China's TC260 ships the first AI agent security standard

AIntelligenceHub
TC260 published a four-stage lifecycle guide for AI agent deployment on July 4, the playbook the Cyberspace Administration will use to enforce the July 15 Anthropomorphic AI Measures.

China's National Information Security Standardization Technical Committee (TC260) released the country's first cybersecurity practice guide for AI agent deployment and use on July 4, framing agents as integrated systems with memory, tool use, and operational privileges rather than lightweight application-layer components. The standard lands ten days before the Interim Measures for Anthropomorphic AI Interaction Services take effect, and major platforms including Doubao and Tongyi Qianwen have already begun stripping features to comply.

The TC260 lifecycle: pre-use, deployment, operations, decommission

According to the Geopolitechs translation of TC260-PG-20266A, the document organizes its requirements around a four-stage agent lifecycle. Before an agent is put into use, it must undergo a security assessment covering software and model source integrity, supply-chain provenance, and a documented risk profile. The deployment stage adds a hardening pass: least-privilege permission assignment, attack-surface reduction, and explicit configuration baselines that operators can audit. During operations, agents must run under strict runtime controls including full audit logs of every action, scope checks on high-risk operations such as file deletion, code execution, outbound network calls, and financial transactions, and enhanced safeguards on any data the agent stores in long-term memory. The decommission stage requires secure data erasure across all persistent stores the agent touched, including vector indexes, scratch storage, and any cached model context.

Six practical security requirements recur across every stage. Operators must ensure the integrity and trustworthiness of software and model sources, enforce least privilege at every integration point, minimize network exposure by default, maintain full audit logs of agent activity, implement controls over high-risk operations, and apply enhanced safeguards to sensitive data and long-term memory. None of these are novel at the framework level, but the document is the first time a Chinese regulator has bound them together as a single mandatory practice guide for agents specifically rather than for general AI services.
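As an added illustration (not code from the TC260 guide or from this article), the sketch below shows one way an operator could combine three of those requirements at the tool-call boundary: a least-privilege grant list, fail-closed scope checks on the four high-risk operation types named above, and a tamper-evident audit record for every decision. The class, tool names, paths and hostnames are all assumptions made for the example.

```python
import hashlib, json, posixpath

# Assumed category names for the four high-risk operations the article lists.
HIGH_RISK = {"file_delete", "code_exec", "network_out", "payment"}

def _digest(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

class ToolGate:
    """Mediates every agent tool call: grant check, scope check, audit record."""
    def __init__(self, granted, scopes):
        self.granted = set(granted)          # least privilege: callable tools
        self.scopes = scopes                 # scope predicate per high-risk tool
        self.log, self._prev = [], "0" * 64  # hash-chained audit trail

    def _audit(self, tool, args, decision, reason):
        entry = {"tool": tool, "args": args, "decision": decision,
                 "reason": reason, "prev": self._prev}
        entry["hash"] = self._prev = _digest(entry)  # digest taken before "hash" is set
        self.log.append(entry)
        return decision == "allow"

    def check(self, tool, args):
        if tool not in self.granted:
            return self._audit(tool, args, "deny", "tool not granted")
        if tool in HIGH_RISK:
            scope = self.scopes.get(tool)
            if scope is None or not scope(args):  # fail closed without a scope rule
                return self._audit(tool, args, "deny", "outside scope")
        return self._audit(tool, args, "allow", "ok")

def verify_chain(log):
    # True only if no entry was altered, reordered or dropped mid-chain.
    prev = "0" * 64
    for e in log:
        body = {k: v for k, v in e.items() if k != "hash"}
        if body["prev"] != prev or _digest(body) != e["hash"]:
            return False
        prev = e["hash"]
    return True

def demo():  # constructed sample policy and tool calls
    scratch = "/srv/agent/scratch/"
    in_scratch = lambda a: posixpath.normpath(a["path"]).startswith(scratch)
    gate = ToolGate({"read_file", "file_delete", "network_out"},
                    {"file_delete": in_scratch,
                     "network_out": lambda a: a["host"] == "api.internal.example"})
    calls = [("read_file", {"path": "/srv/agent/docs/a.txt"}),
             ("file_delete", {"path": scratch + "tmp1"}),
             ("file_delete", {"path": "/etc/passwd"}),
             ("file_delete", {"path": scratch + "../../../etc/passwd"}),
             ("network_out", {"host": "unknown.example"}),
             ("payment", {"amount": 10})]
    return gate, [gate.check(t, a) for t, a in calls]
```

Denied calls are logged as well as allowed ones, so the audit trail covers attempted actions; the chain detects edits to stored entries but not truncation of the tail, which needs the latest hash anchored somewhere the agent cannot write.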

What the standard does and does not cover

The practice guide is descriptive rather than punitive. It does not specify fines, license revocation procedures, or audit timelines, and it does not apply to agents that are deployed entirely outside China or that do not serve Chinese users. The companion piece is the Interim Measures for the Administration of Anthropomorphic AI Interaction Services, issued jointly by the Cyberspace Administration of China and four other government agencies, which takes effect on July 15, 2026 and gives the standard teeth by setting the compliance perimeter for any service that presents an anthropomorphic interface to Chinese users. The Measures are the binding rule; the TC260 practice guide is the playbook regulators will use to evaluate whether a deployment meets the Measures.

The early-July feature cuts at Doubao and Tongyi Qianwen are the first visible compliance move. Multiple media reports say the discontinued features are the ones with ambiguous regulatory boundaries under the new framework, not core agent capabilities. That distinction matters: the standard is not aimed at restricting agent technology as such; it is aimed at forcing platforms to remove or modify the specific product surfaces where the regulatory category is unclear. For enterprise teams building agents for the Chinese market, the practical implication is that the next two months will produce a steady drumbeat of feature removals and interface changes at the major Chinese consumer AI platforms, with the enterprise-side compliance work following once the dust settles on the consumer side.

The descriptive-versus-binding split is the most important architectural decision in the document. TC260 has spent the last five years producing practice guides for cryptography, cloud computing, and industrial control systems, and the consistent pattern is that the practice guide carries the technical detail while a separate legislative or administrative measure carries the enforcement. Here, the Interim Measures for the Administration of Anthropomorphic AI Interaction Services are the enforcement vehicle, the TC260 standard is the technical specification, and the two documents have to be read together to understand the compliance surface. The Measures define who is regulated, the standard defines what compliance looks like, and the gap between the two is the space where enterprise security teams will spend the next six months.

The Doubao and Tongyi Qianwen feature cuts are the first signal of how Chinese platforms are interpreting that gap. Both platforms have publicly notified users that certain AI agent features will be discontinued during the early-July period, and both notifications frame the changes as a compliance alignment with the new regulatory framework. The discontinued features are described in third-party media coverage as the agent capabilities with the most ambiguous regulatory boundaries: features that can route user data to external services without explicit per-call consent, features that let agents take persistent actions on behalf of a user across multiple sessions, and features that integrate with third-party tools without a registered integration contract. The platforms are not discontinuing their core agent products; they are removing the specific surfaces where the new rules create unclear liability, and the pattern is likely to repeat across the rest of the Chinese consumer AI market between now and the July 15 effective date.

The standard also signals where TC260 thinks the next round of agent risk will land. By treating agents as integrated systems with memory, tool use, autonomous decision-making, and operational privileges, the document pulls agent governance out of the model-governance bucket and into the system-governance bucket, alongside industrial control systems and critical infrastructure software. That move implicitly raises the bar for any agent deployment that touches production systems, regulated data, or anything with real-world side effects, and it gives Chinese regulators a framework to point at when the next agent incident lands on a national news cycle.

For non-Chinese platforms, the TC260 standard is not directly applicable, but it is the second major agent-governance document of 2026 after the Warner AI AGENT Act moved through the US Senate, and it is the most detailed one published anywhere. Enterprise security teams that operate across jurisdictions will end up reading the TC260 document as a reference taxonomy even if they are not directly subject to it, much as they read the Enterprise AI Governance Checklist for 2026 and the EU AI Act's high-risk annex as a reference for what serious agent governance looks like. The cross-border convergence is the story: the US, the EU, and China are now each producing agent-specific governance text within a year of each other (see the US Cyber Agencies access-controls push for the parallel US track), and the pressure on platform engineering teams to unify their agent compliance work is going to compound with every new release.

For enterprise teams, the immediate reading is that any agent deployment serving Chinese users, or any agent deployment that ships to a Chinese platform as an embedded feature, will need to demonstrate the six recurring security requirements in an audit-ready form. The TC260 document is the most detailed published checklist of what that looks like in 2026, and the practice guide is now the de facto reference taxonomy for the kind of internal control framework an enterprise should be building regardless of jurisdiction.
