What is Agentic AI?

Agentic AI is the class of AI systems that pursue goals over multiple steps by planning, reasoning, calling tools, and acting on systems outside the model. Where a chat model answers and stops, and a RAG system retrieves and answers, an agent decides what to do next, takes the action, observes the result, and decides again - often dozens or hundreds of times in a single task.

An agent is built from four ingredients:

• A reasoning core: An LLM that decides what to do next given the current state.
• A set of tools: Functions, APIs, databases, file systems, browsers, or other agents that the reasoning core can invoke.
• A memory: Short-term context (the running conversation) and optionally long-term memory (vector stores, scratchpads, notebooks).
• A loop: The orchestration that lets the agent observe results and choose the next action.

This architecture is what turns an LLM from a question-answering system into an actor. The agent can read a customer ticket, look up the customer in the CRM, refund a charge, send an email, and log the resolution in the ticket - autonomously. It can take a research question, search the web, download papers, summarize them, and produce a report. It can read a security alert, query SIEM data, isolate a host, and write an incident note.

And every one of those actions is something that, in a non-agentic world, would have required a human to do or to approve. That is the source of both the power and the danger. Areebi's position is that agentic AI is the most consequential governance shift in enterprise software since the move to cloud - and that it requires an explicit AI control plane rather than ad-hoc per-tool guardrails.

The differences between chat, RAG, and agentic AI are not just architectural. They are differences in the blast radius of a failure.

Dimension	Chat LLM	RAG	Agentic AI
Output	Text	Text grounded in retrieved sources	Text + actions taken in the world
Number of model calls per task	One	One (plus retrieval)	Many - often dozens
Side effects	None	None	Writes to external systems
Failure mode	Bad answer	Bad answer with bad citation	Bad action - data exfiltration, wrong refund, deleted record
Reversibility	Trivial - new prompt	Trivial	Often hard - the action already happened
Auditability	Prompt + response	Prompt + retrieved chunks + response	Full chain of reasoning + every tool call + every result
Attack surface	Prompt injection	Prompt injection + indirect prompt injection	All of the above + tool abuse + privilege escalation

The architectural punch line: agents convert language model outputs into real-world actions. Everything that was a quality problem in chat becomes a governance and security problem in agents.

Three architectural patterns dominate production agentic AI. Each one shifts where control sits, which has direct implications for how an enterprise governs the system.

ReAct (Reason + Act)

The classical pattern, introduced in the 2022 paper "ReAct: Synergizing Reasoning and Acting in Language Models." The agent interleaves thought tokens (reasoning) with action tokens (tool calls). The model writes "Thought: I need the customer's recent orders. Action: lookup_orders(customer_id=12345)." The orchestrator parses the action, calls the tool, and feeds the result back as an "Observation" that the model reasons over. The loop continues until the model emits a final answer.

ReAct is interpretable - the reasoning is in plain text - and it works with any LLM. It is also fragile under adversarial conditions because the entire control flow lives in model-generated text.

Function-Calling / Tool-Use

Modern frontier models (Anthropic Claude with tool use, OpenAI's Assistants API and structured function-calling, Gemini's function-calling) expose tool-use as a first-class API capability. The model emits structured tool-call objects (typically JSON) rather than free-form text. The orchestrator executes the tool and returns a structured tool-result message to the model.

Function-calling is more reliable than parsing free-text ReAct, supports parallel tool calls, and is easier to audit because each tool call is a structured event. It is the default for production agents in 2026.

Multi-Agent Systems

Rather than one agent, a team of specialized agents collaborate. A "planner" agent decomposes the task; "worker" agents execute sub-tasks; a "reviewer" agent verifies outputs. Agents communicate through structured messages, shared memory, or a central orchestrator. Multi-agent systems are powerful for complex workflows but exponentially complicate governance - each agent introduces a new authorization boundary, a new prompt-injection surface, and a new audit requirement.

Agentic Frameworks

LangGraph, AutoGen, CrewAI, LangChain agents, OpenAI's Assistants API, and Anthropic's tool-use primitives are the most common building blocks. The framework choice is downstream of the architectural pattern - and downstream of whether the organization has a control plane that can enforce policy regardless of which framework engineering teams pick.

The risks of agentic AI are a superset of the risks of every preceding pattern. NIST AI 600-1 (the Generative AI Profile of the NIST AI RMF) and the OWASP Top 10 for LLM Applications 2025 both identify agent-specific risks that materially exceed the risk surface of chat or RAG systems.

Excessive Agency (OWASP LLM06:2025)

OWASP's Top 10 for LLM Applications 2025 lists LLM06 - Excessive Agency - as a top enterprise risk. An agent with too many tools, tools with too much authority, or autonomy without confirmation can take actions far beyond what the user intended. The classic failure mode is the agent that "helpfully" runs the deletion endpoint, sends the email, makes the refund. OWASP's guidance is to apply least privilege at every level (OWASP LLM06:2025 Excessive Agency).

Tool Authorization Confusion

Agents inherit the credentials of whoever runs them. A poorly designed agent will use a service account with broad permissions and act as that service account regardless of which end user requested the action. The result is a privilege escalation primitive: any user who can talk to the agent can effectively act with the service account's authority. Correct design requires per-user authorization context propagated to every tool call.

Prompt-Injection Escalation

Prompt injection in a chat system produces a bad response. Prompt injection in an agentic system produces a bad action. An agent that reads a malicious customer email and obeys its embedded instructions has just been weaponized. Indirect prompt injection through retrieved or scraped content is listed as the top risk in the OWASP Top 10 for LLM Applications 2025. Our prompt injection guide covers the technical depth.

Loss of Audit Continuity

Each tool call in an agent run is a discrete event. Without explicit instrumentation, the chain that led from "user asked X" to "agent did Y" disappears. For regulated industries, this is fatal - the audit trail is the basis of every compliance claim. NIST AI 600-1 specifically calls out the need for action-level provenance in agentic systems.

Multi-Hop Data Exfiltration

An agent with file-read and email-send tools can stage a single-step data exfiltration. An agent with browsing, file-read, and write-to-anywhere-public tools can build a multi-hop exfiltration that conventional DLP does not catch. The MITRE ATLAS adversarial ML knowledge base catalogs these patterns explicitly (MITRE ATLAS).

Loop and Cost Pathologies

Agents can loop. A model that fails to recognize task completion can spend hundreds of tokens on hundreds of model calls before timing out. Without rate limiting and budget enforcement, an agent failure is also a budget incident.

Agentic AI is not safe to deploy without an explicit governance posture. The controls below are the minimum set Areebi recommends for enterprise agents, mapped to NIST AI 600-1, the OWASP Top 10 for LLM Applications 2025, and the operational realities of the customers we work with.

Action Allowlisting

Define the exact set of tools the agent may call, in the exact contexts where each is permitted. No "general internet access" without scoping. No "database write" without a row-level filter. The default for any tool not on the allowlist is deny. Areebi's policy engine enforces tool allowlists by user, role, and use case.

Human-in-the-Loop (HITL) for High-Impact Actions

Any tool call that is irreversible, financially material, or touches regulated data must require human confirmation. The agent can prepare the action; the human approves it. This is the single most important control - it converts "agent did the wrong thing autonomously" into "agent proposed the wrong thing and the human caught it."

Per-User Authorization Context

Tool calls execute with the requesting user's authorization context, not the agent's service account. A user who lacks read access to a resource cannot retrieve it through the agent. This requires propagating user identity all the way to every backing service.

Sandboxing and Network Egress Control

Agents that browse, execute code, or call external APIs must run inside a sandbox with strict egress control. Allowed destinations are explicit. Outbound DLP applies. Code execution is ephemeral, isolated, and audited.

Prompt-Injection Defense at Every Boundary

Every input that reaches the model - the user prompt, retrieved content, tool results, prior agent messages - is a potential injection vector. Areebi's AI firewall inspects each boundary and applies policy. Tool results, in particular, deserve the same scrutiny as user prompts.

Action-Level Audit Trail

Every tool call - inputs, outputs, decision rationale, policy decisions - is logged in an immutable audit trail. Areebi's audit layer captures this automatically. The audit trail is the basis of post-incident investigation and the evidence regulators expect.

Budget and Rate Limiting

Agents have per-task, per-user, and per-tenant budgets in tokens, tool calls, and wall-clock time. Exceeding any budget triggers a halt. This bounds the blast radius of loop pathologies and prompt-injection abuse.

Continuous Red-Teaming

Agents need adversarial evaluation as a routine practice, not a launch event. AI red teaming targeting the agent's tool set, authorization boundaries, and prompt-injection surfaces should run on a recurring schedule and feed back into the policy and prompt configuration.

Decommissioning Plan

Every agent has a documented retirement plan - what triggers retirement, how active sessions are migrated, where the audit trail is preserved, who signs off. Agents do not just get turned off; they get formally retired.

Regulators are catching up to agentic AI faster than most enterprise teams realize. The frameworks below are the ones Areebi maps controls to today.

NIST AI 600-1 (Generative AI Profile)

The Generative AI Profile of the NIST AI RMF (NIST AI 600-1) is the authoritative US framework for generative AI risk - including agentic systems. It explicitly addresses confabulation, dangerous content, data privacy, human-AI configuration, information integrity, and value chain components - all of which take new shape in agents. The Govern-Map-Measure-Manage cycle applies to every agent in production (NIST AI Risk Management Framework).

OWASP Top 10 for LLM Applications 2025

The 2025 edition of the OWASP Top 10 for LLM Applications has dedicated entries that map directly to agentic systems - LLM01 Prompt Injection (especially indirect), LLM06 Excessive Agency, LLM02 Sensitive Information Disclosure, and LLM05 Improper Output Handling. Treat the list as a baseline threat model for every enterprise agent (OWASP Top 10 for LLM Applications 2025).

MITRE ATLAS

MITRE ATLAS is the adversarial AI playbook - the ATT&CK-style knowledge base of techniques used against machine learning systems, including specifically against agentic systems. ATLAS entries on agent compromise, tool abuse, and indirect prompt injection are required reading for any team operating production agents (MITRE ATLAS).

EU AI Act

Agentic AI deployed in high-risk domains - employment, credit scoring, education, critical infrastructure, biometric ID - inherits the full Annex III regime under the EU AI Act. Article 14 human-oversight requirements are particularly relevant for agents: the deployer must be able to intervene, interrupt, and override agent decisions. Article 50 transparency obligations apply to user-facing agents that synthesize content.

Singapore Model AI Governance Framework

Singapore's Model AI Governance Framework and the IMDA's 2024 guidance on agentic AI explicitly require human oversight, transparency on agent actions, and a documented escalation path - patterns that are emerging across most APAC jurisdictions.

Mature enterprise agentic deployments follow a maturity ladder. Skipping rungs is how organizations get into the headlines.

1. Read-only agent. The agent can read systems but cannot write. Risk is bounded to information disclosure. Most enterprise agents in 2026 are still here, and that is appropriate.
2. Write with confirmation. The agent prepares an action; a human confirms before execution. This is where most production-grade enterprise agents sit. The agent does the work; the human owns the consequence.
3. Bounded autopilot. The agent acts autonomously inside a narrow, well-defined boundary - a single system, a single record type, a single value cap. Breaches of the boundary escalate to human review.
4. Full autopilot. The agent acts autonomously across systems. Rare, justified only by extensive measurement of agent accuracy, and accompanied by reversibility guarantees and rate limiting.

The Areebi view: most enterprises should ship at stage 2 (write with confirmation), graduate to stage 3 only after months of clean operation, and avoid stage 4 outside of narrowly scoped operational tasks where the cost of error is well understood.

Areebi is the AI control plane for enterprise agentic AI. The control plane sits between the agent and the world, and enforces policy at every boundary - the user prompt, the model decision, the tool call, the tool result, the final response.

• Tool allowlisting and per-user authorization: Areebi's policy engine enforces which tools each agent may call, in which contexts, and with whose authority. Per-user authorization context flows through every tool invocation.
• HITL workflows: Configurable human-in-the-loop gates for any tool, any user, any data classification. The agent prepares; the policy decides whether a human must approve before execution.
• AI firewall at every boundary: Areebi's AI firewall inspects user prompts, retrieved content, and tool results for prompt injection, sensitive data, and malicious instructions.
• Action-level audit trail: Every tool call, every observation, every model decision is captured in Areebi's audit layer with cryptographic integrity, supporting NIST AI 600-1, EU AI Act, and ISO 42001 evidence requirements.
• Budget and rate enforcement: Per-user, per-tenant, and per-tool budgets bound the blast radius of loop pathologies and prompt-injection abuse.
• Shadow agent discovery: Areebi's shadow AI detection extends to shadow agents - agentic tools deployed without governance review - and channels them through the control plane.

The Areebi Index Q2 2026 highlights that the gap between enterprises with a formal agentic governance posture and those without is widening fast. To assess where your organization sits, take the free AI governance assessment or book a demo focused on agentic AI deployment.