From ChatGPT to Sora and then to DeepSeek, generative artificial intelligence is constantly evolving and innovating, but its potential legal risks are also becoming increasingly serious. By analyzing the three-stage operation mechanism of preparation-operation-generation of generative artificial intelligence, it can be known that the core technologies involved in the three stages are different so that the existing legal risks also vary. Specifically, the core of the preparation stage of generative artificial intelligence lies in massive data and machine learning. The operation stage mainly involves algorithm techniques, manual annotation, and autonomous learning. The generation stage relies on data decoding and sample generation. Correspondingly, its legal risks mainly lie in the protection of privacy and personal information in the preparation stage, data security and algorithm bias in the operation stage, and copyright ownership, ideology and social order in the generation stage. However, the existing legislation fails to provide detailed guidance on the core contents such as the legal status, regulatory standards, and sample attribution of generative artificial intelligence. Based on this, on the basis of a comparative analysis of the governance paradigms and experiences of countries such as the United States, the United Kingdom, and the European Union, in combination with China’s national conditions and practical status, we should focus on the three-dimensional path of civil law protection-regulatory standard-industry norms to regulate the legal risks of generative artificial intelligence to safeguard the legitimate rights and interests of citizens. Firstly, at the civil law level, we should clarify the legal object status of weak generative artificial intelligence and the fictitious legal subject status of strong generative artificial intelligence, strengthen the protection of personal information through explicit authorization of private information and data encryption technology, and improve the intellectual property determination standards based on the attributes and rights ownership of generated samples. Secondly, at the regulatory standards level, we should implement the whole process supervision covering the preparation-operation-generation stage for technologies such as algorithms, enhance the transparency of related technologies by formulating technical transparency standards, introducing interpretable technologies and establishing an accountability-feedback guarantee system, and form a characteristic regulatory model of government-society-enterprise linkage that the government provides policy support for citizens and enterprises, citizens actively participate in regulatory governance and feed back infringement information to the government and enterprises, and enterprises, guided by government policies and citizens’ demands, contribute to social development. Finally, at the industry norms level, we should clarify the applicable liability principle for its infringement through the three infringement forms of generative artificial intelligence, implement the legal obligations of service providers and users that providers should undertake obligations such as content review and security guarantee, while users should fulfill obligations such as reasonable use and operation as well as information feedback, and open up social consultation and feedback channels to curb the occurrence of infringement phenomena and improve the efficiency of resolving infringement disputes by popularizing citizens’ rights and obligations, standardizing citizens’ usage methods, and enhancing the connection between enterprises and citizens.