder of Insynergy Inc., for structuring authority, accountability, and decision boundaries in AI-augmented organizations.