The 2025 Digital Cliff has come and gone. Most Japanese companies did not fall off it. But they did not walk away clean either. What it left behind is a messy security landscape. Old systems patched just enough to survive. New cloud tools layered on top. And security teams trying to hold it all together.
The old castle and moat model does not fit anymore. Back then, once you were inside the network, you were trusted. In 2026, work is everywhere. Homes. Partner offices. Cloud platforms. That idea of a clear inside and outside is gone.
This is why Zero Trust in Japan is changing shape. It is no longer about slicing networks into smaller pieces. It is about identity. Who is accessing systems. What they are. Human or machine. And whether that access still makes sense.
The pressure is real. AI agents and non-human identities are exploding across Japanese workplaces. Fujitsu’s 2026 technology forecast points to cybersecurity, AI agents, and resilience as core drivers of business strategy. Many enterprises already feel the strain. VPNs creak. Cloud access feels bolted on. The struggle to move from legacy access to something truly cloud native is shared across the market.
The Japanese Market Context and Why It Matters Now
Japan is kind of at a digital crossroads right now. The Active Cyber Defence Law passed in May 2025 and it basically forced companies to stop just reacting to threats. You can’t just wait for something bad to happen anymore. Companies have to watch who is accessing their systems and notice if something feels off. It is not enough to just check login credentials anymore. This matters a lot because many Japanese companies are still running old systems and security habits are slow to change.
At the same time, Japan does not have enough cybersecurity people. Some estimates say there is a shortage of more than 110,000 experts. That leaves security operations teams stretched thin. There is no way they can do everything by hand anymore. Automation and identity-centric security are really the only practical solution. Companies need to continuously check who and what is accessing their systems. That way, even if there aren’t enough people, the system can stay secure.
It is not just the big companies feeling the pressure. In April 2025, METI came out with security procedures for small and medium-sized manufacturers. They want every part of the supply chain to meet certain identity and security standards. You cannot ignore this because if one small factory is weak, it can put the whole network at risk. The government is making it clear that everyone needs to be responsible for their part of security.
METI also laid out a bigger plan in March 2025. They want to more than triple Japan’s cybersecurity industry sales from about ¥900 billion to over ¥3 trillion in the next ten years. The idea is to make the country stronger and push companies to adopt modern, identity-focused security. Security is not just about protection anymore. It is also a business opportunity.
For Japanese companies, this is a wake-up call. Identity-centric security is no longer a nice-to-have. It is something you need to do if you want to survive. The combination of law, not enough skilled people, and supply chain rules is changing the way Japan thinks about security. The companies that get this will have an advantage in the next decade.
The Death of the VPN and the ‘Identity Perimeter’
For years, VPNs were treated like a safety net. If you were inside the network, you were trusted. That logic worked when work happened in offices and systems stayed put. But by 2024 and 2025, that model cracked. Ransomware groups figured out that VPN concentrators were a single, juicy target. Hit one weak credential, one unpatched gateway, and suddenly the entire internal network was open. Security teams felt it first. VPN alerts. VPN outages. VPN workarounds. People were tired. VPN fatigue became real.
The bigger problem was not just attacks. It was over-access. A VPN did not care why you logged in. Once connected, users often saw far more than they needed. One role. One login. Too much reach. In a world of cloud apps, remote work, and contractors, that setup simply stopped making sense.
That is where ZTNA stepped in. Zero Trust Network Access flipped the idea completely. Instead of connecting users to a network, it connects them to a specific application. Nothing more. Nothing extra. In 2026, access is not about where you sit or which IP you use. It is about who you are, what device you are on, and which app you actually need to do your job. No lateral movement. No broad internal visibility. Just enough access to get the work done.
But even that is not enough anymore. Checking identity only at login is outdated. People change behavior during a session. Devices get compromised mid-workday. AI agents behave differently than humans. That is why continuous verification matters. Systems now watch behavior while the session is active. What are you accessing? How fast? From where? Does this look normal for this identity? Trust is no longer permanent. It adjusts in real time.
Think of it like this.
- VPN
  - User logs in
  - Full network access
  - Trust stays the same
- ZTNA
  - User logs in
  - Single app access
  - Trust keeps getting checked
This shift is not just technical. It is philosophical. The network is no longer the security boundary. Identity is. And once companies accept that, VPNs stop looking like protection and start looking like risk.
The New Threat Landscape: Identity Attacks and AI Agents

The threat landscape in 2026 does not look like it used to. Most attacks are no longer about breaking in. They are about logging in. The credentials are valid. The access looks normal at first glance. That is exactly why traditional IAM stops being enough. This is where ITDR comes in. Identity Threat Detection and Response is not about giving access or denying it. It is about watching what a trusted identity does after it gets in and stepping in when something feels wrong.
ITDR matters because attackers are patient now. They do not rush. They move slowly. They use real accounts. They copy normal behavior and then push just a little further each time. A valid identity downloading data at the wrong hour. A service account suddenly touching systems it never touched before. IAM cannot see intent. ITDR is built to catch that gap.
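The kind of check ITDR performs on an already-authenticated identity can be sketched in a few lines. This is an added example, not code from any product named in this article. The events, identity names, and thresholds are constructed, and a real deployment would learn the baseline from weeks of logs rather than five rows.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample events: (identity, ISO timestamp, resource, bytes read).
BASELINE = [
    ("tanaka", "2026-01-05T09:10", "crm", 2_000),
    ("tanaka", "2026-01-05T14:30", "crm", 3_500),
    ("tanaka", "2026-01-06T10:05", "wiki", 1_200),
    ("svc-backup", "2026-01-05T02:00", "fileshare", 900_000),
    ("svc-backup", "2026-01-06T02:00", "fileshare", 950_000),
]
LIVE = [
    ("tanaka", "2026-01-07T11:00", "crm", 2_800),          # normal working pattern
    ("tanaka", "2026-01-07T03:15", "crm", 400_000),        # wrong hour, bulk read
    ("svc-backup", "2026-01-07T02:00", "hr-db", 910_000),  # system never touched before
    ("svc-new", "2026-01-07T12:00", "crm", 100),           # valid login, no history
]

def build_profiles(events):
    """Per identity: resources seen, hours of day seen, byte counts."""
    profiles = defaultdict(lambda: {"resources": set(), "hours": set(), "bytes": []})
    for identity, ts, resource, nbytes in events:
        p = profiles[identity]
        p["resources"].add(resource)
        p["hours"].add(datetime.fromisoformat(ts).hour)
        p["bytes"].append(nbytes)
    return dict(profiles)

def findings(event, profiles, hour_slack=2, volume_factor=10):
    """Reasons an authenticated event deviates from its identity's baseline."""
    identity, ts, resource, nbytes = event
    p = profiles.get(identity)
    if p is None:
        return ["unknown_identity"]
    reasons = []
    if resource not in p["resources"]:
        reasons.append("new_resource")
    hour = datetime.fromisoformat(ts).hour
    # Circular distance on the 24h clock, so 23:00 and 01:00 are 2 hours apart.
    if min(min(abs(hour - h), 24 - abs(hour - h)) for h in p["hours"]) > hour_slack:
        reasons.append("off_hours")
    if nbytes > volume_factor * median(p["bytes"]):
        reasons.append("volume_spike")
    return reasons

def triage(live, baseline):
    profiles = build_profiles(baseline)
    scored = [(e[0], e[2], findings(e, profiles)) for e in live]
    return [row for row in scored if row[2]]
```

Every event in `LIVE` carries valid credentials, so an access-control check alone would pass all four; only the comparison against each identity's own history separates the first row from the other three.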
Then there are non-human identities. AI agents. Bots. APIs. Service accounts. In many Japanese tech companies today, these identities already outnumber employees. And they do not behave like humans. They do not log out. They do not get tired. They move fast and at scale. When one of these gets compromised, the damage spreads quietly and quickly. This is the new frontier. Securing people without securing machines pretending to be people is pointless.
What makes this harder in Japan is trust. Japanese businesses are built on it. Hierarchy. Respect. Assumption of good intent. That culture is now being tested by AI-driven identity fraud. Deepfake voices. Fake video calls. Executives asking for urgent transfers. Instructions that look real and sound familiar. These attacks do not break systems. They break judgment.
The World Economic Forum highlighted this clearly in October 2025. AI-optimized cybercrime in Japan is rising. Ransomware and data extortion are hitting harder. Even large companies like Asahi have been impacted. The message is simple. Stronger identity and threat defenses are no longer optional.
This is why ITDR sits at the center of modern security. It connects identities, behavior, and response. It treats every identity as something that can go bad at any time. Human or non-human. Senior or junior. Trusted or automated.
In 2026, the biggest threat is not an unknown attacker. It is a familiar identity doing unfamiliar things.
A Strategic Roadmap for Japanese CISOs
If you are a CISO in Japan right now, the path forward is actually clearer than it looks. It is not about buying ten new tools. It is about fixing the basics first and doing them properly.
Start with the directory. This sounds boring, but it is where most problems hide. Old user accounts. Former employees. Test IDs that never got deleted. Service accounts nobody remembers creating. In many legacy Japanese IT environments, these are everywhere. You cannot protect identities if you do not even know which ones exist. Clean it up. Audit it. Remove what no longer serves a purpose.
Next comes authentication. SMS one-time passwords are no longer good enough. Everyone knows this, but many companies still use them because change feels hard. Move to phishing-resistant MFA. FIDO2. Passkeys. Something that cannot be replayed or socially engineered. This single step shuts down a huge number of attacks before they even start.
Then comes the hardest part. Culture. Zero Trust often gets misunderstood in Japan. It sounds like you do not trust your employees. That framing will fail in the boardroom. The conversation needs to shift. This is not about distrust. This is about safety. Digital safety. Anzen and Anshin. Protecting people from mistakes, from impersonation, from invisible threats they cannot see.
There is already a blueprint for this mindset. Hitachi’s Sustainability Report 2025 talks about group-wide security management, personal data protection, and layered risk controls aligned with METI’s cybersecurity guidelines. That is not theory. That is execution.
The roadmap is simple. Know your identities. Protect access properly. Align security with culture. Everything else builds on that.
Future-Proofing for 2030

If you zoom out for a second, the pattern is obvious. Identity has quietly taken over the job the firewall used to do. Not because someone declared it that way. Because everything else stopped holding.
In 2026, security is not about building higher walls. That mindset already failed. People do not sit in one office anymore. Systems do not live in one place. Access happens all the time, from everywhere, by humans and by things that are not human at all.
What matters now is knowing who is actually inside. Not in theory. In reality. Who logged in. What they touched. Whether that behavior makes sense for that identity or not. If you cannot answer that, the rest of the controls do not matter much.
If there is one place to start, it is not another tool or another framework. It is an audit. A real one. Look at your non-human identities. Service accounts. Bots. AI agents. Accounts that never log out and never complain. List them. Ask why they exist. Ask what breaks if they disappear. You will find risk faster than you expect.
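A first pass at that audit, which also covers the directory clean-up step in the roadmap above, can be run against a plain export of accounts plus the current HR roster. This is an added example, not code from the article or from any vendor. The field names, account names, and the 90-day threshold are assumptions, and the data is constructed.

```python
from datetime import date

# Constructed directory export; field names are assumptions, not a product schema.
ACCOUNTS = [
    {"id": "sato.k", "kind": "human", "owner": "sato.k", "last_auth": "2026-02-01", "purpose": ""},
    {"id": "yamada.t", "kind": "human", "owner": "yamada.t", "last_auth": "2025-03-10", "purpose": ""},
    {"id": "test01", "kind": "test", "owner": "", "last_auth": "2024-11-02", "purpose": ""},
    {"id": "svc-erp-sync", "kind": "service", "owner": "sato.k", "last_auth": "2026-02-09", "purpose": "ERP nightly sync"},
    {"id": "svc-legacy", "kind": "service", "owner": "yamada.t", "last_auth": "2026-02-09", "purpose": ""},
    {"id": "agent-helpdesk", "kind": "ai_agent", "owner": "", "last_auth": "2026-02-10", "purpose": "ticket triage"},
]
ACTIVE_STAFF = {"sato.k"}   # constructed HR roster; yamada.t has left the company
TODAY = date(2026, 2, 15)   # constructed audit date
NON_HUMAN = {"service", "ai_agent", "bot"}

def audit(accounts, active_staff, today, stale_days=90):
    """Map account id -> list of reasons it needs review."""
    report = {}
    for a in accounts:
        issues = []
        idle = (today - date.fromisoformat(a["last_auth"])).days
        if idle > stale_days:
            issues.append("stale")
        if a["kind"] == "human" and a["id"] not in active_staff:
            issues.append("former_employee")
        if a["kind"] == "test":
            issues.append("test_account")
        if a["kind"] in NON_HUMAN:
            # "Ask why they exist": needs a current human owner and a stated purpose.
            if a["owner"] not in active_staff:
                issues.append("no_accountable_owner")
            if not a["purpose"]:
                issues.append("undocumented_purpose")
        if issues:
            report[a["id"]] = issues
    return report

def review_order(report):
    """Ownerless identities first: nobody is positioned to notice their misuse."""
    return sorted(report, key=lambda i: "no_accountable_owner" not in report[i])
```

Note that `svc-legacy` and `agent-helpdesk` authenticated within the last week, so a staleness check alone would never surface them; the ownership and purpose checks do.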
The companies that get identity right now will still be around in 2030. Not because they predicted the future. But because they understood what was already changing.

