Agentic AI from principles to practice
A C-suite guide to capturing value without losing control.
What is agentic AI and why it matters
4 June 2026
Tags
Technology
Technology & digital consulting
Digital transformation and AI
The hardest question your board will ask about AI in 2026 is “What decisions and actions are we allowing agentic AI to take on our behalf and how do we know it’s under control?” That is a very different question to those we’ve been hearing from boards recently on AI and requires a different kind of governance.
Agentic AI has moved quickly from emerging concept to business priority. For senior leaders, the question is no longer just about return on investment, but how to capture its value without losing control and confidence.
The opportunity is significant. Agentic and generative AI are creating one of the largest productivity and reinvention opportunities in a generation. At the same time, most organisations are still far from mature in how they deploy and govern these systems. The control gap is one of the most under-recognised but at the same time anxiety-inducing issues for boards.
The gap matters because agentic AI changes the nature of the risk and how it must be managed. Once systems can plan, act and adapt in live environments, weak governance is no longer just a policy issue, it becomes a key operational one. The risk is not just that a model gives the wrong answer, but that agents can take actions that are difficult or impossible to reverse. Recent examples, including agents deleting production databases and backups, highlight why stronger, real-time controls are needed.
- 2.2billionAI agents forecast to be in companies worldwide by 2030.(Source: Statista)
- 82of executives plan to adopt AI agents within the next one to three years. (Source: World Economic Forum)
- 18of respondents say they are 'highly confident' their current systems can manage agent identities effectively. Trust is becoming the rate-limiter on agent scale in 2026. (Source: Cloud Security Alliance)
The gap matters
Agents are being deployed faster than the governance structures needed to manage them are being built. Organisations that close this gap now will have a significant competitive and compliance advantage.
What is agentic AI and how it is different
Traditional software is generally built around predefined rules and workflows. Even where AI enhances parts of the process, the overall workflow typically remains fixed. Agentic AI changes that model.
AI agents can operate with different degrees of autonomy. At the lower end of the spectrum are advisory agents which support decision-making; gathering relevant information, analysing options and recommending next steps but leaving final judgement and action with a human. Then assistive agents such as customer service bots that answer questions or complete simple tasks within defined rules, or workflow assistants that retrieve information and prepare actions for human approval.
At the higher end of the spectrum, agentic AI represents a more advanced form of autonomous AI agents. These systems can interpret context, generate plans, decide which steps to take, act through tools and adapt their behaviour as conditions change in pursuit of a goal. This allows them to handle complex, multi-step processes, developing workflows dynamically rather than following predefined ones.
For example, in procurement you can set an objective for an agentic AI system to help source and onboard an approved supplier for a critical category within a defined timeframe. Once the goal is set, it can interpret requirements, search approved supplier databases, compare options against criteria, gather documentation and coordinate approvals for human sign-off where needed. What makes this agentic is not simply automation, but the ability of the agent to plan, sequence and adapt its actions across a process to achieve a goal.
Defining capabilities of agentic AI
Agentic AI differs because it can plan the steps needed to achieve a goal, act through connected tools, adapt as circumstances change and chain actions across systems over time.
How agentic AI systems work
Agentic AI systems may be built as either single-agent or multi-agent systems.
Single-agent systems
In a single-agent design, one agent coordinates the overall task, often using tools or services to complete it.
Multi-agent systems
More complex environments use multi-agent systems, where specialised agents handle different sub-tasks or roles.
Co-ordination between agents typically follows one of several patterns:
- Orchestration, where a central agent manages the workflow;
- Choreography, where agents respond to each other in a more decentralised, event-driven way;
- Predefined pipeline, where hand-offs are fixed in advance.
In practice, design choices should be a cross-functional exercise because choices about agent structure directly affect performance, security, oversight and risk.
Currently, some of the most compelling examples of agents are emerging across healthcare and life sciences (where they can accelerate research and clinical operations) or financial services (where they can streamline complex service and decision processes).
As capabilities grow, so do risks
The transformational potential of agentic AI comes with an expanded risk profile.
Traditional responsible AI approaches focused mainly on model accuracy, fairness and explainability are therefore no longer enough. Once systems can plan, act, adapt and chain across tools and workflows, risks extend beyond incorrect outputs to unsafe or unintended actions.
Importantly, many enterprise agent builders now allow citizen developers to create useful AI agents quickly through low-code, no-code, and natural language tooling. (This is related to the broader rise of AI-assisted “vibe coding,” but enterprise agent builders are more structured and governed).
However, most of these agents are still primarily assistive rather than autonomous or agentic, and this article explores how traditional approaches to AI governance need to be adapted for agentic AI.
| Agentic AI governance shift | With Agentic AI the question is no longer just about performance and ROI, but how to capture its value without losing control. |
|---|
Why confidence and trust matter
To realise the benefits of agentic AI at scale, organisations need more than technical capability. They need confidence in how these systems operate and trust from the stakeholders affected by them. That confidence comes from knowing where agents are being used, what authority they have been given, how their actions are monitored and how quickly they can be challenged, corrected or stopped when necessary.
Trust, in turn, is built when boards, employees, customers, regulators and investors can see that these systems are being deployed with clear accountability, proportionate oversight and disciplined control. In practice, this means governance must move from policy on paper to operating reality before agentic autonomy is allowed to scale.
What comes next
Understanding agentic AI is only the starting point. As organisations begin to scale these systems, the challenge shifts to defining clear boundaries, maintaining visibility, intervening when needed and building trust at scale.
In the next part, we explore the agentic AI governance gap, including the key risks and regulatory considerations organisations need to address, and how traditional approaches to AI governance need to adapt for agentic AI.
Agentic AI governance maturity self-assessment
We have developed an agentic AI governance maturity assessment to help senior leaders judge whether their organisation is ready to put higher-autonomy and impact agents to work with confidence. It translates the twelve operating disciplines into five practical areas for which to assess maturity.
The aim is not to be at the highest maturity level overall but whether your current level is strong enough for the agents you are already deploying or planning next. A low-risk assistant may be workable at a lower level of maturity. An agent acting across live systems or handling sensitive data will require a much higher one. The gap between the maturity you have and the maturity your use cases demand becomes the leadership agenda.
Complete your self-assessment
| Dimension | Level 1 Ad hoc | Level 2 Basic | Level 3 Managed | Level 4 Embedded | Level 5 Leading |
|---|---|---|---|---|---|
| Scope and guardrails | No one has clearly defined what the agent is there to do, what it must not do or where human approval is required. | Some boundaries exist for certain use cases, but they are incomplete, inconsistently applied and not tied clearly to risk. | A standard approach defines the agent’s role, permitted actions, boundaries, escalation points and where human approval is required. | Scope and autonomy limits are risk-tiered, formally owned and approved before go-live and when material changes are made. | Scope, autonomy boundaries and risk classification are actively maintained, monitored and updated as the agent, its environment or its role changes. |
| Identity, data and trust | The agent can access far more than it needs and there are no reliable controls over identity, permissions, source quality, memory or data leakage.
| Some access controls exist and key sources have been identified, but identity, delegation, grounding and retention are only partly understood. | The agent has a distinct identity, access is limited to what is needed, trusted sources are defined and rules exist for retrieval, memory, retention and cross-context data handling. | Identity, access, grounding, retention and information flows are reviewed regularly, with controls to reduce excessive privilege, stale data and cross-context leakage. | Identity, access and information quality are continuously monitored, with automated detection and review of misuse, leakage, drift, anomaly or grounding failure. |
| Testing, live safeguards and assurance | Testing is absent or informal and, once live, there is little to stop the agent acting outside expectations.
| Some testing and safeguards exist, but they are patchy, inconsistent and not clearly linked to risk. | Structured testing covers safety, reliability, misuse and business performance before launch, and key safeguards and approval thresholds are in place before go-live. | Controls operate alongside the agent in production, with ongoing testing, monitoring and triggers for changing risk, behaviour or operating conditions. | Continuous testing, internal challenge, drift detection and live assurance operate in production, and safeguards can be adjusted rapidly as risk or context changes. |
| Accountability and traceability | No one clearly owns the agent and there is no agreed process for escalation, intervention or remediation if something goes wrong. | A project or technical owner is named, but responsibilities are unclear and oversight largely falls away after deployment. | Clear business and operational owners are in place, with defined responsibilities for oversight, approvals, intervention, traceability and change. | Escalation routes, review forums, traceability, governance reporting and incident handling are established, used and understood in practice. | Leadership has a live view of agent ownership, risk and control status across the organisation, supported by governance reporting, a maintained risk register and strong traceability across the estate. |
| Change and lifecycle | Governance stops at launch and the agent is treated largely as set-and-forget. | Some reviews take place, but changes to prompts, models, tools or workflows often go unmanaged. | Structured review, change approval and periodic recertification are part of how the agent is run. | Reviews are triggered by time, incidents and material change, with clear re-approval points and defined retirement steps. | Change, recertification, retirement and evidence retention are tightly managed across the full lifecycle, including dependencies on third parties and connected systems. |
How we can help
We bring together multidisciplinary teams spanning AI, data governance, cyber security, technology risk and legal to help organisations move from AI ambition to controlled, real-world deployment through pragmatic, right-sized governance that builds confidence and trust.
A guide to agentic AI
Agentic AI offers organisations significant opportunities to improve speed, productivity and decision-making but it also introduces a greater governance challenge.
Explore moreAgentic AI governance
Read more
AI consulting services
Our AI solutions: Prepare with purpose. Govern with confidence.
Key contacts
Sofia Ihsan AI Consulting Leader - Manchester
Matt Lomax Associate Director - Data and Digital Advisory - London
Asam Malik Head of Growth: Large Clients - Newcastle
Simon Withington Partner - Head of Technology Assurance - Newcastle
This website uses cookies.
Some of these cookies are necessary, while others help us analyse our traffic, serve advertising and deliver customised experiences for you.
For more information on the cookies we use, please refer to our Privacy Policy.
This website cannot function properly without these cookies.
Analytical cookies help us enhance our website by collecting information on its usage.
We use marketing cookies to increase the relevancy of our advertising campaigns.