From content risk to conduct risk | Identifying agentic AI risks

With generative AI, legal risk largely centres on content: what the system produces and what it was trained on. With agentic AI, the focus shifts to conduct. That shift sits at the heart of many emerging discussions around agentic AI risks, AI liability and broader artificial intelligence risk management.

That is because agentic systems do not just generate outputs for human review. They may retrieve information, interact with tools and systems, and take action across a workflow. 

The legal issues are therefore no longer limited to – for example - whether the output is inaccurate, infringing or misleading. They also extend to what the system does, how it decides to do it, and what happens if that conduct causes harm. 

In short, the explainability question shifts from ‘why did the system say that?’ to ‘why did it do that?’ That latter question is harder to answer, because the answer turns on a chain of decisions, tool calls and intermediate states – often distributed across multiple components.

Why the risk profile changes

In practice, five key features of agentic systems explain why the risk profile changes.

• Action, not just output. Unlike a single-shot generative AI output, an agentic error may occur mid-workflow and may be difficult, costly or practically impossible to reverse.
• Autonomy. The system may make sequencing and trade-off decisions at a speed or frequency that makes meaningful human oversight unrealistic. Even where approval gates exist, they may not capture every decision that matters. An agentic process can also compound errors quickly at scale: a self-reinforcing loop may consume compute, incur cost or trigger downstream actions before any human becomes aware.
• Opacity. Even where actions are logged, the basis for them may not be fully visible or readily reconstructable, particularly in multi-agent deployments or extended workflows. That can make it harder to explain what happened, why it happened and whether it was foreseeable. Responsibility may also be diffused across the stack – the model(s), the orchestration layer, tool integrations, guardrails and permission settings, data sources and human supervisors – making it harder to identify who is responsible for a given outcome.
• Emergent behaviour. In multi-agent deployments, interactions between agents may produce unexpected outcomes, and a misjudgement by one agent may propagate before any human sees it. Risk may therefore arise not only from the behaviour of an individual component, but from the way the system operates as a whole.
• Non-determinism. Agentic systems built on LLMs may produce different outputs given the same input, making testing, validation and explanation more complex. The fact that a system behaved acceptably once does not guarantee that it will behave the same way again.

Taken together, those features mean that agentic AI changes not just the scale of familiar risk, but its nature. The focus shifts from output review to action control, oversight design and evidence after the event. 

They also mean that legal and governance assessment has to be grounded in what the system can actually do in operation: what it can access, what it can trigger, and who may be affected if it behaves unexpectedly.

Loss of control

A recurring concern across the features above is the risk of losing meaningful control over what the system is doing. Speed of action, opacity of reasoning and breadth of permissions can each erode the organisation's practical ability to direct, supervise or stop the system in time to prevent harm. Control is not a binary state: it can degrade gradually as autonomy increases, oversight reduces or the system's reach expands - often without any single decision marking the change.

Acting outside intended scope

One practical consequence of greater autonomy and opacity within agentic AI is that a system may pursue its objective in ways the organisation did not anticipate or intend.

The system may act within its technical permissions, but outside the intended scope of deployment. It may optimise for the objective it has inferred without respecting limits the organisation assumed were obvious. This is sometimes described as goal misgeneralisation: the system follows the objective, but not in the way the organisation intended.

As such, the key legal and governance issue here is no longer simply whether the system was authorised to act in general. It is whether the deployment remains within the operational and governance boundaries required for effective AI compliance.

Security and manipulation risks

The move from outputs to actions also changes the nature of manipulation risk.

With generative AI, a manipulated or misleading input may produce a flawed output - which a human can review, reject or correct. With agentic AI, the same input may cause the system to take action: querying systems, executing transactions or sending communications on an organisation’s behalf. 

That exposure grows with the system’s access. The more tools and data sources an agent can reach, the more ways there are for malicious or misleading content to redirect its behaviour.

The same concern applies to permissions. An agent with broad authority to act may be steered into misusing that authority - not because the system was compromised, but because it was authorised to act and was manipulated into doing so.

The upshot is that the wider the permissions granted to an agentic system, the more carefully those permissions need to be scoped, monitored and controlled.

Cross-jurisdictional reach

Agentic systems can act across borders, platforms and regulatory regimes at speed and scale. Where the system actually operates depends largely on the permissions and integrations granted to it, rather than on what any single output contains.

That changes how compliance is managed. Legal exposure may turn not just on what the system generated, but on where it acted, what authority it relied upon, and which jurisdiction’s rules apply to that action. In an unharmonised regulatory landscape, the practical question is whether permissions, controls and records can support compliance wherever the agent reaches.

Behaviural drift 

Conventional software follows fixed rules. Generative AI may produce variable outputs, but agentic systems can also act, retain context and adapt over time. That combination means their behaviour may shift in ways that are difficult to detect, explain or reconstruct.

Where tool selection, memory accumulation or runtime adaptation alter how the system behaves, it may become harder to distinguish acceptable variation from a genuine shift beyond the boundaries originally assessed or approved.

That makes it harder to determine whether the system remains within the operational boundaries originally tested, approved or contracted for.

A related concern is task creep. Over time, an agent's remit may expand beyond what was originally scoped - through more tool integrations, broader data access, accumulated memory or incremental changes to its instructions. Each step may be individually unremarkable, but the cumulative effect may be a system operating well beyond its original authorisation envelope.

The "bolt-on" problem

A practical governance issue arises where agentic functionality is added to an existing enterprise platform without clear advance notice.

That problem also arose with generative AI, but the consequences may be different. A generative feature enabled without notice may affect how content is produced. An agentic feature enabled without notice may mean that the system's risk perimeter has expanded - and the organisation has had no opportunity to assess, configure or govern the new capability.

That can create a governance gap, particularly where the customer has limited notice, control or ability to disable the functionality.

Why early assessment matters

As agentic systems act rather than just generate, the consequences of a flawed deployment may materialise quickly and may be difficult to unwind. That makes early legal, technical and procurement assessment far more effective than retrospective review.

The contractual and governance frameworks that respond to these risks are addressed in the other articles on our AI hub.