In recent years, in-house counsel discussion of AI and trade secrets has largely focused on the scenario of “staff feeding data into ChatGPT”, which is a valid concern. But what deserves even closer attention is the widespread and deepening integration of AI agents.
Unlike the familiar generative AI chat tools, an agent can proactively retrieve information and execute tasks. It can read emails, access knowledge bases, call internal systems, connect to external interfaces, and make autonomous decisions across multi-step tasks.
Once employees embed such an agent into everyday workflows, the protective boundary around the company’s trade secrets may quietly shift, as system-level access permissions and information reach are effectively ceded to an external system.
This is not a faraway fantasy. Since 2026, many mainstream AI agent platforms have been reported to suffer from vulnerabilities such as path traversal, prompt injection and server-side request forgery (SSRF). Some of these flaws allow attackers to craft malicious task instructions and, by leveraging an authorised agent account, move laterally within an enterprise’s internal systems.
A targeted security risk alert was issued in March 2026 by experts from the Ministry of Industry and Information Technology (MIIT) and the National Computer Network Emergency Response Team (CNCERT), setting out specific attack vectors against AI agents. These include prompt injection, inter-process communication hijacking, and malicious plug-in implantation. This was the first time regulators issued a systematic warning on AI agent security risks. It also serves as a general call for corporate compliance.
New leakage paths
Systematic harvesting replaces one-off disclosure. An employee manually downloading a quotation is a visible breach, but once an agent is granted access to the customer relationship management (CRM), project management tools and email – and asked to “summarise this quarter’s client negotiation progress” – it may aggregate dozens of sensitive documents across systems in a single run, without leaving any trace of opening or handling each individual file.
CNCERT’s alert also points to a more covert mechanism: Attackers can use inter-process communications via the MCP protocol to carry out prompt injection, steering an authorised agent to extract data without visibly crossing permission boundaries. Information access shifts from manual review to structured harvesting, rendering traditional monitoring points for trade secrets ineffective.
Rewriting and restructuring erase the trail. AI tools often use trade secrets not by copying text verbatim, but by transforming them into summaries, syntheses, process re-designs or distilled rules. A departing employee may take not a document, but an AI-refined knowledge model. If litigation still relies mainly on word-for-word comparison to prove misappropriation, it will likely fail.
Article 9 of the Anti-unfair Competition Law protects the “substantive content” of information, but there is not yet a settled approach for proving that AI-rewritten output is substantively equivalent to the original secret.
Multi-party access breaks the liability chain. An agent typically involves the base model provider, plug-in developers, API vendors, cloud hosting and operations teams. Once company data enters this chain, the number of parties with potential access can multiply. Subcontracting by vendors, offshore processing, log ownership and data deletion duties are often not covered by traditional IT procurement contracts. If a leak occurs, the company may struggle even to identify who to pursue.
These three paths lead to the same litigation challenge: how to respond if the opposing counsel argues, “Your own employee fed the data to an agent, how can you claim your confidentiality measures were reasonable?”
Companies need to close these gaps before disputes arise.
Recommendations
Rebuild information classification and define AI boundaries. Many companies’ confidentiality policies pre-date widespread AI use and lack rules for agent scenarios. The fix is not to tweak a generic non-disclosure agreement, but to create a three-tier classification for core information: (1) information that must not be entered into any external AI tool; (2) information that may be entered only with approval and after desensitisation; and (3) information that may be processed only in a private or otherwise controlled environment.
This classification list can later be key evidence in litigation to show that the company’s confidentiality measures were reasonable.
Implement AI tool onboarding review rather than defaulting to open access. When business teams deploy an agent with system integration capabilities, the legal risk can be comparable to signing a sensitive data processing agreement, yet legal is often not involved.
CNCERT’s alert advises: do not use personal accounts for enterprise tasks; do not readily authorise access to sensitive data sources; and continuously track and apply security patches.
Legally, the implication is that if a company allows employees to use personal accounts to run agent workflows on sensitive company data, it faces significant risk in any later assessment of whether its confidentiality measures were “reasonable”.
The onboarding review checklist should at least cover: whether the data will be used for training; whether plug-in permissions are controllable; whether logs are fully kept; whether the bug-fixing process is transparent; and whether cross-border transfers comply with applicable rules. Pre-launch assessment is only the starting point; full-lifecycle monitoring should be the norm.
Revise confidentiality clauses to add AI-specific duties. Most confidentiality provisions in existing employment contracts, vendor agreements and technical services contracts do not cover agent use.
At a minimum, add clauses that bar employees and vendors from inputting certain classes of information into any external model or agent that is not approved; prohibit vendors from using company data for training or for any purpose beyond the contract scope; require notice within an agreed time period and co-operation with evidence collection if there is a security flaw, unauthorised access or suspected leakage; and clearly address subcontracting, offshore processing, log keeping, and deletion and data destruction.
The value of these clauses is not only post-incident enforcement, but setting clear boundaries up front and creating a written basis for allocating responsibility if a dispute arises.
Move evidence collection up front. In the case of agents, data flows are fragmented, multi-node and often opaque, so post-incident reconstruction is almost impossible.
Steps that could be moved up front include keeping logs of AI tool access control and invocation; outbound approval records; user activity monitoring for key roles; and offboarding data audits for departing employees, including review of AI conversation logs where available.
In a dispute, these controls may be the only evidence that information remains governed and any leakage is traceable.
Steve Zhao is a partner at GEN Law Firm. He can be contacted by phone at +86 130 2122 4752 and by email at zhaokefeng@genlaw.com
Simon Du is a partner at GEN Law Firm. He can be contacted by phone at +86 137 6195 4646 and by email at duxiaokuan@genlaw.com