Skip to main content
COMPEL Body of Knowledge
Get Certified Platform
AITE M1.2-Art01 v1.0 Reviewed 2026-04-06 Open Access
M1.2 The COMPEL Six-Stage Lifecycle
AITF · Foundations

What Is an Agentic AI System

What Is an Agentic AI System — Transformation Design & Program Architecture — Advanced depth — COMPEL Body of Knowledge.

10 min read Article 1 of 53 Calibrate

COMPEL Specialization — AITE-ATS: Agentic AI Systems Architect Expert Article 1 of 40

Scope. Agentic AI is the point at which a language model stops emitting text and starts changing the world. The architect who treats agentic systems as “chatbots with extra steps” will design a platform that fails three predictable ways: tool calls will happen without authorization, loops will consume budget without producing value, and the organization will be unable to explain to a regulator — or a tribunal — why the agent committed the company to an outcome no human approved. This article fixes the definition, draws the architectural line between agentic and non-agentic systems, and establishes the reference architecture that the remaining thirty-nine chapters refine.

The five-axis definition

An agentic AI system is an AI system that exhibits, in combination, the following five properties. Any three is sufficient for the system to require agentic governance; in a 2025-era enterprise deployment, all five is the normal case.

  1. Tool execution. The system emits structured calls — OpenAI function calls, Anthropic tool-use blocks, Google Gemini function declarations, MCP tool invocations — that an orchestrator executes against real systems. The agent does not just recommend; it acts. The failure mode that appears first in incident reports is excessive agency, formalised as OWASP LLM06 and extended in the OWASP Top 10 for Agentic AI draft.
  2. Looping. The system calls a model, calls a tool, reasons over the result, and decides whether to continue. Single-turn request/response is not agentic; the ReAct pattern published by Yao et al. (ICLR 2023) is the canonical loop shape. Looping means observability must capture multi-step traces, not single prompt/response pairs.
  3. State. The system carries context across steps — working memory inside the loop, long-term memory across sessions, episodic memory of prior traces, semantic memory as structured knowledge. State introduces classes of bugs that single-turn LLM applications cannot have: stale-state decisions, memory poisoning (OWASP agentic), and cross-session contamination.
  4. Composition. The system can spawn or delegate to other agents. CrewAI role-based hierarchies, AutoGen conversational patterns, and LangGraph sub-graph invocations all exhibit composition. Composition introduces distributed-system failure modes — deadlock, livelock, infinite delegation, goal drift — that single-agent systems cannot produce.
  5. Blast radius. A classical LLM chatbot that hallucinates embarrasses the brand. An agent with tool access that hallucinates can process the company’s invoice pipeline through a prompt-injected payload, place trades, send email to the wrong counterparties, or commit the organization to a contract. The blast radius is operational and legal, not reputational alone — the Moffatt v. Air Canada judgment (2024 BCCRT 149) established that the bot’s commitment bound the airline.

An architecture team applying the definition should treat the first three axes as the primary screen. Tool execution + looping + state is the minimum configuration that makes a system agentic for design purposes. Composition and blast radius govern how much agentic rigour the system needs.

Diagram 1 — Bridging from single-turn LLM feature to agentic system

     SINGLE-TURN LLM FEATURE              AGENTIC AI SYSTEM
     ─────────────────────────            ─────────────────────────
     prompt → model → response            loop{ plan → act → observe }

     · request/response            →      · multi-step trace
     · no side effects             →      · tool execution with side effects
     · stateless across calls      →      · memory across steps and sessions
     · one surface to defend       →      · four planes (input/tool/memory/egress)
     · embarrassment blast radius  →      · operational + legal blast radius

The five deltas cannot be bridged incrementally. The architect who ships “one tool” has crossed the threshold into agentic design and should have applied the full pack: tool schema, authorization, validation, audit, kill-switch, observability. The chapter references below walk each delta in depth; the blueprint template anchored by this article is the one-page agentic scope brief.

Diagram 2 — Concentric rings of the reference architecture

             ┌─────────────────────────────┐
             │        environment          │
             │   ┌─────────────────────┐   │
             │   │        tools        │   │
             │   │ ┌─────────────────┐ │   │
             │   │ │     memory      │ │   │
             │   │ │  ┌───────────┐  │ │   │
             │   │ │  │  agent    │  │ │   │
             │   │ │  │   loop    │  │ │   │
             │   │ │  └───────────┘  │ │   │
             │   │ └─────────────────┘ │   │
             │   └─────────────────────┘   │
             └─────────────────────────────┘

The ring diagram is the mnemonic for the credential. The agent loop sits at the core. Around it is memory — short-term working context plus long-term store. Around that sits the tool surface. Around that sits the environment — the systems the agent touches through its tools. Safety, observability, policy, and oversight controls penetrate every ring; they are not a separate layer. Article 20 (agentic platform design) shows how these rings become shared platform services.

Worked classification — five candidate systems

Applying the five-axis test to five candidate systems fixes intuition:

  1. Customer-service summariser. Reads a past ticket thread, returns a summary. Single-turn, no tools, no memory. Zero of five — not agentic. Classical model-card governance suffices.
  2. Code-review bot that posts comments. Reads a pull request, generates review comments, posts them to GitHub via a tool. Tool execution ✓, looping possibly ✓, state usually ✗, composition ✗, blast radius modest. Agentic at a minimum configuration — apply the pack at reduced depth, with particular attention to tool authorization on the GitHub API.
  3. Replit AI Agent (2024). Plans a task, writes code, runs tests in a sandbox, reads error messages, iterates, commits. Tool execution ✓, looping ✓, state ✓ across the session, composition limited, blast radius contained by sandbox. Agentic. The public Replit engineering postmortems on memory-corruption bugs (2024) — where agent memory poisoning caused task failures that required architectural change — make Replit a canonical case study for the credential.
  4. Salesforce Agentforce sales development agent. Reads CRM, drafts emails, sends them, reads replies, schedules meetings, updates pipeline. Tool execution ✓, looping ✓, state ✓ across days, composition ✓ (coordinates with other Agentforce agents), blast radius material (revenue, deliverability, regulatory under GDPR/CAN-SPAM). Full pack required.
  5. Devin (Cognition AI, 2024). Receives a software-engineering ticket, plans, executes code, runs tests, commits, opens pull request. Long-horizon, multi-hour autonomy. All five axes present. Extreme blast radius on a production codebase — which is why the Cognition team published detailed architecture and safety posts before customer deployment.

Most enterprise candidates sit between (3) and (4). Level (5) autonomy for business-critical workloads is, in 2025, not a near-term class despite vendor marketing to the contrary.

Why the EU AI Act, OWASP, and MITRE all apply at once

Three frameworks converge on the agentic class:

  • EU AI Act Article 14 (Regulation (EU) 2024/1689) requires effective human oversight of high-risk AI systems. The Article was drafted before the 2024 agentic wave but applies with added weight when the system being overseen is autonomous for minutes or hours at a time. The architect’s obligation is to design oversight into the runtime, not to bolt it onto a user interface.
  • OWASP Top 10 for Agentic AI (2025 draft) extends the LLM Top 10 with agentic-specific risks — memory poisoning, goal hijacking, excessive agency, deceptive delegation, tool misuse, cascaded prompt injection, supply-chain attacks on tools, coordination failures, persistent-state risks. Articles 7, 8, 14 of this credential map each onto architectural controls.
  • MITRE ATLAS adds adversarial technique IDs — AML.T0051 (evade ML model), AML.T0043 (craft adversarial data), AML.T0049 (exfiltration via ML inference API) — plus agentic-specific additions covering supply-chain attacks via tool integrations and indirect prompt injection via retrieved tool outputs.

The three together define the regulatory and threat context in which the architect operates. No AITE-ATS holder should be surprised by any specific obligation or technique; the credential catalogs them through chapters 8, 9, 14, 23, and 27.

Two real-world anchors

Replit AI Agent — architecture in public (2024–2025)

Replit’s public engineering posts through 2024 and into 2025 are the most detailed agentic-architecture case study available outside internal vendor documentation. The team published discussions of the sandbox isolation model, the memory layer design, the tool set, and — critically — the postmortems from memory-corruption incidents. In one reported case, stale entries in an agent’s long-term memory caused it to repeatedly attempt a fix that had already failed, burning tokens and user trust. The architectural response was to add memory versioning and explicit invalidation on tool-result signals. The lesson is that memory is a first-class architectural decision; the credential’s Article 7 devotes its entire word count to the memory stack. Source: https://blog.replit.com/.

Devin by Cognition AI — long-horizon software engineering (2024)

Cognition AI announced Devin in March 2024 with a public demonstration of a software-engineering agent that could complete multi-hour tasks end-to-end — from reading a ticket through writing code, running tests, and opening a pull request. The subsequent architecture posts described a planner/executor separation, a browser-based sandbox, and a memory layer capturing intermediate results. Devin’s practical blast radius is a production codebase, which is why Cognition invested in sandboxing and staged rollout — the same patterns Articles 21 and 24 cover. The SWE-bench benchmark on which Devin reported performance (13.86% resolution on the full SWE-bench evaluation at launch) is cited not for leaderboard position but as the pattern for agentic capability evaluation covered in Article 17. Source: https://www.cognition.ai/.

Closing — the reference architecture refined across the credential

The five-axis definition, the concentric-ring diagram, and the three-framework regulatory context are the constants of AITE-ATS. Every subsequent article refines one ring or one axis:

  • Articles 2–4 refine the loop — autonomy classification, agent runtimes, loop patterns.
  • Articles 5–6 refine the tool surface — schemas, registries, authorization, validation.
  • Article 7 refines the memory layer.
  • Articles 8–9 refine the blast-radius control — agentic risks, kill-switch, escalation.
  • Article 10 refines the oversight control — HITL/HOTL patterns under EU AI Act Article 14.
  • Articles 11–12 refine composition — multi-agent orchestration, coordination protocols.
  • Articles 13–14 refine the environment surface — agentic RAG and indirect injection.
  • Articles 15–17 refine observability and evaluation.
  • Articles 18–20 refine operations, cost, and platform at portfolio scale.

The architect who finishes this credential will be able to sit in a COMPEL Calibrate review and say of any proposed agentic system: here is its autonomy level, here is its runtime, here is its tool surface with authorization design, here is its memory design with poisoning defence, here is its kill-switch spec, here is its Article 14 evidence plan. That is the output of Article 40 (capstone). This is Article 1.

Learning outcomes check

  • Explain the five axes that define agentic systems, with a governance consequence for each.
  • Classify five candidate systems against the axes with justified decisions.
  • Evaluate a described system for whether agentic governance is required and at what depth.
  • Design a one-page agentic-scope brief for a proposed feature.

Cross-reference map

  • Core Stream: EATF-Level-1/M1.4-Art11-Agentic-AI-Architecture-Patterns-and-the-Autonomy-Spectrum.md; EATF-Level-1/M1.4-Art12-Tool-Use-and-Function-Calling-in-Autonomous-AI-Systems.md.
  • Sibling credential: AITM-AAG Article 1 (governance-focused definition); AITE-SAT Article 1 (solution-architecture framing).
  • Forward reference: Article 40 capstone composes the reference architecture end-to-end.