DCC catalogue entry — summary, not full text.
Why this document matters for the data field
The Implementation Opinions on the Standardized Application and Innovative Development of AI Agents (智能体规范应用与创新发展实施意见, released 8 May 2026 by CAC, NDRC, and MIIT jointly) is China’s first dedicated policy document on AI agents (智能体) — systems the Opinions define as having “autonomous perception, memory, decision-making, interaction, and execution capabilities.” It implements the State Council’s broader “AI+” Action opinion and is structured as 38 initiatives across six parts: basic principles, development infrastructure, safety governance, application promotion, ecosystem building, and implementation safeguards.
Most of the document is industrial policy, not data-compliance rule-making. Part Two (infrastructure — agent identity systems, trusted interconnection, compliant payment, security protections), Part Four (18 sector-by-sector use-case initiatives spanning research, industry, consumer, public services, social governance, and public procurement), and Part Five (industry ecosystem-building, including encouraging firms to build overseas compliance capacity as agents expand internationally) read as promotion and coordination language rather than obligations, and DCC’s sourcing filters would ordinarily screen this kind of AI-industry-strategy document out entirely. It earns a catalogue entry for one reason: Part Three, “Guarding the Safety Bottom Line” (守牢安全底线), items 5 through 14, is the first governance-specific text to address data handling and decision authority for AI agents, and it previews where CAC’s next binding agent-specific rule is likely to land.
The data-relevant clauses — Part Three, Items 5–14
Part Three has three subsections: product norms (items 5–7), risk prevention (items 8–10), and governance-system building (items 11–14).
Decision-authority boundaries (Item 6). The Opinions instruct developers to draw clear lines among three modes of decision-making — matters reserved exclusively to the user, matters requiring user authorization, and matters an agent may decide autonomously — and to size each mode’s permissions accordingly. Critically, it states that users must retain the right to know about, and the final say over, an agent’s autonomous decisions (知情权和最终决策权), and that an agent’s executed actions may not exceed the scope of the user’s authorization. This is the closest the document comes to a consent-and-scope rule for agentic AI, and it maps naturally onto PIPL’s consent and minimum-necessary-processing principles when an agent is handling personal information on a user’s behalf.
Behavioral controls (Item 7). Developers are told to build “rule embedding” and “behavioral fencing” (行为围栏) technology so that agent conduct in public spaces, private spaces, and other designated settings stays lawful, and to explore blockchain-based mechanisms to make agent behavior in important application scenarios verifiable and traceable.
Agent-specific security duties (Item 8). The Opinions call for research into agent data security, personal information protection, cryptographic protection, attack detection, permissions management, and behavioral control technologies, aimed specifically at agent-native risk categories: data poisoning, privacy leakage, algorithmic tampering, system vulnerabilities, and loss of operational control. It also calls for exploring an agent-specific security assessment system — a precursor, plausibly, to a dedicated agent security-assessment regime analogous to the Data Export Security Assessment or the algorithm security assessment.
Supply-chain security (Item 9). Full-lifecycle security norms are called for across an agent’s development, deployment, application, and maintenance, with particular attention to model access, API calls, and the use of extension tools — the plug-in and tool-calling architecture that distinguishes agents from standalone generative AI models — plus an information-sharing and early-warning mechanism for agent supply-chain security risk.
Derivative-risk mitigation (Item 10). Regulators are directed to strengthen routine risk identification, early warning, and intervention mechanisms, including human-machine collaborative review and interception capabilities, aimed at preventing agents from being used for automated attacks, privacy violations, disinformation generation and spread, and telecom/online fraud.
Tiered, risk-based governance framework (Item 11). This is the document’s most consequential structural signal for compliance planning. Agents are to be governed under a classified and tiered system (分类分级 治理) calibrated to application scenario and potential impact:
- For sensitive fields and key industries, the cyberspace administration will work with the relevant industry regulator to define which scenarios may open up, and will apply filing, testing, and defective-product recall requirements based on applicable law and sector security-protection standards.
- For lower-risk scenarios — everyday life, entertainment, routine office use — the emphasis shifts to lighter-touch tools: improved agent evaluation and testing tools, compliance self-assessment, information reporting, distribution-platform management, and industry self-regulation.
Items 12–14 round out the governance-system section: building out professional compliance services (risk monitoring, testing and evaluation, consulting, certification — Item 12); pushing agent development platforms, distribution platforms, and service providers to adopt fair platform rules, user agreements, and privacy policies that clarify each side’s rights and obligations (Item 13); and exploring a credit-based evaluation and blacklisting mechanism for technology misuse, induced consumption, false advertising, and concealment of known defects (Item 14).
Item 5, which opens the product-norms subsection, is a catch-all instruction to keep policy, regulation, and ethical review in step — guarding against agents using data advantages or personification techniques to spread harmful values or engage in “algorithmic exploitation,” and against addiction, over-attachment, or emotional dependency risks for minors and the elderly.
How it fits with related DCC-tracked instruments
The Opinions sit above, and anticipate, several rules DCC already tracks. The decision-authority and user-consent language in Item 6 extends PIPL’s consent and automated-decision-making principles into agentic contexts. The supply-chain and tool-calling security duties in Items 8–9 build on the model-level obligations already set by the Interim Measures for the Management of Generative Artificial Intelligence Services, extending them to the plug-in/tool layer that sits on top of a model. The tiered governance framework in Item 11 echoes the classification-and-grading logic used elsewhere in Chinese data law — including the Opinions on Building the Fundamental Data System — and previews a filing/testing/recall regime that, if formalized, would give agents their own version of the algorithm-filing mechanism under the Provisions on the Administration of Algorithmic Recommendation Services. As a set of “Implementation Opinions” rather than a departmental rule, this document carries no penalty clauses of its own; its significance for counsel is predictive — it is the clearest public signal yet of what a future binding CAC rule on AI agents will likely require.
Briefs on this law
DCC briefs that turn on the AI Agent Implementation Opinions are linked
from this page’s “Briefs on this law” section (any post whose laws:
references this entry).