LCQ19: Regulating AI agents
***************************
Question:
It has been reported that an AI agent, commonly known as "lobster", has recently sparked a craze on the Mainland. The AI agent is capable of automatically completing various tasks upon receiving instructions. However, the Mainland regulatory authorities issued a warning last month, pointing out that a misconfigured or improperly authorised AI agent will pose relatively high security risks and may give rise to hidden security hazards such as cyberattacks, malicious system takeovers, or information leakage. In this connection, will the Government inform this Council:
(1) whether the authorities will expeditiously formulate security guidelines specifically for the application of AI agents, so as to ensure that public and private organisations promote the application of such agents within the scope of security and controllability; if so, of the details; if not, the reasons for that;
(2) given that the 2026-2027 Budget has proposed the establishment of the Committee on AI+ and Industry Development Strategy, whether the Committee will, upon its establishment, expeditiously formulate a comprehensive AI Development Blueprint, so as to improve the relevant planning, infrastructure and legal governance framework, and strengthen the protection of Hong Kong's cybersecurity and data security, with a view to steering the sustainable development of AI (in particular AI agents); if so, of the details; if not, the reasons for that;
(3) whether the authorities will allocate dedicated resources from the existing innovation and technology funding schemes to support local organisations in the research and development of secure and reliable AI agents, and promote their application in Hong Kong; if so, of the details; if not, the reasons for that; and
(4) whether the authorities will allocate additional resources and, by drawing reference from the Government Information Technology Security Policy and Guidelines, formulate a set of Information Technology Security Guidelines applicable to non-Government organisations and individual users, while strengthening popular science education and publicity to enhance the awareness and preventive capability of various sectors of the community in the secure use of AI tools (in particular AI agents); if so, of the details; if not, the reasons for that?
Reply:
President,
Regarding the question from the Hon Michelle Tang, upon consulting the Department of Justice, the reply is as follows.
(1) and (4) The Government attaches great importance to the governance and risk mitigation of AI applications. In terms of governance, the Digital Policy Office (DPO) published the Ethical Artificial Intelligence Framework and the Hong Kong Generative Artificial Intelligence Technical and Application Guideline, etc, to provide guidance for projects involving the development and application of AI technologies. These help identify and manage potential risks and key considerations associated with AI projects (such as system security and robustness, personal privacy, data security and management), and offer practical guidance to technology developers, service providers, and users. For example, the Ethical Artificial Intelligence Framework recommends project owner to conduct impact assessment for AI applications, and give consideration to AI-related ethics, roles, and responsibilities in accordance with risk gating criteria, as well as to assess which projects require a review. In particular, high-risk applications should establish "human-in-the-loop" oversight mechanisms to minimise the risks associated with AI applications through human oversight.
In respect of information security, the DPO has developed a comprehensive set of Government IT Security Policy and Guidelines which cover the application scenarios for AI tools. These Policy and Guidelines have been uploaded to the government website, enabling individual organisations to adopt appropriate information technology security risk management measures based on their own circumstances, thereby enhancing their awareness and capabilities regarding information security and safeguarding against AI-related risks. Taking account of the actual circumstances, the Government will consider extending the Policy and Guidelines to organisations and individual users outside the government.
In recent years, generative or agentic AI agents have become increasingly prevalent. However, certain applications may involve potential security vulnerabilities such as excessive privileges, data leakage, and system intrusions. The DPO has alerted all government departments and the general public to these security risks, and provided relevant security guidelines for reference. For example, government departments were advised not to install related AI agents on computers connected to the government's internal network; departments must conduct risk assessments before installing any software, including evaluating the necessity of the software/product, its features and track records, and the security risks it poses to the department; and users are advised to implement adequate security measures when deploying and using AI agents, including strictly isolating the operating environment, enhancing credential management, and staying vigilant over official releases of security updates, to mitigate the associated risks.
To raise the awareness across society regarding the safe application of AI, the DPO supports the Hong Kong Internet Registration Corporation Limited in continuously updating courses on the safe application of AI in the workplace through the Cybersec Training Hub, covering workplace application risk alerts and codes of conduct. In addition, the 2026-2027 Budget announced an allocation of $50 million to enhance the understanding and skills of students, youth, and the public in applying AI, to foster AI literacy, and to promote a culture of responsible AI use. The Government is currently in discussions with the Hong Kong Science and Technology Parks Corporation, Cyberport, and the Hong Kong Productivity Council, and will invite these three organisations to submit proposals. Together with technology companies and academic institutions, they will organise courses and competitions, etc, that are diverse, engaging and closely aligned with the needs of the target groups. Additionally, the Government plans to organise a series of easily understood popular classes on AI, to be presented by experts and industry leaders, with an aim to enhance public understanding of safe application of AI, future trends and opportunities. The measures are expected to be rolled out in phases as early as the second quarter of this year.
(2) and (3) Pursuant to the strategy set out in the Hong Kong Innovation and Technology Development Blueprint, the Government has been actively building a local AI ecosystem with a focus on strengthening infrastructure and promoting the application-oriented approach. Through initiatives related to governance, scientific research, computing power, data, talent, and funding, the Government enhances the synergy among the upstream, midstream and downstream of the ecosystem, and makes every effort to promote the vigorous and safe development of AI in Hong Kong. These initiatives are ongoing and being consolidated. The newly established Hong Kong Artificial Intelligence Research and Development Institute will come into operation in the second half of this year, taking the lead to co-ordinate efforts in AI research and development, transformation of research outcomes, and expansion of application scenarios. In respect of infrastructure, Hong Kong's overall computing power has reached 5 000 peta-floating point operations per second (PFLOPS). Following commencement of works of the Sandy Ridge Data Facility Cluster, it is expected to provide computing power of 180 000 PFLOPS by 2032, which is equivalent to 36 times the current computing power in Hong Kong.
Regarding the legal framework, to evaluate whether the laws under different policy areas can keep pace with technological developments (including AI), the Secretary for Justice convened a Steering Committee meeting on March 6 this year on the establishment of the Inter-Departmental Working Group to Review Legislation to Support Wider Application of AI. Establishing a Working Group with its core members comprising representatives from different policy bureaux and government departments (B/Ds) is crucial for addressing issues arising from the rapid development and widespread application of AI. The B/Ds concerned will first conduct a comprehensive and in-depth review of existing laws to identify loopholes or deficiencies, before exploring targeted and practicable solutions (including considering the need for and feasibility of enacting bespoke legislation or implementing administrative measures) in light of Hong Kong's actual circumstances.
The Government will continue to monitor the latest development in AI, while promoting its widespread application and placing equal emphasis on innovation and security. The Government will update relevant guidelines and governance framework in a timely manner to foster a healthy and orderly AI ecosystem.
Ends/Wednesday, April 22, 2026
Issued at HKT 15:32
Issued at HKT 15:32
NNNN