Has your chatbot policy expired?

China is already regulating autonomous AI. Is your company?

Hi, and happy Tuesday.

Is your company’s AI policy still fit for purpose?

Most corporate AI policies were introduced two or three years ago. At the time, AI was essentially a chatbot: employees typed questions into a box, received suspiciously confident answers and occasionally pasted in something they really should not have.

The policies reflected that reality. Do not share confidential information. Verify the output. Do not use ChatGPT to make important decisions. Try not to have the intern upload the customer database.

All sensible advice.

There is just one problem: the chatbot those policies were written for no longer exists.

AI systems can now conduct research, operate software, build tools, coordinate other agents and produce finished work. The policy is still governing what employees type into a text box. The text box, meanwhile, has acquired hands, a company login and several subcontractors.

Last week’s OpenAI announcements made that shift particularly clear.

  • OpenAI released its GPT-5.6 series - its answer to Anthropic’s controversial Fable-class models. What I find most interesting is not simply that the models are more intelligent. ChatGPT can now vibe-code the software it needs without waiting for the user to realize that software is required. 

  • ChatGPT Work is OpenAI’s answer to Claude Cowork. It can operate across websites and desktop applications, gather information from connected systems, and produce finished spreadsheets, presentations, documents and web applications.

  • Finally, there is GPT-Live, a voice model designed for more natural, low-latency conversation that can also delegate work to other models. I expect some version of this to be the workhorse for the OpenAI AI device you’ll be pondering whether to buy for yourself during this year’s holiday season.

With these ongoing shifts, the important policy question is no longer merely:

What information may employees give to AI?

It is increasingly:

What information, systems, decisions and actions may AI be given access to?

While most companies have not updated their policies to answer that question, one of the clearest attempts to do so is happening not in Silicon Valley, but in China.

1. AI can eliminate work, but not automatically eliminate the worker.

As AI improved, a company in China decided it needed less of a worker whose job was to check AI generated answers. Two courts found his dismissal unlawful - even though the company tried to find alternative employment for the worker.

This is not a national prohibition on AI-related layoffs. Chinese companies can still restructure, remove positions and negotiate redundancies. But “the robot is cheaper” is not, by itself, a legally complete transformation strategy.

The implication for employers is that an AI deployment plan increasingly needs a workforce-transition plan. Who will be retrained? How will roles change? What constitutes a reasonable alternative position? Who absorbs the cost of the transition?

2. Agents need a leash, not merely a company login.

China’s framework for AI agents says users should retain final authority over important decisions and the ability to stop an agent. Agents should not act beyond the permissions granted to them.

This is not an anti-AI framework. China is actively encouraging agents across manufacturing, finance, healthcare, education, transportation, public services and scientific research.

While China wants agents doing a great deal of work, it would like to know which agent did what, under whose authority and whether somebody can make it stop.

That principle applies equally well inside a company.

An AI agent with access to email, the CRM, procurement systems and a corporate credit card is no longer just a productivity tool. It is an operational actor.

Giving it a friendly name and single sign-on does not constitute an internal-control framework.

3. Some AI projects may require an ethics review.

The first indication that your company fully understands what AI is doing may be when the ethics committee starts meeting more frequently than the AI steering committee.

For many companies, the immediate reaction to another review committee is the groaning sounds of bureaucracy.

But when an AI system can affect hiring, lending, medical treatment, safety or employment, “the product team seemed comfortable with it” may no longer qualify as governance.

Along these lines, China has introduced trial rules for AI ethics reviews, supported by ten government departments and pilot programs across several major technology regions.

Companies, universities, laboratories and healthcare organizations may need to establish internal AI ethics committees or use regional review centers. Higher-risk projects can require expert review before proceeding, followed by periodic reassessment.

4. Digital humans must admit they are digital.

China has also proposed rules for digital humans: AI presenters, cloned executives, virtual influencers, sales representatives and customer-service avatars. Under the draft rules, digital humans would need to display a persistent and prominent label identifying them as digital. 

Businesses are experimenting with synthetic salespeople, AI financial commentators, virtual healthcare guides and digital replicas of senior executives. The attraction is obvious. A virtual executive is always available, always on-message and never accidentally shares a personal opinion on LinkedIn.

But it also creates a new set of disclosure, identity and reputational risks.

Who approved what the digital executive said? 

The advantage of a digital spokesperson is that it can represent your company 24 hours a day.

The disadvantage is that it can damage your company 24 hours a day.

5. An AI may assist you, but shouldn’t replace real relationships.

From this week - July 15 - restrictions come into place in China to limit AI products designed for sustained emotional interaction, including AI companions, virtual partners and such.

While they don't prevent adults having “AI friends,”  providers must not deliberately induce emotional dependency, damage users’ real-world relationships or manipulate users into making unreasonable decisions.

The restrictions are stronger for children, who cannot be offered simulated romantic relationships.

For business leaders, the broader issue is engagement design. Remember those service desk chatbots you deployed? At some point, “exceptional user retention” and “psychological dependency” may begin appearing in adjacent columns of the risk register.

The policy gap

If you’ve read this far, the gap between traditional AI policies and the considerations we are seeing come out of China is probably self-evident.

China is pushing on AI as productive infrastructure while limiting its impact as an uncontrolled social or operational actor.

This is not necessarily an endorsement of China, or to say China is creating the perfect system of AI governance. A government regulating emotional manipulation is still a government with considerable practical experience in emotional manipulation.

But it is asking questions that many corporate AI policies do not yet address:

  • What systems may an AI access?

  • What actions may it perform without approval?

  • Which decisions must remain human?

  • When must customers be told they are interacting with AI?

  • How should workers be treated when tasks are automated?

  • Which deployments require independent review?

  • Who is accountable when an agent does something nobody explicitly instructed it to do?

These are not questions for a theoretical future involving artificial general intelligence.

They are questions for the second half of 2026.

If your company’s AI policy begins and ends with “do not paste confidential information into ChatGPT,” it is not necessarily wrong.

It has simply expired.

Best,

Dino