---
title: "TC260's Practice Guide on AI-Agent Deployment: A Five-Stage Lifecycle Checklist, Read Against PIPL, DSL, and CSL Obligations"
author: "DCC Editorial"
published: 2026-07-02T04:00:00.000Z
url: https://datacompliancechina.com/posts/tc260-ai-agent-deployment-security-guidelines/
description: "On July 1, 2026 the National Cybersecurity Standardization Technical Committee (TC260) issued the Cybersecurity Standards Practice Guide — Security Guidelines for the Deployment and Use of AI Agents (网络安全标准实践指南——智能体部署使用安全指引), covering the full lifecycle of high-permission, LLM-based personal-assistant agents across five stages: assessment, preparation, deployment, use, and decommissioning, plus a star-rated security checklist (Appendix A) and an organizational management framework including shadow-agent discovery (Appendix B). This DCC brief adapts the HexCode reading published on 数据何规 — itself generated, the account notes, by its own AI agent — which maps each stage onto hard-law anchors: PIPIA duties under PIPL Article 55 and DSL Article 27 risk monitoring at assessment; the GenAI Measures' filed-model requirement and the ban on unverified API relays at preparation; least privilege, directory isolation, CSL Article 21 log retention, and high-risk-operation confirmation lists at deployment; minimum-necessary provision of personal information and long-term-memory management in use; and credential revocation and data disposal at decommissioning. Practice guides are soft law — but in Chinese enforcement practice they calibrate what 'necessary measures' means, and this one is the first lifecycle baseline for the agent era."
tags: ["ai-agents", "ai-governance", "tc260", "standards", "genai"]
laws_cited: ["genai-services-interim-measures", "pipl", "dsl", "csl"]
domains: ["ai-governance", "data-security"]
account: "data-he-gui"
original_title: "《智能体部署使用安全指引》要点"
original_author: "HexCode"
original_publication: "数据何规 WeChat Official Account"
original_url: "https://mp.weixin.qq.com/s/SgxkE4xbWZqD4aSw9Mbs7A"
source_language: "zh"
---

> **Source: Data Compliance China** — https://datacompliancechina.com/posts/tc260-ai-agent-deployment-security-guidelines/ · China data law, translated and annotated for overseas counsel. Cite as: Data Compliance China, "TC260's Practice Guide on AI-Agent Deployment: A Five-Stage Lifecycle Checklist, Read Against PIPL, DSL, and CSL Obligations", https://datacompliancechina.com/posts/tc260-ai-agent-deployment-security-guidelines/
> *Editor's Note — DCC.*
>
> On **July 1, 2026** the **National Cybersecurity Standardization Technical
> Committee (全国网络安全标准化技术委员会, TC260)** secretariat issued the
> **Cybersecurity Standards Practice Guide — Security Guidelines for the
> Deployment and Use of AI Agents
> (网络安全标准实践指南——智能体部署使用安全指引)**. This brief adapts the
> same-day reading by **HexCode** on the **数据何规** account — which the
> account flags was produced by **its own AI agent** ("以下为数据何规智能体的解读"),
> an agent annotating the rules for agents. The stage-by-stage legal mapping
> below is the author's; DCC's framing is added.
>
> For the regulatory layer above this document — the May 2026 Agent Rules —
> see DCC's briefs on the
> [ten-category agent risk taxonomy](/posts/ai-agent-rules-risk-taxonomy/) and
> the [agent governance framework](/posts/ai-agent-rules-governance-framework/).

## What the document is — and what "practice guide" means

The guide belongs to TC260's **网络安全标准实践指南** series: a standards-adjacent
technical document, not a mandatory national standard. It provides security
guidance for deploying and using AI agents and doubles as a reference for
**selecting commercial agent services**.

The author's threshold point is about its real-world weight. When a regulator
assesses whether an enterprise took the "**necessary technical measures**"
required by the [Cybersecurity Law](/laws/csl/), the
[Data Security Law](/laws/dsl/), and the
[Personal Information Protection Law](/laws/pipl/), practice
guides of this kind are routinely the benchmark for whether those measures
were adequate. An enterprise that ignored a guide's reasonable requirements
and then suffered an incident risks a finding that it **failed its security
protection obligations**. Soft law, hard consequences.

## Scope: high-permission, LLM-based personal assistants

The guide defines three terms. An **agent (智能体)** is an intelligent system
with autonomous perception, memory, decision-making, interaction, and
execution capabilities — and the document expressly narrows itself to
**personal-assistant-scenario, high-permission, large-model-based agents**. A
**tool (工具)** is the standardized interface through which an agent calls
external capabilities; a **skill (技能)** is a standardized instruction set
for a specific task.

The narrowing does real work: simple automation scripts and low-permission
lightweight apps are out of scope. The regulatory attention is on systems
whose failure modes are **system-level**, because the agent holds elevated
permissions and acts autonomously.

## The five-stage lifecycle

The guide divides the agent lifecycle into **assessment → preparation →
deployment → use → decommissioning** (chapters 6–10), with security guidance
for each stage. The author pairs each stage with its hard-law anchor.

### 1. Assessment (评估)

Before adopting an agent: clarify the purpose of use, understand the agent's
technical characteristics, and choose cautiously. Do **not** select agents
that are long unmaintained, carry unpatched high-severity vulnerabilities, or
lack basic mechanisms such as audit logging; check for red flags like
automatically opened public-network interfaces.

*Author's mapping:* this is ex-ante risk control in the mold of the **PIPIA
duty under PIPL Article 55** and the **risk-monitoring duty under DSL
Article 27**. The project-maintenance check is aimed squarely at the
open-source "zombie project" problem — free does not mean exempt from
supply-chain review.

### 2. Preparation (准备)

Obtain installation materials from official channels and verify authenticity;
apply environment-appropriate hardening for local, virtualized, or cloud
deployments; **select a large model that has completed generative-AI service
filing**; preferably add security tooling.

*Author's mapping:* supply-chain control plus **model-compliance
front-loading**. The filed-model requirement tracks **Article 17 of the
[Interim Measures for the Management of Generative AI Services](/laws/genai-services-interim-measures/)**
— filing is the legality precondition for the model layer. The guide's ban on
**unverified API relay/proxy endpoints (中转站)** answers a live practice
risk: reverse proxies that can intercept data without authorization.

### 3. Deployment (部署)

No one-click deployment scripts of unknown provenance; check plugin sources;
do not run with administrator privileges; restrict accessible directories;
configure services as localhost-only; enable full logging; and **establish a
high-risk operation list in advance**, with secondary confirmation or
outright blocking for operations on the list.

*Author's mapping:* least privilege and directory isolation are elementary
OS-level controls that agents in the wild routinely violate. Full logging
connects to the **CSL Article 21** requirement to retain logs for at least
six months. The high-risk list — disk formatting, batch deletion, payments
and transfers — is the guide's most practical device: a pre-committed
human-in-the-loop gate against malicious instructions and misfires.

### 4. Use (使用)

Re-verify configuration; use skills from reliable sources; provide personal
information to the agent on the **minimum-necessary** principle; do not feed
the agent third-party data or IP-protected content you lack rights to;
periodically check public-network interfaces, back up, and **manage long-term
memory**; track security bulletins.

*Author's mapping:* this stage plugs directly into **PIPL's
minimum-necessary principle (Article 6)** and notice-and-consent
(Article 14). The bar on feeding unauthorized business data speaks to the
everyday scenario of employees pasting company data into external agents —
trade-secret and data-security exposure in one move. The long-term-memory
requirement is the sleeper: agent memory silently accumulates sensitive
information, and enterprises need a periodic review mechanism for it.

### 5. Decommissioning (停用)

Stop the main program and all processes; take disaster-recovery backups of
data that must be retained; execute environment-appropriate cleanup —
**revoke credentials and third-party authorizations**, confirm services are
terminated.

*Author's mapping:* deletion duties under **PIPL Article 47** and secure
disposal of data and storage media on processing termination. The commonly
missed step is credential revocation — stale API keys and lingering OAuth
grants are the classic source of post-decommissioning charges and leaks.

## Appendix A: the star-rated checklist

Appendix A converts the lifecycle guidance into a **security checklist**
covering all five stages, each item graded by importance (★★★ / ★★ / ★). The
author's advice: adopt it as the reference framework for an internal
agent-management baseline, fold it into the **ISMS** as an internal-audit and
self-assessment instrument, and use the star ratings to allocate security
resources by risk.

## Appendix B: managing agents inside an organization — including the ones you didn't approve

Appendix B is an organizational governance framework: internal rules
(prohibited conduct, use boundaries, approval workflows); an **agent asset
register** (agent identity, deployment location, developer, model, tool
components, access controls, authorizations, review records); logging, risk
analysis, and periodic re-checks for approved agents; and — the standout —
**discovery capabilities for unapproved agents**: port scanning, traffic
analysis, API-endpoint identification, process inspection. Employee training
should cover prompt-injection attacks, supply-chain security, credential
leakage, and data leakage.

*Author's mapping:* this is the management-system layer required by **CSL
Article 21** (internal security management under the Multi-Level Protection
Scheme) and **PIPL Article 51**. The shadow-agent point deserves the
emphasis: employees privately deploying agents is the new **shadow IT**, and
a governance regime that only sees approved deployments is blind exactly
where agent risk concentrates. Run the discovery tooling continuously and tie
it to network access control and endpoint management.

## DCC's read

Three structural observations for overseas teams:

- **The lifecycle is now the unit of compliance.** The May 2026 Agent Rules
  set the policy frame; this guide supplies the operational baseline that
  auditors and regulators can hold deployments against, stage by stage. An
  enterprise agent program should be able to produce evidence at each of the
  five stages — the checklist is effectively the audit script.
- **The filed-model requirement domesticates the stack.** Building agent
  workflows on a large model that has completed generative-AI filing is
  presented as a preparation-stage security measure — but its effect is to
  make **domestic regulatory status of the model layer** a compliance
  precondition for agent adoption in China, including for multinationals
  weighing headquarters-hosted models.
- **Memory and credentials are the new perimeter.** The two most
  forward-looking requirements — periodic long-term-memory review and
  decommissioning-stage credential revocation — target exactly the
  persistence mechanisms that make agents different from apps. Policies
  written for applications will miss both.

---

— *HexCode, 《智能体部署使用安全指引》要点 (Key Points of the Security
Guidelines for the Deployment and Use of AI Agents), published via the
数据何规 WeChat Official Account, July 1, 2026.
[Original article (Chinese).](https://mp.weixin.qq.com/s/SgxkE4xbWZqD4aSw9Mbs7A)*

*Not legal advice. Chapter and article references follow the author's
account of the guide; the TC260 original is authoritative.*
