China's AI Compliance Shift: From Framework to Enforcement—What Professional Services Must Do Now

For years, international businesses operating in China could reasonably treat AI regulation as an evolving framework to monitor rather than an immediate operational obligation. That period is over. Spring 2026 marked a decisive turning point: China has moved from publishing rules to enforcing them, and the consequences for professional services firms that have not aligned their AI operations accordingly are now concrete and severe.

This briefing sets out what has changed, what regulators are targeting, and what international organisations must do to protect their position.

The New Governance Architecture: Ethics Review as Standard Practice

In spring 2026, the Ministry of Industry and Information Technology (MIIT), alongside ten co-issuing departments, published the Administrative Measures for the Ethics Review and Services of Artificial Intelligence Science and Technology (Trial). These measures introduce a dual-track governance model that pairs formal ethics review with ongoing compliance services—and they carry direct operational implications for any entity developing or deploying AI within Chinese jurisdiction.

The central obligation is structural. Companies are now explicitly required to establish internal AI Technology Ethics Committees. This is not a paper exercise. For high-risk applications—including human-machine integration systems affecting human psychology, algorithms capable of mobilising public opinion, and autonomous decision-making systems in health or safety-critical environments—regulators additionally mandate an independent expert recheck before deployment. The burden of proof sits with the organisation, not the regulator.

Safety requirements have also been tightened at the data level. Companies must maintain extensive keyword libraries to filter prohibited content, and all annotated training data must undergo rigorous manual review. For firms that treat data annotation as a back-office function, this signals a fundamental reclassification: it is now a regulated compliance activity.

Enforcement Is Active: The Qinglang Campaign and What It Targets

On 30 April 2026, the Cyberspace Administration of China (CAC) and the Ministry of Public Security launched a four-month enforcement campaign under the "Qinglang" banner. The campaign is comprehensive in scope and unambiguous in intent.

Regulators are specifically targeting:

• Unregistered large language models (LLMs): Operating an unfiled model is now an enforcement risk, not merely an administrative oversight.
• Failures in mandatory AI content labelling: Content generated by AI must be identifiable as such; non-compliance is being actively audited.
• Deepfake fraud and AI-facilitated harms to minors: These carry the highest political salience and will attract disproportionate regulatory attention.
• Data poisoning attacks: Notably, regulators are now auditing the technical integrity of training pipelines—meaning the inspection of AI systems extends well beyond outputs into the methodology of how models were built.

This last point deserves emphasis for technology and professional services firms. If your AI systems have been developed using third-party datasets, open-source models, or outsourced annotation pipelines, you face genuine exposure under a regulatory framework that is now actively examining training provenance.

Geopolitical Risk Is Shaping the Compliance Landscape

The regulatory tightening is not occurring in isolation. In April 2026, Chinese authorities ordered the cancellation of Meta's $2 billion acquisition of domestic agentic AI startup Manus, citing national security concerns and prohibitions on foreign investment in sensitive AI projects. This is a clear signal: the boundary between commercial AI activity and national security scrutiny has shifted, and international firms must treat it accordingly.

Simultaneously, US lawmakers launched a joint investigation into the cybersecurity and supply-chain risks of deploying low-cost, PRC-origin AI models—including DeepSeek and Alibaba's Qwen—in critical infrastructure. For global enterprises operating across both jurisdictions, this creates a compounding compliance problem. The same AI tools that raise concerns in Washington may be embedded in the systems of your Chinese operations or those of your clients.

International professional services firms are caught between two regulatory gravitational fields, and attempting to satisfy both with a single, undifferentiated AI stack is no longer tenable.

The Dual-Stack Challenge for International Firms

China's regulatory framework enforces strict data sovereignty, requires mandatory training corpus audits to protect intellectual property, and demands alignment with socialist core values in AI outputs. These requirements are structurally incompatible with the AI governance frameworks being developed in the EU, UK, and US, where different definitions of transparency, bias, and accountability apply.

The practical consequence is what compliance professionals are beginning to call the "dual-stack" challenge: global firms must carefully segregate or tailor their AI supply chains to operate lawfully within the Chinese market without accumulating regulatory liability in other jurisdictions—or vice versa. A single global AI deployment model is no longer operationally viable for firms with meaningful China exposure.

This affects procurement decisions, vendor relationships, data architecture, and product design. It also affects contractual obligations to clients, particularly in sectors such as healthcare, life sciences, and legal services, where AI is increasingly embedded in client-facing processes.

What Professional Services Firms Must Do Now

The compliance obligations introduced this year are not aspirational guidelines. They are enforceable requirements with active regulatory bodies scrutinising AI operations across the sectors where professional services firms operate. Here is where to focus effort immediately.

Conduct an algorithm and model filing audit. Verify the registration status of every large model your organisation operates in China. An unfiled model is an immediate enforcement liability under the Qinglang campaign.

Establish or formalise your AI Ethics Committee. If your organisation develops or deploys AI in China—particularly in health, legal, or safety-critical environments—you are legally required to have an internal ethics review body. Ensure it has genuine authority and documented processes, not simply a nominal function.

Audit your training data pipelines. Regulators are now examining how models were built, not just what they produce. Review your annotated data processes, third-party dataset provenance, and any outsourced annotation work for compliance with manual review requirements.

Review your AI content labelling compliance. AI-generated content must be clearly identifiable. Audit your customer-facing and internal-use outputs to confirm labelling standards are consistently applied.

Assess your exposure to the dual-stack problem. Map which AI systems are deployed across multiple jurisdictions. Identify where Chinese regulatory requirements—on data sovereignty, content filtering, or training corpus composition—conflict with obligations in other markets, and begin designing appropriate segregation.

Engage legal and technical expertise for high-risk applications. If your AI touches clinical decision-making, remote patient monitoring, drug discovery, or any environment classified as high-risk under the new measures, an expert recheck is now a regulatory requirement, not a best practice.

The Window for Remediation Is Narrowing

China's transition from framework-builder to active enforcer happened faster than most compliance teams anticipated. Organisations that approached 2026 with monitoring strategies rather than implementation plans now face a compressed remediation timeline in an environment where regulators are already conducting audits.

The professional services sector—accustomed to operating under rigorous professional standards in other domains—should apply the same discipline to AI compliance. The tools, the talent, and the regulatory expectations now exist. What remains is the decision to act.

Ops Intel works with international professional services businesses and global enterprises to navigate AI compliance obligations across multiple jurisdictions, including China, the EU, and beyond. If your organisation is assessing its position under China's 2026 AI governance measures, or managing the dual-stack challenge across competing regulatory frameworks, contact our team to discuss a structured compliance review.