Skip to content
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ 074 · AI-AGENTS

TC260's Practice Guide on AI-Agent Deployment: A Five-Stage Lifecycle Checklist, Read Against PIPL, DSL, and CSL Obligations

On July 1, 2026 the National Cybersecurity Standardization Technical Committee (TC260) issued the Cybersecurity Standards Practice Guide — Security Guidelines for the Deployment and Use of AI Agents (网络安全标准实践指南——智能体部署使用安全指引), covering the full lifecycle of high-permission, LLM-based personal-assistant agents across five stages: assessment, preparation, deployment, use, and decommissioning, plus a star-rated security checklist (Appendix A) and an organizational management framework including shadow-agent discovery (Appendix B). This DCC brief adapts the HexCode reading published on 数据何规 — itself generated, the account notes, by its own AI agent — which maps each stage onto hard-law anchors: PIPIA duties under PIPL Article 55 and DSL Article 27 risk monitoring at assessment; the GenAI Measures' filed-model requirement and the ban on unverified API relays at preparation; least privilege, directory isolation, CSL Article 21 log retention, and high-risk-operation confirmation lists at deployment; minimum-necessary provision of personal information and long-term-memory management in use; and credential revocation and data disposal at decommissioning. Practice guides are soft law — but in Chinese enforcement practice they calibrate what 'necessary measures' means, and this one is the first lifecycle baseline for the agent era.

Editor’s Note — DCC.

On July 1, 2026 the National Cybersecurity Standardization Technical Committee (全国网络安全标准化技术委员会, TC260) secretariat issued the Cybersecurity Standards Practice Guide — Security Guidelines for the Deployment and Use of AI Agents (网络安全标准实践指南——智能体部署使用安全指引). This brief adapts the same-day reading by HexCode on the 数据何规 account — which the account flags was produced by its own AI agent (“以下为数据何规智能体的解读”), an agent annotating the rules for agents. The stage-by-stage legal mapping below is the author’s; DCC’s framing is added.

For the regulatory layer above this document — the May 2026 Agent Rules — see DCC’s briefs on the ten-category agent risk taxonomy and the agent governance framework.

What the document is — and what “practice guide” means

The guide belongs to TC260’s 网络安全标准实践指南 series: a standards-adjacent technical document, not a mandatory national standard. It provides security guidance for deploying and using AI agents and doubles as a reference for selecting commercial agent services.

The author’s threshold point is about its real-world weight. When a regulator assesses whether an enterprise took the “necessary technical measures” required by the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law, practice guides of this kind are routinely the benchmark for whether those measures were adequate. An enterprise that ignored a guide’s reasonable requirements and then suffered an incident risks a finding that it failed its security protection obligations. Soft law, hard consequences.

Scope: high-permission, LLM-based personal assistants

The guide defines three terms. An agent (智能体) is an intelligent system with autonomous perception, memory, decision-making, interaction, and execution capabilities — and the document expressly narrows itself to personal-assistant-scenario, high-permission, large-model-based agents. A tool (工具) is the standardized interface through which an agent calls external capabilities; a skill (技能) is a standardized instruction set for a specific task.

The narrowing does real work: simple automation scripts and low-permission lightweight apps are out of scope. The regulatory attention is on systems whose failure modes are system-level, because the agent holds elevated permissions and acts autonomously.

The five-stage lifecycle

The guide divides the agent lifecycle into assessment → preparation → deployment → use → decommissioning (chapters 6–10), with security guidance for each stage. The author pairs each stage with its hard-law anchor.

1. Assessment (评估)

Before adopting an agent: clarify the purpose of use, understand the agent’s technical characteristics, and choose cautiously. Do not select agents that are long unmaintained, carry unpatched high-severity vulnerabilities, or lack basic mechanisms such as audit logging; check for red flags like automatically opened public-network interfaces.

Author’s mapping: this is ex-ante risk control in the mold of the PIPIA duty under PIPL Article 55 and the risk-monitoring duty under DSL Article 27. The project-maintenance check is aimed squarely at the open-source “zombie project” problem — free does not mean exempt from supply-chain review.

2. Preparation (准备)

Obtain installation materials from official channels and verify authenticity; apply environment-appropriate hardening for local, virtualized, or cloud deployments; select a large model that has completed generative-AI service filing; preferably add security tooling.

Author’s mapping: supply-chain control plus model-compliance front-loading. The filed-model requirement tracks Article 17 of the Interim Measures for the Management of Generative AI Services — filing is the legality precondition for the model layer. The guide’s ban on unverified API relay/proxy endpoints (中转站) answers a live practice risk: reverse proxies that can intercept data without authorization.

3. Deployment (部署)

No one-click deployment scripts of unknown provenance; check plugin sources; do not run with administrator privileges; restrict accessible directories; configure services as localhost-only; enable full logging; and establish a high-risk operation list in advance, with secondary confirmation or outright blocking for operations on the list.

Author’s mapping: least privilege and directory isolation are elementary OS-level controls that agents in the wild routinely violate. Full logging connects to the CSL Article 21 requirement to retain logs for at least six months. The high-risk list — disk formatting, batch deletion, payments and transfers — is the guide’s most practical device: a pre-committed human-in-the-loop gate against malicious instructions and misfires.

4. Use (使用)

Re-verify configuration; use skills from reliable sources; provide personal information to the agent on the minimum-necessary principle; do not feed the agent third-party data or IP-protected content you lack rights to; periodically check public-network interfaces, back up, and manage long-term memory; track security bulletins.

Author’s mapping: this stage plugs directly into PIPL’s minimum-necessary principle (Article 6) and notice-and-consent (Article 14). The bar on feeding unauthorized business data speaks to the everyday scenario of employees pasting company data into external agents — trade-secret and data-security exposure in one move. The long-term-memory requirement is the sleeper: agent memory silently accumulates sensitive information, and enterprises need a periodic review mechanism for it.

5. Decommissioning (停用)

Stop the main program and all processes; take disaster-recovery backups of data that must be retained; execute environment-appropriate cleanup — revoke credentials and third-party authorizations, confirm services are terminated.

Author’s mapping: deletion duties under PIPL Article 47 and secure disposal of data and storage media on processing termination. The commonly missed step is credential revocation — stale API keys and lingering OAuth grants are the classic source of post-decommissioning charges and leaks.

Appendix A: the star-rated checklist

Appendix A converts the lifecycle guidance into a security checklist covering all five stages, each item graded by importance (★★★ / ★★ / ★). The author’s advice: adopt it as the reference framework for an internal agent-management baseline, fold it into the ISMS as an internal-audit and self-assessment instrument, and use the star ratings to allocate security resources by risk.

Appendix B: managing agents inside an organization — including the ones you didn’t approve

Appendix B is an organizational governance framework: internal rules (prohibited conduct, use boundaries, approval workflows); an agent asset register (agent identity, deployment location, developer, model, tool components, access controls, authorizations, review records); logging, risk analysis, and periodic re-checks for approved agents; and — the standout — discovery capabilities for unapproved agents: port scanning, traffic analysis, API-endpoint identification, process inspection. Employee training should cover prompt-injection attacks, supply-chain security, credential leakage, and data leakage.

Author’s mapping: this is the management-system layer required by CSL Article 21 (internal security management under the Multi-Level Protection Scheme) and PIPL Article 51. The shadow-agent point deserves the emphasis: employees privately deploying agents is the new shadow IT, and a governance regime that only sees approved deployments is blind exactly where agent risk concentrates. Run the discovery tooling continuously and tie it to network access control and endpoint management.

DCC’s read

Three structural observations for overseas teams:

  • The lifecycle is now the unit of compliance. The May 2026 Agent Rules set the policy frame; this guide supplies the operational baseline that auditors and regulators can hold deployments against, stage by stage. An enterprise agent program should be able to produce evidence at each of the five stages — the checklist is effectively the audit script.
  • The filed-model requirement domesticates the stack. Building agent workflows on a large model that has completed generative-AI filing is presented as a preparation-stage security measure — but its effect is to make domestic regulatory status of the model layer a compliance precondition for agent adoption in China, including for multinationals weighing headquarters-hosted models.
  • Memory and credentials are the new perimeter. The two most forward-looking requirements — periodic long-term-memory review and decommissioning-stage credential revocation — target exactly the persistence mechanisms that make agents different from apps. Policies written for applications will miss both.

HexCode, 《智能体部署使用安全指引》要点 (Key Points of the Security Guidelines for the Deployment and Use of AI Agents), published via the 数据何规 WeChat Official Account, July 1, 2026. Original article (Chinese).

Not legal advice. Chapter and article references follow the author’s account of the guide; the TC260 original is authoritative.

— Not legal advice.


§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.