Problem
China’s AI policy is moving past the chatbot.
On May 8, the Cyberspace Administration of China published implementation opinions on the standardized application and innovative development of AI agents. The document defines agents as intelligent systems with autonomous perception, memory, decision-making, interaction and execution capabilities. That is the important part. Beijing is no longer only managing models that answer prompts. It is preparing for software that plans, calls tools, acts across systems and touches the physical world.
The official Chinese text is written like a policy checklist. The State Council’s English summary says the guidelines were jointly issued by CAC, the National Development and Reform Commission and the Ministry of Industry and Information Technology, and that they identify 19 typical application scenarios across scientific research, industrial development, consumption, public welfare and social governance.
That structure is the signal. China is treating agents as the next operating layer for AI adoption. The market still does not have stable product definitions. The state is already writing the control surface.
Analysis
The guidelines sit on top of China’s broader “AI plus” push. That matters because the document is not a narrow safety notice. It is both a development agenda and a governance map. It tells firms to build agent capabilities, tells industries to open deployment scenarios, and tells regulators to keep autonomy inside a controlled perimeter.
The foundation section starts with technical plumbing. CAC calls for stronger base models, domain-specific models, higher-quality training data, and agent capabilities around task understanding, planning, tool use, long-term memory, interoperability and multi-agent coordination. That is a more precise list than generic model quality. It is a product roadmap for systems that can do work.
Then the document moves quickly into standards. It calls for an agent standards system covering key technologies, products, data exchange, application scenarios, quality evaluation, safety assurance and trusted certification. It also names agent interconnection protocol work, including AIP, and encourages interface standards between agents and software tools, application services and hardware peripherals.
That is where this becomes infrastructure policy. A chatbot can be governed mainly through content controls, data rules and model-registration requirements. An agent needs identity, permissions, logging, interoperability, tool access, conflict resolution and recovery. CAC’s document explicitly explores an “intelligent internet” architecture with agent registration, digital identity management, search and discovery, capability declarations, deployment information, interface protocols and compliance certification.
That reads like an app store, a protocol registry and a compliance ledger sharing one trench coat. Dry, yes. Also directionally correct.
The safety section shows why. CAC wants decision boundaries between actions that only the user can decide, actions requiring user authorization and actions an agent may take autonomously. It says users should have knowledge of, and final decision rights over, autonomous decisions. It also calls for embedded rules, behavioral guardrails and traceability mechanisms for important scenarios.
This is the agent problem in one paragraph. Once software can execute, governance shifts from “what did it say?” to “what was it allowed to do, why did it do it, and can anyone prove the sequence after the damage?”
That is a harder problem than chatbot moderation. A bad answer can mislead. A bad agent can transfer money, file a form, operate equipment, alter records, place orders, schedule transport, or generate a chain of downstream actions no one fully intended. China is not alone in facing that problem. But its policy style is unusually explicit about turning it into pre-deployment architecture.
The document also separates high-risk and low-risk governance. Sensitive fields and key industries would be managed through filing, testing and product recall-style measures, coordinated by cyberspace authorities and industry regulators. Lower-risk fields, including some entertainment and daily office uses, would rely more on assessment tools, compliance self-testing, reporting, distribution-platform management and industry self-discipline.
That split is important. It suggests China wants deployment velocity without letting agent autonomy spread as an unmanaged platform layer. It also gives regulators a way to push pilots in visible sectors while reserving heavier controls for finance, healthcare, transport, public security, media and government services.
The scenario list shows the ambition. The guidelines encourage agents for scientific discovery, software development, intelligent manufacturing, energy resources, transport, agriculture, finance, consumer devices, tourism, commerce, education, healthcare, human resources, information services, government approval, judicial services, public safety, city governance and bidding. Finance gets a specific mention: agents for risk control, credit approval, transaction monitoring, account security, compliance auditing, credit-card fraud blocking and anti-money-laundering monitoring.
That breadth creates a tension. China wants agents everywhere. It also wants them legible before they spread. The guidelines are trying to solve both at once: seed demand, standardize interfaces, police behavior, and build a domestic agent stack that can scale through public-sector and industry procurement.
The overlooked part is the supply-chain section. CAC calls for lifecycle safety rules for development, deployment, use and maintenance, including model access, API calls and extension tools. That is agent governance with the vendor chain included. It recognizes that an agent’s risk is not contained inside a model provider. It sits across plugins, data connectors, cloud services, APIs, device interfaces and the developer who glued them together at 1 a.m. with optimism.
Implications
China’s agent guidelines are not proof that the country’s agent market is mature. They are proof that policymakers think the agent layer will matter enough to regulate before maturity arrives.
That sequencing changes the competitive environment. Chinese developers will build inside a more defined compliance vocabulary: standards, identity, registration, evaluation, certification, application scenarios and traceability. That may slow some consumer experiments. It may also make industrial and government buyers more willing to deploy agents because the state has already described the acceptable shape of the thing.
For foreign AI companies, the document is another reminder that “agent” will not travel cleanly across regulatory systems. A product built around open-ended tool use in one market may need stricter permission boundaries, identity metadata, audit logs and local certification in another. The agent export problem will be less about translation and more about execution rights.
For China, the risk is over-specification. Standards written too early can freeze weak assumptions into infrastructure. Agent identity, interconnection protocols and tool permissions are still moving targets. If regulators define them too tightly, developers will optimize for paperwork instead of reliability. If they define them too loosely, the controls become slogans with numbered headings.
The most useful read is that Beijing is not waiting for a dominant agent platform to emerge. It is trying to shape the platform layer while it is still wet concrete.
That is why this policy is more important than another chatbot rule. Chatbots made AI visible. Agents make AI operational. Once AI can plan and execute, the question is not whether the model sounds compliant. The question is whether the system knows who it is, what it may touch, when it must ask, and how to unwind the mess when it gets clever in the wrong direction.
China is writing those questions into the agent market early. Everyone else will have to answer them too, just with different forms.
Discussion
Sign in to join the discussion.
No comments yet. Be the first to share your thoughts.