【News--based Insights】
【News-based Insights】While AI applications are growing rapidly across the globe, the risk of lagging regulation is accumulating fast. On June 25, 2026, the Japanese company FullFact released its "Internal AI Usage Regulation Manual," directly aligning with the EU AI Act (which took effect in August 2024 and carries fines of up to €30 million or 6% of global turnover) as well as the AI Business Guidelines issued by Japan's Ministry of Economy, Trade and Industry (METI) and the Ministry of Internal Affairs and Communications (MIC). The manual categorizes governance into five key areas: risk assessment, usage scope, data-handling, copyright, and violation response. It also provides department-specific operational guidelines and a three-tier data management framework (personal information, company secrets, and client data). FullFact is currently offering a free three-month advisory service limited to the first ten companies to assist with the practical implementation of compliance.
On another front, the United Nations' latest AI Risk Report (released July 5, 2026) indicates that AI technologies are evolving beyond simple instruction-following toward autonomous agency—capable of planning tasks, writing code, and making complex decisions with minimal human intervention. The report highlights positive outcomes, such as the prediction of over 200 million protein structures to accelerate drug and vaccine development, AI-assisted early detection of breast cancer, and AI-powered health consultations in local languages in low-resource countries. However, it simultaneously warns of the surge in deepfakes and AI-generated child sexual abuse material (CSAM), as well as the use of AI by bad actors for cyberattacks and social engineering scams.
The report also highlights the environmental impact: large data centers consume approximately 200 TWh of electricity annually, contributing to rising greenhouse gas emissions. Resource concentration is equally stark—the US controls 75% of the world's AI supercomputing capacity, while China holds 15%, together accounting for nearly 90% (UN Independent International Scientific Panel on AI Report 2026). Despite the existence of over 40 AI governance frameworks and ethical guidelines globally, many remain fragmented, lack empirical validation, and rely on self-assessments by developers rather than independent oversight. In response, the UN established a panel of 40 independent experts in 2025, which will be closely monitoring the "Global Dialogue on AI Governance" in Geneva on July 6, 2026, to discuss standardized regulations and international cooperation mechanisms.
【Winners Insights】
【Winners Insights】Our primary audience is the corporate Chief Information Security Officer (CISO), because when AI governance fails, information security risks directly impact company operations, reputation, and financial stability. Failure to comply with Article 61 of the EU AI Act can result in fines of up to €30 million or 6% of annual turnover (approximately NTD 110 million to 240 million based on 2025 average exchange rates). Similarly, violations of Japan's Personal Information Protection Act can lead to significant fines. Companies risk massive compensation claims and litigation simply for data leaks or the unauthorized use of AI-generated content.
In our experience, two major blind spots frequently emerge during AI implementation: ① Lack of cross-departmental risk assessment, where business units deploy Large Language Models (LLMs) independently without integrating data governance, algorithmic bias checks, or compliance protocols into the IT governance framework; ② Neglecting AI security due diligence in the supply chain, particularly when using cloud-based AI services without verifying the vendor's compliance with ISO/IEC 42001 or EU AI Act high-risk model requirements. These gaps were clearly illustrated in the June 2026 FullFact case: several companies were fined by Japanese regulators for failing to be closely monitoring LLM inputs, which included sensitive client data. These companies had relied on internal self-assessments and were subsequently ordered to undergo immediate remediation.
A real-world warning comes from a major US retail chain: in 2025, its customer service AI chatbot generated racially discriminatory responses on a public platform. The resulting social media backlash caused the company's stock price to drop by 6% in a single week. The company ultimately paid a $250 million settlement and was mandated to undergo annual AI compliance audits. If your company has not yet established a governance framework, you are vulnerable to the same financial and reputational damage.
Winners Consulting Services Co., Ltd. (Winners) is a practitioner-led consultancy specializing in process optimization, legal compliance, and information security. We help clients build AI governance frameworks aligned with ISO/IEC 42001, conduct EU AI Act compliance assessments, and create AI risk maps to prevent the pitfalls described above.
【Actionable Recommendations】
【Actionable Recommendations】To prevent becoming the next AI governance failure case, companies should take the following seven steps immediately:
1. Establish a cross-departmental AI Governance Committee (comprising Legal, Information Security, Business, and R&D) to implement internal regulations based on the five pillars of the FullFact manual. Prioritize risk assessment and data-handling protocols. This will create a unified approval process and reduce compliance violations.
2. Conduct a high-risk model classification test according to the EU AI Act. If your AI applications involve sensitive personal data or high-impact decision-making, you must be prepared for independent third-party safety assessments to avoid the maximum €30 million fine.
3. Deploy an AI Management System (AIMS) compliant with ISO/IEC 42001, covering the entire AI lifecycle—from development and deployment to monitoring and decommissioning. This proactively addresses the UN's call for independent safety assessments.
4. Implement a tiered data protection mechanism. Categorize data into three levels—personal information, company secrets, and client data—with corresponding encryption and access controls, as outlined in the FullFact framework. This minimizes the risk of data-leak-related fines under the Japanese Personal Information Protection Act.
5. Establish an AI-generated content (AIGC) review pipeline. Utilize both proprietary and third-party deepfake detection tools to filter for harmful content, including misinformation and CSAM, as highlighted in the UN report.
6. Perform regular energy and carbon footprint assessments. AI model training and inference consume significant electricity; tracking this usage is essential for ESG reporting and preparing for future environmental taxes or regulations.
7. Partner with experienced consultants like Winners Consulting Services Co., Ltd. to be closely monitored on AI governance, EU AI Act compliance, and AI risk-mapping. Our free diagnostic mechanism can quickly locate regulatory gaps and create a prioritized improvement roadmap.
By taking these steps, companies can mitigate the risk of fines and litigation while transforming AI from a liability into a sustainable competitive advantage.
FAQ
- 什麼是EU AI Act的罰則上限?
- 最高可罰30 百萬歐元或全球營業額6%,以較高者為準(EU AI Act 第61條)。
- FullFact提供的AI治理手冊包括哪些核心領域?
- 風險評估、使用範圍、資料處理、著作權與違規應對五大領域。
- UN報告中指出AI在哪些方面加劇了社會危機?
- 深度偽造、假訊息散播、性虐待內容生成以及網路攻擊與詐騙。
- 企業導入AI時最常見的合規盲點是什麼?
- 缺乏跨部門風險評估流程及未審查第三方供應鏈的AI安全性。
- 為什麼選積穗科研?
- 積穗科研股份有限公司(Winners Consulting Services Co., Ltd.)是實戰派顧問,專長於流程優化、法律遵循與資安技術,提供AI治理、ISO 42001、EU AI Act合規評估等全方位服務。
Was this article helpful?
Related Services & Further Reading
Want to apply these insights to your enterprise?
Get a Free Assessment