Japanese companies have entered the awkward middle age of generative AI. The board wants productivity. Employees want help. Sales teams want faster emails. Engineers want code assistance. Legal teams want drafts and summaries. But information systems, security, legal and audit departments want something else: to know what is leaving the company, who sent it, where it went, and whether the company can explain it later.
That conflict has a name: shadow AI. It is the use of unapproved AI services by employees outside formal company control. In 2023, generative AI felt experimental. By 2026, it has become a daily office habit. That is exactly why unmanaged use has become a business risk.
In July 2026, Tokyo-based Elith launched GENFLUX Security, a SaaS platform for countering shadow AI. The first version is offered as a browser extension, with desktop and agent versions planned. This is not just another security product. It is a sign that corporate AI in Japan is moving from excitement to operations, from pilots to controls, and from “Can we use it?” to “Can we prove we used it safely?”
The basic idea: do not ban AI — put it under management
GENFLUX Security’s core idea is simple. Do not respond to generative AI by forbidding it everywhere. Instead, give companies a way to let employees use permitted AI tools while blocking dangerous inputs, logging activity and preserving accountability. Elith’s release describes unauthorized AI discovery, AI-use logs, DLP inspection before prompts are sent, warnings, blocking, masking, policy management, dashboards and audit-ready evidence.
The product is also framed around two different users. Regular employees should be able to use approved AI services normally, with warnings or blocks only when an operation is risky. Administrators, CISOs and IT teams need the opposite view: a dashboard of overall usage, unapproved services, DLP alerts, policy status, logs and reports.
GENFLUX Security and Elith in numbers
Before Security came GENFLUX: quality, hallucination and evaluation
The July launch does not come out of nowhere. In August 2025, Elith formally released GENFLUX as a generative-AI quality evaluation platform. The original product focused on checking AI responses and behavior in real time and proposing improvements. Its announced functions included hallucination detection, RAG quality evaluation, regulation checks, internal-rule validation and toxicity/bias detection.
The sequence matters. The first corporate AI question was: “Is the answer good?” The next one is: “What are employees sending into AI systems?” Companies deploying generative AI have to manage both model behavior and human behavior. GENFLUX Security expands the quality story outward into the browser, logs, DLP, policies and audit trails.
Why shadow AI is dangerous
The danger of shadow AI is not only malicious behavior. In many cases, employees are trying to work better. They summarize meeting notes, rewrite customer emails, analyze contracts, debug source code, polish design explanations, or draft medical and pharmaceutical documents. The problem is not the intention. The problem is the input.
Elith’s release lists examples of information that GENFLUX Security is designed to detect before it is sent to AI services: names, addresses, phone numbers, email addresses, My Number identifiers, driver’s license numbers, health insurance numbers, credit card numbers, API keys, passwords, M&A information, customer lists, unreleased products and internal terminology.
That makes shadow AI different from a traditional file leak. A user may not think they are exporting a file. They may think they are simply explaining a task to a helpful AI. The leak happens in the middle of ordinary work.
The new corporate risk office
Corporate risk used to be divided among legal, compliance, IT, security, internal audit, privacy and quality assurance. AI blurs those borders. If a model hallucinates, the issue is quality. If an employee enters customer records, it is privacy and confidentiality. If generated output resembles copyrighted material, it is legal. If an agent takes action without proper approval, it becomes a systems and operational risk.
That is why the 2026 enterprise needs something like an AI risk office. It may be called the CISO office, AI governance committee, DX office or internal audit function. The work is similar: define permitted AI use, set policies, log activity, preserve evidence, evaluate quality, and make incidents traceable.
Elith’s product line aims at that new tool kit. GENFLUX is for quality evaluation. GENFLUX Security is for usage control. Elith’s AI Security services include red teaming and dynamic guardrails. Put together, the message is that AI is no longer just something a company “tries.” It is something a company operates.
Historical context: Japan’s AI guidelines and the global regulatory turn
This is not only a Japanese startup story. Japan’s Ministry of Economy, Trade and Industry and Ministry of Internal Affairs and Communications compiled the AI Guidelines for Business in April 2024, and the guidance has since been updated. The 2026 version frames AI governance around both innovation and risk reduction across the AI lifecycle.
Internationally, NIST’s AI Risk Management Framework has influenced practical risk programs since 2023, while the EU AI Act entered into force in August 2024 and is moving toward broad applicability in August 2026. For Japanese firms with European customers, American customers or global supply chains, being able to explain AI use is becoming part of competitiveness.
Information security followed a similar path. It started with antivirus software, then moved into firewalls, endpoint detection, zero trust, DLP, logging, audit and incident response. AI security is beginning the same journey. The first stage was an internal memo about whether employees could use ChatGPT. The next stage is a control plane for every AI prompt that might contain corporate risk.
Risk by industry
| Industry | Likely AI input | Why it matters |
|---|---|---|
| Finance | Screening documents, customer data, account information | Credit, privacy and confidentiality risks converge. |
| Manufacturing / construction | Drawings, design data, unreleased products | Competitive advantage can leak through ordinary prompts. |
| SaaS / IT | Source code, API keys, system architecture | Technical details can become attack paths. |
| Staffing / local government | Resumes, resident records, My Number data | Identity and administrative information require strict handling. |
| Pharma / healthcare | Clinical trial data, patient data, prescription information | Regulated and ethically sensitive data may be involved. |
| Infrastructure | Facility drawings, invoices, design specifications | Operational and national-security concerns may overlap. |
Elith: from research group to implementation partner
Elith was founded in December 2022. Its PR TIMES company profile lists its representative as Motoki Inoue and its headquarters in Hongo, Bunkyo-ku, Tokyo. The company describes its business as AI research, development, design, planning, education, sales, maintenance and consulting.
On its AI Security page, Elith divides the problem into two layers. AI Safety is the technical wall against malicious inputs and AI lies, supported by red teaming and dynamic guardrails. AI governance is the organizational control layer: rules, operations and management systems aligned with Japanese policy guidance. That distinction is useful because enterprises need both. A policy document without technical controls is fragile. Technical controls without governance become a black box.
The risk of over-control
Governance tools have their own dangers. If controls are too strict, employees will stop using AI. If logging feels intrusive, employees will feel watched. If policy blocks too many tools, shadow AI simply reappears somewhere else. AI governance can accidentally kill the productivity it is supposed to protect.
That is why the user experience matters. Elith’s framing — allow normal use, warn only on risky operations, explain blocks, mask sensitive information when possible, and give administrators a governance view — is the right shape. A good AI control system should feel less like a police checkpoint and more like a seatbelt.
Japan.co.jp view
Elith’s story is not the flashiest AI story in Japan. It is not a new foundation model, a robot, a semiconductor factory or a giant data center. But this quieter layer may be what determines whether Japanese companies actually use AI every day. AI history is not only the history of models getting smarter. It is also the history of organizations becoming confident enough to rely on them.
For Japanese enterprises in 2026, the question has moved from “Should we introduce AI?” to “How do we govern it?” Generative AI is already inside sales, law, engineering, accounting, healthcare, manufacturing and local government work. The question is not whether employees are using it. The question is whether the company knows.
GENFLUX Security symbolizes a maturing phase of AI. The magic box is becoming an auditable business system. Shadow AI is not only something to ban. It is a mirror showing companies where their real workflows have already gone.
Reader takeaways
| Question | Answer |
|---|---|
| What happened? | Elith launched GENFLUX Security, a SaaS product for countering shadow AI. |
| How is it offered? | The Web extension is available first. Desktop and agent versions are planned. |
| What does it do? | Detects unauthorized AI, applies DLP, warns or blocks risky actions, masks sensitive data, logs use and supports audit reporting. |
| Why now? | Generative AI has moved into daily work, but many companies still lack visibility and governance. |
| Why does it matter? | It helps shift enterprise AI from prohibition to controlled, explainable use. |
Sources and references
This article is based on Elith / GENFLUX Security announcements, the earlier GENFLUX quality-evaluation launch, Elith’s AI Security page, Japan’s AI Guidelines for Business, the EU AI Act and the NIST AI Risk Management Framework.
- PR TIMES: Elith launches GENFLUX Security, July 2026.
- PR TIMES: Elith formally releases GENFLUX, August 18, 2025.
- Elith: AI Security services supporting AI Safety and AI Governance.
- Elith: GENFLUX AI Agent Platform.
- METI: AI Guidelines for Business Ver.1.0 Compiled.
- European Commission: AI Act application timeline.
- NIST: AI Risk Management Framework.
