Legal & Regulatory Frameworks Weekly AI News
May 4 - May 12, 2026

## Weekly signal
This week showed a clear shift from broad AI regulation toward agent-specific governance. The common regulatory question is no longer only whether a model is safe or transparent. It is whether an AI system can perceive context, plan steps, call tools, execute actions, delegate work to sub-agents, and affect users or infrastructure without continuous human approval.
That distinction matters for builders. A text model that answers a question creates information risk. An agent that can approve a refund, change a database, send an email, move money, file a form, or trigger an operational workflow creates legal, security, consumer-protection, and accountability risk. The latest policy activity is converging around the same control themes: identity, permissions, audit trails, human oversight, risk classification, third-party responsibility, and limits on autonomous action.
The most important development was China’s May 8 release of a national implementation policy for intelligent agents. This is one of the clearest government attempts so far to regulate agents as a distinct infrastructure and application layer. The EU also gave companies more timeline certainty on high-risk AI Act compliance through a provisional Digital Omnibus agreement. In the US, NIST’s CAISI expanded pre-release frontier-model testing to Google DeepMind, Microsoft, and xAI, strengthening a voluntary but increasingly important governance channel. Cyber agencies and standards groups, meanwhile, continued turning agent risk into operational security expectations.
## What changed
1. China moved first on a national agent policy framework.
On May 8, China’s Cyberspace Administration, National Development and Reform Commission, and Ministry of Industry and Information Technology jointly released the *Implementation Opinions on the Standardized Application and Innovative Development of Intelligent Agents*. The document defines intelligent agents as AI systems with autonomous perception, memory, decision-making, interaction, and execution capabilities. That definition is important because it treats agents as more than user interfaces on top of large models.
The policy has two tracks: accelerate adoption and build governance. On the development side, it calls for stronger agent toolchains, evaluation tools, agent interconnection standards, agent interoperability protocols, and what it describes as an “intelligent internet” architecture. That includes agent registration platforms, digital identity management, capability declarations, compliance certification information, and trusted interconnection between agents.
On the governance side, China’s policy is unusually specific. It calls for clearer decision-authority boundaries: decisions only a user may make, decisions an agent may make with authorization, and decisions an agent may make autonomously. It says users should retain knowledge rights and final decision rights over autonomous agent decisions, and that agents must not exceed user authorization. It also calls for embedded rules, behavioral guardrails, traceability mechanisms, security testing, supply-chain risk controls, and normal risk identification and intervention mechanisms.
The policy also describes classification-based governance. Sensitive fields and key industries may face filings, testing, and product recall measures. Lower-risk fields, such as entertainment or routine office scenarios, may rely more on assessment tools, self-checks, information reporting, platform management, and industry self-discipline. The priority application list spans scientific research, software development, manufacturing, energy, transport, agriculture, financial risk control, education, healthcare, employment services, online content management, government services, judicial services, public safety, city governance, and procurement.
For companies operating in or selling into China, this is now a serious roadmap item. It points toward future compliance expectations around agent identity, certification, risk classification, permitted autonomy, and sector-specific controls.
2. The EU agreed to simplify AI Act implementation and fix delayed high-risk dates.
On May 7, the European Commission welcomed a provisional political agreement between the European Parliament and Council on the Digital Omnibus AI simplification package. The agreement sets new application dates for high-risk AI rules: December 2, 2027 for stand-alone high-risk systems in areas such as biometrics, critical infrastructure, education, employment, migration, asylum, and border control; and August 2, 2028 for high-risk systems embedded in regulated products such as lifts or toys.
The Council’s release adds useful operational detail. The deal reinstates registration obligations for providers that consider their systems exempt from high-risk classification, keeps a strict-necessity standard for processing special-category personal data for bias detection and correction, and postpones the deadline for national AI regulatory sandboxes to August 2, 2027. It also clarifies parts of AI Office supervision for AI systems based on general-purpose AI models where the same provider develops both the model and the system.
For agentic AI, the delay is not a free pass. Agents will still be assessed through the AI Act’s categories: prohibited practices, transparency duties, general-purpose model obligations, and high-risk system rules where the use case qualifies. Agent providers should use the extra runway to map agent functions to EU risk classes, especially where agents are used in employment, education, finance, healthcare, public services, critical infrastructure, or biometric workflows.
3. US pre-deployment review expanded to more frontier model providers.
On May 5, NIST announced that CAISI signed agreements with Google DeepMind, Microsoft, and xAI. The agreements enable pre-deployment evaluations, post-deployment assessment, targeted research, classified-environment testing, and information-sharing on national-security-related capabilities and risks. NIST said CAISI has completed more than 40 evaluations to date, including on unreleased state-of-the-art models.
This is not a comprehensive federal AI statute. But it is becoming a de facto governance layer for frontier AI. For agent builders, the practical implication is indirect but important: the models powering high-autonomy products may increasingly come with government-tested risk findings, safeguard expectations, and security research outputs. Enterprises buying agent platforms should ask whether the underlying model provider participates in CAISI or similar evaluation programs, and what evaluation evidence can be shared under NDA.
4. Allied cyber guidance and standards work focused on agent identity and runtime control.
The Five Eyes cyber agencies’ *Careful Adoption of Agentic AI Services* guidance remained one of the most actionable agent-governance sources in circulation this week. It says organizations should align agentic AI risk with existing security models, avoid broad or unrestricted access, especially to sensitive data or critical systems, and use agentic AI only for low-risk and non-sensitive tasks where possible.
The guidance also makes governance concrete: define legal accountability and risk ownership, maintain AI literacy, use progressive deployment, constrain objectives, implement hard “do-not-do” rules, and use continuous evaluation to decide when to expand or roll back autonomy. It recommends fresh cryptographic proofs before privileged calls, signed commands, integrity checks for task definitions, attestation, and continuous runtime authorization through a centralized policy decision point.
CoSAI, operating under OASIS Open, added industry guidance on May 6 with research on agentic identity and access management and the future of agentic security. Its core argument is that each agent needs a trustworthy, machine-readable identity, scoped credentials, delegated permissions, and clear visibility into what is acting across enterprise systems. It also flags emerging gaps such as intent-based authorization and “semantic mosaic” data leakage, where agents synthesize sensitive insights from individually harmless sources.
5. UK regulators kept agentic AI in cross-regulatory focus.
The UK Digital Regulation Cooperation Forum’s annual report, published during the week, highlights agentic AI as a cross-regulatory theme for the CMA, FCA, ICO, and Ofcom. The report says agentic AI raises issues that cut across governance, data protection, cybersecurity, consumer protection, and market dynamics. It also notes stakeholder concerns around prompt and log governance, accountability for autonomous behavior, cybersecurity resilience, and market concentration.
## What to do with it
First, build an agent inventory. Track every agent or agent-like workflow by owner, model, tools, data access, permissions, deployment environment, user population, geography, and business function. Include internal agents, vendor agents, copilots with action rights, and workflow automations driven by LLMs.
Second, classify autonomy. For each agent, document whether it recommends, drafts, executes with approval, executes under standing authorization, or acts fully autonomously. Tie each level to allowed actions, spend limits, data limits, and escalation requirements.
Third, implement agent identity now. Give each agent a unique identity, scoped credentials, short-lived tokens, and least-privilege access. Do not let agents share human accounts or broad service accounts. Require signed or attributable actions for privileged operations.
Fourth, make legal accountability explicit. Policies should state who owns the agent, who approves scope changes, who reviews incidents, who handles consumer complaints, and who is responsible when a vendor-supplied agent causes harm.
Fifth, update vendor and customer contracts. Add clauses covering agent logs, audit rights, evaluation evidence, data use, prompt and memory retention, incident notification, sub-agent behavior, prohibited actions, rollback support, and allocation of liability.
Finally, treat agent governance as a release gate, not a policy memo. Before production, require threat modeling, red-team or misuse testing, human oversight design, logging, monitoring, rollback, and an incident playbook for agent compromise or unauthorized action. The regulatory frameworks are still developing, but the engineering pattern is already clear: agents need identities, limits, evidence, and accountable owners.
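One way the second and third steps above (autonomy classification and per-agent identity) could be enforced at a single policy decision point, as an added example that is not from this newsletter or from any of the guidance it cites. The field names, the HMAC-signed request format, and the sample refund agent are assumptions made for illustration.

```python
import hashlib, hmac
from dataclasses import dataclass
from enum import IntEnum

class Autonomy(IntEnum):            # the five levels named in the text
    RECOMMEND = 0
    DRAFT = 1
    EXECUTE_WITH_APPROVAL = 2
    STANDING_AUTHORIZATION = 3
    FULLY_AUTONOMOUS = 4

@dataclass(frozen=True)
class AgentPolicy:                  # one inventory entry; field names are assumptions
    agent_id: str
    level: Autonomy
    allowed_actions: frozenset      # least-privilege scope
    spend_limit_cents: int
    key: bytes                      # per-agent secret, never a shared human or service account

def sign(key, agent_id, action, amount_cents, expires_at):
    msg = f"{agent_id}|{action}|{amount_cents}|{expires_at}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def make_request(policy, action, amount_cents, now, ttl=60):
    """Agent side: a short-lived, signed (attributable) action request."""
    exp = int(now) + ttl
    return {"agent_id": policy.agent_id, "action": action, "amount_cents": amount_cents,
            "expires_at": exp, "sig": sign(policy.key, policy.agent_id, action, amount_cents, exp)}

def decide(policy, req, now, approved_by=None):
    """Decision point: returns (decision, reason); anything unverified is denied."""
    expected = sign(policy.key, req["agent_id"], req["action"],
                    req["amount_cents"], req["expires_at"])
    if req["agent_id"] != policy.agent_id or not hmac.compare_digest(expected, req["sig"]):
        return "deny", "identity or signature mismatch"
    if now >= req["expires_at"]:
        return "deny", "request expired"
    if req["action"] not in policy.allowed_actions:
        return "deny", "action outside agent scope"
    if policy.level <= Autonomy.DRAFT:
        return "deny", "agent may only recommend or draft"
    over_limit = req["amount_cents"] > policy.spend_limit_cents
    if (over_limit or policy.level == Autonomy.EXECUTE_WITH_APPROVAL) and not approved_by:
        return "escalate", "human approval required"
    return "allow", "within authorization"

# Constructed sample: a refund agent that executes only with human approval.
REFUND_BOT = AgentPolicy("agent-refund-01", Autonomy.EXECUTE_WITH_APPROVAL,
                         frozenset({"refund.issue"}), 5_000, b"constructed-demo-key")
```

In a real deployment the per-agent key would live in a KMS or be replaced by asymmetric signatures, and every decision tuple would be written to the audit log alongside the request.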