DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ 026 · AI-AGENTS

Mapping the AI Agent Risk Surface — A Ten-Category Taxonomy Under China's New 智能体新规

China's Cyberspace Administration, together with partner agencies, jointly issued the Implementation Opinions on Standardized Application and Innovation Development of AI Agents (the '智能体新规' or 'Agent Rules') on May 8, 2026 — the first dedicated regulatory document on AI agents anywhere in the world. This DCC brief works through the ten-category risk taxonomy that practitioners are now using to map the agent attack surface: goal hijacking, tool misuse, identity/permission abuse, supply-chain compromise, unintended code execution, memory and context poisoning, inter-agent communication insecurity, cascade failures, human-machine trust exploitation, and rogue agents. With the agent risk mapped, the brief works the legal-liability vector: how each risk maps to administrative, civil, and criminal exposure under existing PIPL, CSL, Anti-Unfair Competition, and trade-secret regimes. It closes with the Guangzhou Internet Court's recent dual-authorization ruling against an open-source agent that bypassed a chat platform's risk controls — the first Chinese case to articulate the dual-authorization principle for AI agents accessing third-party platforms.

Editor’s Note — DCC.

The Cyberspace Administration of China and partner agencies jointly issued the Implementation Opinions on Standardized Application and Innovation Development of AI Agents (《智能体规范应用与创新发展实施意见》, the “Agent Rules” or 智能体新规) on May 8, 2026. It is the first dedicated regulatory instrument anywhere in the world to address AI agents as a distinct category — beyond general large-model rules and beyond the generative-AI service framework. This DCC two-part series adapts a substantive practitioner taxonomy by 朱垒 (Zhu Lei), a commercial lawyer specializing in cyber and data, originally published via 数据何规. Part 1 (this brief) maps the ten-category risk taxonomy. Part 2 walks through the ten-step internal governance framework practitioners are now using to operationalize the regime.

The most useful single contribution in Zhu’s piece is the mapping from each technical risk to the legal-liability vector that materializes when the risk is realized — i.e., the bridge from “what can go wrong” to “what statute is invoked.” DCC reproduces that mapping in plain English for overseas counsel.

What the Agent Rules cover

The Agent Rules are the first Chinese regulatory document to address AI agents (智能体) — autonomous AI systems with goal-decomposition, tool-calling, environment-interaction, memory, and multi-step execution capabilities — as a distinct category. Where prior rulemaking addressed generative AI through the lens of model output safety (the Interim Measures for the Management of Generative AI Services, the Algorithmic Recommendation Provisions, the Deep Synthesis Provisions, the AI-Generated Content Labeling Measures), the Agent Rules extend the regulatory perimeter to:

  • The agent’s decision-making and permission scope
  • Its tool-calling behavior
  • Its interaction with external systems
  • Its supply-chain dependencies
  • Its application-derived risks

The document proposes an agent registration platform, sample testing and adversarial tools, agent-decision permission frameworks, behavioral controls, built-in security capability standards, supply-chain security, classified and graded governance, and a compliance services system. Enterprises building or deploying agents — particularly L3 / L4 agents that touch sensitive data or external systems — will operate under increasingly granular oversight as the implementation framework develops.

The ten-category risk taxonomy

Zhu’s taxonomy — synthesizing OWASP’s Top 10 for Agentic Applications with Chinese regulatory expectations — names ten risk categories. For each, DCC reproduces the technical risk and the legal-liability vector it triggers in the Chinese regulatory regime.

1. Goal hijacking (目标劫持)

Technical risk. Attackers use prompt injection, malicious files, falsified tool outputs, spoofed agent messages, or poisoned external data to alter the agent’s task goal, decision path, or action plan — diverting it from the user’s original intent. Canonical example: an attacker embeds a hidden instruction in a PDF that induces an internal-corporate agent to retrieve customer data and email it externally.

Legal liability. Personal-information leakage; trade-secret leakage; unauthorized transactions; misinformed decisions; data exfiltration. Triggers the Cybersecurity Law, Data Security Law, PIPL, trade-secret protection regime, contractual liability, and tort liability. If the agent acts on the enterprise’s behalf in a transaction or payment context, also raises questions of authorization effectiveness, apparent agency (表见代理), and internal-control failure.

2. Tool misuse / abuse (工具误用/滥用)

Technical risk. After being granted tool-call permissions, the agent — through unclear permission boundaries, insufficient input validation, overlong execution chains, or absence of human-confirmation gates — performs erroneous, excessive, or attacker-induced operations within nominally legal tool scope. The core distinguishing feature: the agent doesn’t just “say wrong” — it “does wrong.” Example: a customer-service agent intended only to query order status proceeds to initiate refunds because its tool permissions were too broad.

Legal liability. Data deletion; over-scope queries; financial loss; service interruption. Triggers findings of inadequate permission boundaries, breach of security-protection obligations, or absence of necessary approval mechanisms — resulting in administrative data-compliance penalties, contractual breach liability, tort liability, consumer-protection liability, and internal-audit accountability.

3. Identity and permission abuse (身份与权限滥用)

Technical risk. In multi-system, multi-tool, or multi-agent environments, the agent inherits, caches, sub-delegates, or reuses identity credentials — resulting in low-privilege actors effectively acquiring high-privilege capabilities, or rendering the responsible actor for specific behaviors unidentifiable. Example: an administrator agent retains SSH credentials in its memory or context; a regular user then induces it to use those credentials to create unauthorized accounts.

Legal liability. Access-control failure; over-authorization processing of personal information; important-data leakage; unauthorized payment; system intrusion. Triggers administrative and civil liability for failure to implement least-privilege, identity authentication, access control, credential isolation, and audit logging. In dispute resolution, the inability to prove the source of operations, authorization chain, and responsible actor produces adverse evidentiary outcomes.
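Categories 2 and 3 both turn on controls the text names but does not show: an explicit tool allowlist, a human-confirmation gate for irreversible actions, a bound on execution-chain length, credential isolation, and an audit trail that records the user-to-agent-to-tool authorization chain. The following is an added Python example written for this brief; it is not code from Zhu's article or from the Agent Rules, and the tool names, agent id and vault secret are constructed sample values.

```python
"""Added example: tool-call authorization gate for an agent. Enforces an explicit
tool allowlist, a human-confirmation gate for irreversible actions, a cap on the
execution-chain length, credential isolation and an audit trail. Tool names,
agent ids and the vault secret are constructed sample values."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample tools; a real deployment would wrap the service clients.
def query_order(args: dict, credential: str) -> dict:
    return {"order": args["order_id"], "status": "shipped"}

def issue_refund(args: dict, credential: str) -> dict:
    return {"order": args["order_id"], "refunded": args["amount"]}

TOOLS = {"query_order": query_order, "issue_refund": issue_refund}

@dataclass(frozen=True)
class AgentPolicy:
    allowed_tools: frozenset      # least privilege: explicit allowlist per agent
    confirm_required: frozenset   # tools that need a human-confirmation gate
    max_chain_len: int = 5        # cap on consecutive automated tool calls

@dataclass
class ToolGate:
    policies: dict                # agent_id -> AgentPolicy
    vault: dict                   # agent_id -> backend credential, never shown to the model
    audit: list = field(default_factory=list)

    def call(self, user: str, agent_id: str, tool: str, args: dict,
             chain_len: int, human_confirmed: bool = False) -> dict:
        policy = self.policies.get(agent_id)
        if policy is None or tool not in policy.allowed_tools:
            verdict = "denied:out_of_scope"
        elif chain_len > policy.max_chain_len:
            verdict = "denied:chain_too_long"
        elif tool in policy.confirm_required and not human_confirmed:
            verdict = "pending:human_confirmation"
        else:
            verdict = "allowed"
        # Record the user -> agent -> tool chain before execution so that
        # denied and pending calls are traceable too.
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "user": user, "agent": agent_id, "tool": tool,
                           "args": args, "chain_len": chain_len, "verdict": verdict})
        if verdict != "allowed":
            return {"ok": False, "verdict": verdict}
        # The credential is resolved inside the gate and handed to the tool only;
        # it never enters the agent's context, memory or the audit record.
        result = TOOLS[tool](args, self.vault[agent_id])
        return {"ok": True, "verdict": verdict, "result": result}

def build_gate() -> ToolGate:
    """Constructed policy for the customer-service agent from category 2:
    it may query orders freely but a refund needs a human to confirm."""
    policy = AgentPolicy(allowed_tools=frozenset({"query_order", "issue_refund"}),
                         confirm_required=frozenset({"issue_refund"}))
    return ToolGate(policies={"cs-agent": policy}, vault={"cs-agent": "constructed-secret"})
```

Calling `build_gate().call("alice", "cs-agent", "issue_refund", {...}, chain_len=2)` returns a pending verdict until the same call is repeated with `human_confirmed=True`, and the audit list shows the full chain for every attempt.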

4. Agent supply-chain risk (智能体供应链风险)

Technical risk. The agent’s underlying model, plugins, tools, prompt-template libraries, MCP services, agent registries, datasets, third-party agents, or update channels are poisoned, tampered with, counterfeited, or implanted with malicious logic. Examples: a malicious MCP server impersonating a normal email tool secretly bcc’s the attacker on every email; a poisoned npm package auto-installed by a developer agent exfiltrates SSH keys and API tokens.

Legal liability. Third-party-component security liability; vendor-management liability; open-source-compliance liability; data-leakage liability. Enterprises without component inventories, source verification, version pinning, vendor review, behavior monitoring, and emergency-deactivation mechanisms face findings of inadequate security management.

5. Unintended code execution (意外代码执行)

Technical risk. When generating, interpreting, modifying, or executing code, the agent — through prompt injection, tool misuse, unsafe deserialization, dynamic-execution functions, or malicious dependency installation — converts natural-language input or model output into unintended executable behavior. Particularly acute in dev-assistant, auto-Ops, data-analysis, and “vibe coding” contexts where the agent connects directly to code repositories, command lines, build systems, or production environments.

Legal liability. System intrusion; production-data deletion; service interruption; malicious-code propagation; client-asset damage. Triggers cybersecurity-incident handling obligations, data-leakage notification obligations, contractual breach, and tort liability.

6. Memory and context poisoning (记忆与上下文投毒)

Technical risk. Attackers — through file uploads, API data, user input, RAG knowledge bases, shared memory, or multi-agent interactions — poison the agent’s long-term memory, vector store, context summary, or retrievable knowledge. The agent then makes erroneous judgments or dangerous decisions in subsequent tasks. The distinguishing feature: malicious content may not trigger immediate harm, but is repeatedly used as trusted information in later sessions, retrievals, or task plans. Example: an attacker repeatedly feeds a travel agent fake flight prices; the agent later auto-approves erroneous-price orders.

Legal liability. Erroneous transactions; misinformation propagation; PI commingling; cross-tenant data leakage; business-decision distortion. Triggers data-quality management, PI segregation, purpose limitation, minimum-necessary processing, trade-secret protection, and client-loss compensation obligations. In high-sensitivity sectors (financial, medical, government), triggers stricter sectoral regulatory liability.

7. Inter-agent communication insecurity (智能体间通信不安全)

Technical risk. When multi-agent systems communicate via API, message bus, shared memory, or registry-discovery mechanisms, the absence of authentication, integrity verification, semantic validation, or replay-protection allows attackers to intercept, forge, tamper with, replay, or block agent messages. Example: a man-in-the-middle inserts hidden instructions into an unencrypted channel, altering multi-agent decisions.

Legal liability. Data leakage; erroneous scheduling; mispayment; system interruption; responsibility-chain rupture. Triggers findings of inadequate transport encryption, identity authentication, access control, and integrity-protection measures.
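The transport-side controls category 7 lists (origin authentication, integrity verification, replay protection) can be shown in one message envelope. The following is an added Python example written for this brief, not code from Zhu's article or any agent framework; the agent names and keys are constructed, and it assumes per-agent shared secrets provisioned out of band (a real deployment would more likely use per-pair keys or asymmetric signatures).

```python
"""Added example: authenticated inter-agent message envelope. Each message
carries sender, recipient, a per-sender sequence number, a timestamp and an HMAC
over the canonical body; the receiver checks the tag, rejects stale timestamps
and rejects sequence numbers it has already accepted. Agent names and keys are
constructed sample values."""
import hashlib
import hmac
import json
import time
from typing import Optional

# Per-agent shared secrets (constructed). Assumption: keys are provisioned out of
# band; a real deployment would use per-pair keys or asymmetric signatures.
KEYS = {"planner": b"constructed-key-planner", "executor": b"constructed-key-executor"}

def _canonical(env: dict) -> bytes:
    """Deterministic encoding of the authenticated fields (everything but the tag)."""
    body = {k: env[k] for k in ("sender", "recipient", "seq", "ts", "payload")}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def seal(sender: str, recipient: str, seq: int, payload: dict,
         ts: Optional[int] = None) -> dict:
    env = {"sender": sender, "recipient": recipient, "seq": seq,
           "ts": int(time.time()) if ts is None else ts, "payload": payload}
    env["tag"] = hmac.new(KEYS[sender], _canonical(env), hashlib.sha256).hexdigest()
    return env

class Receiver:
    def __init__(self, name: str, max_skew: int = 30):
        self.name = name
        self.max_skew = max_skew      # seconds of clock skew tolerated
        self.last_seq: dict = {}      # sender -> highest accepted sequence number

    def accept(self, env: dict, now: Optional[int] = None) -> tuple:
        now = int(time.time()) if now is None else now
        key = KEYS.get(env.get("sender"))
        if key is None or env.get("recipient") != self.name:
            return False, "unknown_sender_or_wrong_recipient"
        try:
            expected = hmac.new(key, _canonical(env), hashlib.sha256).hexdigest()
        except (KeyError, TypeError):
            return False, "malformed"
        # Origin and integrity first: every other field is untrusted until the tag checks out.
        if not hmac.compare_digest(expected, str(env.get("tag", ""))):
            return False, "bad_tag"
        if abs(now - env["ts"]) > self.max_skew:
            return False, "stale"
        if env["seq"] <= self.last_seq.get(env["sender"], -1):
            return False, "replay"
        self.last_seq[env["sender"]] = env["seq"]
        return True, "ok"
```

A message whose payload is edited in transit fails with `bad_tag`, and re-delivering an already accepted message fails with `replay`, which is the in-channel injection and replay scenario the paragraph describes.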

8. Cascade failure risk (级联故障)

Technical risk. A single agent’s error, hallucination, poisoned memory, malicious input, supply-chain issue, or tool misuse propagates along the multi-agent collaboration chain, automated workflow, shared state, or business system — and amplifies into a systemic failure. The agent’s autonomous-planning and auto-execution capabilities make single-point errors more likely to escalate into cross-system, cross-workflow, cross-actor chain consequences. Example: a poisoned medical knowledge base causes a treatment agent to adjust medication plans, which a nursing-coordination agent then propagates across multiple patient flows.

Legal liability. Product defects; medical harm; financial loss; public-safety incidents. Triggers product liability, tort liability, contractual liability, regulatory-reporting and emergency-response obligations. In high-risk sectors, additionally triggers administrative penalties, business-rectification orders, suspension of operations, and executive accountability.

9. Human-machine trust exploitation (人机信任利用)

Technical risk. The agent uses natural-language fluency, anthropomorphized expression, authoritative tone, emotional interaction, or fabricated explanations to induce excessive user trust — leading the user to approve dangerous operations, disclose sensitive information, or make erroneous business decisions. The risk doesn’t always manifest as the agent directly over-stepping; often it appears as the agent influencing the human user to complete the final, auditable operation — making it more covert in forensic and liability-attribution contexts. Example: a poisoned finance Copilot recommends “urgent payment” based on a fake invoice; the manager, trusting its explanation, approves the transfer.

Legal liability. Consumer misleading; fraudulent payment; PI leakage; internal-credential leakage; erroneous medical or financial advice. Triggers consumer-protection, advertising-and-anti-fraud, PIPL, contractual breach, and employer-liability risk. If the agent’s explanation conceals real risk, additionally raises transparency, disclosure, and human-oversight failure issues.

10. Rogue / malicious agents (失控/恶意智能体)

Technical risk. The agent — through attack, poisoning, goal drift, reward-function defect, identity spoofing, or multi-agent collusion — departs from its original function and authorization scope, exhibiting persistent, covert, self-replicating, or destructive harmful behavior. The risk distinguishes itself from single-input-output errors: the agent loses behavioral integrity and governance controllability during operation. Example: an attacked agent continues to scan for and exfiltrate sensitive files even after the original malicious source is removed; a compromised auto-Ops agent self-replicates via configuration interfaces, persistently consuming system resources.

Legal liability. Persistent data exfiltration; business-flow hijacking; system destruction; production-backup loss; unrecoverable damage. Triggers major cybersecurity-incident liability, data-security liability, contractual and tort liability.

How this connects to recent Chinese case law

Zhu flags one recently litigated case as illustrative of how Chinese courts are starting to apply traditional legal categories to agent conduct.

Guangzhou Internet Court — agent network unfair-competition dispute. The court recently considered an AI dialogue agent with role-playing and intelligent-conversation capability, which could (to some degree) substitute for human users in click/send/interaction operations on a target chat platform. The plaintiff alleged that the defendant’s open-source agent was bypassing the plaintiff’s platform rules and technical management measures, using system-underlying permissions to directly recognize, read, and control other applications — calling and operating the plaintiff’s platform without authorization, harming the platform’s operating order and legitimate rights.

The court issued a preservation order requiring the defendant to:

  • Immediately cease providing download and installation services for the agent
  • Cease using system-underlying permissions to circumvent the platform’s technical management measures
  • Delete and cease propagating tutorials and content directed at circumventing the platform’s risk-control measures

The case’s analytical core is the dual-authorization principle (双重授权原则) for AI agents accessing third-party platforms: where an agent accesses, calls, or controls a third-party application, it must obtain both the third-party application’s authorization and the user’s autonomous authorization. The court declined to treat “open-source,” “non-profit,” “user-script,” or “third-party-component” status as default exoneration; the analysis focused on whether the agent broke the platform’s technical management measures, disrupted normal operating order, and circumvented the third-party application’s security boundaries using user authorization as cover.

Zhu reads this as paralleling the analytical posture of Amazon v. Perplexity in the United States: in both, the central proposition is that user authorization does not equal platform authorization. Once a third-party platform has — through terms of service, technical measures, cease-and-desist letters, or otherwise — explicitly restricted agent access, an agent operator that continues to design, assist, or execute such access faces unauthorized-access, circumvention-of-technical-measures, unfair-competition, or platform-rule violation liability.

The regulatory comparison Zhu lays out

Five jurisdictions plus the OECD, each taking a distinct path:

  • China — dedicated Agent Rules (May 2026), first specialized document, classified-and-graded governance framework
  • OECD — The agentic AI landscape and its conceptual foundations (February 2026) — conceptual mapping to OECD’s existing AI System definition, supporting policy harmonization
  • Singapore — IMDA Model AI Governance Framework for Agentic AI (January 2026) — four-dimensional framework (advance risk assessment / meaningful human responsibility / technical + process controls / strengthened end-user responsibility); the most systemic external counterpart to China’s Rules
  • EU — interpretation under existing AI Act, with AI agents falling within “AI System” category subject to risk-tiered obligations; Digital Omnibus on AI has begun engaging agentic AI explicitly
  • US — AI Agent Security RFI (NIST/CAISI, January 2026) + AI Agent Standards Initiative (NIST, February 2026); industry-led standards approach with leading-company governance frameworks (Google SAIF, IBM AI Agent Evaluation)
  • UK — CMA Agentic AI and consumers (March 2026) — consumer-protection and competition-policy lens; distinct from the AI-safety framing of other jurisdictions

Across the five jurisdictions, regulatory recognition is converging: AI agents are treated as a distinct high-risk category requiring risk-grading, permission control, human oversight, security testing, traceable auditing, accountability, and transparent disclosure — not as ordinary GenAI-service extensions.

What this tells overseas compliance teams

  • The Agent Rules are the operational reference point for any agent deployment touching the Chinese market. Multinationals deploying agents that access Chinese users, data, or systems should map their internal governance against the Rules’ classified-graded framework. The classification tier (L1 read-only / L2 limited-write / L3 sensitive-data-processing / L4 high-impact decision) determines the regulatory scrutiny baseline.

  • The dual-authorization principle is now actionable. For any agent that interfaces with third-party Chinese platforms — even open-source agents, even agents nominally controlled by end-users — counsel should treat third-party-platform authorization as a separate, mandatory layer beyond user authorization. The Guangzhou Internet Court ruling is the first Chinese-court articulation; expect more.

  • The ten-category risk taxonomy maps cleanly to a compliance-program review. Use it as a checklist. For each category, verify the technical control and the legal-position documentation. Categories 4 (supply chain), 6 (memory poisoning), and 9 (human-machine trust) are the ones where DCC sees the most pre-existing-regime gaps in practice.

  • Treat the regulatory comparison as a forecasting tool, not a benchmark. The five-jurisdiction picture telegraphs the operational convergence point. Compliance frameworks designed to satisfy the most stringent of China, Singapore, and EU (likely the operational floor as the regimes mature) will not need to be re-architected for a single market.

For the operational governance framework that practitioners are now using to translate this risk taxonomy into internal controls, see Part 2 of this series.


朱垒, 从《智能体新规》看AI智能体的风险防范与合规治理(上)(Risk Prevention and Compliance Governance of AI Agents Under the Agent Rules — Part 1), 数据何规 WeChat Official Account, May 13, 2026. Original article (Chinese).

Not legal advice. The above is DCC’s structured summary of Zhu’s analysis, with framing for overseas counsel; the ten-category taxonomy, the cross-jurisdictional comparison, and the Guangzhou Internet Court case framing are Zhu’s. Author views are his own.
