Before turning to the legal, contractual and governance issues, it is worth being clear about what we mean by “agentic AI”.
As with AI more broadly, the terminology around agentic AI is still evolving. Terms such as "agent" and "agentic system" are not always used consistently - and market labels can be broader than the underlying functionality.
In practice, the key question is not whether the vendor labels the system as "agentic", but what the system can actually do within the permissions and controls set around it.
This article gives an introductory overview of AI agents and agentic AI, covering the core concepts that inform the legal and governance issues addressed elsewhere in this series.
AI agents and agentic AI
Agents
An agent is a software component that pursues an objective over time by selecting actions, using tools and adapting its approach based on intermediate results - rather than simply producing a one-off response to a prompt.
Agentic AI systems
An agentic system is an end-to-end system that uses one or more agents to plan and execute multi-step workflows.
In many cases, an agentic system can break the objective into tasks, choose and sequence steps and adapt as it goes within the constraints and oversight you set.
Put simply: traditional generative AI produces content; agentic systems can plan and take action within defined controls.
An example simplified agentic flow is shown below:
How agents operate
AI agents typically operate through a recurring decision loop, often described as “sense, think, act”:
- Sense: the agent gathers information from its environment - reading documents, querying databases, monitoring systems or retrieving external data.
- Think: the agent evaluates what it has observed, decides what to do next and forms a plan. This is not a one-time process - the agent reassesses as new information emerges, adapting its approach accordingly.
- Act: the agent takes action - generating an output, updating a system, sending a communication or executing a transaction - before cycling back to observe the outcome and continue. Unlike a generative AI tool, those actions may modify external state rather than simply produce outputs for human review.
Single-agent and multi-agent patterns
Some agentic systems rely on a single agent. Others use multiple agents with different roles, permissions and access to systems or data.
In more complex deployments, the process is coordinated by an orchestrator agent. The human user provides the objective and an LLM-powered orchestrator reasons through how to achieve it - breaking the objective into tasks and delegating each to a specialist sub-agent. The sub-agents execute their assigned tasks, and the outputs are brought back together into a coherent response.
A simplified multi-agent system example is shown below:
We walked through how an orchestrated multi-agent system can work in more detail in our Tech Summit talk.
Agency and autonomy
Not all agentic AI systems present the same level of risk. Two factors largely determine the risk profile of a given deployment: how much the system can do, and how freely it can decide what to do next. We can think of these two factors as agency and autonomy:
- Agency - what tools the system can use, which systems it can access, and which actions it can take.
- Autonomy - how much freedom it has to decide the next step without human direction.
Agency and autonomy do not always move together. A system with broad access to business systems may still operate under tightly prescribed instructions and approval gates. Another may have more limited access but wide discretion over how it pursues its objective.
As a general rule: the greater the agency and the higher the autonomy, the more significant the legal and governance questions - and the more robust the controls need to be. This distinction is one of the key differences in the debate around agentic AI vs generative AI.
Assessing agency
Drawing on the “sense-think-act” framework introduced above, agency can be assessed across three dimensions:
- Planning: can it break work into steps, adapt its approach and choose tools?
- Interaction: can it communicate internally or externally, or make representations on the organisation’s behalf?
- Execution: can it act in tools and enterprise systems, especially by taking “write” or “commit” actions?
The more of those capabilities a system has, the broader its effective agency - and the more carefully its permission boundary needs to be defined.
Managing autonomy
Autonomy is shaped by how oversight is designed. Approval gates, thresholds and stop conditions determine how freely the system can act and when human intervention is required.
In practice, oversight tends to follow one of four patterns - ranging from tightest to loosest:
The right position on that spectrum depends on the risk profile of the deployment - the nature of the actions the system can take and the consequences of error.
We explore these oversight principles further, including approval design and monitoring, in the Governance and Oversight section of this guide [LINK].
Memory and state
In agentic systems, memory can operate at several levels. For example, the orchestrator agent may retain context about the overall objective; individual sub-agents may retain information about the tasks they have been assigned; and tools and external systems may also maintain their own records or state.
Each of those layers raises distinct questions around data protection, confidentiality and auditability.
Two specific issues are worth noting:
- Persistence: memory may cause an agent to act on information that is stale, out of scope or no longer authorised. An instruction or context from an earlier interaction may shape later behaviour in ways that are difficult to detect or trace.
- "Context rot": over long, multi-step workflows, the system's handling of earlier instructions may degrade. Instructions given early in a workflow may effectively be forgotten or deprioritised - creating a gap between what was authorised and what was actually done. That gap can make later behaviour harder to predict, explain or audit.
Both issues point to the same governance requirement: memory needs to be designed, scoped and monitored, rather than treated as a background technical feature.
Why this matters
Agentic AI is not a single technology with a fixed risk profile. What matters for legal and governance purposes is what a particular system can actually do - how broad its access is, how much discretion it exercises, how its memory and audit trail work, and how the vendor stack is structured.
We explore those themes further in the other blogs on our AI hub.
/Passle/5f3d6e345354880e28b1fb63/MediaLibrary/Images/2025-09-29-13-48-10-128-68da8e1af6347a2c4b96de4e.png)
/Passle/5f3d6e345354880e28b1fb63/SearchServiceImages/2026-06-01-10-47-37-512-6a1d6349325d492fa0bece93.jpg)
/Passle/5f3d6e345354880e28b1fb63/SearchServiceImages/2026-06-01-08-36-43-169-6a1d449b2e2d3e6a815b2ced.jpg)
/Passle/5f3d6e345354880e28b1fb63/MediaLibrary/Images/2024-08-23-11-31-07-354-66c872fb971eecc249d83d40.png)