From Agent to Action: Navigating the Agentic AI Liability Gap in Critical Infrastructure

By Lili Kazemi | Founder, The Human Edge of AI

For the past three years, the corporate world has been obsessed with the chatbot.

We focused on hallucinations, data privacy, prompt engineering, and whether AI-generated answers could be trusted. But while we were debating what AI said, the technology changed. In 2026, the more urgent question is what AI can do.

The shift from generative AI to agentic AI — systems that can plan, use external resources, access workflows, make decisions, and execute tasks with bounded autonomy — has created a new governance and liability frontier. These systems are no longer just drafting emails or summarizing documents. They are connecting to databases, triggering workflows, modifying files, changing access permissions, and interacting with operational environments.

For legal, cybersecurity, and C-suite leadership, the question is no longer:

“What did the AI say?”

It is now:

“What did the AI do, who authorized it, and who is liable when it fails?”

That question became even more urgent with recent government guidance. In April 2026, the National Institute of Standards and Technology released a concept note on trustworthy AI in critical infrastructure. Days later, cybersecurity agencies from the United States, United Kingdom, Australia, Canada, and New Zealand — the Five Eyes alliance — issued joint guidance warning organizations to treat agentic AI as a core cybersecurity concern, not a future innovation experiment.

Together, these developments signal a clear shift: the “wait and see” period for agentic AI governance is over.


Part I: Defining the Agentic Shift

In 2024, AI was often treated as a researcher or assistant.

In 2026, AI is becoming a negotiator, procurement coordinator, software operator, customer service representative, cybersecurity analyst, and systems administrator.

Agentic AI refers to AI-enabled software capable of pursuing a goal through multi-step action. Unlike a chatbot that waits for a prompt and returns text, an agent may connect to external services, retrieve data, call APIs, use memory, make decisions, and trigger downstream actions without human approval at every step.

That matters because the risk profile is fundamentally different.

A chatbot can give a wrong answer. An agent can take a wrong action.

In critical infrastructure, that distinction is enormous. An agent deployed in a logistics environment might reroute shipments. A financial services agent might execute transactions. A healthcare agent might update records or triage patient information. A cybersecurity agent might change access controls or isolate network assets.

Once AI moves from advice to execution, traditional concepts of software error, vendor risk, cybersecurity controls, and corporate authority begin to collide.


Part II: NIST and the New Standard of Criticality

The NIST AI Risk Management Framework provides the broader governance foundation for this shift. Its core functions — govern, map, measure, and manage — are especially relevant to agentic AI because the risk depends not only on what the model says, but on where it is deployed, what systems it can access, what actions it can take, and how those actions are monitored.

For organizations operating in or adjacent to critical infrastructure, this changes the meaning of reasonable care. The April 2026 NIST concept note should be understood as part of that larger trajectory: critical infrastructure deployments require tailored risk profiles when AI moves from generating information to taking operational action.

NIST’s direction also reinforces the importance of bounded autonomy. Agentic systems should not be given open-ended authority to act across an enterprise. They should operate within defined environments, with clear constraints, privilege limits, audit trails, and escalation requirements.

In practical terms, this means organizations need to know:

  • What the agent can access
  • What the agent can change
  • What the agent can trigger
  • What actions require human approval
  • What logs are preserved
  • Who owns the risk when the agent acts

This is where NIST’s governance lens meets the Five Eyes cybersecurity warning.


Part III: The Five Eyes Warning: Agentic AI Is an Identity and Cybersecurity Problem

The latest Five Eyes guidance adds a critical missing piece to the agentic AI liability conversation: cybersecurity agencies are not treating agents as abstract AI tools. They are treating them as operational actors inside digital environments.

According to the guidance, agentic AI systems are already being deployed in critical infrastructure and defense-related environments, often with more access than organizations can safely monitor or control. These systems need connections to external tools, databases, memory stores, and automated workflows to function — but those same connections create new attack surfaces.

The agencies identify several categories of risk that should matter deeply to legal and executive leadership.

First is privilege risk. If an agent has excessive access, a single compromise can cause damage far beyond a typical software vulnerability. An over-permissioned agent is not just a weak endpoint. It can become a high-speed pathway into sensitive systems.

Second is design and configuration risk. Poorly designed agents may create vulnerabilities before they ever go live. This includes weak authentication, unclear permissions, insufficient monitoring, and inadequate separation between low-risk and high-impact actions.

Third is behavioral risk. Agents may pursue goals in ways their designers did not anticipate. A system told to “optimize collections,” “reduce downtime,” or “resolve tickets faster” may take shortcuts that create legal, operational, or customer harm.

Fourth is structural risk. As agents become connected to one another, failures can cascade across workflows. One agent’s mistake may trigger another agent’s response, creating a chain reaction that is difficult to trace.

Fifth is accountability risk. Agentic systems may produce logs that are hard to interpret, incomplete, or scattered across systems. When something goes wrong, the organization may struggle to reconstruct who or what made the decision.

The guidance is especially important because it does not recommend inventing an entirely new security discipline. Instead, it tells organizations to apply established cybersecurity principles to agentic AI: zero trust, defense-in-depth, least privilege, identity management, encryption, short-lived credentials, and human approval for high-impact actions.

That is the core governance message: agentic AI is not exempt from cybersecurity fundamentals. It intensifies them.

That is why risk and liability in agentic AI are a Monday morning question, not a theological discussion.


Part IV: The Dual Liability Trap

From a legal and executive standpoint, agentic AI creates a dual liability trap.

Organizations may be held responsible for what their AI agents do, while sensitive communications with those systems may not be privileged, confidential, or protected from disclosure. That means AI can create exposure in two directions at once: outward, through the actions agents take in the marketplace or operational environment, and inward, through sensitive communications, strategy, or data entered into the system.

1. The Agency Risk

Courts and tribunals have not fully resolved how traditional agency law will apply to AI agents. But the direction of travel is clear: organizations should not assume that “the AI did it” will be a defense.

The warning sign is already visible in customer service. AI chatbots are increasingly deployed as the front door to companies, but they can trap customers in loops, fabricate information, generate false ticket numbers, or provide answers that conflict with official policy. That is not just a user-experience problem. It can become a representation, reliance, and liability problem.

In Moffatt v. Air Canada, a British Columbia tribunal found Air Canada liable after its chatbot gave a customer incorrect information about bereavement fares. Air Canada argued, in substance, that the chatbot was responsible for its own response. The tribunal rejected that position, treating the chatbot as part of the company’s website and holding Air Canada responsible for the information provided through it.

That case involved a customer-service chatbot, not a fully autonomous enterprise agent. But the lesson scales. If a company deploys an AI agent to interact with customers, vendors, employees, regulators, or counterparties, the company may be held responsible for the agent’s actions. If the agent makes a representation, triggers a transaction, modifies a record, escalates or suppresses a complaint, or causes operational harm, the legal analysis may focus on whether the company authorized, enabled, or failed to supervise that behavior.

This is especially important in environments where agents are customer-facing, transaction-facing, or embedded in critical workflows. The more authority the organization gives the system, the harder it becomes to argue that the agent’s conduct was outside the company’s responsibility.

2. The Privilege and Confidentiality Risk

The second risk runs in the opposite direction.

Even as organizations may be responsible for AI-enabled conduct, communications with AI systems may not receive legal protection. Sensitive information entered into AI systems may be discoverable, retained, logged, reviewed, or otherwise exposed depending on the platform, the terms of use, the deployment environment, and the role of counsel.

In United States v. Heppner, Judge Jed S. Rakoff of the U.S. District Court for the Southern District of New York held that documents generated through a consumer version of Claude were not protected by attorney-client privilege or the work product doctrine. The court emphasized that Claude was not an attorney, that the user had accepted privacy terms allowing data collection and disclosure, and that the AI-generated materials were not prepared at the direction of counsel.

The lesson is not that AI can never be used in legal workflows. The lesson is that legal teams must control the environment.

Legal strategy, regulatory analysis, litigation planning, confidential business information, sensitive customer data, and privileged work product should not be entered casually into public or consumer-grade AI systems. Sensitive AI use should be governed by clear protocols, appropriate counsel direction where legal advice is involved, secure deployment environments, and defined rules for confidentiality, retention, access, and disclosure.


Part V: Building the Agentic Governance Framework

The organizations that succeed in the agentic era will not be the ones that ban AI or blindly accelerate deployment. They will be the ones that build structured, auditable, human-governed environments for AI action.

A strong agentic governance framework should include five core controls.

1. Bounded Environments

Agents should operate in sandboxed or segmented environments until reliability, safety, and accountability are proven. No agent should receive broad enterprise access by default.

2. Least-Privilege Identity

Every agent should have a verified identity, defined permissions, short-lived credentials, and access limits. Organizations should know which agent acted, under what authority, using which credentials, and within which workflow.

3. Calibrated Human Oversight

Not every action requires the same level of human review. Low-risk, reversible tasks may be appropriate for automation once validated, while higher-risk actions require stronger human involvement.

High-impact actions should require human approval before execution. That includes changes to access permissions, financial transactions, customer commitments, legal positions, safety-related decisions, and critical infrastructure operations.

Critically, the decision about which actions require human approval should be made by system designers, legal teams, cybersecurity leaders, and business owners — not by the agent itself.

4. Explainable Action Logs

Organizations need more than chat transcripts. They need action logs.

A defensible agentic system should preserve what the agent accessed, what it changed, what it recommended, what it executed, what approvals it obtained, and what fallback controls were available.

In a dispute, investigation, breach, or regulatory inquiry, the audit trail may become the organization’s most important defense.

5. Resilience and Reversibility

The Five Eyes guidance makes a crucial point: until security practices and evaluation methods mature, organizations should assume agentic systems may behave unexpectedly. That means deployments should prioritize resilience, reversibility, and containment over pure efficiency.

In plain English: do not give an agent power you cannot trace, contain, or unwind.


Five Key Takeaways for Legal and C-Suite Leadership

1. Define the Agent’s Authority Early

Review AI vendor contracts, internal deployments, and workflow integrations. Define what the agent is authorized to do, what it is prohibited from doing, and who bears responsibility when it acts.

2. Calibrate Human Oversight by Action Type

Human review should not become a generic checkbox. Use automation for low-risk, reversible tasks; human monitoring for moderate-risk workflows; and human approval for high-impact actions with legal, financial, safety, security, or external consequences.

3. Treat Agents as Identity-Bearing Actors

Agentic AI is not just a software feature. It is an identity, access, and permissions issue. Give agents verified identities, narrow credentials, and traceable authority.

4. Close the Privilege and Confidentiality Gap

Issue clear internal guidance on sensitive AI use. Legal strategy, confidential business information, regulated data, and privileged material should be handled in secure environments with defined rules for access, retention, disclosure, and counsel direction where appropriate.

5. Require Explainable Action Logs

If an agent can act, the organization must be able to reconstruct the action. Logs should be durable, interpretable, and protected from alteration.
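Controls 2 through 4 in Part V and takeaways 2, 3 and 5 above describe one enforcement point: a gate that every agent tool call passes through, checking the agent's identity and credential lifetime, holding high-impact actions for a human, and recording the decision in a log that cannot be quietly edited afterwards. The Python below is an added example written for this article, not code from the article, from NIST, from the Five Eyes guidance or from any vendor. The action names, risk tiers, agent identifier and approver name are constructed for illustration; the hash chain is one common way to make an append-only log tamper-evident.

```python
"""Added example: a policy gate for agent tool calls with a tamper-evident log.

Shows least-privilege identity with short-lived credentials, human approval
gated by action risk tier, and a hash-chained action log. All action names,
tiers, agent IDs and approver names below are constructed for illustration.
"""
import hashlib
import json
import time
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Tier(Enum):
    LOW = "low"            # reversible: automate once validated
    MODERATE = "moderate"  # automate, but surface for human monitoring
    HIGH = "high"          # human approval required before execution


# Set by designers, legal, security and business owners, never by the agent.
ACTION_TIERS = {
    "read_ticket": Tier.LOW,
    "post_ticket_comment": Tier.LOW,
    "reroute_shipment": Tier.MODERATE,
    "change_access_permission": Tier.HIGH,
    "execute_payment": Tier.HIGH,
}


@dataclass(frozen=True)
class AgentIdentity:
    agent_id: str
    allowed_actions: frozenset      # narrow per-agent allowlist
    credential_issued_at: float     # epoch seconds
    credential_ttl_seconds: int     # short-lived credential

    def credential_valid(self, now: float) -> bool:
        return now < self.credential_issued_at + self.credential_ttl_seconds


class ActionLog:
    """Append-only log where each entry commits to the previous entry's hash."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(record: dict) -> str:
        return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()

    def append(self, record: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = dict(record, prev_hash=prev)
        entry = dict(body, hash=self._digest(body))
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> bool:
        """Recompute every hash; any edited or removed entry breaks the chain."""
        prev = self.GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev_hash"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


class PolicyGate:
    """Every tool call passes through here; the decision is logged either way."""

    def __init__(self, log: ActionLog, now=time.time):
        self.log = log
        self.now = now

    def request(self, agent: AgentIdentity, action: str, params: dict,
                approved_by: Optional[str] = None) -> str:
        tier = ACTION_TIERS.get(action)
        if tier is None:
            outcome = "denied: action not in policy"       # default deny
        elif not agent.credential_valid(self.now()):
            outcome = "denied: credential expired"
        elif action not in agent.allowed_actions:
            outcome = "denied: outside agent allowlist"
        elif tier is Tier.HIGH and approved_by is None:
            outcome = "pending_approval"                    # held, not executed
        else:
            outcome = "executed"
        self.log.append({
            "ts": self.now(), "agent_id": agent.agent_id, "action": action,
            "params": params, "tier": tier.value if tier else None,
            "approved_by": approved_by, "outcome": outcome,
        })
        return outcome


def run_demo(now: float = 1_700_000_000.0):
    """Walk a constructed support agent through the gate; returns (outcomes, log)."""
    log = ActionLog()
    gate = PolicyGate(log, now=lambda: now)
    agent = AgentIdentity(
        agent_id="support-agent-01",
        allowed_actions=frozenset({"read_ticket", "post_ticket_comment", "execute_payment"}),
        credential_issued_at=now - 300, credential_ttl_seconds=900,
    )
    outcomes = [
        gate.request(agent, "read_ticket", {"ticket": 42}),
        gate.request(agent, "execute_payment", {"amount": 250}),            # held for a human
        gate.request(agent, "execute_payment", {"amount": 250}, approved_by="ops-lead"),
        gate.request(agent, "change_access_permission", {"user": "bob"}),   # not in allowlist
        gate.request(agent, "delete_database", {}),                          # unknown action
    ]
    return outcomes, log


if __name__ == "__main__":
    results, action_log = run_demo()
    for entry in action_log.entries:
        print(entry["action"], "->", entry["outcome"])
    print("log intact:", action_log.verify())
```

Two design points matter more than the code itself. First, the gate denies by default: an action the policy table does not name is refused and logged, so a new tool an agent discovers does not silently become a capability. Second, the log records denials and pending approvals, not only executions, because in an inquiry the question "what did the agent try to do" is as important as "what did it do"; in production the entries would be shipped to a write-once store and the latest hash anchored somewhere the agent cannot reach.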


Conclusion: The Future Is Not Just Generative. It Is Operational.

The next wave of AI risk will not come only from bad answers.

It will come from AI systems that take action before anyone understands the consequences.

That does not mean organizations should avoid agentic AI. The opportunity is real. Agents can reduce friction, improve response times, automate repetitive workflows, and help organizations operate more intelligently.

But autonomy without governance is not innovation. It is exposure.

The organizations that lead in this next phase will be those that treat agentic AI as a legal, cybersecurity, operational, and governance issue from the start.

Because in the era of agentic AI, the central question is no longer whether the system can generate an answer.

The question is whether it should be allowed to act, under what conditions, and with what safeguards.

And if it does, whether your organization can prove it acted within bounds.


Disclaimer: This article is for general informational purposes only and does not constitute legal advice. Readers should consult counsel regarding any specific legal, regulatory, or operational matter.

***

Lili Kazemi is General Counsel and AI Policy Leader at Anant Corporation, where she advises on the intersection of global law, tax, and emerging technology. She brings over 20 years of combined experience from leading roles in Big Law and Big Four firms, with a deep background in international tax, regulatory strategy, and cross-border legal frameworks. Lili is also the founder of DAOFitLife, a wellness and performance platform for high-achieving professionals navigating demanding careers.
