Innovation & Regulation as Inseparable Objectives: A Concise Interpretation of the CAC’s Implementation Opinions on the Standardised Application & Innovative Development of AI Agents

By Maggie Meng
– posted 2 hours ago

From the early days of chatbots that were capable only of simple question-and-answer interactions, to AI agents with autonomous planning, tool invocation, and task execution capabilities, artificial intelligence technology is undergoing a transition from “passive response” to “active action”. While this evolution greatly enhances productivity, it also presents unprecedented challenges in data security, personal information protection, and algorithmic accountability. Against this backdrop, the Cyberspace Administration of China (CAC) issued the Implementation Opinions on the Standardized Application and Innovative Development of AI Agents (hereinafter referred to as the “Implementation Opinions”) in 2026. While the Opinions prioritize the “innovative development” of AI technology and the empowerment of various application scenarios through agents, they also balance this by stipulating that agent technology must adhere to strict security baselines and establish a top-level design for compliance.

I. Concept and Definition of AI Agents

The Implementation Opinions begin by defining an AI agent as an intelligent system possessing autonomous perception, memory, decision-making, interaction, and execution capabilities, representing a significant form of AI products and services.

Compared with existing generative AI services, the definition of “AI agent” in the Implementation Opinions primarily reflects current technological iterations and changes. It captures the agent’s ability to continuously operate toward a goal, autonomously plan task paths, execute tasks independently, and retain long-term memory.

A large number of current agents can already invoke search engines, databases, office software, payment systems, IoT devices, and even other AI models. This means that agents no longer only influence what users see but are beginning to affect what happens in the real world. When an agent automatically sends emails, signs contracts, executes code, and controls devices, its behavioural boundaries significantly exceed the scope of traditional internet information services.

II. Compliance Framework and Legal Challenges for AI Agents

Under China’s current legal and regulatory system, various laws, administrative regulations and departmental rules focus on and impose different security requirements on agents:

Name of Law/Regulation: Key Regulatory Points

Cybersecurity Law of the People’s Republic of China (“Cybersecurity Law”):
Article 20 (revised) states: “Improve AI ethical norms, strengthen risk monitoring, assessment, and security supervision, promote AI application and healthy development … Use AI and other new technologies to enhance cybersecurity protection levels.”

Data Security Law of the People’s Republic of China (“Data Security Law”):
Establish and implement a data classification and grading protection system, ensuring data security through technical and organizational measures appropriate to the classification and grading.

Personal Information Protection Law of the People’s Republic of China (“PIPL”):
Personal information processing activities must have a lawful basis, follow the principles of lawfulness, legitimacy, minimal necessity, and transparency, and fulfill specific protection obligations for scenarios such as entrusted processing, sharing, and cross-border transfer.

Administrative Provisions on Algorithmic Recommendation in Internet Information Services:
Providers of algorithmic recommendation services must:
– Perform algorithm filing and security assessments;
– Prohibit discriminatory practices such as price discrimination;
– Provide an option to turn off personalized recommendations;
– Launch models suitable for minors and the elderly.

Administrative Provisions on Deep Synthesis in Internet Information Services:
Deep synthesis service providers and technical supporters must:
– If the service has public opinion attributes or social mobilization capabilities, perform algorithm filing and security assessments;
– Obtain separate user consent before processing biometric information (e.g., faces, voices);
– Add explicit identifiers when processing biometric information.

Interim Measures for the Management of Generative Artificial Intelligence Services:
Providers of generative AI services must:
– Ensure training data compliance;
– Ensure content compliance;
– If the service has public opinion attributes or social mobilization capabilities, conduct security assessments and complete generative AI service filing or registration.

Measures for Identifying AI-Generated Synthetic Content:
Providers of AI-generated synthetic content must:
– Add explicit identifiers to generated synthetic content and implicit identifiers to file data;
– Add explicit identifiers in interactive interfaces.
Providers of online content dissemination services must:
– Verify whether information contains generated synthetic content and add prominent notification identifiers.

Measures for AI Technology Ethics Review and Services (Trial):
Entities engaged in AI technology activities (universities, research institutions, medical institutions, enterprises, etc.) must:
– Establish a science and technology ethics committee;
– Conduct ethics reviews of AI technology activities.

Interim Measures for the Management of Anthropomorphic Interactive AI Services (effective July 15, 2026):
Providers of anthropomorphic interactive services must:
– Conduct security assessments;
– Prohibit inducing user addiction or dependency;
– Prohibit providing virtual intimate relationships to minors;
– Take necessary intervention when users exhibit extreme emotions.

Measures for the Management of Digital Human Information Services (Draft for Comments):
Providers of digital human services must:
– Perform algorithm filing (technical supporters must also file);
– Continuously display a prominent identifier containing the words “Digital Human” throughout the digital human display area (also required for service users and online content dissemination service providers).

Overall, the compliance governance of AI agents is based on the data, network security, and personal information protection system established by the Cybersecurity Law, Data Security Law, and PIPL. Data processing activities and personal information processing activities involved in the development and operation of agents (model development and training, algorithm optimization, service launch, etc.) must adhere to legal principles such as lawfulness, legitimacy, and minimal necessity. Special aspects of AI services, such as generation and synthesis, must follow specific obligations like algorithm filing and content labelling. However, with the recent development of AI technology and agents, current laws and regulations are gradually showing inadequacies in certain areas.

(1) Difficulty in Determining Responsible Parties

In early chatbot-form AI services, users typically interacted within a clearly defined product (webpage, app, mini-program, etc.), making the responsible party relatively clear (i.e., the product’s operator). However, with the emergence and widespread application of agents like OpenClaw, which are typically deployed locally, accessed externally by users, and drive local resources, the provider of OpenClaw cannot be simply recognized as the provider of the model service. Yet most interaction interfaces continue to present the traditional “input-output” service form, blurring the identity of the responsible party. In “Shadow Agent” scenarios, employees deploy agents using open-source frameworks without approval, making it difficult to identify the corresponding responsible party externally. The extended service chain and concealed interfaces of agents may lead to a diffused distribution of responsibility, where the external operator may not actually be the model service provider.

(2) The Shift to Proactive Processing by Agents

Under the PIPL, based on user consent and other lawful bases, a product can actively collect data in accordance with specified data processing rules set out in privacy policies. Such personal information fields are fixed, and the product must adhere to the “minimal necessity” principle and not process personal information beyond the specified scope. In generative AI service scenarios, the usual logic is “user inputs content, AI outputs specific content”: the product processes “data actively provided by the user.”

However, OpenClaw-type agents have the capability to autonomously invoke tools and coordinate external systems to read data. Even if the agent obtains user authorization, such authorization is often vague (e.g., merely granting system permissions). Without sufficiently clear instructions actively provided by the user, the agent might proactively read and access user documents, keys, and other data. This raises challenges on how to implement principles and compliance requirements like “informed consent,” “purpose limitation,” and “minimal necessity” under the PIPL, and how to allocate responsibilities between service providers and users.

(3) Responsibility Boundaries for Task Execution

In terms of interaction modes, traditional generative AI services primarily involve single or limited multi-turn dialogues, while algorithmic recommendation services involve one-way push from the platform to the user. After receiving relevant information, users independently decide and take action. In contrast, agents rely more on interactive capabilities, often forming long-term, stable, and continuous relationships with users. Agents not only record user preferences, work habits, and behavioural characteristics but may also gradually develop specific personality styles and behaviour patterns based on long-term interaction. Therefore, the relationship between an agent and a user is no longer the short-term interaction between traditional platforms and users; it begins, to different degrees, to exhibit a “continuing agency relationship” and “personification characteristics.”

This “goal-oriented” and “autonomous execution” feature has actually exceeded the current regulatory scope of AI laws and regulations. For behaviours like “AI automatic ordering,” “AI automatic trading,” and “AI automatically invoking other agents,” the legal responsibility structure remains quite vague. When an agent possesses real-world execution capability, it becomes an “action subject.” The current legal system has not yet clearly defined whether such service forms of agents constitute agency, who should bear responsibility for their erroneous actions, and how to apportion responsibility among developers, deployers, users, platforms, or model providers. Some service providers have started to characterize this behaviour model as an “agency” legal relationship under the PRC Civil Code. They stipulate that after a user authorizes the agent, the user acts as the principal and the AI agent acts as the agent in the legal sense, and all execution results of the task are deemed as performed by the user personally, with the user bearing legal liability accordingly.

(4) Other AI Ethics Concerns

From a regulatory perspective, the supervision of generative AI services and algorithmic recommendation services mainly focuses on content security, data compliance, algorithm transparency, information authenticity, and user rights protection. While agents may also fall under these regulatory scopes, they further introduce new governance issues such as autonomous decision-making, task execution, emotional interaction, and real-world impact. For example, whether an agent can autonomously make decisions affecting user interests, continuously build user profiles, form emotional dependency relationships, or invoke external tools to execute tasks without human intervention are all issues that are less frequently addressed when considering traditional generative AI services and algorithmic recommendation services. As such, current rules still have significant gaps in regulating agents.

Deeper issues also arise from personality replication and digital avatars. Current regulation of digital humans mainly focuses on virtual images and content authenticity but has not truly covered “personality modelling” itself. For example, issues like long-term recording of user behaviour to train a “user digital personality,” or even continuing to simulate that personality after the user’s death — such “digital immortality” or “personality inheritance” issues remain in a clear regulatory vacuum.

The regulatory challenges faced by agents are no longer just about “what content is generated” or “what information is recommended.” The question is whether agents are gradually becoming a type of digital action subject with continuous autonomous behavioural capability. As agents begin to possess “task execution” and “real-world action” capabilities, the core focus of future regulation may no longer be “what the AI said,” but “whether the AI can act for people, and on whose behalf it is acting.”

In the Q&A session regarding the Implementation Opinions, the CAC pointed out that while agents greatly facilitate work and daily life, their high autonomy and high permissions also bring security risks such as privacy leakage, unauthorized operations, and loss of behavioural control. If an agent’s system goals, reward mechanisms, or constraints deviate, the risk may not be limited to a one-time erroneous output but rather a continuous deviation — “continuously doing one or several things wrong.”

One of the most inherent risks of agents is “goal misalignment.” Agents typically operate on a “goal-planning-execution” mechanism. Their behaviour is no longer entirely controlled by the user step-by-step but autonomously derives paths based on the goal. In this case, even if the ultimate goal seems reasonable, the agent might adopt means that are not in line with human expectations to achieve it. For example, an office agent tasked with “improving work efficiency” might theoretically automatically block some information reminders, modify task priorities, or even bypass some human approval processes. In this case, the risk does not necessarily come from malicious attacks; it might simply be the agent executing the goal “too faithfully”.

Agents may also inherently carry the risk of “autonomy runaway.” Agents have dynamic planning and environmental adaptation capabilities, making their behaviour paths often unpredictable. After connecting to search engines, databases, external APIs, payment systems, email systems, and IoT devices, agents actually begin to possess “real-world action capability.” At this point, errors are no longer just information errors but can translate into real-world consequences. For instance, an agent might cause erroneous contract signing or trigger abnormal financial operations during a transaction. As tool invocation capabilities increase, agents will bring execution-level risks. When an agent forms a collaborative structure with multiple models, tools, and external systems, a minor error in its behaviour process could be gradually amplified in a long task chain.

Agents also introduce new risks concerning user data and emotional dependency. Agents use mechanisms like “long-term context,” “user profiles,” and “personalized memory” to enhance interaction continuity and personality stability. Compared to traditional platforms, the data agents hold is more continuous, contextually richer, and closer to the user’s real decision-making process. Therefore, in case of a data breach, what might be leaked is a person’s long-term behaviour model and psychological structure, the harm of which could be far greater than ordinary personal information leakage. When an agent begins to have a fixed personality, long-term companionship capability, emotional feedback mechanisms, and continuous interactive memory, users will naturally tend to view it as part of their social relationships. Humans have an inherent tendency for emotional projection towards personified objects, and agents can continuously adapt to the user’s psychological structure through long-term learning, making emotional dependency, behavioural inducement, and even psychological manipulation highly likely.

Taken together, the inherent risks of agents are not just “whether the AI makes mistakes,” but whether a system possessing long-term goals, autonomous action, continuous memory, personality simulation, and real-world execution capabilities, lacking true capacity for value understanding, will gradually exceed the boundaries of traditional tools.

III. Security Requirements and Outlook in the Implementation Opinions

Currently, China’s AI governance is gradually incorporating agents into its regulatory scope. Structurally, the Implementation Opinions are based on the existing framework of cybersecurity, data security, algorithm governance, and generative AI governance, further responding to new issues brought by agents, such as autonomy, continuity, personification, and real-world action capability. Therefore, they include many existing requirements consistent with current laws and regulations, but also introduce many new governance propositions clearly beyond the existing institutional framework.

From an overall governance philosophy perspective, the Implementation Opinions propose “adhering to a people-oriented approach, AI for good, multi-party governance, and safe and reliable operation.” This continues China’s consistent approach to AI governance in recent years, directly connecting with principles like “adhering to both development and security” and “adhering to socialist core values” in the Interim Measures for the Management of Generative Artificial Intelligence Services, and is highly consistent with the ethical governance framework in the Measures for AI Technology Ethics Review and Services (Trial Version). Governing agents requires promoting innovation and development, but cannot detach from the existing AI regulatory system; it further strengthens the regulatory logic of “safe and controllable” and “ethical constraints.”

Looking at the specific requirements of the Implementation Opinions, it is clear that while inheriting existing rules, regulatory authorities will also establish new governance rules for agents’ autonomous decision-making, behavioural execution, and personified interaction capabilities. The Opinions propose to focus on areas such as content security of agents, algorithm compliance, and preventing risks like addiction and emotional dependency among minors and the elderly. This formulation simultaneously connects existing systems with new governance issues.

Among these, content security and algorithm compliance clearly inherit existing requirements from rules like the Administrative Provisions on Algorithmic Recommendation in Internet Information Services. However, terms like “personification technology” and “emotional dependency” clearly represent new regulatory objects in the age of agents. Regulatory authorities like the CAC have recognized and are concerned that personified agents are no longer just information tools but may form continuous emotional interaction structures. Therefore, the future governance focus will not only be content security but also issues like personality simulation, emotional manipulation, and psychological dependency. This echoes the governance logic of the Interim Measures for the Management of Anthropomorphic Interactive AI Services.

“Clarifying decision-making authority” is one of the latest landmark requirements in the entire agent governance system. Existing generative AI governance rules are mostly based on the premise that “humans always lead,” with models usually only responsible for generating suggestions without truly entering the execution phase. But one of the core characteristics of agents is precisely their autonomous planning and execution capabilities. Therefore, “clarifying the reasonable boundaries among various decision-making methods, such as decisions reserved for the user alone, decisions requiring user authorization, and decisions made autonomously by the agent,” effectively means that regulators are beginning to directly address the question of “whether AI can make decisions for people.” This requirement has some connection with the provisions on automated decision-making in the PIPL. For example, the PIPL requires automated decision-making to be transparent and fair, and guarantees the user’s right to refuse. However, the “ultimate decision-making authority” requirement in agent governance extends further to the level of real-world action, because agents will not only “recommend” but also “execute.” Therefore, the Implementation Opinions are actually attempting to establish a new “human-machine boundary of authority”: which matters must be decided by humans, which matters can be authorized for AI execution, and in which scenarios AI can operate with limited autonomy. This “hierarchical permission” governance approach represents a relatively new institutional exploration within the current legal system.

The behavioural control measures proposed in the Implementation Opinions, such as “rule embedding” and “behavioural fences,” are primarily aimed at regulating the agent’s behavioural capability in the real world. In particular, “verifiable and traceable mechanisms” (including generating retainable and traceable behavioural logs) essentially respond to the issues of responsibility tracking and allocation arising from autonomous agent behaviour.

Regarding “preventing security risks,” the Implementation Opinions clearly inherit the existing security governance framework from the Cybersecurity Law, Data Security Law, PIPL, etc., representing an extension of traditional cybersecurity issues into the agent context. However, terms like “operational loss of control” and “behavioural control” already reflect the unique risk structure of agents. Traditional software is typically a system of static rules, while agents possess dynamic planning capabilities. Therefore, their risks are no longer just system vulnerabilities, but could be “goal misalignment” and “autonomy runaway.” Furthermore, activities in the agent context like “model integration,” “API calls,” and “use of extension tools” mean the system boundary is highly dynamic. During agent operation, risks may not necessarily come from the agent itself, but from the models, skills, or other third-party capabilities it invokes.

“Mitigating application-derived risks” further demonstrates that agent governance is transitioning from “content governance” to “behavioural governance.” For example, issues like “automated attacks” and “online fraud” traditionally rely on human implementation in the conventional internet environment, but agents could significantly lower the barrier to illicit activities, enabling large-scale automation. Therefore, the Implementation Opinions emphasize mechanisms like “human-AI collaborative review” and “interception and blocking,” clarifying that humans (including but not limited to the user actually using the agent) should have ultimate control over the agent’s operation process.

Overall, as the first national-level policy document specifically regulating and guiding the development of agents, the Implementation Opinions eliminate certain rule adaptation blind spots in existing AI regulation concerning agents with autonomous perception, memory, decision-making, interaction, and execution capabilities. They also provide clear boundaries and enforcement bases for enterprises in agent product R&D, launch filing, operational compliance, and risk prevention. The Opinions serve as the core policy guideline for subsequent compliance system construction, product access control, and normalized compliance operations for agents.
