Agentic AI.

An AI agent, as the term is used on this page, is a system that can do three things a classical model cannot:

• Plan. From an assignment, the agent derives a sequence of steps that are not pre-programmed but determined by the situation at hand.
• Use tools. The agent calls on other systems — databases, APIs (interfaces to other software), browsers, file systems, calendars, payment systems.
• Observe itself. The agent evaluates its own intermediate results and adjusts its plan. It "knows" when something has gone wrong — and reacts without human intervention.

Behind this usually sits a large language model (LLM — the kind of system that powers ChatGPT, Claude or Gemini) as the "reasoning module", supplemented by an infrastructure of tool integrations, memory, an orchestrator (the control layer that coordinates the order of steps) and safety layers. The term agent therefore describes less a technology than a mode of operation for AI — one in which the model does not merely speak, but does things that have consequences in the world.

Anyone looking for an overview of the field in mid-2026 will see five categories in which agents are productive today or close to it:

The common thread: agents work well where the task, the tools and the success criteria are clearly bounded. The more open the assignment, the longer the action chain, the higher the stakes — the sharper the drop in reliability. That is not a set-up problem; it is a property of the technology.

In conventional software, a version is a version. What worked yesterday works tomorrow, until somebody changes it. With AI agents, that does not hold. The underlying model is continuously developed, replaced and re-parametrised by the vendor — sometimes announced, sometimes quietly. That has three consequences rarely thought through in advance of production deployment:

• Performance regression (a step backwards in capability). Vendors swap models out regularly for a newer version — sometimes without warning, sometimes under the same name. On average the new version is better, but on specific, concrete tasks it may be worse than the one that ran yesterday: summaries become less precise, a particular format stops being respected, a tool call suddenly fails. Organisations that have tuned their workflows over months to the quirks of one model often only notice such regressions when a customer complains.
• Loss of reproducibility. The same query returns different results today than it did three months ago — not because the world has changed, but because the model has. Audit, traceability and evidence become markedly harder.
• Hidden performance adjustments. Vendors can throttle compute in the background, lighten the model through quantisation (a compression technique that uses less compute but loses precision), reallocate context windows. The model still carries the same name, but behaves differently. This phenomenon has been documented in the technical community since 2024, rarely confirmed and rarely contested by the vendors.

For organisations, the implication is this: an agent is not a system you build once. It is a system whose core shifts under your feet. Anyone building business processes on top of it needs evaluation routines that measure this continuously — before every model change, on a sampling basis in routine operation, and as a hard requirement in safety-critical use.

The field distinguishes two terms. Human-in-the-loop means the agent may perform certain steps only once a human actively approves them — a payment, a termination, a medical recommendation. Without the click, nothing happens. Human-on-the-loop means the agent acts independently, but a human supervises the run and can step in or abort at any time. Both are legitimate models — which one is right depends on how consequential and how reversible the action in question is. The most common promise from agent vendors is that the human can eventually be taken out of both roles altogether. That is exactly the wrong direction — for three reasons.

First: the more convincing agents appear, the less their mistakes get noticed. A system that is right in 95 out of 100 cases and plausibly wrong in 5 is more dangerous than one that is obviously wrong in 80. People tend to trust the former — and that is precisely where the most expensive mistakes happen.

Second: the irreducible problems from section 3 (hallucinations, drift, injection) produce errors that are statistically rare and individually serious. Distributions like that call for human oversight in the right places — not across the board, but exactly where actions become irreversible or high-stakes.

Third: Article 14 of the EU AI Act requires human oversight for high-risk systems. With agents, the question shifts from whether to where in the chain of action. Oversight at the end of a five-step chain is almost always too late.

The modern form of human oversight is not "a human watches every step" — that is neither practical nor useful. It is a deliberate mix: human-in-the-loop with mandatory approval for irreversible or sensitive actions; human-on-the-loop with effective supervision and escalation for routine work; and at all times a reliable abort mechanism. Anyone planning to deploy agents has to name these points before going live, not afterwards.

There is an internationally recognised tool that addresses exactly this structure: ISO/IEC 42001, the standard for AI management systems (AIMS). It sets out how an organisation can make the use of AI — and therefore of agents — planned, documented and auditable: Which systems are running? Who is responsible? Where do the risks sit? At which points does a human step in? What happens in an incident? Something like painting by numbers — not in the sense of simplistic, but in the sense of step by step, from the decision to adopt a system through to switching it off. Details are on our page on ISO 42001 — the AI management system.

If one agent is interesting, several are spectacular. Multi-agent systems divide up the work: a research agent searches, a writing agent drafts, a reviewing agent checks, an orchestrator coordinates. In the demo it looks like a digital project team. In production it looks like a black box squared.

Three effects turn up reliably in multi-agent architectures and need to be anticipated in design:

Error amplification

A small error in the first step is legitimised and amplified by each further agent. What comes out at the end is a result nobody questions any more, because "it has already been through three checks".

The illusion of review

When one agent reviews another agent, the same underlying model is reviewing itself. The weaknesses the first agent displays are the ones the second displays too — only phrased more politely.

Diffused responsibility

In a chain of five agents, you quickly ask: who was actually the decision-maker here? Without clear role assignment, a structure emerges in which nobody is ultimately accountable — the opposite of what the EU AI Act requires.

Multi-agent systems are not a bad idea — they are a demanding one. Anyone building them needs more than functioning agents; they need a functioning architecture: heterogeneous models for the reviewing agents, independent validation outside the agent chain, clear escalation paths.

Regulation (EU) 2024/1689 is technology-neutral — that is its strength and its limit. It applies to agents as to any other AI system. Applied to agents, five articles become particularly relevant:

• Art. 4 — AI literacy. Staff working with agents must be appropriately trained. For agents, "appropriately" means more than "how to write a prompt"; it also covers "how to recognise failure modes, when to step in, how to document".
• Art. 14 — Human oversight. Mandatory for high-risk systems. For agents this calls for a design that makes oversight possible at meaningful points — not just formally.
• Art. 26 — Obligations of deployers. Anyone deploying an agent must ensure it is used as intended, keep logs and report incidents. With multi-step agents this means: traceable tool calls, auditable decisions, documented escalation.
• Art. 27 — Fundamental Rights Impact Assessment (FRIA). Mandatory for certain use cases. With agents, the FRIA is not a one-off exercise but runs alongside the lifecycle, because capabilities and risks shift through model updates.
• Art. 50 — Transparency. Users must know they are interacting with an AI system. With agents that appear in emails or chats this is not trivial — the labelling must be visible and comprehensible, not buried in small-print legalese.

What the AI Act does not explicitly address is the particulars of multi-agent architectures — who counts as the deployer for a chain of actions, how far documentation duties reach into intermediate steps, how prompt-injection attacks should be assessed under Article 15 (robustness). These gaps will not close in 2026 — what is needed here is organisational governance that thinks ahead.

Governance for agentic systems arrives too late if it is only considered after the rollout. It has to be part of the design. Four structural elements that have proven robust in practice:

1. Boundaries and budgets. What may the agent do, and what may it not? Which systems, which data, which costs? No unlimited access, no unlimited resources, no unlimited runtime. A well-set budget catches 80 per cent of unexpected behaviour before it does damage.
2. Reversibility. Which actions can be undone, and which cannot? Irreversible actions — sent messages, executed payments, deleted records — require human approval before execution, not an apology after the fact.
3. A complete audit trail. Every tool call, every intermediate decision, every piece of context is traceable. Not as an extra, but as standard. Without this foundation, neither the AI Act can be met nor serious incident management run.
4. Kill switch and graceful fallback. It must be possible to stop an agent immediately and hand the process over to a human without losing data and without leaving half-finished actions dangling. That is an architectural decision, not a feature.

With agentic AI, a question becomes acute that still felt academic when only language models were in play: who acts when a machine acts?

The simple answer is: people. The machine carries out what people designed, commissioned and signed off on. That is clear in law and defensible in ethics. The notion that an agent is "its own fault" when something goes wrong is compatible neither with European liability law nor with an ethical tradition that ties responsibility to persons, not to artefacts.

The harder answer is: responsibility is distributed along a long chain, from the model provider to the agent developer, the commissioning party, the person signing off, down to the end user. Drawing that chain cleanly and attaching a clear duty to each role is the organisational homework that no vendor will do for you.

A fuller treatment of the ethical side — including the traditions from technology, medical and military ethics that come together around agents — is on our page on AI ethics.

Deploying agents looks different in each context. Blur the three together, and you end up with recommendations that fit nowhere.

The Center for AI and Ethics (Europe) brings a deliberate combination to the subject of agentic AI:

David Mirga carries the substance profile — an AI author with four relevant publications, among them the first comprehensive German-language AI dictionary with more than 5,000 specialist terms, focused on multi-agent orchestration and ISO/IEC 42001. Jeremy James Wilhelm brings the enterprise transformation side — 25 years of IT transformation for corporations such as adidas, Lindt & Sprüngli, METRO and SPAR, certified AI trainer at WIFI Vienna. Patrick Casey Prager carries the ethical framing — interdisciplinary ethics with a specialisation in technology, medical and military ethics, precisely the three fields that converge around AI systems that act.

We do not certify. We do not sell agents, licences or tools. What we do: support organisations before, during and after introducing agents — with documented risk assessment, governance design, training for the responsible roles, and an honest reading that does not depend on selling a product.

Whether you are just starting out or already running agents in production: a conversation costs nothing. office@caie.at — we reply personally.