A Pragmatic Roadmap for the Bureaucratic Complexities of the Coming U.S.-China AI Safety Dialog
(How to read this briefing: the Executive Summary states the core argument in under a minute; a glossary of key actors and acronyms follows; Figures 1 and 2 map the U.S. and Chinese governance architectures; and the appendix profiles the Chinese officials who matter most.)
Executive Summary
This analysis argues that the next U.S.-China AI safety dialogue will be constrained not only by mistrust or geopolitical competition, or by lack of political will on both sides, but by a more practical bureaucratic problem: neither government yet has an institutional architecture that combines technical model-evaluation capacity, national-security authority, industrial-policy awareness, diplomatic coordination, and access to top-level political decision-making that could lead to real outcomes enforceable in both countries and acceptable to the global AI safety community.
The core analytical frame is the expertise-authority gap. In both systems, the actors with the deepest AI model evaluation and testing knowledge often lack regulatory or political authority, while the actors with authority often have not exercised that authority within a broader policy process and critically lack the specialized capacity to evaluate frontier models. This makes even politically endorsed dialogue difficult to translate into a durable process.
In the United States, CAISI, Commerce/NIST, NSA, CISA, DOE/NNSA, ONCD, OSTP, Treasury, and State all bring some assets to the frontier-AI governance game, but no single institution clearly owns model evaluation, release decisions, let alone bilateral risk-reduction diplomacy. The June 2026 executive order begins to build a classified cyber-focused evaluation process, but it remains voluntary, contested, and incomplete, with multiple players vying for primacy.
China faces a parallel but differently structured problem. CAC, MIIT, NDRC, MOST, MFA, MSS, MPS, the PLA, and emerging technical networks such as CnAISDA all have relevant equities, yet Beijing still lacks a clearly empowered frontier-AI risk evaluator. This fragmentation matters because effective cooperation will require counterpart capacity: both sides need institutions able to speak the same language, define risk thresholds, evaluate capabilities, and speak with enough authority to sustain agreements.
Thus what will likely emerge over the what will be at least a one to two year process will not be a single bilateral arms-control treaty or simply a purely technical exchange, but a layered and flexible architecture that could include at least some of the following elements: technical evaluation channels between expert bodies, political oversight through national-security and diplomatic institutions, and narrowly scoped confidence-building measures beginning with risks both sides already recognize, such as cybersecurity, and biosecurity misuse at a minimum, and potentially RSI and loss of control in the most optimistic scenario.
Bureaucratic Capacity Matters
This causal claim is deliberately bounded. Trust deficits and strategic competition remain fundamental, but bureaucratic fragmentation explains why even moments of political will may fail to generate operational cooperation, and particular across administrations in the U.S., where there is significant turnover of bureaucratic leadership every four years. Without agencies that can evaluate models, define thresholds, coordinate across economic and security equities, and authorize follow-through, leader-level endorsement produces a channel rather than a process.
The emerging U.S.-China AI governance and safety discussion, one of, if not the most important of the key deliverables of the May 2026 U.S. China Summit in Beijing between Presidents Trump and Xi, has usually been treated as a problem of strategic engagement and trust in the wake of a rapidly developing technology. The new government-to-government talks will commence as Washington and Beijing continue to contest the AI space as governed by bilateral competition over AI hardware, commercial ecosystems, military applications, talent, and the broader geopolitical advantages associated with leadership at the frontier edges of AI. These conditions make any bilateral discussion of AI safety vulnerable to concerns over intent, access, verification, security, and relative advantage. It is telling that the new dialogue was announced as a formal summit outcome by Beijing, while Washington has so far issued no parallel statement of its own, an early indicator of the asymmetries in institutional readiness described below.[1]
But bureaucratic capacity may be the more immediate constraint through which strategic mistrust becomes operationally binding. As CCA Honorary Fellow Paul Triolo recently wrote, the governance of frontier AI models and the upcoming U.S.-China dialogue will involve interactions between a complex array of agencies, overlapping mandates and authorities, that pose significant institutional and political challenges. Neither the United States nor China has yet built a fully mature institutional system for governing frontier AI as a national-security technology. Both governments have agencies with partial responsibility for the issue, but neither has a settled architecture capable of integrating all the critical dimensions that will be needed: technical evaluation, national-security considerations, industrial-policy impacts, diplomatic coordination, and political decision-making, to name the most obvious. This is a faster-moving version of a familiar institutional lag. The early nuclear age also forced governments to build governance structures only after new technology had transformed strategic competition and there had been a Trinity Moment. But frontier AI is more diffuse and there will not be a Trinity Moment to focus minds on both sides: it is driven by private firms, the first time for a technology of this importance and wide ranging consequences not developed by government or incubated by government deployed through commercial platforms, improved through rapid software iteration, and relevant across cyber, biosecurity, military, economic, and information domains, all at once. Two superpowers are attempting to put guardrails around a rapidly developing technology without the needed bureaucratic scaffolding to both develop and implement agreements. Accelerating the development of this scaffolding both domestic and bilaterally this will be critical for not just the two countries, but the entire sector and the broader world.
To be sure, the two governments have been here once before, and the precedent is instructive. A first intergovernmental dialogue on AI was held in Geneva in May 2024, led on the U.S. side by the NSC’s senior director for technology and national security and the State Department’s then acting special envoy for critical and emerging technology, and on the Chinese side by the MFA’s Department of North American and Oceanian Affairs.[2] Later that year, Presidents Biden and Xi affirmed in Lima the need to maintain human control over the decision to use nuclear weapons, which remains the only concrete bilateral AI understanding to date.[3] The Geneva channel and the State Department’s position did not survive the U.S. political transition, primarily because it was staffed by generalist diplomatic and NSC channels rather than by institutions with technical capacity over and authority for frontier models, which, as this piece argues, both sides still lack. Things are somewhat more favorable now for the participation of the requisite technical expertise sorely lacking in Geneva, but there is still no process or clear delegation nor authority that would facilitate real progress. The lesson for the new dialogue then is that leader-level endorsement without bureaucratic scaffolding produces a channel, not a process likely to endure on such a complex topic.
This reality, in the near term, is likely to constitute a major bottleneck for progress on AI safety cooperation. Frontier AI models and platforms do not fit neatly into the categories through which modern states have traditionally managed strategic risk. The most consequential models have capabilities that can spill across traditional national security areas such as cyber operations and critical infrastructure vulnerability, biological agent design, military integration, and intelligence analysis, to broader areas such as scientific discovery, economic growth across most sectors, and future risks such as recursive self-improvement (RSI) and loss of control. The technology is cross-domain, while the state remains organized by domain. Ideally, the U.S. China bilateral AI dialogue itself will spur both sides to accelerate progress towards the type of institutional authority that the age of AI, RSI, AGI (artificial general intelligence), and ASI (artificial superintelligence) require, both domestically and in time, forming the foundation of a global organization that can tackle a minimally viable AI governance framework. For longer term discussions that go beyond the most pressing near-term CBRN safety concerns into RSI and other issues, it would also be helpful to review a recent paper “Beyond Rivalry” from CCA Sr. Fellow, Alvin W. Graylin, who provides a comprehensive framework for cooperative efforts to reduce risks around runaway AI, capex overbuild, model bias, economic instability and geopolitical equity.
The U.S.’s Frontier AI Model Governance System: Many Capabilities, No Settled Owner
The U.S. landscape can be read across five functions: technical evaluation, national-security review, industrial-policy consequences, diplomatic coordination, and political authorization. The problem is not that the United States lacks relevant institutions; it is that these functions sit in different places, and no agency yet combines all five. The graphical diagram of the key parties and their relationships below can help bring more clarity on the situation.
In the United States, relevant expertise across these areas of potential discussion is dispersed across multiple institutions, while authorities specific to the most frontier AI models, such as monitoring, evaluation, release power, are all basically non-existent. Because Treasury Secretary Scott Bessent has a long-standing interest in AI and has been given the authority by the President to lead the trade negotiations out of which the AI Dialogue has materialized, he will play an important role in managing the diplomatic and interagency dimensions of the U.S. China AI track, especially where AI security intersects with financial stability, cyber resilience, and broader economic-security policy. But the Treasury Department is not traditionally a major player in the AI domain within the U.S. interagency, so Bessent’s small staff will be stretched to coordinate with the many other players who will seek a seat at the table.
Cyber and security agencies: authority without the full frontier-model remit
The Office of the National Cyber Director (ONCD), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the intelligence community illustrate the authority side of the gap. They bring cyber, classified, and threat-assessment capacity, but frontier-model governance extends beyond network defense into model behavior, deployment conditions, biosecurity, and commercial release decisions.
For example, the White House cyber apparatus and the Office of the National Cyber Director (ONCD), under National Cyber Director Sean Cairncross,[4] has made a major power play to become the lead agency on frontier model governance, playing a major role in the drafting of the recent executive order on the topic. To be sure, ONCD brings cyber authorities and coordination capacity, but the Office is not a natural fit for leadership domestically, because the issue is bigger than just cybersecurity, and the natural focus of the organization is network defense, critical infrastructure, ransomware, and state-backed cyber operations. ONCD’s mandate centers on cyber coordination rather than frontier-model evaluation, and its institutional weight in this arena is limited relative to Treasury, which is close to the President, and to technically capable organizations such as NSA. Other players also involved in the process that led to the EO, specifically CISA and NSA, adding operational and technical expertise, including on defensive tools and classified cyber capabilities. The intelligence community assesses adversary capabilities and strategic threats. NSA has much greater bureaucratic heft than any of the other players and will insist on a major role in assessing frontier model capabilities and determining how and when they are released, given its dual offensive and defensive cyber mission. NSA clearly brings significant AI expertise to the game, but as a core intelligence organization is not necessarily a logical candidate to participate in the initial stages of the U.S. China AI Dialogue, until the scope and key issues become clearer.
Commerce, NIST, and CAISI: technical evaluation without regulatory control
The Department of Commerce, however, including NIST, remains central to standards, measurement, technology controls, and industrial policy. The NIST-subordinate Center for AI Standards and Innovation (CAISI), formerly the U.S. AI Safety Institute, is the single largest reservoir of frontier AI model evaluation and testing expertise within the U.S. government, and any serious effort to engage China on frontier model governance will need to include CAISI. OpenAI, Anthropic, Microsoft, Google/DeepMind, and xAI have all entered into arrangements allowing CAISI to evaluate advanced models. These agreements have strengthened the argument that CAISI should receive substantially greater funding because it is now expected to perform independent evaluations of systems costing billions of dollars to train. CAISI has been caught in the politics of frontier AI model governance. In April 2026 its newly appointed leader, former Anthropic researcher Collin Burns, was pushed out by the White House four days into the job over his prior stint with Anthropic, currently a controversial player in the sector after ongoing tussles with the Department of War and the former and still influential White House AI Czar David Sacks; the Commerce Department subsequently turned to Chris Fall, a former director of the Energy Department’s Office of Science, to lead the center.[5] In June 2026, administration officials also reportedly directed CAISI to pause publication of its model evaluation reports while the new executive order is implemented, a move that underscores how contested the center’s public-facing role remains.[6] The Commerce export control apparatus also has become involved with the recent order based on Export Administration Regulations (EAR) statutes, to bar use of Anthropic’s Fable 5 model by “foreign nationals” due to the potential for the model be subject to “jailbreaks” by foreign adversaries and non-state actors. This action may have highlighted the need for companies and national leaders around the world to ensure AI sovereignty, pushing them to evaluate Chinese open-source models that would be freed from such regulatory actions.
While NSA falls bureaucratically under the Defense Department, its director is also dual hatted as commander of U.S. Cyber Command, and the organization has a role in leveraging AI for military applications and reducing operational risk. OSTP and other White House and interagency actors are also involved in the emerging frontier-AI security framework. OSTP in particular, under Director Michael Kratsios, has been heavily involved on the AI promotion side, having a hand in drafting last summer’s U.S. AI Action Plan. Kratsios also maintains close relations with Undersecretary of State Jacob Helberg, whose Pax Silica initiative is designed to shore up the U.S. AI data center supply chain. While both Kratsios and Helberg could be candidates for participation in a U.S. China AI Dialogue given their bureaucratic remit, neither appear to have focused significant effort on the issue of governance of frontier AI models.
Mirroring the Chinese side to some degree, where some AI issues fall with the purview of the arms control elements of the Ministry of Foreign Affairs, the State Department Bureau of Arms Control, Deterrence, and Stability, under the Under Secretary for Arms Control and International Security is explicitly responsible for strategic stability, escalation risk, arms control, deterrence, and emerging-technology challenges, which makes it the natural home for the arms-control dimension of a U.S.–China AI dialogue.
But if the dialogue is more focused on laying the groundwork for bilateral agreement on scaffolding around the testing and release of frontier AI models, the arms control framework may prove to be unworkable, given the significant economic and commercial interests that are at play here. It is worth recalling that the 2024 Geneva round was not run by arms controllers on either side: the U.S. delegation was led by the NSC and the State Department’s special envoy for critical and emerging technology, while China fielded the MFA’s North American and Oceanian Affairs Department rather than its Department of Arms Control.[7] Where each government chooses to house the new dialogue will itself be a signal of how it conceptualizes the problem.
The expertise-authority gap
The United States still has not decided where frontier-model evaluation belongs inside the government. Existing agencies can assess many related risks, but none clearly owns the question of when a model’s capabilities should trigger government review before deployment. CAISI has already been playing a significant role here but is not a regulatory body. Rather, it serves as a guiding organization which can make recommendations. This has produced an expertise-authority gap: some of the agencies with the strongest national-security authorities are not built around frontier-model evaluation, while the institutions with deeper technical expertise may lack political standing or decision-making power. This situation is rapidly changing in the wake of the June executive order, but there is still considerable churn within the administration of authorities and leadership in this rapidly changing arena.
CAISI is closest to the technical evaluation function, though its authority remains limited. It is not a licensing body and does not control model release, all its arrangements with the leading labs are voluntary. Its role is better understood as a technical bridge between frontier AI developers and parts of the national-security state. That makes CAISI indispensable for any serious discussion of model evaluation, including Chinese frontier models, but also politically awkward as a formal diplomatic counterpart: the same expertise that makes it useful for dialogue also ties it to sometimes politicized U.S. assessments of Chinese company frontier capabilities.
This points to a broader expertise-authority gap. Security agencies can evaluate adversaries, vulnerabilities, and strategic threats, but they are less directly built for model testing, including assessing emergent capabilities, interpreting benchmark results, or judging how deployment conditions affect risk. These are specialized capabilities that require regular interaction with the leading AI labs that currently only CAISI really has. The debate over giving CAISI a larger role in frontier-model review reflects this institutional gap.
One important pocket of capacity sits outside the cyber-centric framework altogether. The Department of Energy and its National Nuclear Security Administration (NNSA) are the only parts of the U.S. government that have actually run classified evaluations of frontier models as an ongoing practice: since April 2024, NNSA and the national laboratories have assessed Anthropic’s models for nuclear and radiological proliferation risk in a Top Secret environment, and the two sides have co-developed nuclear safeguards classifiers whose methodology is being shared with other developers through the Frontier Model Forum.[8] If a bilateral agenda with Beijing eventually extends beyond cyber to the chemical, biological, radiological, nuclear (CBRN) risks both governments have flagged in official documents, China’s own AI Safety Governance Framework explicitly lists misuse in nuclear, biological, and chemical domains, then DOE and NNSA expertise will be hard to leave out of the room, and the CBRN lane may in fact offer the most tractable early agenda for technical exchange, since neither side wants proliferation-relevant capabilities diffusing to third parties. But there is an important distinction here between the C and the BRN. Recent revelations of Chinese cyber operations targeting U.S. critical infrastructure, distillation of U.S. frontier models, and broader and longer-term U.S. concern about China’s cyber theft of IP make this domain particularly sensitive to discuss in the context of AI-enabled offensive and defensive cyber operations.
The June 2026 executive order as a first test case
Complicating the issue is the fact that the June 2026 AI Executive Order establishes what is effectively the first U.S. government framework for classified evaluation of frontier AI models based on national security capabilities rather than general AI safety concerns. The centerpiece is a classified benchmarking process, led by national security agencies in coordination with CAISI, to assess advanced cyber capabilities and determine when a system qualifies as a “covered frontier model.” The benchmark itself would be classified, reflecting concerns that publicly disclosing capability thresholds could reveal sensitive information about offensive and defensive cyber operations. The framework is focused primarily on cyber-enabled risks, including vulnerability discovery, exploit development, and critical infrastructure impacts, rather than broader questions of misinformation, bias, or societal harms.
From a strategic perspective, the EO is attempting to move frontier AI governance closer to an arms-control and strategic stability model. Developers of covered frontier models are encouraged to provide the government with up to 30 days of pre-release access for classified evaluation, allowing agencies to assess whether emerging systems could alter the cyber offense-defense balance or create new national security risks. While participation remains voluntary, the EO creates an institutional mechanism for government visibility into the most capable AI systems before deployment. In effect, the United States is beginning to treat certain frontier AI models less like commercial software and more like strategically significant technologies requiring specialized government assessment, a development that could eventually inform future discussions with China on AI risk reduction, strategic stability, and confidence-building measures.
But this is very much work in progress, and many within the industry are uncomfortable with a classified evaluation process and will likely push back on this process. In addition, a further political difficulty is that even a voluntary review process can be seen by some actors as the beginning of a de facto licensing regime. That concern is especially strong when many policymakers view regulatory constraints through the lens of U.S.-China technological competition. At the same time, placing frontier AI too narrowly inside cyber-focused institutions could mischaracterize the problem. Cybersecurity is central, but frontier AI safety also raises questions around biosecurity, autonomous behavior, model control, misuse, and broader social risks. A process designed mainly for cyber defense may not capture the full range of frontier-model concerns. A broader model-release or licensing framework would be a later, even more involved step.
U.S. versus China: Industry and technical counterparts
Finally, the role of industry here in the process of setting up the dialogue remains complex. The expertise in frontier AI model development, testing, and deployment ultimately rests within small teams with all the leading labs. Any agreement between the two governments will have to establish a mechanism for inputs from both AI safety organizations such as CAISI and China’s CnAISDA, from other pools of expertise such as the Frontier Model Forum (FMF), and the labs themselves. CnAISDA, the China AI Safety and Development Association unveiled in February 2025 around the Paris AI Action Summit, deserves a precise read: it is not a CAISI-style government agency but a network of existing institutions, convened with backing from senior figures such as Turing Award winner Andrew Yao and Tsinghua’s Xue Lan, whose members include Tsinghua’s Institute for AI International Governance (AIIG), the Shanghai Qi Zhi Institute, the Beijing Academy of Artificial Intelligence, the Shanghai AI Laboratory (SAIL), CAICT, and the MIIT-affiliated think tank CCID. The network itself does not test or evaluate models, although several member institutions do.[9] That asymmetry of institutional form, an agency on one side and a network on the other, could complicate any effort to designate formal technical counterparts, though it is likely that the U.S. China AI dialogue could force consolidation of frontier AI model testing capabilities into a smaller and empowered subset of CnAISDA member organization. Indeed, this would be a desired outcome. On the U.S. side, players such as Sacks could also be part of the mix, or better, whoever replaces him in the position of White House AI Czar[10], should President Trump decide to appoint a suitable replacement, ideally someone who can straddle industry and government and help shape the development of the U.S. bureaucratic organization structure optimized for frontier AI model governance, and serve as bridge both between industry and the government, and for bilateral and multilateral discussions of the issue as a logical focal point that can reach out across the U.S. interagency for expertise and authority as required.
China’s Frontier AI Model Governance System: Emerging but Dynamic Ecosystem
As with the U.S. graphical diagram, the relevant Chinese parties and their relationships below should be studied closely to provide a visual understanding of the counterparts we will be working with.
China’s system can be mapped through the same five functions. CAC is central to online information, algorithm governance, and data security; MIIT to industrial policy and technical standards; NDRC to planning and infrastructure; MOST to research and innovation; MFA to external governance; MPS and MSS to cyber, public-security, and intelligence enforcement; and the PLA to military risk. The problem is that no single body specializes in frontier-model risk evaluation while also holding authority across these domains.
Major government actors: authority distributed across competing mandates
Ministries, administrations, and standards bodies in Beijing have issued a large volume of AI regulations and policy guidance, especially around algorithms, generative AI services, synthetic content, data compliance, online information control, and industrial development over the past three years. But like the U.S., Beijing has not chosen to establish an agency designed specifically to evaluate frontier AI risk. The CAC has authority over online information, public opinion, algorithm governance, content security, and data-related controls. MIIT is more closely linked to industrial policy and technical standards. MPS, through cyber and public-security channels, brings enforcement capacity over network security, cybercrime, and the security implications of deployment. NDRC’s expanding AI role points to planning, investment coordination, strategic resource allocation, and the integration of AI into broader economic policy. MOST remains relevant through science and technology policy, research funding, and innovation strategy, and a MOST Vice Minister has periodically represented China at international AI safety fora, including at Paris in 2025.
MFA has the external-facing function of engaging in global AI governance. That external engagement increasingly runs through Beijing’s preferred multilateral vehicles: the Global AI Governance Initiative of October 2023, the Global AI Governance Action Plan released at the July 2025 World AI Conference, and the proposed World AI Cooperation Organization (WAICO, to be headquartered in Shanghai, which Xi personally promoted at APEC in November 2025. Any bilateral dialogue will be shaped by Beijing’s effort to route AI governance through these China-led and UN channels. MSS and MPS are both centers of strong cyber and security expertise: MSS on intelligence and state-security risks, MPS on public-security enforcement, cybercrime, and protection of critical information infrastructure. The PLA has also been a reservoir of cybersecurity-related capabilities, and has clear stakes, given the cyber and military implications of frontier AI model capabilities, which have reportedly featured in recent military conflicts.
Chinese Technical Institutions
China also has an array of capable technical bodies. Institutions such as CAICT and emerging AI safety-focused organizations can provide practical expertise on testing, standards, and security assessment. The most concrete artifact of this technical layer is the AI Safety Governance Framework, issued in September 2024 and upgraded to version 2.0 on September 15, 2025, by TC260, China’s national cybersecurity standards committee, together with CNCERT/CC under CAC guidance. Version 2.0 explicitly addresses misuse in cyber and CBRN domains and loss-of-control risks and introduces a risk grading system, making it the closest thing China has to an official frontier-risk taxonomy and a natural reference document for any bilateral technical agenda.[11] A handful of institutions are also building genuine evaluation muscle: SAIL, for example, under Director Zhou Bowen, published a Frontier AI Risk Management Framework with Concordia AI in July 2025; the Beijing Academy of Artificial Intelligence (BAAI), added to the Entity List by the Biden Administration in 2025, a status that would make its participation awkward; and the Beijing Institute of AI Safety and Governance, established in February 2025 under Chinese Academy of Sciences (CAS) scientist Zeng Yi.[12] Zeng, who serves as a member of the United Nations High-Level Advisory Body on AI, is a widely respected AI safety expert who brings both technical expertise and multilateral engagement experience to the table. We will be watching for his inclusion in the Chinese team as a sign of how Beijing will approach the dialogue.
Research institutes linked to public-security, state-security, and cybersecurity systems may also be involved where frontier AI intersects with cyber operations, intelligence, and domestic-security concerns. The result is a policy field in which expertise, authority, and political access are distributed across different actors.
As in the United States, effective frontier-AI governance in China would require some combination of overall policy development, still lacking, coupled with technical competence, national-security authority, and access to top-level political decision-making. NDRC has gained influence over AI policy, but it is not primarily a technical agency and focuses primarily on domestic AI data center infrastructure and industrial policies related to the AI stack, not frontier model safety. MFA may become the visible face of China’s international AI governance efforts, while more powerful actors, including parts of the security apparatus, remain less visible. Technical institutions may be able to assess models, but they may not have the authority to define national-security priorities, and they do not appear, like CAISI, to have developed equivalent relationships with key expert bodies related to cybersecurity and biosecurity or with MPS-linked operational channels to enable testing of models under controlled or classified conditions. CnAISDA appears to have good relations with leading Chinese AI labs, but there does not appear to have been the deep integration of AI testers and evaluators within U.S. AI labs that CAISI has pioneered in the U.S. This reflects a familiar Chinese governance pattern: when a policy issue touches many priorities at once, many institutions can claim relevance, while ownership remains blurred.
Chinese AI governance must therefore reconcile competing mandates within a single political system. Frontier AI touches growth, security, ideology, diplomacy, military modernization, private-sector dynamism, and regime security at the same time. Internal coordination becomes politically and bureaucratically demanding.
This has direct implications for a Track 1 U.S.-China AI safety channel. A serious bilateral process will require counterpart capacity. Meaningful dialogue will be hard to sustain if the two systems lack functionally comparable institutional counterparts with enough authority and technical depth to scope and iterate a discussion of containing frontier-model risk. It also requires a shared understanding of what kind of risk is being discussed. If one side frames AI safety mainly as cyber defense while the other emphasizes access to systems for evaluation, the two sides can quickly talk past each other, making the collaboration framework moot.
This risk is already visible in debates over model access and evaluation. Chinese researchers have argued that meaningful safety assessment requires access to the systems being evaluated. In Washington, such arguments can easily be read as pressure for access to sensitive U.S. technology. Meanwhile, close cooperation between the U.S. government and leading AI firms can reinforce Beijing’s perception that American frontier labs are increasingly integrated into the national-security state. These perceptions make even technical exchanges politically charged.
Both sides will likely need new mechanisms that can evaluate emerging capabilities, define risk thresholds, and coordinate across multi agencies with competing mandates. Personnel continuity will also matter. Leader-level endorsement has elevated AI safety as a priority in the bilateral relationship, but it cannot substitute for institutional capacity to move the conversation forward.
History suggests that when transformative technologies emerge, governments often spend years building the bureaucracies needed to govern them. Nuclear technology eventually produced institutions such as the Atomic Energy Commission and later the Nuclear Regulatory Commission. Financial crises led to new regulatory structures after 2008. Frontier AI may now be at a similar stage.
Appendix: Who is Who in China’s AI governance system
China’s AI governance system is fragmented by design. Multiple agencies and political networks shape policy, often advancing overlapping agendas while checking one another’s authority. This pattern has become more pronounced since the 20th Party Congress, as Xi Jinping has balanced the portfolios of senior leaders rather than placing the full AI agenda under a single bureaucratic chain. The result is a coordination problem that will shape China’s response to frontier AI and limit what interlocutors can deliver in U.S.-China AI dialogues.
Formal negotiators may therefore not control the institutions that matter most. MOFCOM and MFA can participate in talks, but they do not have the domestic authority to align China’s military, security, industrial, and economic-planning systems. The key question is which officials and agencies can make frontier AI legible to Xi and influence his assessment of its opportunities and risks. Some of the most important players on AI may rarely interact directly with U.S. or multilateral counterparts but can still shape the advice and constraints facing China’s negotiators.
Politburo Standing Committee member Cai Qi could become a key player in the emerging U.S. China AI dialogue process. As perhaps the closest confidante of President Xi Jinping and the fifth-ranking member of the PBSC and director of the Central General Office, he is Xi’s chief of staff and one of the most important enforcers of ideological discipline, who also has responsibilities that touch on the risks and opportunities of frontier AI model deployments. His positions in the Central National Security Commission and the Central Cyberspace Affairs Commission, which sits over CAC, give him influence over the party-state’s information control and security apparatus.
Through the Central Cyberspace Affairs Commission, Cai has direct visibility into the Cyberspace Administration of China, the main regulator for online content, data security, and algorithm governance. The CAC has been led since 2018 by Zhuang Rongwen, who concurrently directs the commission’s general office and serves as a deputy head of the party’s Propaganda Department, a triple hat that ties AI regulation directly to the information-control apparatus. CAC’s filing and registration system functions as the primary clearance mechanism for generative AI services. It requires security assessments for developers of foundational large language models and works with technical bodies such as CNCERT/CC and emergency-response entities linked to MIIT and MPS. Because Cai sits above the cyberspace system, AI threat assessments generated through CAC and related security channels are likely to move quickly toward the top leadership.
Vice Premier Ding Xuexiang sits on the development and technology side of the system. As the sixth-ranking member of the Politburo Standing Committee and executive vice premier, he oversees macroeconomic planning, public finance, innovation policy, and the national science and technology agenda. Through the Central Science and Technology Commission, he helps coordinate major state-backed programs in AI, semiconductors, and data infrastructure. The commission is a strategic coordinator that identifies local policy experiments and scales selected models through the Ministry of Science and Technology and provincial party science-and-technology committees.
Vice Premiers He Lifeng and Zhang Guoqing occupy adjacent but important lanes. He, a Politburo member and vice premier, oversees finance, domestic commerce, monetary policy, and U.S.-China trade negotiations. His network also retains influence inside the NDRC, despite Ding’s formal portfolio. Zhang Guoqing, also a Politburo member and vice premier, manages the industrial base, informatization, and state-owned assets. Through MIIT and SASAC, he has influence over the physical backbone of China’s AI ecosystem, including computing infrastructure, industrial automation, hardware standards, and procurement rules affecting foreign AI chips in state systems.
The military operates through a parallel channel. The CMC Science and Technology Commission and its National Defense Science and Technology Innovation Rapid Response Groups monitor commercial breakthroughs and connect them to military users. Established in 2018, these groups function as local sensors for civil-military fusion, with visible activity in cities such as Chongqing, Xi’an, and Shenzhen. Despite recent PLA purges, including the March 2026 delisting of Liu Guozhi, who led the CMC Science and Technology Commission from 2016 to 2021, from the Chinese Academy of Sciences academician roster,[13] open-source records suggest that these local nodes have continued to operate. This gives the PLA a direct mechanism for tracking frontier AI and passing military-relevant assessments upward.
The NDRC is emerging as another important coordination platform. Formally under Ding’s portfolio but also shaped by He Lifeng’s personnel network, the commission operates as a high-level strategy and evaluation body. Its AI and civil-military fusion work appears to rely on agile task forces that draw personnel from local development and reform commissions and other ministries. A reported Leading Group on Semiconductor Industry Development has its Office located at NDRC, and includes semiconductor component and an AI specific organization, managed by Xiangli Bin and Huang Ru, respectively. Huang is a microelectronics academician and NDRC vice chair; together these offices focus on semiconductor supply chains, hardware, computing infrastructure, and cross-agency coordination. The NDRC’s role in cases involving AI firms and overseas restructuring suggests that it is gaining leverage over the boundary between technology policy, capital control, and national security.
The National Data Administration, established under the NDRC in 2023, adds another piece to the system. Its mandate is to build a national data market and reduce the proprietary data silos controlled by large technology firms. That task is central to China’s AI ambitions, but implementation has been difficult. Firms have strong incentives to protect commercially valuable data, and early efforts to inventory corporate data assets have reportedly met resistance.
MPS is important for cybersecurity and public security. Through its 11th Bureau, the Cybersecurity Protection Bureau, it regulates enterprise network security under the graded protection system. As AI risks become more visible, MPS is increasingly focused on AI-related vulnerabilities and the security risks created by deployment. Its role overlaps with CAC’s authority over cyberspace governance and with the security services’ broader interest in cyber and intelligence risks.
China’s diplomatic interlocutors face clear constraints. MFA represents China in international AI talks and can frame broad principles on safety, sovereignty, and global governance. But it lacks the technical capacity, rank, and budget to direct the institutions that manage the AI ecosystem, including NDRC, CAC, MIIT, MPS, and the PLA. MFA also depends heavily on outside experts and think tanks, including the Tsinghua Institute for AI International Governance, led by founding dean Xue Lan, who also chairs the national New Generation AI Governance Expert Committee, with former vice minister Fu Ying as honorary dean.[14] That gives it intellectual support, but not the in-house capacity or mandate to assess specific frontier-model risks.
MOFCOM has more direct policy leverage through export controls and trade tools. It can shape technology governance when AI intersects with external pressure, sanctions, or cross-border transactions. But its autonomy is limited. In sensitive cases, MOFCOM may initiate or manage parts of the process, but higher-ranking bodies such as the NDRC can still step in when strategic technology, capital, or national-security concerns are involved.
An expert ecosystem that can bridge the two systems is starting to form. CnAISDA knits together the institutions most engaged on frontier risk, and several of its convening figures carry considerable weight inside the system: Turing laureate Andrew Yao and Tsinghua AIR dean Zhang Yaqin have co-signed the International Dialogues on AI Safety red-lines statements alongside Western counterparts, Zeng Yi runs the Beijing Institute of AI Safety and Governance under the Chinese Academy of Sciences, and Zhou Bowen’s Shanghai AI Lab has published a frontier AI risk management framework with Concordia AI, the most active Track 2 connector between the two safety communities.[15] None of these actors holds formal negotiating authority, but they are the likeliest source of the working-level technical expertise and trust a government channel will need, and any U.S. coalition strategy should map and engage this network deliberately rather than treating the official organs as the only interlocutors. So far, U.S. officials, including from CAISI, have not engaged seriously with China’s AI safety community, either at major international fora such as the Bletchley Park AI Summits or at other international AI fora where Chinese players have been present.
The challenge for U.S.-China AI dialogue is whether China can bring the above security, military, industrial, and planning systems into alignment, and which bureaucratic channels can translate frontier AI risks into language and priorities that reach top leadership.
[1] Center for Strategic and International Studies, analysis of the May 2026 Trump-Xi Beijing summit and its technology deliverables, May 2026, csis.org; PRC Ministry of Foreign Affairs summit readout, May 2026, fmprc.gov.cn.
[2] The White House, “Statement from NSC Spokesperson Adrienne Watson on the U.S.–PRC Talks on AI Risk and Safety,” May 13, 2024, bidenwhitehouse.archives.gov; PRC Ministry of Foreign Affairs, readout of the first meeting of the China–U.S. intergovernmental dialogue on artificial intelligence, May 15, 2024, fmprc.gov.cn.
[3] The White House, “Readout of President Joe Biden’s Meeting with President Xi Jinping of the People’s Republic of China,” Lima, Peru, November 16, 2024, bidenwhitehouse.archives.gov.
[4] Wall Street Journal reporting on implementation of the June 2, 2026, executive order, June 2026; The White House, “Promoting Advanced Artificial Intelligence Innovation and Security,” Executive Order, June 2, 2026, whitehouse.gov/presidential-actions.
[5] Washington Post, reporting on the removal of Collin Burns as CAISI lead and the selection of Chris Fall, April 24, 2026, washingtonpost.com.
[6] Wall Street Journal, reporting that CAISI was directed to pause public model-evaluation reports during executive order implementation, June 2026, wsj.com.
[7] See the White House NSC statement of May 13, 2024, and the PRC MFA readout of May 15, 2024, cited above.
[8] Anthropic, “Developing nuclear safeguards for AI through public-private partnership,” August 21, 2025, anthropic.com; Axios, reporting on the first frontier model evaluation in a Top-Secret environment beginning April 2024, November 14, 2024.
[9] Scott Singer, “How Some of China’s Top AI Thinkers Built Their Own AI Safety Institute,” Carnegie Endowment for International Peace, June 2025, carnegieendowment.org; Shanghai Qi Zhi Institute, readout of the CnAISDA unveiling on the sidelines of the Paris AI Action Summit, February 2025.
[10] Reuters and Bloomberg, reporting on David Sacks stepping down as White House AI and crypto czar at the 130-day special government employee limit and becoming PCAST co-chair, March 26, 2026.
[11] National Technical Committee 260 on Cybersecurity and CNCERT/CC, AI Safety Governance Framework 2.0, September 15, 2025, tc260.org.cn; Carnegie Endowment for International Peace, “How China Views AI Risks and What to Do About Them,” October 2025.
[12] Shanghai AI Laboratory and Concordia AI, Frontier AI Risk Management Framework, July 2025; Concordia AI, AI Safety in China updates on the establishment of the Beijing Institute of AI Safety and Governance under the Chinese Academy of Sciences, February 2025, concordia-ai.com.
[13] South China Morning Post, reporting on Liu Guozhi’s removal from the Chinese Academy of Sciences academician roster, March 19, 2026, scmp.com.
[14] Tsinghua University Institute for AI International Governance, institutional pages on its founding dean, honorary dean, and role supporting the New Generation AI Governance Expert Committee, aiig.tsinghua.edu.cn.
[15] International Dialogues on AI Safety, consensus statements (Ditchley Park 2023; Beijing 2024; Venice 2024), idais.ai; Concordia AI, State of AI Safety in China reports, 2023–2025, concordia-ai.com.










