Agentic AI System
agentic-system · Frontier safety
An AI system that takes actions in the world — calling tools, executing code, browsing the web, sending messages, planning multi-step sequences — rather than only generating text or images for a human reader.
Definition & scope
An agentic system, in the technical sense, is one whose outputs include actions with external effects (tool calls, API requests, code execution, file writes) and whose loop structure permits multi-step planning over those actions. The architecture pattern emerged with ReAct (Yao et al. 2022, 'ReAct: Synergizing Reasoning and Acting in Language Models'), AutoGPT and BabyAGI (2023, open-source), and is now the deployment substrate for Claude's tool use, GPT's function calling + assistants API, and Google DeepMind's Project Astra demos. The governance-relevant distinction from chat-only LLMs is that agentic systems can cause harm by acting (sending money, running attacks, exfiltrating data) rather than only by saying — Wittgenstein's 'words can wound' becomes 'words and actions can wound, and the actions are at machine speed.' Regulatory vocabulary has not caught up. EU AI Act treats agentic systems as a sub-case of GPAI plus deployment context, with no agentic-specific obligations. Seoul Declaration (May 2024) and the 16 frontier-lab Frontier AI Safety Commitments mention 'advanced AI systems' but do not operationalise the agentic-vs-chat distinction. UK AISI's evaluations include agentic-capability tests (autonomous-replication, self-exfiltration) that imply the category but do not define it. The G7 Hiroshima Code §1 uses 'advanced AI' as the umbrella. Industry-side frameworks (Anthropic RSP, OpenAI Preparedness, DeepMind FSF) treat agentic capability as a tier-relevant signal: at sufficient action capability, capability-tier safeguards apply that wouldn't apply to a chat-only model with equal knowledge.
Mechanism: the agent loop and its principal variants
Beneath the one-line definition, an agentic system is an iterated control loop wrapped around a language model: at each step the model receives a context (instructions, prior actions, returned observations), emits either a reasoning trace or a structured action, and an executor runs that action and feeds the result back. ReAct 1 crystallised this pattern by interleaving free-text 'thoughts' with discrete actions, letting the model 'create, maintain, and adjust high-level plans' while incorporating external observations — the substrate now reused by tool-calling APIs across vendors.
Three mechanism families extend the bare loop. First, tool-use grounding: Toolformer 2 showed a model can teach itself when and how to call external APIs, supplying the 'action' vocabulary the loop executes. Second, self-correction: Reflexion 3 adds a verbal-reinforcement step in which the agent 'verbally reflect[s] on task feedback' and stores those reflections in an episodic buffer to improve later trials — adaptation without weight updates. Third, persistent memory and planning: Generative Agents 4 couples the loop to a long-term memory stream that is synthesised into higher-level reflections and retrieved to plan future behaviour.
These mechanisms compose: production 'agents' typically stack a ReAct-style loop, a tool layer, a memory store, and a planner/orchestrator. The governance-relevant property is that capability lives in this scaffolding, not only in the base model's weights — a point the social-science section's benchmarks (Mialon et al. 2023; AgentBench) operationalise empirically.
Open debate: a contested, marketing-stretched category
Whether 'agentic' names a coherent kind is actively disputed, with direct implications for any obligation keyed to it. Most writing treats agency as a sliding scale of autonomy rather than a binary — 'AI systems that can be instructed in natural language and act autonomously on the user's behalf are more agentic,' with several incompatible level schemes proposed but no consensus 5. The absence of agreed gradations, these authors argue, has itself produced 'confusion in both technical and public discourse.'
A stronger critique holds the term is now diluted past usefulness: Bent 6 documents that vendor definitions range from systems that maintain control over how they accomplish tasks to anything that merely uses an LLM to decide the control flow, and proposes replacing the binary with three minimum requirements plus a five-dimensional 'agenticness' spectrum. A parallel taxonomy distinguishes single-agent 'AI Agents' (tool-equipped, task-specific) from multi-agent 'Agentic AI' marked by 'multi-agent collaboration, dynamic task decomposition, persistent memory, and coordinated autonomy' 7. Policy Window's editorial reading is that this definitional instability — not just measurement difficulty — is why no instrument in the operationalisation table fixes an agentic-specific threshold: a label that vendors stretch and scholars cannot delimit resists a clean regulatory trigger.
History: from rational agents to autonomous-replication evaluations
The vocabulary predates large language models. Classical AI defined the field as 'the study and design of rational agents' — entities that perceive an environment through sensors and act upon it through effectors to achieve the best expected outcome (Russell & Norvig, Artificial Intelligence: A Modern Approach). The current usage narrows this to LLM-driven systems and dates almost entirely to 2022-2023.
ReAct 1 introduced the reasoning-plus-acting loop. In early 2023 the enabling mechanisms arrived in quick succession: Toolformer 2 for self-supervised tool use, Reflexion 3 for verbal self-correction, and Generative Agents 4 for memory-driven multi-agent simulation. The open-source AutoGPT and BabyAGI projects (2023) popularised the 'autonomous agent' framing for general audiences (Fortune 2023). Governance attention crystallised the same year: ARC Evals (renamed METR in December 2023) published 'Evaluating Language-Model Agents on Realistic Autonomous Tasks' (August 2023), formalising the autonomous-replication-and-adaptation threat model that frontier-lab frameworks later adopted as a capability tier. By 2025 the conversation had turned normative, with Hugging Face researchers arguing that 'the more control a user cedes to an AI agent, the more risks to people arise' and that fully autonomous agents should not be built at all 8.
Use in governance
How instruments operationalise this concept
| Instrument | Jurisdiction | Status |
|---|---|---|
| G7 Hiroshima AI Process Code of Conduct | G7 | in force |
| Seoul Declaration on Safe, Innovative and Inclusive AI | global | in force |
| NIST AI RMF Generative AI Profile | US | in force |
Appears in topic articles
Editorial note
When citing 'agentic' in policy contexts, distinguish (a) tool-using LLMs that act through a fixed API surface (most current 'agents'); (b) browser-driven agents with general internet access; (c) embodied agents (robotics + LLM). Each raises distinct governance questions; collapsing the three is one of the most common analytical errors in 2025-2026 policy writing.
See also
Further reading
Sources on the broader topics this concept relates to — complementing, not standing in for, the primary sources cited inline above. 66 academic & grey-literature sources; catalogued metadata with a primary link; one-line findings are ✦ AI-generated summaries, labeled as such (charter §7.9). Browse the full literature index.
- Artificial intelligence and synthetic biology: biosecurity risks, dual-use concerns, and governance pathways Peer-reviewed✦ AIReviews biosecurity and dual-use risks at the AI-synthetic-biology interface and maps governance pathways for emerging catastrophic threats.
- An interdisciplinary account of the terminological choices by EU policymakers ahead of the final agreement on the AI Act: AI system, general purpose AI system, foundation model, and generative AI Peer-reviewed✦ AITraces how the AI Act's legal text shifted across versions among the terms 'AI system, general purpose AI system, foundation model, and generative AI', exposing definitional instability in the regime.
- The EU model of AI governance: regulating artificial intelligence through law and policy Peer-reviewed✦ AIAnalyses how the AI Act's risk-based model handles general-purpose and foundation models whose 'autonomous content generation challenges legal categories of authorship, accountability, and control'.
- Generative AI and data protection Peer-reviewed✦ AIExamines friction between foundation-model training and the GDPR, noting models that 'memorize and leak pieces of training data' cannot be treated as anonymous.
- Two types of AI existential risk: decisive and accumulative Peer-reviewed✦ AIDistinguishes 'decisive' (sudden takeover) from 'accumulative' AI existential risk, arguing governance must address gradual societal erosion as well as abrupt scenarios.
- Confronting Catastrophic Risk: The International Obligation to Regulate Artificial Intelligence Peer-reviewed✦ AIArgues international law imposes a precautionary-principle obligation on states to regulate AI to mitigate the threat of human extinction.
- Artificial Intelligence and Nuclear Weapons Proliferation: The Technological Arms Race for (In)visibility Peer-reviewed✦ AIAnalyzes how AI-driven detection/concealment in nuclear arsenals reshapes strategic stability and proliferation risk, with governance implications.
- International Agreements on AI Safety: Review and Recommendations for a Conditional AI Safety Treaty Preprint✦ AIProposes a conditional AI safety treaty with a compute threshold triggering mandatory audits by an international network of AI Safety Institutes empowered to halt development if risks are unacceptable.
- Managing extreme AI risks amid rapid progress Peer-reviewed✦ AIWarns "AI safety research is lagging" and present governance initiatives "lack the mechanisms and institutions to prevent misuse and recklessness", urging adaptive governance plus safety R&D.
- GPTs are GPTs: Labor market impact potential of LLMs Peer-reviewed✦ AIFinds around 80% of the U.S. workforce "could have at least 10% of their work tasks affected" by LLMs, which exhibit "traits of general-purpose technologies".
- Generative AI in EU law: Liability, privacy, intellectual property, and cybersecurity Peer-reviewed✦ AIExamines how the EU AI Act, liability regimes, GDPR, copyright and cybersecurity rules apply to generative AI, identifying gaps and proposing targeted regulatory refinements.
- Evaluating Frontier Models for Dangerous Capabilities Preprint✦ AIPilots dangerous-capability evaluations (persuasion, cyber, self-proliferation) on frontier models, finding 'early warning signs' but no strong present danger — grounding evaluation-based gating.
+ 54 more across this concept's topics — see the literature index.
References
Sources cited inline in the analysis, numbered in order of appearance.
- Yao, S., Zhao, J., Yu, D., Du, N., Shafran, I., Narasimhan, K., Cao, Y. (2022), 'ReAct: Synergizing Reasoning and Acting in Language Models.' Agentic AI System. arXiv:2210.03629 — Yao, S., Zhao, J., Yu, D., Du, N., Shafran, I., Narasimhan, K., Cao, Y. (2022), 'ReAct: Synergizing Reasoning and Acting in Language Models.' ↩
- arXiv:2302.04761 ↩
- arXiv:2303.11366 ↩
- arXiv:2304.03442 ↩
- arXiv:2407.01502 ↩
- arXiv:2508.05338 ↩
- arXiv:2505.10468 ↩
- arXiv:2502.02649 ↩
Cite this article 8 formats · BibTeX, RIS, APA, Chicago, … · 1-click copy
Persistent identifier: https://policywindow.org/wiki/agentic-system — committed-stable URL with content-versioning via ?asOf= (rollout pending per methodology §7). DOIs via Zenodo are on the roadmap.
Article tools — track changes, suggest an edit
View history — every captured revision of this article · What links here
Social-science evidence — the “so-what”
What the peer-reviewed social science shows: whether the harm this concept addresses is empirically real, and whether governance of it works. The badge is the epistemic status of the evidence(not the policy debate) — “thin” or “absent” efficacy evidence is itself a finding (the “second silence”). Each epistemic-status label is Policy Window's editorial assessment of the cited evidence base (a structured classification), not a verdict any single source issues.
Agentic systems are empirically real and operational, not hypothetical: language models augmented with tools, code execution, browsing, and multi-step reasoning are surveyed (Mialon et al. 2023) and systematically benchmarked across interactive environments (AgentBench, Liu et al. 2023/2024, which spans 8 environments and 27 LLMs), and their capability growth is measured — METR's time-horizon metric (Kwa et al. 2025) finds the length of software tasks frontier agents complete at 50% success has been roughly doubling every seven months. Caveat: the category 'agentic' spans a wide capability range, and even frontier agents remain unreliable on many realistic multi-step tasks (AgentBench explicitly finds poor long-term reasoning and decision-making), so the label denotes a real and coherently defined class rather than a fixed competence level.
Sources: Mialon et al. 2023 (Augmented Language Models: a Survey, arXiv:2302.07842); Liu et al. 2023/2024 (AgentBench: Evaluating LLMs as Agents, ICLR 2024, arXiv:2308.03688); Kwa et al. 2025 (Measuring AI Ability to Complete Long Tasks, METR, arXiv:2503.14499)
There is no rigorous evidence that any governance or technical regime reliably bounds the distinctive harms of agentic systems: the agent-specific failure mode of indirect prompt injection (tool-returned data hijacking the agent) is demonstrated to be hard to defend, with AgentDojo (Debenedetti et al. 2024) showing unconstrained agent pipelines remain highly vulnerable and existing defenses break some security properties (though AgentDojo's own adaptive attacks were less effective than on other benchmarks, partly due to its longer contexts). AI Control (Greenblatt et al. 2023) is a promising research direction for keeping untrusted agents safe via monitoring and auditing, but it is evaluated in constructed red-team/blue-team settings, not validated as a deployed governance regime — no replicated study shows a governance lever measurably curbs real-world agentic harm.
Sources: Debenedetti et al. 2024 (AgentDojo: A Dynamic Environment to Evaluate Prompt Injection Attacks and Defenses for LLM Agents, NeurIPS 2024, arXiv:2406.13352); Greenblatt et al. 2023 (AI Control: Improving Safety Despite Intentional Subversion, ICML 2024, arXiv:2312.06942)