Japan AISI updates AI attack taxonomy ahead of METI liability rules
The second-edition taxonomy sets the vocabulary METI will apply when allocating civil liability to deployers in April 2026 — making red-team scoping against its categories a procurement prerequisite, not a best-practice option.
2026-04-25 · 2 min
Japan's AI Safety Institute published the second edition of its Known Attacks and Their Impacts on AI Systems (https://aisi.go.jp/assets/pdf/KnownAttacksandTheirImpactsonAISystemsEN.pdf) taxonomy, cataloguing model-layer attack vectors for foundation-model providers, system deployers and red-team practitioners.
The taxonomy classifies attacks by lifecycle stage: training-time interventions such as data poisoning, and inference-time exploits such as model extraction. Theft of model weights through ordinary network intrusion sits outside the document's scope, on the basis that it does not touch the training or inference process. Conventional cybersecurity controls are assumed as a baseline.
The second edition deepens impact mapping for each attack class — covering interpretability malfunctions, computational waste and training-data leakage — and widens the catalogued examples of poisoning attacks that insert crafted samples into training datasets to induce malfunction or leakage during operation.
Not a policy shift in itself — but the vocabulary it sets will be drawn on by METI's April 2026 civil-liability interpretation when allocating tortious exposure to deployers who fail to verify model behaviour, a point covered in Priya Desai's 20 April note. The document does not by itself trigger obligations.
Read alongside J-AISI's (https://aisi.go.jp/) August 2025 evaluation guidance and its October 2025 report on socio-technical influences on AI safety — including generative-AI-enabled phishing aimed disproportionately at Japanese targets — the taxonomy slots into a distinctly Japanese instrument mix: evaluation guidance plus reference taxonomy plus liability interpretation.
That posture differs from the UK AI Safety Institute's evaluations-first model, which centres on a live evaluation capability against frontier systems, and from Singapore's AI Verify, which is built around an assurance framework that deployers run against their own systems. Three different instrument types, three different theories of how to operationalise model safety.
For a regulated product using a foundation model in Japan, the document functions as a checklist for red-team scoping and for the model-card disclosure calibration that downstream deployers will increasingly demand. Practitioners running adversarial-robustness testing against GPAI-class models should expect procurement questionnaires from Japanese enterprise customers to begin referencing the second-edition categories within the next two quarters — the consultation has not disclosed the affected licensee population size.
J-AISI has not committed a date for a third edition. The document cites alignment work with international counterparts; the relevant feed-through point is ISO/IEC JTC 1/SC 42 (https://www.iso.org/committee/6794475.html), where Japanese contributions on AI security threats are expected to inform the standards process that the EU AI Act's harmonised standards will eventually reference. The next dated milestone on the Japanese side is METI's anticipated update to its AI business guidelines, which compliance teams should track for any cross-reference back into this taxonomy.