Shane Deconinck Trusted AI Agents · Decentralized Trust

Agentic AI: Curated Questions for the Boardroom

Curated questions on AI agent potential and risk

AI agents bring potential and risk at a scale we haven’t dealt with before. You can’t reap the potential without taming the risk: both come from the fact that agents decide what to do given a goal.

The potential of agents is that they make decisions. The risk originates from the same.

Reliability keeps improving as models improve. But better models won't solve governance. An agent that's right 99% of the time is the one you stop watching. And when it slips, it slips at machine speed.

The move isn’t to wait until we have all the answers. It’s to be bold without being naive: govern tight, deploy, learn, loosen where you can.

If I were to list the questions I’d bring to the table today, these are the ones I’d start with, across three areas: potential, accountability, and control. By no means exhaustive, but possibly some of the most impactful ones right now.

Potential

Are your agents actually making decisions, or just automating steps humans already defined?

The value of agents is that they decide what to do given a goal. If your agents are running predefined workflows, you're getting automation, not agency. The upside comes from letting them reason, plan, and act.

What decisions are you not yet delegating to agents, and what's that costing you?

Every organization has processes where human bottlenecks slow things down. Some of those are genuinely high-stakes and need a human. Others are just habit. Knowing the difference is where the opportunity lives.

Will better models make your current setup more valuable, or obsolete?

Every workaround your team builds for a model's limitations becomes dead weight when that limitation disappears. The investments that compound are context (giving agents the right information) and permissions (governing what they can do with it). Ask your team how much of the current agent codebase they'd expect to throw away in a year.

Does the right context reach your agents at the right time?

Agent quality depends on having the right information for the task at hand. Not everything, not nothing: the relevant context, when it's needed. If your agents are underperforming, the model might not be the bottleneck. The context pipeline might be.

Are you building on established and emerging standards, or on an island?

Protocols like MCP for tool integration and A2A for agent communication are maturing fast. Building proprietary alternatives might feel faster now, but risks leaving you incompatible with the ecosystem forming around you.

How much value are you leaving on the table by over-constraining?

Agents that need human approval for every action aren't agents: they're suggestion engines. Containment by design lets agents run autonomously within safe boundaries. That's where the real productivity gain is.

Accountability

Do you know every agent running in your organization?

When employees build agents on low-code platforms, the company is still the deployer. An HR screening agent built without a compliance assessment makes you non-compliant before you even know the system exists. Shadow agents are the new shadow IT.

Can your infrastructure prevent an agent from running without being registered?

Knowing what's running today is one thing. Making it structurally impossible to deploy an unregistered agent is another. If anyone can spin one up without it showing up in a registry, visibility is a snapshot, not a guarantee.

When an agent makes a consequential decision, can you trace who authorized it and what happened?

Audit logs that show "alice@company.com" aren't enough when Alice delegated to an agent three months ago. You need to know who or what made the call, and under what authority.

If an agent causes harm, is the liability chain clear?

The human who delegated, the team that deployed, the vendor who built the model: all may share responsibility. If no one owns the answer, everyone will point at each other when it matters.

Could you explain to a regulator what your agent did and why?

The EU AI Act requires traceability, risk management, and human oversight for high-risk use cases. If an agent autonomously wandered into one, can you reconstruct the chain of decisions that got it there?

Control

Are agents restricted to what they can do, or only blocked from what they can't?

You can't list everything an agent shouldn't do: the list is infinite. The inverse works: start from zero authority, grant explicit permissions per task. A blocklist is always incomplete. An allowlist is always bounded.

When agents delegate to other agents, can authority only decrease?

If your procurement agent can approve purchases up to $5,000, any sub-agent it calls should inherit that ceiling or lower. Does the architecture enforce this, or just assume it?
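An added example, not part of the original post, of what the last three questions look like in code: an allowlist that starts from zero authority, delegation that can only narrow it (the $5,000 procurement ceiling from the text), and an audit record that carries the whole chain of authority instead of a bare "alice@company.com". The class and principal names are hypothetical, and the ceilings are a stand-in for whatever your policy engine actually stores.

```python
"""Default-deny authority with attenuation-only delegation (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Mapping, Optional, Tuple


class AuthorityError(Exception):
    """Raised when an action or a delegation exceeds the holder's authority."""


@dataclass(frozen=True)
class Authority:
    """An allowlist of tool -> ceiling held by one principal (human or agent).

    Any tool absent from `grants` is denied; there is no blocklist to keep
    complete. `chain` records every delegation hop back to the human who
    started it, which is what the audit log needs instead of a bare user id.
    """
    principal: str
    grants: Mapping[str, Optional[float]]   # None = allowed, no numeric ceiling
    chain: Tuple[str, ...]

    def delegate(self, child: str, requested: Mapping[str, Optional[float]]) -> "Authority":
        """Return the child's authority: a subset of ours, with ceilings <= ours.

        We refuse rather than silently clamp, so an attempt to escalate shows
        up as an error (and therefore in the log) instead of being absorbed.
        """
        narrowed = {}
        for tool, limit in requested.items():
            if tool not in self.grants:
                raise AuthorityError(f"{self.principal} cannot delegate {tool!r}: not held")
            parent_limit = self.grants[tool]
            if parent_limit is not None and (limit is None or limit > parent_limit):
                raise AuthorityError(
                    f"{self.principal} cannot delegate {tool!r} with limit {limit}: "
                    f"ceiling is {parent_limit}")
            narrowed[tool] = limit
        return Authority(child, narrowed, self.chain + (child,))

    def authorize(self, tool: str, amount: Optional[float] = None) -> dict:
        """Check one action and return the audit record for it."""
        if tool not in self.grants:
            raise AuthorityError(f"{self.principal}: {tool!r} not in allowlist")
        limit = self.grants[tool]
        if limit is not None and (amount is None or amount > limit):
            raise AuthorityError(f"{self.principal}: {tool!r} amount {amount} exceeds ceiling {limit}")
        return {"actor": self.principal, "tool": tool, "amount": amount,
                "authority_chain": list(self.chain)}


def demo() -> list:
    """Constructed scenario: Alice -> procurement agent -> vendor negotiator."""
    alice = Authority("alice@company.com",
                      {"approve_purchase": 5000.0, "read_catalog": None},
                      ("alice@company.com",))
    procurement = alice.delegate("procurement-agent",
                                 {"approve_purchase": 5000.0, "read_catalog": None})
    negotiator = procurement.delegate("vendor-negotiator", {"approve_purchase": 1000.0})

    records = [negotiator.authorize("approve_purchase", 800.0)]          # within ceiling
    attempts = (
        lambda: negotiator.authorize("approve_purchase", 1500.0),        # over sub-agent ceiling
        lambda: negotiator.authorize("send_email"),                      # tool never granted
        lambda: procurement.delegate("rogue", {"approve_purchase": 9000.0}),  # escalation
    )
    for attempt in attempts:
        try:
            attempt()
        except AuthorityError as exc:
            records.append({"denied": str(exc)})
    return records


if __name__ == "__main__":
    for record in demo():
        print(record)
```

The first record shows what an audit entry should carry: the actor that made the call plus the full chain back to the human who delegated. The three denials are the structural guarantees the questions ask about: a sub-agent cannot exceed its ceiling, cannot touch a tool it was never given, and cannot be handed more than its parent holds.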

What happens when an agent wanders into a use case you didn't anticipate?

A general-purpose office assistant told to "handle my inbox" might draft an email (minimal risk), then screen a job application (high-risk). The risk tier depends on how open-ended the prompt is. If you can't anticipate the use case, how do you bound it?

Are your agents contained by architecture, or only by policy?

Policy says what agents shouldn't do. Architecture limits what they can do, regardless of what they try. If a prompt injection or bad dependency triggers something unexpected, what actually stops it from spreading?

What happens when human oversight breaks down in practice?

After the 20th approval prompt, people start clicking "yes" without reading. Decades of automation research confirm that humans can't reliably monitor automated systems and then rapidly take control when needed. If your safety model depends on vigilance, what happens when vigilance fades?

How do you balance agent quality with data privacy?

Agents get better with more context, but more context means more data exposure. Do your agents see only what they need for the task at hand, or do they have broad access because it's easier to set up? And where does that data go: to an open-source model running on your infrastructure, or to a frontier model behind an API? The privacy calculus is different for each.

Does your agent setup work when agents need to cross trust boundaries?

Most current approaches work within a single trust domain. When agents act across organizations, call external APIs, or coordinate with third-party agents, identity and authority need to travel with the request: verifiable at every step, not assumed.
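An added example, not from the original post, of authority that travels with the request and is verifiable at every step: a macaroon-style token where the issuing organization mints an HMAC over a token id, and each hop adds a restriction (a caveat) by chaining the HMAC. A downstream party can narrow the token but cannot widen it or strip an earlier caveat, because it never saw the signature that preceded that caveat. The verifier recomputes the chain from the root key and then checks every caveat against the request. The caveat syntax, the token id, the shared root key, and the assumption that the external API provider holds a verification key issued by the delegating organization are all hypothetical; in production the key would come from a KMS and the caveat language from a real policy library.

```python
"""Attenuable, verifiable delegation tokens across trust boundaries (added example)."""
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Any, Dict, List, Optional


def _mac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


@dataclass(frozen=True)
class DelegationToken:
    """Token id, ordered caveats, and an HMAC chained over all of them."""
    token_id: str
    caveats: tuple
    sig: bytes

    @classmethod
    def mint(cls, root_key: bytes, token_id: str) -> "DelegationToken":
        # Only the issuing organization (holder of root_key) can start a chain.
        return cls(token_id, (), _mac(root_key, token_id))

    def attenuate(self, caveat: str) -> "DelegationToken":
        # Any holder may add a restriction. The new signature is keyed by the
        # previous one, so nobody downstream can remove this caveat.
        return DelegationToken(self.token_id, self.caveats + (caveat,), _mac(self.sig, caveat))


def _caveat_holds(caveat: str, request: Dict[str, Any], now: float) -> bool:
    """Evaluate one caveat of the form '<key> <op> <value>' (hypothetical mini-language)."""
    key, op, value = caveat.split(" ", 2)
    actual = now if key == "time" else request.get(key)
    if actual is None:
        return False                      # a caveat about a missing field fails closed
    if op == "=":
        return str(actual) == value
    if op == "<=":
        return float(actual) <= float(value)
    if op == "<":
        return float(actual) < float(value)
    raise ValueError(f"unsupported caveat operator {op!r}")


def verify(root_key: bytes, token: DelegationToken, request: Dict[str, Any],
           now: Optional[float] = None) -> List[str]:
    """Recompute the HMAC chain, then evaluate every caveat. Empty list = accept."""
    sig = _mac(root_key, token.token_id)
    for caveat in token.caveats:
        sig = _mac(sig, caveat)
    if not hmac.compare_digest(sig, token.sig):
        return ["signature mismatch: token forged, or a caveat was stripped"]
    now = time.time() if now is None else now
    return [c for c in token.caveats if not _caveat_holds(c, request, now)]


ROOT_KEY = b"constructed-shared-secret-for-demo"   # constructed; never hard-code in practice
NOW = 1_700_000_000.0                               # fixed clock so the scenario is reproducible


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: org A delegates to its agent, which delegates to a vendor-side agent."""
    # Hop 1: org A's authority service mints the token when Alice delegates to procurement.
    token = DelegationToken.mint(ROOT_KEY, "delegation:alice:0001")
    for caveat in ("on_behalf_of = alice@company.com", "action = approve_purchase",
                   "amount <= 5000", f"time < {NOW + 3600}"):
        token = token.attenuate(caveat)
    # Hop 2: the procurement agent hands a narrower token to a negotiator agent.
    sub = token.attenuate("amount <= 1000").attenuate("vendor = acme-supplies")
    # Attack: the holder drops the two narrowing caveats but keeps the latest signature.
    stripped = DelegationToken(sub.token_id, sub.caveats[:-2], sub.sig)

    base = {"on_behalf_of": "alice@company.com", "action": "approve_purchase",
            "vendor": "acme-supplies"}
    return {
        "in_scope": verify(ROOT_KEY, sub, {**base, "amount": 800}, NOW),
        "over_limit": verify(ROOT_KEY, sub, {**base, "amount": 1500}, NOW),
        "wrong_vendor": verify(ROOT_KEY, sub, {**base, "amount": 800, "vendor": "other"}, NOW),
        "expired": verify(ROOT_KEY, sub, {**base, "amount": 800}, NOW + 7200),
        "stripped": verify(ROOT_KEY, stripped, {**base, "amount": 4000}, NOW),
    }


if __name__ == "__main__":
    for name, failures in demo().items():
        print(name, "accept" if not failures else failures)
```

The point for the boardroom question is the last case: the vendor's API can reject the tampered token without calling back to your organization, and without trusting the intermediate agent, because the identity ("on_behalf_of"), the scope, and every narrowing step are bound into the signature the request carries.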

The Bottom Line

The organizations that capture the most value from agents won’t just be the ones with better models. They’ll be the ones that moved boldly and governed tightly from day one.

My questions keep evolving. Curious what yours would be.
