China’s AI Agent Guidelines Point to an Intelligent Internet

China’s new AI agent guidance moves beyond chatbot rules toward registration, identity, interoperability, permissions, traceability, and an intelligent internet.

AI 요약

What happened: China’s CAC, NDRC, and MIIT published AI agent implementation opinions on May 8, 2026.
- The official Xinhua report defines agents as intelligent systems with autonomous cognition, memory, decision-making, interaction, and execution capabilities.
The shift: The regulatory object is expanding from generated content to digital actors that can take actions.
- Registration, digital identity, capability declaration, AIP, IPv6, compliant payments, and conflict resolution appear in the same policy frame.
Developer impact: Agent products for China will need permissioning, logs, risk tiers, and sector validation before model performance becomes the main question.
Watch: The opinions set direction; the real operating cost will come from follow-on standards and sector-specific supervisory rules.

China has moved AI agents into their own policy category. On May 8, 2026, the Cyberspace Administration of China, the National Development and Reform Commission, and the Ministry of Industry and Information Technology issued implementation opinions for the standardized application and innovative development of AI agents. The English-language Xinhua report published through China’s State Council describes the document as part of the country’s “AI plus” action plan and as a guide for growing AI agents as a core form of AI product and service.

At first glance, this can look like another Chinese AI regulation story. The interesting part is where the center of gravity moves. Earlier generative AI rules were mostly about what AI says: content, data, algorithm filings, labeling obligations, and prevention of harmful information. Agent governance asks a different question: what can AI do? Agents call tools, assist decisions, move across systems on behalf of users, and in some cases touch physical devices or public services.

The official report defines an agent as an intelligent system with capabilities for “autonomous cognition, memory, decision-making, interaction and execution.” Those five capabilities are the heart of the news. A chatbot mostly responds to an input. An agent remembers state, chooses a next action, interacts with other systems, and produces an execution result. Once AI crosses that line, the regulatory questions change. Who delegated authority? Which actions must remain human decisions? Which actions can be delegated? Who stops an agent that exceeds its scope? Where is the failure recorded?

Summary of the intelligent internet layers implied by China’s AI agent guidelines

China Is Starting to Treat Agents as Infrastructure

The State Council report summarizes the guideline’s basic principles in four phrases: safety and controllability, order and standardization, innovation-driven development, and application-led deployment. That combination fits the familiar language of Chinese industrial policy. It acknowledges risk, but the answer is not to halt deployment. The answer is to build standards, controls, and industrial adoption paths around the technology.

The four action areas point in the same direction. First, strengthen the development foundation by building technical infrastructure, standards, and protocols. Second, ensure safety and security. Third, push representative application scenarios across scientific research, industrial development, consumption, public welfare, and social governance. Fourth, develop the innovation ecosystem, industrial collaboration, and broader application.

Those phrases can read like ordinary policy text. The translated policy detail is more concrete. It brings together agent registration platforms, digital identity, discovery and search, capability declaration, compliance certification, an agent interoperability protocol, IPv6-based communication, compliant payments, and conflict resolution. This is not just “manage AI apps better.” It imagines a network where agents can find one another, declare what they can do, receive permission, pay for services, resolve conflicts, and remain traceable while acting.

That is why the document can be read as an early “intelligent internet” agenda. Today’s internet is a network of people, servers, apps, APIs, payments, authentication, domains, and browsers. If agents become major users of that network, the same questions reopen. What identity does an agent have? Which APIs may it call? How does it pay another agent or service? Who is responsible: the developer, deployer, user, or platform? China’s guidance raises those questions to the level of national standardization.

Why AIP and IPv6 Appear in the Same Conversation

For developers, the most notable part is interoperability. The translated text says China will promote national and industry standardization of interconnection technologies such as an agent interoperability protocol, or AIP, and create interface standards between agents, software tools, application services, and hardware peripherals.

That is the same problem discussed in the West around MCP, A2A, and agent interoperability standards, but expressed in different policy language. Agents need tools to do real work. Tool use requires interfaces, authentication, permissions, input and output schemas, failure handling, and audit logs. If each vendor builds those layers in isolation, the agent ecosystem fragments quickly.

The IPv6 reference matters too. IPv6 itself is not new. But bringing it into a discussion of end-to-end agent communication, identity, discovery, and capability declaration suggests a view of agents as network actors, not just SaaS features. Most current agent products still live inside a specific app, IDE, or cloud environment. China’s guideline asks the next question. If agents act across platforms, what common structure should their address, identity, permissions, and history use?

This is not only a China problem. AWS AgentCore bundles identity, gateway, observability, and payments. Microsoft Agent 365 is trying to register and govern organizational agents. Fiserv agentOS wants to manage bank agents on top of core banking systems. OpenAI Codex and Claude Code are productizing long-running execution, approval, remote control, logs, and sandboxes. These are different products, but they point toward the same reality: agent competitiveness is moving from a single model answer to the infrastructure around action.

Risk Tiers Will Shape Market Entry Costs

The practical message for teams is straightforward: if you are building AI agents for China, start with the risk tier. The document says governance should be hierarchical and classified according to application scenario and potential impact. Sensitive areas and core industries may face stronger measures such as filing, testing, and product recall. Lower-risk fields such as everyday entertainment or office work may rely more on self-assessment, information reporting, platform governance, and industry self-regulation.

That distinction changes product planning. A general office agent may mostly need user approval, privacy controls, logs, and administrator settings. A financial risk-control agent, medical diagnosis assistant, transport safety agent, government approval assistant, judicial support agent, or public safety agent belongs to another category. In those domains, the market-entry requirement is not a polished demo. It is safety architecture, test documentation, third-party evaluation, certification, recall procedures, and the ability to work with sector regulators.

Category	Lower-risk office and consumer agents	Higher-risk industrial and public agents
Examples	Office work, shopping assistance, schedule and document automation	Finance, healthcare, transportation, energy, government, judiciary, public safety
Control model	Self-assessment, information reporting, platform rules, user approval	Filing, testing, certification, sector supervision, possible recall
Engineering burden	Permission scope, privacy, logs, cost controls	Action tracing, audit evidence, safety evaluation, recovery, responsibility separation

From that angle, the agent market may become far more localized than the model API market. A model can often be swapped by changing an API provider. But an agent’s permission model, log schema, risk classification, filing procedure, and certification path are tied to national and sector rules. A global company that wants to operate agents in China cannot stop at Chinese-language performance. It must reflect China’s requirements for agent registration, identity, data, content, and social governance in the product architecture.

Human Final Decision Rights Become Product Requirements

Another core theme is decision authority. The translated guidance says products should clarify the boundary between actions users must decide themselves, actions that may be delegated to AI after user approval, and actions agents may perform autonomously. It also says users’ right to know and final decision rights should be protected, and agents should not exceed the authorized scope.

That is not abstract ethics language. It is a UI and backend requirement. If an agent can send email, the product must decide whether it can send every email automatically or whether specific recipients, topics, amounts, or sensitivity levels require approval. If it can make payments, it needs per-transaction limits, cumulative budgets, refund processes, and restrictions on purchase categories. If it can delete files, recovery and confirmation paths matter. If it handles public services or financial operations, human final approval and audit logs become more important.

Recent product moves make the pattern clearer: OpenAI Codex mobile approvals, GitHub Copilot code-review billing, AWS AgentCore Payments, Fiserv agentOS. As agents take more actions, approval UX stops being an add-on. It becomes a security layer. Products need to record who approved what, where the approval happened, which information the user saw before approving, and which tools ran afterward. China’s guideline expresses that same principle in state policy language.

Security Is Wider Than Model Safety

The document does not treat agent security as only model safety. It references data security, personal information protection, cryptographic protection, attack detection, permission management, behavior control, data contamination, privacy leakage, algorithm tampering, system vulnerabilities, and loss of operational control. Supply-chain security is also called out separately, including model access, API calls, extension tool use, risk warnings, information sharing, and full-lifecycle security standards.

That list explains why agent security is hard. Chatbot security usually brings prompt injection, data leakage, and harmful content to mind. Agent security adds execution authority. Bad tool calls, malicious MCP servers, contaminated plugins, excessive OAuth scopes, vulnerable browser sessions, prompt-based permission bypass, automated payment misuse, and supply-chain vulnerabilities all become part of the same problem.

The Chinese state-media discussion of OpenClaw-related security warnings and agent vulnerabilities fits this pattern. The point is less about one product than about the expanded attack surface that appears when agents combine browsers, files, APIs, payments, and code execution. That is why the guidance emphasizes a governance toolchain capable of discovering, intervening in, blocking, and recovering from risky behavior.

The Strategic Meaning of a Chinese Agent Ecosystem

The document also carries an industrial strategy. According to the full translation and analysis, China wants domestic open source AI communities to focus more on agents and wants agents to be compatible with open source chips, operating systems, and foundation models. That is not just a technical preference. It is a geopolitical choice. If agents become the future software execution layer, China does not want that layer to depend fully on foreign models, foreign clouds, or foreign protocols.

At the same time, the document says China will participate actively in international standard setting. That balance matters. China wants domestic controllability, but agents are inherently cross-border and cross-platform. In global supply chains, finance, travel, research, and software development, agents will need at least some shared standards to communicate. If the United States and China build incompatible systems for agent identity, permissioning, logging, and interoperability, the result could look like a fragmented internet for automated actors.

For developers, that is not distant diplomacy. The agent framework, tool schema, audit log, and permission model being written today may later need to align with an industry standard or regulatory requirement. A schema originally created for internal integration convenience can become a market-access issue.

What We Still Do Not Know

The implementation opinions do not settle every detail. First, the legal and operational form matters. The document sets direction, but what companies must do and when they must do it will become clearer only through follow-on standards, sector rules, filing procedures, and certification systems.

Second, it remains to be seen how far AIP and the intelligent internet idea become real technical standards. Agent registration platforms, digital identity, and capability declaration are powerful concepts. Designed poorly, they could raise gatekeeping costs more than they help innovation. Designed too loosely, they may fail to solve trust and security problems.

Third, the boundary between lower-risk and higher-risk products will be messy in practice. Is a scheduling agent still a consumer tool if it books travel and makes payments? When does a medical-document summarizer become a medical agent if it mentions diagnostic possibilities? Can an office-document agent remain “low risk” if it is used in HR evaluation or termination workflows? Every country trying to regulate agents will face similar boundary problems.

What Development Teams Should Watch Now

China’s AI agent guidance will not immediately change every developer’s code. But the direction is clear. As AI agents move into real work and public systems, product requirements expand beyond prompt quality. Agent identity, permission scope, action logs, risk tiering, human approval, certification, evaluation, recall, and supply-chain security become part of the product.

This will probably not remain only a China-specific regulatory story. Europe will approach the same problem through the AI Act and sector rules. The United States will use CAISI-style evaluations, NIST frameworks, and private platform controls. Large clouds will turn it into operational layers such as AgentCore and Agent 365. The language differs, but the question is the same: when an agent acts, who can trust, stop, and explain that action?

China is answering with a larger structure: an intelligent internet. Whether that structure becomes an open and interoperable ecosystem or a stronger instrument of state control and industrial protection is still unknown. One point is already clear. AI agent regulation is not merely an extension of chatbot regulation. Once agents become actors in the digital world, governance moves from content to action infrastructure.

The lesson for AI product teams is simple. When designing an agent, ask not only “what can it do?” Ask “under which authority, with which record, and under which stop condition?” The more capable the model becomes, the more important that question gets. China’s new guidance is one of the clearest policy documents yet to state that reality openly.