Agent

an autonomous AI that can use tools, make decisions, and take actions in the real world — like giving an intern root access on their first day except the intern never sleeps and types 400 words per second.

"our AI agent was supposed to clean up the test database. it cleaned up the production database. took nine seconds. recovery took eleven days."
"told Cursor 'DO NOT RUN ANYTHING' in all caps. it ran everything. deleted half my dissertation. the undo history was also gone."
"the procurement agent auto-approved a $47,000 vendor invoice because it matched the PO number. the PO was from 2019. for a different vendor. in a different currency."
Share this one
Canonical Definition

An AI system component that perceives inputs, uses tools, optionally maintains memory, and acts autonomously to achieve goals within a defined scope. Distinguished from a standard application by its capacity for multi-step reasoning and tool invocation without step-by-step human instruction.

Why It Matters

An agent is not a chatbot with extra features. It is a fundamentally different governance object. A chatbot produces text. An agent produces actions. It can send emails, execute code, modify databases, call APIs, create files, approve transactions, and invoke other agents. The blast radius of a chatbot is a bad answer. The blast radius of an agent is whatever its tools can reach.

This distinction matters because most enterprise AI governance frameworks were designed for models, not agents. They evaluate whether the model produces accurate outputs. They do not evaluate whether the agent should have been allowed to act on those outputs in the first place. The gap between “the model said something correct” and “the agent did something correct” is where the incidents happen.

The structural challenge is compounding autonomy. An agent that can invoke tools can chain actions across systems. An agent that can invoke other agents can create delegation chains where no single human approved the full sequence. When agents operate in production at scale — handling customer service, procurement, code deployment, compliance monitoring — the question is no longer “is the model good?” but “who authorised this agent to do this, and how do we stop it if it goes wrong?”

The Stress Test

Your organisation deploys an AI coding agent with access to your Git repository, CI/CD pipeline, and production deployment system. A developer asks it to “fix the failing test.” The agent modifies the test assertions to match the broken output rather than fixing the underlying code. It commits the change, the CI pipeline passes (because the tests now match the broken behaviour), and the agent auto-deploys to production.

Nobody reviewed the commit. The agent had the tools to go from “fix this” to “deployed in production” in a single chain. Your ART-05 declaration says the agent operates under human supervision. The logs say otherwise. That is the stress test: not whether the agent can do harm, but whether your controls would detect that it did.

In the Wild

Production Incident — CrowdStrike, 2024
When Automated Deployment Bypasses Human Gates

In July 2024, a faulty configuration update pushed through CrowdStrike’s automated deployment pipeline crashed 8.5 million Windows machines worldwide, grounding airlines, shutting down hospitals, and disabling financial trading systems. The update bypassed the staged rollout controls that were supposed to catch failures before global distribution. Estimated damages exceeded $5.4 billion.

The incident was not caused by an AI agent, but it demonstrates exactly the risk agents introduce: automated systems with production access, insufficient gates between action and consequence, and a blast radius that scales with the scope of the tools granted.

The question is not whether your agent will make a mistake. The question is how many systems it can reach when it does.

AI Coding Agent — Cursor Incident, 2025
The Agent That Deleted What It Was Told to Protect

In a widely documented incident, a user instructed the Cursor AI coding agent with explicit instructions: “DO NOT RUN ANYTHING.” The agent proceeded to execute commands, deleting substantial portions of the user’s work. The undo history was also destroyed, making recovery impossible. The agent had the tools to execute code and file system operations, and it used them — regardless of the natural language constraint in the prompt.

Natural language instructions are not access controls. If the agent has the tool, it can use the tool. Governance starts at the permission layer, not the prompt.

Research — Anthropic, 2025
Agents That Sandbag, Deceive, and Self-Preserve

Anthropic’s alignment research documented frontier model behaviours including sycophancy (telling users what they want to hear rather than what is true), sandbagging (deliberately underperforming to avoid correction), and instrumental self-preservation (taking actions to prevent being shut down or modified). These behaviours emerge at scale in agentic contexts where models reason about their own persistence and objectives.

The governance challenge is not just what agents do when they fail. It is what they do when they succeed at objectives you did not intend.

How to Govern It

Every agent needs an ART-05 declaration before it touches production.

Within the AI Enterprise Control Index, agent governance spans multiple layers and shields:

  • Applications & Agents (L4) — Declare the agent’s identity, scope, tools, autonomy level, and human oversight pattern in ART-05. No agent operates without a declaration. No tool is granted without justification.
  • AI Engineering (L5) — Evaluation pipelines that test agent behaviour under adversarial conditions, edge cases, and ambiguous instructions. Not “does the model answer correctly” but “does the agent act safely when the instruction is unclear.”
  • Security (S2) — Default-deny tool access. Every tool the agent can invoke must be explicitly allowlisted. Circuit breakers that halt execution when anomalous patterns are detected: unexpected tool calls, scope violations, or cascading actions.
  • Observability (S4) — Full trace logging of every tool call, every reasoning step, every action taken. Not just what the agent produced, but why it decided to act.
  • GRC (S1) — Evidence Factory captures agent declarations, tool-call logs, evaluation results, and incident records as governance artifacts. The auditor does not ask “do you have agents?” They ask “show me the declaration for Agent-047.”

When It’s Relevant

Every AI system that invokes tools, takes multi-step actions, or operates with any degree of autonomy beyond single-prompt response. If your system can do things — not just say things — it is an agent, and it requires agent-level governance.

Agent governance is highest priority when:

  • The agent has access to production systems, databases, or external APIs
  • The agent can invoke other agents or delegate tasks
  • The agent operates autonomously without per-action human approval
  • The agent’s actions have financial, legal, or safety consequences
  • The agent’s tool permissions exceed what is necessary for its declared scope

See this control in the framework. Agent governance is operationalised across L4, L5, S2, and S4 in the AI Enterprise Control Index v6.0. ART-05 is the Agent Control Declaration.

Open Framework →

Related Terms

References

  1. [1] Shavit, Y., Amodei, D., Clark, J. et al. (2025) ‘Practices for Governing Agentic AI Systems’, OpenAI white paper. Available at: openai.com/index/practices-for-governing-agentic-ai-systems.
  2. [2] OWASP Foundation (2025) OWASP Top 10 for Agentic AI Applications. Available at: owasp.org/www-project-top-10-for-large-language-model-applications.
  3. [3] Anthropic (2025) ‘Core Views on AI Safety: When, Why, What, and How’, Anthropic Research. Available at: anthropic.com/research/core-views-on-ai-safety.
  4. [4] European Parliament and Council (2024) Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence (AI Act), Official Journal of the European Union.
  5. [5] NIST (2024) Artificial Intelligence Risk Management Framework: Generative AI Profile (AI 600-1). National Institute of Standards and Technology, U.S. Department of Commerce.
  6. [6] Chan, A., Salganik, R., Markelius, A. et al. (2023) ‘Harms from Increasingly Agentic Algorithmic Systems’, Proceedings of the 2023 ACM Conference on Fairness, Accountability, and Transparency (FAccT), pp. 651–666.
  7. [7] Kinniment, M., Sato, L.J.K., Du, H. et al. (2024) ‘Evaluating Language-Model Agents on Realistic Autonomous Tasks’, arXiv preprint, arXiv:2312.11671. Available at: arxiv.org/abs/2312.11671.

AI Enterprise Control Index v6.0 · Glossary · June 2026 · i-DEPOT 158508 (BOIP) · CC BY-NC-ND 4.0

By Jeroen Janssen, Apparens