Skip to main content
COMPEL Body of Knowledge
Get Certified Platform
AITM M1.6-Art01 v1.0 Reviewed 2026-04-06 Open Access
M1.6 People, Change, and Organizational Readiness
AITF · Foundations

What Agentic AI Is

What Agentic AI Is — Organizational Change & Culture — Applied depth — COMPEL Body of Knowledge.

10 min read Article 1 of 18

COMPEL Specialization — AITM-AAG: Agentic AI Governance Associate Article 1 of 14

Definition. An agentic AI system is an AI system that plans its own sequence of actions, decides which tools to call, acts on external systems or data, retains state across turns, and operates with substantial autonomy between human checkpoints. Agentic systems combine language-model reasoning with tool use, memory, and environment interaction to pursue goals that neither the prompt nor the training data fully specify at invocation time. The governance discipline that this credential teaches begins the moment a system crosses that threshold.

A governance analyst who classifies every language-model application as “just another AI system” and tries to govern it with a NIST AI RMF checklist designed in 2022 will miss the failure modes that matter. Agents hallucinate plans, not only facts. Agents call tools that touch production systems. Agents accumulate memory that can be poisoned. Agents interact with other agents in patterns their designers never rehearsed. Classical AI governance — model cards, bias tests, drift monitors — remains necessary but is not sufficient. The extension is the subject of this credential.

The distinguishing properties

An agentic system exhibits five properties in combination. Any three in a system is sufficient for it to be treated as agentic for governance purposes. All five is the normal case in a 2025-era enterprise deployment.

PropertyWhat it looks likeGovernance consequence
PlanningThe system decomposes a goal into steps without a pre-written script.The specific execution path cannot be fully pre-validated.
DecisionThe system chooses among alternative actions at run time.Authority for each decision must be allocated and logged.
ActionThe system invokes tools, calls APIs, writes to systems, moves files.Tool permissions and rate limits become first-class controls.
AutonomyThe system proceeds for multiple steps without a new human instruction.Oversight cannot be only at invocation; runtime controls are required.
StateThe system carries memory, context, or learned patterns across turns.Memory becomes a governed data asset.

A system that reads a prompt, generates a single response, and terminates fails the autonomy test and is not agentic. A system that chains a retrieval call, an LLM reasoning step, and an outbound email — under its own control and with memory between runs — passes four of the five. That system needs an agentic governance pack, not a model card.

The autonomy spectrum

Agentic behaviour is not binary. The spectrum below is a working taxonomy used by several operator-side frameworks, including the Anthropic Responsible Scaling Policy capability levels and the OpenAI Preparedness Framework preparedness levels, both public references. COMPEL’s autonomy spectrum — covered in detail in Article 3 — uses a similar six-level structure adapted for governance purposes.

  • Level 0 — assisted. Single-turn assistant. Human prompts, system responds, task ends.
  • Level 1 — advisor. Multi-turn chat, no external action. The system recommends; the human executes.
  • Level 2 — bounded executor. The system executes in a tight sandbox with pre-approved tools. Human approves each consequential action.
  • Level 3 — supervised executor. The system plans and executes sequences. A human reviews outcomes, not every step.
  • Level 4 — autonomous executor. The system executes for extended periods without per-action supervision. Humans define guardrails; the system operates within them.
  • Level 5 — self-directing. The system sets its own sub-goals, acquires new tools, and operates across long horizons.

Most production deployments in 2025 sit between Level 2 and Level 4. Level 5 is not a near-term enterprise class, and any vendor that claims it is marketing, not engineering. The governance burden rises superlinearly with level; the gap between Level 3 and Level 4 is the gap between “reviewing agent output” and “auditing an agent’s operating history.”

Worked classification — five systems

The definition and spectrum together yield a simple screen. Apply it to five example systems:

  1. Customer-service LLM summariser. Reads a past-ticket thread and produces a summary for a support agent. Single-turn, no tools, no memory beyond the current prompt. Not agentic. Classical governance suffices.
  2. Code-generation assistant that also runs tests. The assistant proposes code and, on approval, executes a test runner. Plan + decision + action + (some) autonomy. Agentic at roughly Level 2. Tool-use governance required.
  3. Financial-research agent. Given “draft a memo on company X,” the system searches the web, reads filings, reasons, drafts a memo, and iterates without human approval at each step. Plans, decides, acts, autonomous for minutes, has working memory. Agentic at roughly Level 3. Full agentic governance pack required.
  4. Scripted RPA bot with LLM re-planning. A traditional RPA bot runs a fixed workflow, but an LLM replans when an element is missing. The LLM’s replanning exercise is bounded but genuinely autonomous. Agentic at Level 2, with extra attention to the boundary between LLM and scripted branches.
  5. Multi-agent trading-research workbench. Research-assistant, analyst, and critic agents converse, delegate, and publish an analyst note. Plans, decides, acts, operates for tens of minutes, and carries memory; multiple agents interact. Agentic at Level 4. Multi-agent governance, additional A2A controls, and a hard kill-switch required.

The edge case deserves attention. A Retrieval-Augmented Generation (RAG) chatbot that only reads documents and never writes is not agentic; it is a classical LLM application with a tool-use-lite pattern. A RAG chatbot that can escalate to a ticketing system is agentic, because that escalation is an action. The boundary sits on whether the system takes external actions under its own authority. Read-only retrieval does not cross it; ticket creation does.

Why classical AI governance is not enough

Classical AI governance was designed around the classical machine-learning lifecycle: collect data, train model, evaluate on a test set, deploy to inference, monitor for drift. That lifecycle makes two assumptions that do not hold for agents. First, inference is stateless — each prediction is an independent call. Second, the model acts only through its output — it does not touch the world except by emitting a prediction.

Agents break both assumptions at once. Agents are stateful — their memory is a live data store. Agents act — they invoke tools that change state in other systems. The OWASP Top 10 for LLM Applications LLM06 Excessive Agency entry captures the core of what this breaks: when an agent has tools, permissions, and latitude exceeding what supervision can safely cover, the failure modes include unauthorised writes, data exfiltration, financial commitment, and cascades triggered by adversarial input. Classical model cards do not address this; agentic governance packs (Article 14) do.

The EU AI Act’s Article 14 requirement for effective human oversight of high-risk AI was drafted before the 2024 agentic wave. It remains applicable and, in fact, acquires added weight when the system being overseen is autonomous for minutes at a time. The specialist covers Article 14 oversight design in Article 5 of this credential. The point to carry away here is that the regulation is agent-applicable; the design effort required to comply with it is higher for an agent than for a static model.

Two real-world anchors for the definition

AutoGPT’s early incidents — the public introduction to runaway agents

AutoGPT’s open-source release in March 2023 exposed non-specialist audiences to the behaviour that makes agentic governance necessary. The system, given an open-ended goal, would loop — generating sub-goals, consuming API tokens, and in documented cases running into infinite loops or exhausting budgets without completing any useful work. Coverage in reputable press at the time, including MIT Technology Review’s April 2023 piece on the release, documented the pattern. The incidents were small-scale, but they presented three of the five distinguishing properties above — planning, decision, autonomy — operating in combination without containment. Source: https://www.technologyreview.com/2023/04/21/1071925/autogpt-agi-scam/.

The AutoGPT lesson for the specialist is not that “agents are dangerous.” The lesson is that the boundary between assistant and agent is behavioural, not architectural, and that the absence of a budget cap, a step limit, or a review loop turns a harmless demonstration into a runaway in production. Governance begins where autonomy begins.

Shavit et al., “Practices for Governing Agentic AI Systems” — the operator-side framing

In 2024, a team of researchers associated with OpenAI published “Practices for Governing Agentic AI Systems,” a public paper that names many of the governance primitives this credential teaches — agent identification, delegation, bounded action spaces, human oversight modes, and incident response. The paper is operator-side, meaning it is written for the companies building and running agents. The governance practitioner reads it to understand where the industry has been thinking and to use it as a vocabulary bridge, but cites it as one voice among several. Source: https://cdn.openai.com/papers/practices-for-governing-agentic-ai-systems.pdf.

The specialist’s job is not to adopt a single operator’s framing. It is to synthesise operator-side material, regulation (EU AI Act, NIST AI RMF, ISO 42001), and the vendor-neutral security canon (OWASP Agentic, MITRE ATLAS) into a house framework that works against any agent the organisation deploys, regardless of which model provider (OpenAI, Anthropic, Google, Meta, Mistral, DeepSeek, open-source) or orchestration framework (LangGraph, CrewAI, AutoGen, LlamaIndex Agents, OpenAI Agents SDK, custom code) the engineering team chose.

The scoping question

Before Article 2 of this credential — architecture patterns and inventory — the specialist has one scoping question to answer: does the organisation have agents in production that are not yet recorded as such? The honest answer in most enterprises in 2025 is yes. Engineering teams have put LLM chains with tool calls into production under headings like “automation,” “assistant,” or “copilot” that do not trigger agent-governance workflows. The specialist’s first job in most engagements is a discovery exercise that finds those systems, classifies them against the definition above, and places them on the autonomy spectrum so that the appropriate governance artifacts can follow.

The discovery exercise is structured in Article 2. The classification exercise is structured in Article 3. The two articles together produce the initial agent register; every subsequent article in this credential produces one more section of the Agent Governance Pack (Article 14) for each agent in the register.

Learning outcomes — confirm

A specialist who completes this article should be able to:

  • Name the five distinguishing properties of an agentic AI system and apply them to classify described systems as agentic or not.
  • Explain the Level 0–5 autonomy spectrum and locate an example system on it.
  • Argue, in a memo addressed to a non-specialist executive, why classical AI governance is necessary but not sufficient for agentic systems.
  • Identify two public real-world anchors — one incident (AutoGPT) and one framework paper (Shavit et al.) — that establish the governance baseline.

Cross-references

  • EATF-Level-1/M1.1-Art04-Introduction-to-the-COMPEL-Framework.md — framework orientation required before agentic specialisation.
  • EATF-Level-1/M1.4-Art11-Agentic-AI-Architecture-Patterns-and-the-Autonomy-Spectrum.md — Core article on agentic architecture and the autonomy spectrum.
  • Article 2 of this credential — architecture patterns and inventory.
  • Article 3 of this credential — autonomy classification, deep dive.

Diagrams

  • TimelineDiagram — evolution from single-turn prompt → retrieval-augmented → tool-using copilot → multi-step agent → multi-agent system, with governance implications annotated per stage.
  • MatrixDiagram — 2×2 of autonomy level × consequence severity mapping to governance tier.

Quality rubric — self-assessment

DimensionSelf-score (of 10)
Technical accuracy (every property + level claim traceable)9
Technology neutrality (OpenAI, Anthropic, Meta, Mistral, open-source, LangGraph, CrewAI all named)10
Real-world examples ≥2, public sources10
AI-fingerprint patterns (em-dash density, banned phrases, heading cadence)9
Cross-reference fidelity (Core Stream anchors verified)10
Word count (target 2,500 ± 10%)10
Weighted total91 / 100