Introduction: The Question from Two Months Ago Has Already Become Reality
In the article published in February — “The ‘Will AI Take Our Jobs’ Debate Is Missing the Point” — I wrote: what is happening is not fundamentally a contest over jobs, but a redefinition and reallocation of roles. AI’s internals are composed of complex parameter spaces, and even their creators cannot fully read the internal behavior that leads to results.
Two months later, concrete developments on both the technology and regulatory fronts have corroborated this view. This article examines three events from late March to April 2026, confirming that “role reallocation” is not an abstract prediction but a phenomenon actively in progress.
1. Mythos: “The Limits of Control” Materialize at the National Level
On April 7, 2026, Anthropic released “Claude Mythos Preview” on a limited basis. Notably, this release was not public but restricted to defensive cybersecurity use (Project Glasswing) by 12 partner organizations including Amazon, Apple, Microsoft, and CrowdStrike.
The reason: the model’s capabilities were too powerful. Mythos reportedly discovered thousands of undisclosed vulnerabilities (so-called zero-days) within weeks, many of them critical. Some vulnerabilities found had existed for 10 to 20 years.
Internal Anthropic documents were leaked beforehand, reportedly stating that Mythos significantly outperformed the company’s previous models and noting cybersecurity risks if malicious users repurposed it for bug discovery and exploitation.
The “limits of control” I described in February materialized in precisely this form. When AI’s capabilities surpass human security researchers’ discovery speed by orders of magnitude, it simultaneously means the same capability could reach the offensive side. The very decision to release Mythos on a limited basis is itself a question of role reallocation — “how do we manage this technology?”
Security researchers’ jobs haven’t disappeared. Rather, AI discovers vulnerabilities while humans handle remediation and judgment. Roles have been reallocated.
2. Amended Personal Information Protection Act: Redrawing Data Boundaries
On April 7, 2026, the government approved cabinet amendments to the Personal Information Protection Act. This reform simultaneously addresses both data utilization in the AI era and individual protection.
This aligns with the SPA-IT philosophy — that security, privacy, and AI governance must be considered in an integrated manner rather than separately.
On the relaxation side, for cases where personal data is used solely for creating statistical information, third-party provision and acquisition of publicly available sensitive personal information was organized to not require individual consent under certain conditions. The Personal Information Protection Commission explained that “creation of statistical information” includes AI development. However, this does not mean AI development broadly becomes consent-free — it conditionally permits exceptions within the scope classifiable as statistical creation.
On the strengthening side, a surcharge system for violating companies is newly introduced. Additionally, for personal information of individuals under 16, requirements for obtaining consent from legal representatives and notification were codified, strengthening data discipline for children.
This “simultaneous relaxation and strengthening” is precisely a redrawing of boundaries. How much human data can be given to AI — the law has begun concretely drawing that line.
3. METI “Civil Liability Guidelines”: The Law Begins Answering “Whose Responsibility?”
On April 9, 2026, the Ministry of Economy, Trade and Industry published “Guidelines on the Interpretation and Application of Civil Liability in AI Utilization.” These indicate how current law may be interpreted and applied when AI-powered services or systems contribute to incidents.
The guidelines examine hypothetical cases including delivery route optimization AI, legal practice support AI, transaction screening AI, visual inspection AI, and autonomous mobile robots (AMR), organizing two categories based on how AI is used: “auxiliary/support AI” and “reliance/substitution AI.” A supplementary section also addresses civil liability when AI agents are used.
My February article concluded that “the design of who is responsible for what will be questioned.” These guidelines have begun concretely answering that question through legal interpretation. When humans judge based on AI output versus when operations are conducted in reliance on AI judgment — the liability differs. This organization was presented alongside hypothetical cases.
Of course, much regarding AI agent treatment remains “under consideration” within the guidelines. However, the very fact that such issues are being organized in official government documents is evidence that role reallocation is progressing at the institutional level.
Conclusion: Will You Stand on the Design Side, or Receive the Designed Outcome?
The “role reallocation” I described in February has begun moving visibly from three directions in just two months.
Mythos demonstrated that as AI capabilities begin exceeding human supervisory abilities, new role divisions are needed for managing the technology itself. The amended Personal Information Protection Act showed that the law has begun concretely redrawing the boundary between human data and AI. And METI’s civil liability guidelines began answering how to allocate responsibility between AI and humans through legal interpretation.
All of these are not questions of whether to use technology, but of how to design the roles between technology and humans. Whether we stand on the side that participates in this design, or become the side that receives the designed outcome — we believe we are at that inflection point now.