3 min read

From content to conduct – how agentic AI is shifting the risk conversation

Read more

By Tim Ryan, Peter Given and Alistair Cooper

|

Published 15 July 2026

Overview

AI adoption is moving beyond tools that simply generate outputs. As AI systems begin to make recommendations, support decisions, and take actions, businesses need to rethink how they approach risk, oversight, and accountability. 

 

What do we mean by agentic AI? 

For many businesses, the early conversation around AI has focused on tools that generate content. Those tools can draft text, summarise information, produce code, and support analysis. The risk conversation has therefore tended to focus on the output, particularly around who owns it and whether it is accurate, defamatory, confidential, or potentially infringing. 

Agentic AI moves that conversation on. It describes AI systems that can analyse information, interact with other tools, and take action to achieve a particular outcome, moving technology away from passive tools and towards something closer to actors within an operational process. (At this stage it's worth acknowledging the subtle difference between the meaning of the terms ‘AI agent’ and ‘agentic AI’, with the former referring to a stand-alone tool designed to execute a specific task, and the latter referring to a broader system capable of independent reasoning and performing multi-step processes). 

It is no longer enough to ask whether an AI system produces a good output. Businesses also need to ask what the AI system is permitted to do, what approvals are required, and what happens if the AI system takes an action that has legal, commercial, or regulatory consequences. 

 

How is agentic AI different from generative AI? 

A simple way to frame the difference is to distinguish between content risk and conduct risk. Generative AI creates content, which means businesses need to think about the quality, accuracy, and ownership of what is produced. 

Agentic AI introduces conduct risk because the concern shifts from what the model says to what the model does. If an AI-enabled system is involved in recruitment screening, customer onboarding, underwriting, claims handling, or other operational decision-making, the core issue may be the action taken or influenced by the system rather than the wording of an output. 

This distinction is becoming more important as AI systems become more embedded in business processes. Businesses may find themselves relying on AI, not only to support human judgement, but to trigger workflows, recommend decisions, escalate cases, or take operational steps. 

 

Why does this change the risk conversation? 

The shift from outputs to actions creates a more complex accountability challenge. Businesses need to understand who controls the system, who oversees it, what data and systems it can access, and whether human oversight is meaningful. 

This is particularly important in areas such as recruitment, customer onboarding, credit decisions, claims handling, and other regulated activities, where AI-driven decisions can directly affect individuals, customers, or regulatory outcomes. Businesses should be clear about the system's role, the limits on its authority and the safeguards that apply. 

 

What should organisations be asking before deploying agentic systems? 

  • What authority is the tool being given? 
    What decisions, commitments, or actions is it authorised to make on the company’s behalf? 
  • What can it do without human approval? 
    Where are the boundaries between autonomous action and human oversight? 
  • What data, systems and tools can it access? 
    Could its access create security, privacy, confidentiality, or operational risks? 
  • Can we explain and audit its decisions and actions? 
    Is there sufficient transparency, logging, and evidence to understand what happened and why? 
  • Who is accountable if something goes wrong? 
    Are responsibility, governance, and escalation routes clearly defined? 
  • What legal and contractual protections are in place? 
    Who bears the risk if the AI system fails, infringes rights, breaches regulations, or causes loss? 

 

Conclusion 

As AI moves from generating content to influencing decisions and taking actions, businesses need to focus not only on what AI produces, but also on what it is permitted to do. Clear governance, effective oversight, and defined accountability will be essential to managing the risks and realising the benefits of agentic AI. 

Authors