---
title: "Mapping the AI Agent Risk Surface — A Ten-Category Taxonomy Under China's New 智能体新规"
author: "DCC Editorial"
published: 2026-05-28T03:30:00.000Z
url: https://datacompliancechina.com/posts/ai-agent-rules-risk-taxonomy/
description: "China's Cyberspace Administration jointly issued the Implementation Opinions on Standardized Application and Innovation Development of AI Agents (the '智能体新规' or 'Agent Rules') on May 8, 2026 — the first dedicated regulatory document on AI agents anywhere in the world. This DCC brief works through the ten-category risk taxonomy that practitioners are now using to map the agent attack surface: goal hijacking, tool misuse, identity/permission abuse, supply-chain compromise, unintended code execution, memory and context poisoning, inter-agent communication insecurity, cascade failures, human-machine trust exploitation, and rogue agents. With the agent risk mapped, the brief works the legal-liability vector: how each risk maps to administrative, civil, and criminal exposure under existing PIPL, CSL, Anti-Unfair Competition, and trade-secret regimes. Closes with the Guangzhou Internet Court's recent dual-authorization ruling against an open-source agent that bypassed a chat platform's risk controls — the first Chinese case to articulate the dual-authorization principle for AI agents accessing third-party platforms."
tags: ["ai-agents", "ai-governance", "genai", "commentary"]
laws_cited: ["genai-services-interim-measures", "algorithmic-recommendation-provisions", "deep-synthesis-provisions", "ai-content-labeling-measures"]
domains: ["ai-governance", "data-security", "personal-information"]
account: "data-he-gui"
original_title: "从《智能体新规》看AI智能体的风险防范与合规治理（上）"
original_author: "朱垒 (Zhu Lei)"
original_publication: "数据何规 WeChat Official Account"
original_url: "https://mp.weixin.qq.com/s/jQyo7KEwu1sREIWH3imZnA"
source_language: "zh"
---
> *Editor's Note — DCC.*
>
> The Cyberspace Administration of China and partner agencies jointly
> issued the *Implementation Opinions on Standardized Application and
> Innovation Development of AI Agents* (《智能体规范应用与创新发展实施
> 意见》, the "**Agent Rules**" or 智能体新规) on May 8, 2026. It is
> the first dedicated regulatory instrument in the world to address
> AI agents as a distinct category — beyond general large-model rules
> and beyond the generative-AI service framework. This DCC two-part
> series adapts a substantive practitioner taxonomy by 朱垒 (Zhu Lei),
> a commercial lawyer specializing in cyber and data, originally
> published via 数据何规. Part 1 (this brief) maps the ten-category
> risk taxonomy. [Part 2](/posts/ai-agent-rules-governance-framework/)
> walks through the ten-step internal governance framework practitioners
> are now using to operationalize the regime.
>
> The most useful single contribution in Zhu's piece is the mapping
> from each technical risk to the *legal-liability vector* that
> materializes when the risk is realized — i.e., the bridge from
> "what can go wrong" to "what statute is invoked." DCC reproduces that
> mapping in plain English for overseas counsel.

## What the Agent Rules cover

The Agent Rules are the first Chinese regulatory document to address AI agents (智能体) — autonomous AI systems with goal-decomposition, tool-calling, environment-interaction, memory, and multi-step execution capabilities — as a distinct category. Where prior rulemaking addressed generative AI through the lens of model output safety (the *Interim Measures for the Management of Generative AI Services*, the *Algorithmic Recommendation Provisions*, the *Deep Synthesis Provisions*, the *AI-Generated Content Labeling Measures*), the Agent Rules extend the regulatory perimeter to:

- The agent's **decision-making and permission scope**
- Its **tool-calling behavior**
- Its **interaction with external systems**
- Its **supply-chain dependencies**
- Its **application-derived risks**

The document proposes an agent **registration platform**, **sample testing and adversarial tools**, **agent-decision permission frameworks**, **behavioral controls**, **built-in security capability standards**, **supply-chain security**, **classified and graded governance**, and a **compliance services system**. Enterprises building or deploying agents, particularly those in the higher classification tiers (L3 sensitive-data-processing and L4 high-impact decision, described below) that touch sensitive data or external systems, will operate under increasingly granular oversight as the implementation framework develops.

## The ten-category risk taxonomy

Zhu's taxonomy, which synthesizes OWASP's *Top 10 for Agentic Applications* with Chinese regulatory expectations, names ten risk categories. For each, DCC reproduces the technical risk and the *legal liability vector* it triggers in the Chinese regulatory regime.

### 1. Goal hijacking (目标劫持)

**Technical risk.** Attackers use prompt injection, malicious files, falsified tool outputs, spoofed agent messages, or poisoned external data to alter the agent's task goal, decision path, or action plan — diverting it from the user's original intent. Canonical example: an attacker embeds a hidden instruction in a PDF that induces an internal-corporate agent to retrieve customer data and email it externally.

**Legal liability.** Personal-information leakage; trade-secret leakage; unauthorized transactions; misinformed decisions; data exfiltration. Triggers the *Cybersecurity Law*, *Data Security Law*, *PIPL*, trade-secret protection regime, contractual liability, and tort liability. If the agent acts on the enterprise's behalf in a transaction or payment context, also raises questions of authorization effectiveness, apparent agency (表见代理), and internal-control failure.

### 2. Tool misuse / abuse (工具误用/滥用)

**Technical risk.** After being granted tool-call permissions, the agent — through unclear permission boundaries, insufficient input validation, overlong execution chains, or absence of human-confirmation gates — performs erroneous, excessive, or attacker-induced operations within nominally legal tool scope. The core distinguishing feature: the agent doesn't just "say wrong" — it "does wrong." Example: a customer-service agent intended only to query order status proceeds to initiate refunds because its tool permissions were too broad.

**Legal liability.** Data deletion; over-scope queries; financial loss; service interruption. Triggers findings of inadequate permission boundaries, breach of security-protection obligations, or absence of necessary approval mechanisms — resulting in administrative data-compliance penalties, contractual breach liability, tort liability, consumer-protection liability, and internal-audit accountability.

### 3. Identity and permission abuse (身份与权限滥用)

**Technical risk.** In multi-system, multi-tool, or multi-agent environments, the agent inherits, caches, sub-delegates, or reuses identity credentials — resulting in low-privilege actors effectively acquiring high-privilege capabilities, or rendering the responsible actor for specific behaviors unidentifiable. Example: an administrator agent retains SSH credentials in its memory or context; a regular user then induces it to use those credentials to create unauthorized accounts.

**Legal liability.** Access-control failure; over-authorization processing of personal information; important-data leakage; unauthorized payment; system intrusion. Triggers administrative and civil liability for failure to implement least-privilege, identity authentication, access control, credential isolation, and audit logging. In dispute resolution, the inability to prove the source of operations, authorization chain, and responsible actor produces adverse evidentiary outcomes.
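Categories 2 and 3 reduce to the same engineering control: every tool call is decided on the scopes of the human (or upstream system) the agent is acting for, never on whatever credential the agent process happens to hold, with a human-confirmation gate and a hard cap on high-impact tools and an audit record that names the principal. The following is an added example written for this brief, not code from Zhu's article or from any regulator. It assumes a hypothetical customer-service agent with two tools, `query_order` and `issue_refund`; the tool names, the `orders:read` / `orders:refund` scope names, the policy format and the order table are all constructed for illustration.

```python
"""Least-privilege tool gateway with a human-confirmation gate.

Added example for this brief, not code from the original article or from any
regulator. It models a hypothetical customer-service agent with two tools,
query_order and issue_refund; the tool names, scope names, order table and
policy format are all constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed sample data: the order table the tools operate on.
ORDERS = {"A-100": {"status": "shipped", "paid": 120.0, "refunded": 0.0}}


def query_order(order_id: str) -> dict:
    return dict(ORDERS[order_id])


def issue_refund(order_id: str, amount: float) -> dict:
    ORDERS[order_id]["refunded"] += amount
    return dict(ORDERS[order_id])


TOOLS = {"query_order": query_order, "issue_refund": issue_refund}


def permissive_invoke(tool: str, **args) -> dict:
    """The over-broad pattern (category 2): the agent process holds every tool
    and calls whatever the model asked for, with no check on who is asking."""
    return TOOLS[tool](**args)


@dataclass(frozen=True)
class Principal:
    """Whoever the agent is acting for. Authorization is decided on the
    principal's scopes, never on credentials the agent process itself holds
    (category 3: an inherited admin credential must not widen a user's reach)."""
    user_id: str
    scopes: frozenset


@dataclass(frozen=True)
class ToolPolicy:
    scope: str                          # scope the principal must hold
    confirm: bool = False               # human confirmation required before the call
    max_amount: Optional[float] = None  # hard cap that confirmation cannot lift


POLICIES = {
    "query_order": ToolPolicy(scope="orders:read"),
    "issue_refund": ToolPolicy(scope="orders:refund", confirm=True, max_amount=50.0),
}


@dataclass
class Gateway:
    """Every tool call goes through invoke(); the model never touches TOOLS."""
    confirm: Callable[[str, dict], bool]   # human-in-the-loop hook
    audit: list = field(default_factory=list)

    def invoke(self, who: Principal, tool: str, **args) -> dict:
        policy = POLICIES.get(tool)
        if policy is None:
            return self._log(who, tool, args, "deny", "no policy for tool")
        if policy.scope not in who.scopes:
            return self._log(who, tool, args, "deny", f"missing scope {policy.scope}")
        if args.get("order_id") not in ORDERS:       # validate model-supplied input
            return self._log(who, tool, args, "deny", "unknown order")
        if policy.max_amount is not None:
            amount = args.get("amount")
            if not isinstance(amount, (int, float)) or amount <= 0 or amount > policy.max_amount:
                return self._log(who, tool, args, "deny", "amount missing or over cap")
        if policy.confirm and not self.confirm(tool, dict(args)):
            return self._log(who, tool, args, "deny", "not confirmed by human")
        return self._log(who, tool, args, "allow", "ok", TOOLS[tool](**args))

    def _log(self, who, tool, args, decision, reason, result=None) -> dict:
        # The record names the principal, so the responsible actor stays identifiable.
        entry = {"user": who.user_id, "tool": tool, "args": dict(args),
                 "decision": decision, "reason": reason, "result": result}
        self.audit.append(entry)
        return entry


if __name__ == "__main__":
    support = Principal("support-17", frozenset({"orders:read"}))
    gw = Gateway(confirm=lambda tool, args: False)   # nobody is at the console
    print(gw.invoke(support, "issue_refund", order_id="A-100", amount=20.0)["reason"])
```

The point of `permissive_invoke` next to `Gateway.invoke` is the contrast: in the first, a prompt that says "refund this order" succeeds for anyone who can talk to the agent; in the second, a support user with read scope is denied before the tool is reached, a manager with refund scope is still stopped by the confirmation hook and by the amount cap, and every decision is logged against the user rather than against the agent's service identity.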

### 4. Agent supply-chain risk (智能体供应链风险)

**Technical risk.** The agent's underlying model, plugins, tools, prompt-template libraries, MCP services, agent registries, datasets, third-party agents, or update channels are poisoned, tampered with, counterfeited, or implanted with malicious logic. Examples: a malicious MCP server impersonating a normal email tool secretly bcc's the attacker on every email; a poisoned npm package auto-installed by a developer agent exfiltrates SSH keys and API tokens.

**Legal liability.** Third-party-component security liability; vendor-management liability; open-source-compliance liability; data-leakage liability. Enterprises without component inventories, source verification, version pinning, vendor review, behavior monitoring, and emergency-deactivation mechanisms face findings of inadequate security management.

### 5. Unintended code execution (意外代码执行)

**Technical risk.** When generating, interpreting, modifying, or executing code, the agent — through prompt injection, tool misuse, unsafe deserialization, dynamic-execution functions, or malicious dependency installation — converts natural-language input or model output into unintended executable behavior. Particularly acute in dev-assistant, auto-Ops, data-analysis, and "vibe coding" contexts where the agent connects directly to code repositories, command lines, build systems, or production environments.

**Legal liability.** System intrusion; production-data deletion; service interruption; malicious-code propagation; client-asset damage. Triggers cybersecurity-incident handling obligations, data-leakage notification obligations, contractual breach, and tort liability.

### 6. Memory and context poisoning (记忆与上下文投毒)

**Technical risk.** Attackers — through file uploads, API data, user input, RAG knowledge bases, shared memory, or multi-agent interactions — poison the agent's long-term memory, vector store, context summary, or retrievable knowledge. The agent then makes erroneous judgments or dangerous decisions in subsequent tasks. The distinguishing feature: malicious content may not trigger immediate harm, but is repeatedly used as trusted information in later sessions, retrievals, or task plans. Example: an attacker repeatedly feeds a travel agent fake flight prices; the agent later auto-approves erroneous-price orders.

**Legal liability.** Erroneous transactions; misinformation propagation; PI commingling; cross-tenant data leakage; business-decision distortion. Triggers data-quality management, PI segregation, purpose limitation, minimum-necessary processing, trade-secret protection, and client-loss compensation obligations. In high-sensitivity sectors (financial, medical, government), triggers stricter sectoral regulatory liability.

### 7. Inter-agent communication insecurity (智能体间通信不安全)

**Technical risk.** When multi-agent systems communicate via API, message bus, shared memory, or registry-discovery mechanisms, the absence of authentication, integrity verification, semantic validation, or replay-protection allows attackers to intercept, forge, tamper with, replay, or block agent messages. Example: a man-in-the-middle inserts hidden instructions into an unencrypted channel, altering multi-agent decisions.

**Legal liability.** Data leakage; erroneous scheduling; mispayment; system interruption; responsibility-chain rupture. Triggers findings of inadequate transport encryption, identity authentication, access control, and integrity-protection measures.
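The four properties the paragraph above lists (authentication, integrity, freshness and replay protection) can be demonstrated on a single message envelope. The following is an added example written for this brief, not code from Zhu's article; the JSON envelope, the per-agent shared-key table and the agent names `planner` and `executor` are constructed for illustration. A production message bus would more likely rely on mTLS or signed tokens, but the checks a receiving agent has to perform are the same.

```python
"""Authenticated, replay-protected messages between two agents.

Added example for this brief, not code from the original article. The
envelope format, the per-agent shared-key table and the agent names are
constructed; a production bus would more likely use mTLS or signed tokens,
but the four checks shown (sender known, integrity, freshness, no replay)
are what any of those mechanisms has to deliver.
"""
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Constructed keys. In practice the registry that authenticates agents issues them.
KEYS = {"planner": b"k-planner-0001", "executor": b"k-executor-0002"}
MAX_SKEW = 30.0   # seconds a message remains acceptable; also bounds the nonce cache


def _canonical(env: dict) -> bytes:
    """Deterministic bytes over every field except the MAC itself."""
    body = {k: v for k, v in env.items() if k != "mac"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def seal(sender: str, recipient: str, payload: dict, now: Optional[float] = None) -> dict:
    env = {
        "from": sender,
        "to": recipient,                        # bound into the MAC: no cross-recipient replay
        "ts": time.time() if now is None else now,
        "nonce": secrets.token_hex(8),
        "payload": payload,
    }
    env["mac"] = hmac.new(KEYS[sender], _canonical(env), hashlib.sha256).hexdigest()
    return env


class Inbox:
    def __init__(self, me: str):
        self.me = me
        self.seen = {}   # (sender, nonce) -> message ts, for replay detection

    def open(self, env: dict, now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        key = KEYS.get(env.get("from"))
        if key is None:
            return False, "unknown sender"
        expected = hmac.new(key, _canonical(env), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(env.get("mac", ""))):
            return False, "bad mac"       # tampered payload, header or timestamp
        # Everything below is authenticated, so the fields can be trusted.
        if env["to"] != self.me:
            return False, "not addressed to me"
        if abs(now - env["ts"]) > MAX_SKEW:
            return False, "stale"
        # Forget nonces that are too old to pass the freshness check anyway.
        self.seen = {tag: ts for tag, ts in self.seen.items() if now - ts <= MAX_SKEW}
        tag = (env["from"], env["nonce"])
        if tag in self.seen:
            return False, "replay"
        self.seen[tag] = env["ts"]
        return True, "ok"


if __name__ == "__main__":
    inbox = Inbox("executor")
    msg = seal("planner", "executor", {"task": "restart-svc"})
    print(inbox.open(msg))   # first delivery accepted
    print(inbox.open(msg))   # the same bytes again are rejected as a replay
```

Two design points worth noting. The recipient is part of the authenticated envelope, so a valid message captured on one channel cannot be redirected to a different agent. And the nonce cache is pruned against the same `MAX_SKEW` window used for the freshness check, so a replay older than the window is rejected as stale rather than silently accepted once its nonce has been forgotten.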

### 8. Cascade failure risk (级联故障)

**Technical risk.** A single agent's error, hallucination, poisoned memory, malicious input, supply-chain issue, or tool misuse propagates along the multi-agent collaboration chain, automated workflow, shared state, or business system — and amplifies into a systemic failure. The agent's autonomous-planning and auto-execution capabilities make single-point errors more likely to escalate into cross-system, cross-workflow, cross-actor chain consequences. Example: a poisoned medical knowledge base causes a treatment agent to adjust medication plans, which a nursing-coordination agent then propagates across multiple patient flows.

**Legal liability.** Product defects; medical harm; financial loss; public-safety incidents. Triggers product liability, tort liability, contractual liability, regulatory-reporting and emergency-response obligations. In high-risk sectors, additionally triggers administrative penalties, business-rectification orders, suspension of operations, and executive accountability.

### 9. Human-machine trust exploitation (人机信任利用)

**Technical risk.** The agent uses natural-language fluency, anthropomorphized expression, authoritative tone, emotional interaction, or fabricated explanations to induce excessive user trust — leading the user to approve dangerous operations, disclose sensitive information, or make erroneous business decisions. The risk doesn't always manifest as the agent directly over-stepping; often it appears as the agent *influencing the human user* to complete the final, auditable operation — making it more covert in forensic and liability-attribution contexts. Example: a poisoned finance Copilot recommends "urgent payment" based on a fake invoice; the manager, trusting its explanation, approves the transfer.

**Legal liability.** Consumer misleading; fraudulent payment; PI leakage; internal-credential leakage; erroneous medical or financial advice. Triggers consumer-protection, advertising-and-anti-fraud, PIPL, contractual breach, and employer-liability risk. If the agent's explanation conceals real risk, additionally raises transparency, disclosure, and human-oversight failure issues.

### 10. Rogue / malicious agents (失控/恶意智能体)

**Technical risk.** The agent — through attack, poisoning, goal drift, reward-function defect, identity spoofing, or multi-agent collusion — departs from its original function and authorization scope, exhibiting persistent, covert, self-replicating, or destructive harmful behavior. The risk distinguishes itself from single-input-output errors: the agent loses behavioral integrity and governance controllability *during operation*. Example: an attacked agent continues to scan for and exfiltrate sensitive files even after the original malicious source is removed; a compromised auto-Ops agent self-replicates via configuration interfaces, persistently consuming system resources.

**Legal liability.** Persistent data exfiltration; business-flow hijacking; system destruction; production-backup loss; unrecoverable damage. Triggers major cybersecurity-incident liability, data-security liability, contractual and tort liability.

## How this connects to recent Chinese case law

Zhu flags one recently-litigated case as illustrative of how Chinese courts are starting to apply traditional legal categories to agent conduct.

**Guangzhou Internet Court — agent-related online unfair-competition dispute.** The court recently considered an AI dialogue agent with role-playing and conversational capability that could, to some degree, stand in for a human user in click, send, and interaction operations on a target chat platform. The plaintiff alleged that the defendant's open-source agent bypassed the platform's rules and technical management measures by using system-level permissions to recognize, read, and control other applications directly, calling and operating the plaintiff's platform without authorization and harming the platform's operating order and legitimate rights.

The court issued a preservation order requiring the defendant to:

- Immediately cease providing download and installation services for the agent
- Cease using system-level permissions to circumvent the platform's technical management measures
- Delete and cease propagating tutorials and content directed at circumventing the platform's risk-control measures

The case's analytical core is the **dual-authorization principle (双重授权原则)** for AI agents accessing third-party platforms: where an agent accesses, calls, or controls a third-party application, it must obtain both *the third-party application's authorization* and *the user's autonomous authorization*. The court declined to treat "open-source," "non-profit," "user-script," or "third-party-component" status as default exoneration; the analysis focused on whether the agent broke the platform's technical management measures, disrupted normal operating order, and circumvented the third-party application's security boundaries using user authorization as cover.

Zhu reads this as paralleling the analytical posture of *Amazon v. Perplexity* in the United States: in both, the central proposition is that *user authorization does not equal platform authorization*. Once a third-party platform has explicitly restricted agent access, whether through terms of service, technical measures, cease-and-desist letters, or otherwise, an agent operator that continues to design, assist, or execute such access faces liability for unauthorized access, circumvention of technical measures, unfair competition, or platform-rule violation.

## The regulatory comparison Zhu lays out

Five jurisdictions plus the OECD, each taking a distinct path:

- **China — dedicated Agent Rules (May 2026)**, first specialized document, classified-and-graded governance framework
- **OECD — *The agentic AI landscape and its conceptual foundations* (February 2026)** — conceptual mapping to OECD's existing AI System definition, supporting policy harmonization
- **Singapore — IMDA *Model AI Governance Framework for Agentic AI* (January 2026)** — four-dimensional framework (advance risk assessment / meaningful human responsibility / technical + process controls / strengthened end-user responsibility); the most systemic external counterpart to China's Rules
- **EU — interpretation under existing AI Act**, with AI agents falling within "AI System" category subject to risk-tiered obligations; *Digital Omnibus on AI* has begun engaging agentic AI explicitly
- **US — *AI Agent Security RFI* (NIST/CAISI, January 2026)** + *AI Agent Standards Initiative* (NIST, February 2026); industry-led standards approach with leading-company governance frameworks (Google SAIF, IBM AI Agent Evaluation)
- **UK — CMA *Agentic AI and consumers* (March 2026)** — consumer-protection and competition-policy lens; distinct from the AI-safety framing of other jurisdictions

Across all six, regulatory recognition is converging: AI agents are treated as a distinct high-risk category requiring risk-grading, permission control, human oversight, security testing, traceable auditing, accountability, and transparent disclosure, not as ordinary GenAI-service extensions.

## What this tells overseas compliance teams

- **The Agent Rules are the operational reference point for any agent deployment touching the Chinese market.** Multinationals deploying agents that access Chinese users, data, or systems should map their internal governance against the Rules' classified-graded framework. The classification tier (L1 read-only / L2 limited-write / L3 sensitive-data-processing / L4 high-impact decision) determines the regulatory scrutiny baseline.

- **The dual-authorization principle is now actionable.** For any agent that interfaces with third-party Chinese platforms — even open-source agents, even agents nominally controlled by end-users — counsel should treat third-party-platform authorization as a separate, mandatory layer beyond user authorization. The Guangzhou Internet Court ruling is the first Chinese-court articulation; expect more.

- **The ten-category risk taxonomy maps cleanly to a compliance-program review.** Use it as a checklist. For each category, verify the technical control and the legal-position documentation. Categories 4 (supply chain), 6 (memory poisoning), and 9 (human-machine trust) are the ones where DCC sees the most pre-existing-regime gaps in practice.

- **Treat the regulatory comparison as a forecasting tool, not a benchmark.** The five-jurisdiction picture telegraphs the operational convergence point. Compliance frameworks designed to satisfy the *most stringent* of China, Singapore, and EU (likely the operational floor as the regimes mature) will not need to be re-architected for a single market.

For the operational governance framework that practitioners are now using to translate this risk taxonomy into internal controls, see [Part 2 of this series](/posts/ai-agent-rules-governance-framework/).

---

— *朱垒, 从《智能体新规》看AI智能体的风险防范与合规治理（上）(Risk Prevention and Compliance Governance of AI Agents Under the Agent Rules — Part 1), 数据何规 WeChat Official Account, May 13, 2026. [Original article (Chinese).](https://mp.weixin.qq.com/s/jQyo7KEwu1sREIWH3imZnA)*

*Not legal advice. The above is DCC's structured summary of Zhu's analysis, with framing for overseas counsel; the ten-category taxonomy, the cross-jurisdictional comparison, and the Guangzhou Internet Court case framing are Zhu's. Author views are his own.*
