A U.S.-China Communication Channel on AI Incidents: Provisional Recommendations
A preview of upcoming IAPS research
Hello readers! After a lacuna that involved my first trip back to China in 8 years and a conference in Singapore, I am back with a post and a bit of news. Our fearless leader Oliver Guest having joined the UK AISI, I (Karson) have been handed the reins of the International Strategy team at IAPS as Research Manager. I’m very excited for where the team is going. This post is co-authored with my colleague Clarissa Koh. You may be hearing more from us here in the coming months!
Introduction
Following President Trump’s summit visit to Beijing, China’s Ministry of Foreign Affairs (MoFA) announced that both countries would establish an intergovernmental AI dialogue, while Treasury Secretary Scott Bessent said that the U.S. and China would commence discussion on a “protocol” to prevent proliferation of powerful AI models to non-state actors, likely “within the next four to eight weeks”. President Trump also mentioned that the summit included discussion of “guardrails” on AI, possibly including CBRN risks.
Beyond facilitating these discussions, a formal dialogue channel could have multiple functions, such as sharing understandings of mutual threats and coordinating on possible responses. At IAPS, we have been working on a new report discussing a closely related idea: a lightweight, but formalized, AI incident notification and information sharing mechanism between the U.S. and China. We view this as a relatively achievable goal which could meaningfully contribute to reducing risks. In this post, we are sharing some early, provisional takeaways from our research to surface this idea and engage colleagues in discussion. Our thinking is still evolving, and we would be eager to receive comments from researchers with relevant expertise.
Despite the obvious challenges, this proposal may be more politically feasible than it first appears. A key concern from the U.S. side would be that China may seek to extract concessions in exchange for agreeing to participate, as it has done with prior bilateral mechanisms. The strongest safeguard against this is roughly symmetric risk perception on both sides—when both governments see themselves as benefiting from the channel, neither has incentive to hold its establishment hostage to broader negotiations. There are some signs that an alignment of risk perceptions is underway. In the U.S., Anthropic’s limited release of Mythos appears to have prompted a shift in the Trump administration’s approach to frontier AI risk, culminating in the release of an Executive Order to strengthen the government’s oversight of frontier models. In China, AI emergency preparedness is an emerging domestic priority. President Xi has repeatedly called for the construction of systems for technology monitoring, risk warning, and emergency response, recently highlighting “technological loss of control” (技术失控) as a particular topic of concern. Last year, China’s 2025 National Emergency Response Plan also placed AI security incidents alongside earthquakes, cyberattacks, and infectious disease epidemics. Mythos has also been a topic of significant concern for Chinese counterparts thinking about AI risks.
Provisional Recommendations
We suggest that the U.S. and People’s Republic of China (PRC) discuss the establishment of a dedicated channel for notification of time-sensitive AI incidents. No such channel exists today, creating risk of misinterpretation and escalation when clarity matters most. When an autonomous AI system malfunctions, frontier model weights are stolen by non-state actors and proliferate uncontrollably across global networks, or a compromised AI system launches cyberattacks against critical infrastructure in multiple countries, U.S. officials need to reach technically capable PRC counterparts quickly.
A dedicated channel would address gaps in existing U.S.-China communication channels along four dimensions: speed, expertise, protocols, and resilience. Existing channels include the Beijing-Washington hotline and Defense Telephone Link (DTL), besides ad hoc contact between counterparts in embassies and other parts of government. However, these have several disadvantages regarding use for communications on AI. Firstly, these channels lack the specialized expertise not just to describe what is happening, but to assess significance and avoid misinterpretation. Secondly, AI incidents may require faster procedures than diplomatic cables and conventional hotlines afford (the DTL requires 48 hours’ advance notice to set up a call).1 Moreover, because AI incidents are an emerging threat category, neither government has shared definitions or procedures to fall back on. Lastly, they also have a history of politicization based on events in the bilateral relationship.2 Calls placed on the Beijing-Washington hotline after the 1999 bombing of the PRC embassy in Belgrade and the 2001 Hainan Island air collision went unanswered. China also left the DTL dormant during then-U.S. Speaker of the House Nancy Pelosi’s 2022 Taiwan visit and the 2023 “balloon incident”. While the DTL was not formally suspended in either case, China cancelled multiple adjacent military dialogue tracks in retaliation for the Pelosi visit, rendering the DTL effectively unusable as part of a broader signal of displeasure.
Drawing on lessons from the nuclear weapons, cyber, and public health domains as well as practical considerations about what is achievable in the near- and longer-term, we have identified the following guiding principles to make a U.S.-China AI incident notification and information sharing channel most effective:
Bilateral, on the basis that the United States and China lead in frontier AI capabilities and that a small number of parties reduces coordination costs and competing political agendas.
Narrow in scope and actively maintained through routine use, limited to technical incident information and kept operationally warm through regular non-emergency exchanges.
Communication-only and voluntary, imposing no enforceable commitments and granting no asymmetric advantage.
Focused on shared risk such as non-state actor misuse, malfunctions, loss of control, third-party theft, and unintended cross-border effects. Clearly adversarial, state-attributed incidents should be handled through other mechanisms.
Formally recognized, with provisions for renewal and sustained institutional investment that signal both governments treat AI incidents as a shared risk worth managing.
Housed in civilian agencies, rather than military institutions. While no U.S.-China channel is immune to political shocks, military institutions may be especially sensitive and liable to be disrupted due to political circumstances.
Open to future evolution, designed to accommodate expanded scope, deeper coordination, or broader participation as conditions allow.
Implementation
The form that such a mechanism takes would depend on contextual factors. If the intergovernmental dialogue on AI is established as a standing channel of communication, it may make most sense for formalized incident notification and information sharing to sit closely within or alongside it. As the exact scope of the dialogue channel and format of participation remain unclear, multiple different pairs of hosts are possible, with various tradeoffs. Here we describe one option and provisional details for implementation.
One possibility on the U.S. side is for the State Department to lead, supported by the Center for AI Standards and Innovation (CAISI).3 The State Department’s new Bureau of Emerging Threats is expected to address threats stemming from AI models with advanced cyber capabilities; its experience hosting the U.S. end of the Nuclear Risk Reduction Center also means it has the diplomatic infrastructure to support a comparable AI mechanism. CAISI provides the technical depth. It is the U.S. government’s primary point of contact with frontier AI developers, with pre-deployment evaluation agreements in place with major U.S. frontier labs, and is directed under the AI Action Plan to establish AI-specific incident response standards. Routing technical communications through this existing institutional node, in support of State-led diplomacy, extends a role CAISI is already performing.
A corresponding arrangement on the PRC side could be MoFA in collaboration with relevant departments in the Cyberspace Administration of China (CAC). China’s MoFA is the natural counterpart for the State Department, and would be a likely coordinator on the Chinese side for a dialogue channel,4 but lacks technical expertise. CAC has emerged as Beijing’s lead AI regulator, issuing regulations and overseeing the pre-deployment security assessment regime for AI models. CAC’s combination of technical fluency and proximity to senior political leadership mirrors the channel’s intended shape: civilian rather than military, and equipped to route notifications to technical interlocutors without first traveling up the political chain. Another possibility would be CAC as the lead host on the Chinese side, to ensure strong and immediate connection to technical experts.5
We propose a three-tier framework that governs when the channel is used and how it operates in each case. The channel is intended to handle factual, technical incident information;6 it is not a venue for attribution, intelligence exchange, or broader AI-governance disputes. We draw on the Frontier Model Forum’s (FMF) concepts and core distinctions between information sharing, incident reporting, and incident response. While “incident notification” is conceptually similar to what FMF terms “incident reporting”, we choose to use “notification” here as it better reflects the voluntary nature of the proposed channel as compared to “reporting”, which has a regulatory connotation.
Although both countries’ domestic incident reporting infrastructure remains underdeveloped, it is still worth starting the work to establish a notification channel now. Poor domestic visibility on either side could lead to confusion or misperception, so more effort should be put into building the domestic infrastructure to make such a channel as effective as possible. But AI risks are advancing rapidly, and establishing a bilateral notification channel will take time; waiting until incident reporting infrastructure is fully mature may take too long. Ultimately, a voluntary incident notification and information sharing channel is among the lowest-cost instruments available to either government for managing the risks of a transformative technology. It costs little to establish and could prove invaluable when needed—the prudent moment to get started is now, acting before a crisis rather than improvising during one, and making use of the upcoming intergovernmental dialogue announced following the leaders’ recent summit in Beijing.
In this context, we refer to an AI incident as a discrete event in which malfunction, compromise, misuse, or unexpected behavior of an AI system endangers human life or property in a way that requires an urgent large-scale response. This excludes slow-onset problems such as gradual performance degradation or model drift, which require sustained mitigation rather than emergency response.
President Xi Jinping’s comment following the summit that both sides should “move forward in making good use of political-diplomatic and military communication channels” is, possibly, some positive sign on Chinese attitudes towards such channels.
This could involve a similar arrangement to the Nuclear Risk Reduction Centers, in which the US NRRC Director is a State Department official while the Deputy Director is an active-duty senior military officer, traditionally from the Air Force. An AI Risk Reduction Center could have a Director from the State Department and Deputy Director from CAISI.
The China-UK Dialogue on AI was co-chaired by MoFA’s Director-General of the Department of Arms Control Sun Xiaobo, who is concurrently also MoFA’s Coordinator for AI Affairs.
CAC is an example of the common Chinese institutional structure of “one institution with two names” in that it has two identities, one as a Party organ and the other as a state body. If CAC is involved, its role should likely be under its state entity, rather than its Party entity.
A shared incident notification taxonomy is also key in ensuring interoperability. Both sides can draw on existing work to support the development of a standardized notification template, including: the OECD’s Common Reporting Framework for AI Incidents, the AI Incident Database (AIID), and CSET’s AI Harm Framework.




I think this is definitely highly NEEDED!!
I think the collaboration can potentially start from some low-risk areas (geopolitically), like LLM use for education and labor